Image summary for sles-15-sp1-chost-byos-v20220127

SUSE-IU-2022:49-1

This update for runc fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

• Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10

• CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
• Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

libprotobuf was updated to fix:

• ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:

• CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
• CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

• Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).

• Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)

• Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243

• Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708

• Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14

• Enable fish-completion

• Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

• Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708

• Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

• Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.

• Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
• Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.

• Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243

• Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

This update for openssh fixes the following issues:

• Fixed a crash which sometimes occured on connection termination, caused by accessing freed memory (bsc#1180501)

This update for bind fixes the following issues:

• CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]

This update for docker, golang-github-docker-libnetwork fixes the following issues:

• A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

This update for python3 fixes the following issues:

• CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
• Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
• CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
• CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
• CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
• CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
• CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
• CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
• CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

• ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
• ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
• ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
• ALSA: doc: Fix reference to mixart.rst (git-fixes).
• ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
• ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
• ALSA: hda/via: Add minimum mute flag (git-fixes).
• ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
• ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
• ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
• ASoC: Intel: haswell: Add missing pm_ops (git-fixes).
• ASoC: dapm: remove widget from dirty list on free (git-fixes).
• EDAC/amd64: Fix PCI component registration (bsc#1112178).
• IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991).
• KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912).
• KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230).
• NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes).
• NFS: nfs_igrab_and_active must first reference the superblock (git-fixes).
• NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes).
• NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes).
• RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992).
• RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244 ).
• RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742).
• RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992).
• RDMA/core: Ensure security pkey modify is not lost (bsc#1046306 ).
• RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306).
• RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306).
• RDMA/core: Fix reported speed and width (bsc#1046306 ).
• RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992).
• RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306 ).
• RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427).
• RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427).
• RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206).
• RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427 ).
• RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427).
• RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684).
• RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684).
• RDMA/mlx5: Add init2init as a modify command (bsc#1103991 ).
• RDMA/mlx5: Fix typo in enum name (bsc#1103991).
• RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991).
• RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545 ).
• SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
• USB: ehci: fix an interrupt calltrace error (git-fixes).
• USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
• USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
• USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
• USB: yurex: fix control-URB timeout handling (git-fixes).
• __netif_receive_skb_core: pass skb by reference (bsc#1109837).
• arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
• arm64: pgtable: Fix pte_accessible() (bsc#1180130).
• bnxt_en: Do not query FW when netif_running() is false (bsc#1086282).
• bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745 ).
• bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745).
• bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
• bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282).
• bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745).
• bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
• bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242 ).
• bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
• bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745).
• bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
• btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
• btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206).
• btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206).
• btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
• caif: no need to check return value of debugfs_create functions (git-fixes).
• can: c_can: c_can_power_up(): fix error handling (git-fixes).
• can: dev: prevent potential information leak in can_fill_info() (git-fixes).
• can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
• chelsio/chtls: correct function return and return type (bsc#1104270).
• chelsio/chtls: correct netdevice for vlan interface (bsc#1104270 ).
• chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270 ).
• chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270 ).
• chelsio/chtls: fix deadlock issue (bsc#1104270).
• chelsio/chtls: fix memory leaks caused by a race (bsc#1104270 ).
• chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270 ).
• chelsio/chtls: fix panic during unload reload chtls (bsc#1104270 ).
• chelsio/chtls: fix socket lock (bsc#1104270).
• chelsio/chtls: fix tls record info to user (bsc#1104270 ).
• chtls: Added a check to avoid NULL pointer dereference (bsc#1104270).
• chtls: Fix chtls resources release sequence (bsc#1104270 ).
• chtls: Fix hardware tid leak (bsc#1104270).
• chtls: Remove invalid set_tcb call (bsc#1104270).
• chtls: Replace skb_dequeue with skb_peek (bsc#1104270 ).
• cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837).
• cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
• cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542).
• cxgb4: fix SGE queue dump destination buffer context (bsc#1073513).
• cxgb4: fix adapter crash due to wrong MC size (bsc#1073513).
• cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129).
• cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648).
• cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129).
• cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277).
• cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371).
• cxgb4: move DCB version extern to header file (bsc#1104279 ).
• cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220).
• cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129).
• cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129).
• cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648).
• dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
• dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
• dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
• docs: Fix reST markup when linking to sections (git-fixes).
• drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
• drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956)
• drm/amdkfd: Put ACPI table after using it (bsc#1129770) Backporting changes: * context changes
• drm/atomic: put state on error path (git-fixes).
• drm/i915: Check for all subplatform bits (git-fixes).
• drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178)
• drm/i915: Fix sha_text population code (bsc#1112178)
• drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770)
• drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770)
• drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770)
• drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
• drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
• drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
• drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770)
• drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178)
• drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178)
• drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178)
• ehci: fix EHCI host controller initialization sequence (git-fixes).
• ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
• floppy: reintroduce O_NDELAY fix (boo#1181018).
• futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
• futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
• futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
• futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
• futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
• futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
• futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
• futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
• i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
• i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
• i40e: avoid premature Rx buffer reuse (bsc#1111981).
• igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
• igc: fix link speed advertising (jsc#SLE-4799).
• iio: ad5504: Fix setting power-down state (git-fixes).
• iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181260, jsc#ECO-3191).
• iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181260, jsc#ECO-3191).
• ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837).
• ixgbe: avoid premature Rx buffer reuse (bsc#1109837 ).
• kABI: Fix kABI for extended APIC-ID support (bsc#1181260, jsc#ECO-3191).
• kernfs: deal with kernfs_fill_super() failures (bsc#1181809).
• lockd: do not use interval-based rebinding over TCP (git-fixes).
• locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
• md/raid10: initialize r10_bio->read_slot before use (git-fixes).
• md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes).
• media: gp8psk: initialize stats at power control logic (git-fixes).
• misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
• misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
• mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
• mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374).
• mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes).
• mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374).
• mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes).
• mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)).
• mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)).
• mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)).
• mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)).
• mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)).
• mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)).
• mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
• nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
• net/af_iucv: always register net_device notifier (git-fixes).
• net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108).
• net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
• net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837).
• net/liquidio: Delete driver version assignment (git-fixes).
• net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes).
• net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes).
• net/mlx5: Add handling of port type in rule deletion (bsc#1103991).
• net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305).
• net/mlx5e: Fix VLAN cleanup flow (git-fixes).
• net/mlx5e: Fix VLAN create flow (git-fixes).
• net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
• net/mlx5e: Fix two double free cases (bsc#1046305).
• net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020).
• net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990 ).
• net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990).
• net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837).
• net/smc: cancel event worker during device removal (git-fixes).
• net/smc: check for valid ib_client_data (git-fixes).
• net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
• net/smc: receive pending data after RCV_SHUTDOWN (git-fixes).
• net/smc: receive returns without data (git-fixes).
• net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
• net: atlantic: fix potential error handling (git-fixes).
• net: atlantic: fix use after free kasan warn (git-fixes).
• net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
• net: bcmgenet: reapply manual settings to the PHY (git-fixes).
• net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes).
• net: cbs: Fix software cbs to consider packet sending time (bsc#1109837).
• net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes).
• net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes).
• net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
• net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
• net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes).
• net: freescale: fec: Fix ethtool -d runtime PM (git-fixes).
• net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353).
• net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes).
• net: hns3: add management table after IMP reset (bsc#1104353 ).
• net: hns3: check reset interrupt status when reset fails (git-fixes).
• net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes).
• net: hns3: fix a TX timeout issue (bsc#1104353).
• net: hns3: fix a wrong reset interrupt status mask (git-fixes).
• net: hns3: fix error VF index when setting VLAN offload (bsc#1104353).
• net: hns3: fix error handling for desc filling (bsc#1104353 ).
• net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390).
• net: hns3: fix interrupt clearing error for VF (bsc#1104353 ).
• net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353).
• net: hns3: fix shaper parameter algorithm (bsc#1104353 ).
• net: hns3: fix the number of queues actually used by ARQ (bsc#1104353).
• net: hns3: fix use-after-free when doing self test (bsc#1104353 ).
• net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353).
• net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633).
• net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113 ).
• net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633).
• net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes).
• net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes).
• net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes).
• net: phy: micrel: make sure the factory test bit is cleared (git-fixes).
• net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
• net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
• net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
• net: stmmac: Do not accept invalid MTU values (git-fixes).
• net: stmmac: Enable 16KB buffer size (git-fixes).
• net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
• net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
• net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
• net: stmmac: fix length of PTP clock's name string (git-fixes).
• net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
• net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
• net: team: fix memory leak in __team_options_register (git-fixes).
• net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
• net: usb: lan78xx: Fix error message format specifier (git-fixes).
• net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
• net_failover: fixed rollback in net_failover_open() (bsc#1109837).
• net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
• nfp: validate the return code from dev_queue_xmit() (git-fixes).
• nfs_common: need lock during iterate through the list (git-fixes).
• nfsd4: readdirplus shouldn't return parent of export (git-fixes).
• nfsd: Fix message level for normal termination (git-fixes).
• pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
• page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
• powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
• powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
• powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
• qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
• qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
• r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
• rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
• s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
• s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
• s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
• s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
• s390/qeth: delay draining the TX buffers (git-fixes).
• s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
• s390/qeth: fix deadlock during recovery (git-fixes).
• s390/qeth: fix locking for discipline setup / removal (git-fixes).
• s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
• sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
• sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
• sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
• sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
• sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
• scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
• scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
• scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
• scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
• scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
• scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
• scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
• scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
• scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
• scsi: lpfc: Fix target reset failing (bsc#1180891).
• scsi: lpfc: Fix vport create logging (bsc#1180891).
• scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
• scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
• scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
• scsi: lpfc: Simplify bool comparison (bsc#1180891).
• scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
• scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
• scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
• serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
• spi: cadence: cache reference clock rate during probe (git-fixes).
• team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
• tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
• usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
• usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
• usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
• usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
• usb: gadget: select CONFIG_CRC32 (git-fixes).
• usb: udc: core: Use lock when write to soft_connect (git-fixes).
• veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
• vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
• vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
• vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
• virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
• wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
• wil6210: select CONFIG_CRC32 (git-fixes).
• x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181260, jsc#ECO-3191).
• x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181260, jsc#ECO-3191).
• x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
• x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
• x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181260, jsc#ECO-3191).
• x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
• x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
• x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
• x86/mm: Fix leak of pmd ptlock (bsc#1112178).
• x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181260, jsc#ECO-3191).
• x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
• x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
• x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
• xdp: Fix xsk_generic_xmit errno (bsc#1109837).
• xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
• xhci: tegra: Delay for disabling LFPS detector (git-fixes).

This update for avahi fixes the following issues:

• CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
• Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
• Add sudo to requires: used to drop privileges.

This update for open-lldp fixes the following issue:
Update to version v1.0.1+65.f3b70663b55e

• Event interface: only set receive buffer size if too small (bsc#1175570)

This update for glibc fixes the following issues:

• Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
• x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
• gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
• iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
• iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
• Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:

• CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
• CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
• CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
• CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
• CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
• CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)

This update for bind fixes the following issues:

• dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]

This update for openldap2 fixes the following issues:

• bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
• bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
• bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
• bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
• bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
• bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
• bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
• bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

The SUSE Linux Enterprise 15 SP1 kernel was updated receive various security and bugfixes.
The following security bugs were fixed:

• CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
• CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
• CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
• CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

• btrfs: Cleanup try_flush_qgroup (bsc#1182047).
• btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
• btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve (bsc#1182130)
• btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
• btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
• btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
• btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
• Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes).
• ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
• kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ('rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).')
• libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
• net: bcmgenet: add support for ethtool rxnfc flows (git-fixes).
• net: bcmgenet: code movement (git-fixes).
• net: bcmgenet: fix mask check in bcmgenet_validate_flow() (git-fixes).
• net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
• net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
• net: bcmgenet: set Rx mode before starting netif (git-fixes).
• net: bcmgenet: use __be16 for htons(ETH_P_IP) (git-fixes).
• net: bcmgenet: Use correct I/O accessors (git-fixes).
• net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
• net/mlx4_en: Handle TX error CQE (bsc#1181854).
• net: moxa: Fix a potential double 'free_irq()' (git-fixes).
• net: sun: fix missing release regions in cas_init_one() (git-fixes).
• nvme-multipath: Early exit if no path is available (bsc#1180964).
• rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
• scsi: target: fix unmap_zeroes_data boolean initialisation (bsc#1163617).
• usb: dwc2: Abort transaction after errors with unknown reason (bsc#1180262).
• usb: dwc2: Do not update data length if it is 0 on inbound transfers (bsc#1180262).
• usb: dwc2: Make 'trimming xfer length' a debug message (bsc#1180262).
• vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
• xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
• xen/netback: fix spurious event detection for common event case (bsc#1182175).

This update for openssl-1_1 fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for efivar fixes the following issues:

• Fixed an issue with the NVME path parsing (bsc#1181967)

This update for zlib fixes the following issues:

• Fixed hw compression on z15 (bsc#1176201)

This update for glib2 fixes the following issues:

• CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)

• CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for systemd-presets-common-SUSE fixes the following issues:

• Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
• Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer`
• Avoid needless refresh on boot. (bsc#1165780)

This update for nghttp2 fixes the following issues:

• CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

This update for ruby2.5 fixes the following issues:

• CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125).
• Enable optimizations also on ARM64 (bsc#1177222)

This update for gnutls fixes the following issues:

• CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
• CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

This update for ldb fixes the following issues:

• CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
• CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).

This update for python3 fixes the following issues:

• python36 was updated to 3.6.13
• CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).

This update for zstd fixes the following issues:

• CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
• CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

This update for rsyslog fixes the following issues:

• Fix groupname retrieval for large groups. (bsc#1178490)

This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.43:

• doc: give more details about creating versioned package locks (bsc#1181622)
• man: Document synonymously used patch categories (bsc#1179847)
• Fix source-download commands help (bsc#1180663)
• man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
• Extend apt packagemap (fixes #366)
• --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
• Prefer /run over /var/run.

• Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
• Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
• Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
• Add missing includes for GCC 11 compatibility.
• Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'.
• Commit: Fix rpmdb compat symlink in case rpm got removed.
• Repo: Allow multiple baseurls specified on one line (fixes #285)
• Regex: Fix memory leak and undefined behavior.
• Add rpm buildrequires for test suite (fixes #279)
• Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use.
• CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
• RepoManager: Force refresh if repo url has changed (bsc#1174016)
• RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
• RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
• RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
• Fixed update of gpg keys with elongated expire date (bsc#1179222)
• needreboot: remove udev from the list (bsc#1179083)
• Fix lsof monitoring (bsc#1179909)
• Rephrase solver problem descriptions (jsc#SLE-8482)
• Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
• Multicurl backend breaks with with unknown filesize (fixes #277)

This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105)

This update for vim provides the following fixes:

• Install SUSE vimrc in /usr. (bsc#1182324)
• Source correct suse.vimrc file. (bsc#1182324)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

This update for cups fixes the following issues:

• Fixed the web UI kerberos authentication (bsc#1175960)

This update for openldap2 fixes the following issues:

• Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

This update for cifs-utils fixes the following issues:

• CVE-2021-20208: Fixed a potential kerberos auth leak escaping from container (bsc#1183239)

This update for open-iscsi fixes the following issues:

• CVE-2020-17437: uIP Out-of-Bounds Write (bsc#1179908)
• CVE-2020-17438: uIP Out-of-Bounds Write (bsc#1179908)
• CVE-2020-13987: uIP Out-of-Bounds Read (bsc#1179908)
• CVE-2020-13988: uIP Integer Overflow (bsc#1179908)
• Enabled no-wait ('-W') iscsiadm option for iscsi login service (bsc#1173886, bsc#1183421)
• Added the ability to perform async logins (bsc#1173886)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for qemu fixes the following issues:

• Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
• Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
• Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
• Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
• Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
• Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
• Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
• Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
• Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
• Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)
• Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
• Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
• Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
• Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
• Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)
• Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)
• Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)
• Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
• Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
• Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
• Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
• Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049)
• Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)
• Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel
• Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
• Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
• Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
• Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
• Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)
• Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent. (bsc#1178565)

This update for grub2 fixes the following issues:

• Fix error `grub_file_filters not found` in Azure virtual machine. (bsc#1182012)
• Fix a migration issue due to a lower build number in higher service packs. (bsc#1183761)
• Fix executable stack marking in `grub-emu`. (bsc#1181696)

This update for sudo fixes the following issues:

• L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)

This update for ruby2.5 fixes the following issues:

• Update to 2.5.9
• CVE-2021-28965: XML round-trip vulnerability in REXML (bsc#1184644)

This update for systemd-presets-common-SUSE fixes the following issues:

• Enabled hcn-init.service for HNV on POWER (bsc#1184136)

This update for e2fsprogs fixes the following issues:

• Fixed an issue when building e2fsprogs (bsc#1183791)

This update for systemd fixes the following issues:

• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

This update for libnettle fixes the following issues:

• CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

This update for tcpdump fixes the following issues:

• Disabled five regression tests that fail with libpcap > 1.8.1 (bsc#1183800)

This update for systemd-presets-branding-SLE fixes the following issues:

• Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780)

This update for cups fixes the following issues:

• CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)

This update for cifs-utils fixes the following issues:

• Fixed a bug where it was no longer possible to mount CIFS filesystem after the last maintenance update (bsc#1184815)

This update for bind fixes the following issues:

• CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
• CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
• make /usr/bin/delv in bind-tools position independent (bsc#1183453).

This update for avahi fixes the following issues:

• CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).

This update for samba fixes the following issues:

• CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
• CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
• CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
• Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
• s3-libads: use dns name to open a ldap session (bsc#1184310).
• Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

This update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent contains the following fixes:
Changes in google-guest-agent:

• Update to version 20210223.01 (bsc#1183414, bsc#1183415) * add a match block to sshd_config for SAs (#99) * add ipv6 forwarded ip support (#101) * call restorecon on ssh host keys (#98) * Include startup and shutdown in preset (#96) * set metadata URL earlier (#94)
• Fix activation logic of systemd services (bsc#1182793)

• Update to version 20201211.00 * Require snapshot scripts to live under /etc/google/snapshots (#90) * Adding support for Windows user account password lengths between 15 and 255 characters. (#91) * Adding bkatyl to OWNERS (#92)

• Update to version 20210317.00 (bsc#1183414, bsc#1183415) * dracut.conf wants spaces around values (#19) * make the same change for debian (#18) * change path back for google_nvme_id (#17) * move google_nvme_id to /usr/bin (#16) * correct udev rule syntax (#15) * prune el6 spec (#13) * Updated udev rules (#11)
• Remove empty %{_sbindir} from %install and %files section

• Remove service files (bsc#1180304) + google-optimize-local-ssd.service, google-set-multiqueue.service scripts are called from within the guest agent

• Update to version 20210316.00 (bsc#1183414, bsc#1183415) * call correct function in pwenthelper (#53)

• Update to version 20210108.00 * Update logic in the cache_refresh binary (#52) * remove old unused workflow files (#49)

• Update to version 20210316.00 (bsc#1183414, bsc#1183415) * call correct function in pwenthelper (#53)

• Update to version 20210108.00 * Update logic in the cache_refresh binary (#52) * remove old unused workflow files (#49)

• Update to version 20200925.00 (bsc#1179031, bsc#1179032) * add getpwnam,getpwuid,getgrnam,getgrgid (#42) * Change requires to not require the python library for policycoreutils. (#44) * add dial and recvline (#41) * PR feedback * new client component and tests

• Update to version 20200819.00 (bsc#1175740, bsc#1175741) * deny non-2fa users (#37) * use asterisks instead (#39) * set passwords to ! (#38) * correct index 0 bug (#36) * Support security key generated OTP challenges. (#35)

• No post action for ssh

• Initial build (bsc#1174304, bsc#1174306, jsc#ECO-2099, jsc#PM-1945) + Version 20200507.00 + Replaces google-compute-engine-oslogin package

This update for patterns-microos provides the following fix:

• Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for python3 fixes the following issues:

• CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

This update for shim fixes the following issues:

• Update to the unified shim binary for SBAT support (bsc#1182057) + Merged EKU codesign check (bsc#1177315)
• shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464).

This update for krb5 fixes the following issues:

• Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

This update for chrony fixes the following issues:

• Fix build with glibc-2.31 (bsc#1162964)
• Use /run instead of /var/run for PIDFile in chronyd.service (bsc#1184400)

This update for sed fixes the following issues:

• Fixed a building issue with glibc-2.31 (bsc#1183797).

This update for libsolv and libzypp fixes the following issues:
libsolv:
Upgrade from version 0.7.17 to version 0.7.19

• Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
• Fix memory leaks in error cases
• Fix error handling in `solv_xfopen_fd()`
• Fix regex code on win32
• fixed memory leak in choice rule generation
• `repo_add_conda`: add a flag to skip version 2 packages.

• Properly handle permission denied when providing optional files. (bsc#1185239)
• Fix service detection with `cgroupv2`. (bsc#1184997)
• Add missing includes for GCC 11. (bsc#1181874)
• Fix unsafe usage of static in media verifier.
• `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
• `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
• Do no cleanup in custom cache dirs. (bsc#1182936)
• `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

This update for openldap2 fixes the following issue:

• Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
• CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
• CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).
• CVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).
• CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
• CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
• CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
• CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
• CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
• CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
• CVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).
• CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
• CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
• CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
• CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
• CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
• CVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).
• CVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).
• CVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).
• CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
• CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
• CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
• CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
• CVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).
• CVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).
• CVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).
• CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
• CVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).
• CVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).
• CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
• CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
• CVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).
• CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
• CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
• CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

• Revert 'rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)' This turned out to be a bad idea: the kernel-$flavor-devel package must be usable without kernel-$flavor, e.g. at the build of a KMP. And this change brought superfluous installation of kernel-preempt when a system had kernel-syms (bsc#1185113).
• Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
• bfq: Fix kABI for update internal depth state when queue depth changes (bsc#1172455).
• bfq: update internal depth state when queue depth changes (bsc#1172455).
• bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
• bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
• handle also the opposite type of race condition
• ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
• ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844).
• ibmvnic: store valid MAC address (bsc#1182011).
• macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672).
• nvme: return an error if nvme_set_queue_count() fails (bsc#1180197).
• post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
• rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063).
• rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244)
• rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650)
• xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022, XSA-367).

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for lz4 fixes the following issues:

• CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

This update for libxml2 fixes the following issues:

• CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for nfs-utils fixes the following issues:

• The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170)
• Improve logging of authentication (bsc#1181540)
• Add man page of the 'nconnect mount'. (bsc#1181651)
• Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194)

This update for supportutils fixes the following issues:

• Collects rotated logs with different compression types (bsc#1180478)
• Captures now IBM Power bootlist (jsc#SLE-15557)
• Fixed some errors with supportutils in combination with the btrfs filesystem (bsc#1168894)
• Fixed an issue with ntp.txt, when it contains large binary data (bsc#1169122)
• Checks package signatures in rpm.txt (bsc#1021918)
• Optimize find (bsc#1184912)
• Using zypper --xmlout (bsc#1181351)
• Error fix for sysfs.txt (bsc#1089870)
• Added list-timers to systemd.txt (bsc#1169348)
• Including nfs4 in search (bsc#1184829)
• [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826)
• Fixed mismatched taint flags (bsc#1178491)
• Removed redundant fdisk code that can cause timeout issues (bsc#1181679)
• Supportconfig processes -f without hanging (bsc#1182904)
• Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950)
• [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911)
• Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932)
• No longer truncates boot log (bsc#1181610)
• Collects rotated logs with different compression types (bsc#1180478)
• Capture IBM Power bootlist (SLE-15557)
• [powerpc] Collect logs for power specific components #72 (bscn#1176895)
• Fixed btrfs errors (bsc#1168894)
• Large ntp.txt with binary data (bsc#1169122)
• Only include hostinfo details in /etc/motd (bsc#1170092)
• Fixed CPU load average calculation (bsc#1170094)
• Understands 3rd party packages on SLES or OpenSUSE (bsc#1170858)
• Implement persistens host information across reboots (bsc#1183732)

This update for snappy fixes the following issues:
Update from version 1.1.3 to 1.1.8

• Small performance improvements.
• Removed `snappy::string` alias for `std::string`.
• Improved `CMake` configuration.
• Improved packages descriptions.
• Fix RPM groups.
• Aarch64 fixes
• PPC speedups
• PIE improvements
• Fix license install. (bsc#1080040)
• Fix a 1% performance regression when snappy is used in PIE executable.
• Improve compression performance by 5%.
• Improve decompression performance by 20%.
• Use better download URL.
• Fix a build issue for tensorflow2. (bsc#1184507)

This update for google-guest-agent, google-guest-oslogin, google-osconfig-agent contains the following fixes:

• Update to version 20210414.00 (bsc#1185848, bsc#1185849) * start sshd (#106) * Add systemd-networkd.service restart dependency. (#104) * Update error message for handleHealthCheckRequest. (#105)

• Update to version 20210429.00 (bsc#1185848, bsc#1185849) * correct pagetoken in groupsforuser (#59) * resolve self groups last (#58) * support empty groups (#57) * no paginating to find groups (#56) * clear users vector (#55) * correct usage of pagetoken (#54)

• Update to version 20210506.00 (bsc#1185848, bsc#1185849) * Add more os policy assignment examples (#348) * e2e_tests: enable stable tests for OSPolicies (#347) * Align start and end task logs (#346) * ConfigTask: add additional info logs (#345) * e2e_tests: add validation tests (#344) * Config Task: make sure agent respects policy mode (#343) * update * e2e_tests: readd retries to OSPolicies * Set minWaitDuration as a string instead of object (#341) * e2e_tests: Fix a few SUSE tests (#339) * Remove pre-release flag from config (#340) * e2e_tests: fixup OSPolicy tests (#338) * e2e_tests: unlock mutex for CreatePolicies as soon as create finishes (#337) * e2e_tests: Don't retry failed OSPolicy tests, fix msi test (#336) * Examples for os policy assignments (#334) * e2e_tests: increase the deadline for OSPolicy tests and only start after a zone has been secured (#335) * Fix panic when installing MSI (#332) * e2e_tests: Add test cases of installing dbe, rpm and msi packages (#333) * e2e_tests: add more logging * e2e_tests: (#330) * e2e_test: Add timouts to OSPolicy tests so we don't wait forever (#329) * Create top level directories for gcloud and console for os policy assignment examples (#328) * e2e_tests: Move api from an internal directory (#327) * Make sure we use the same test name for reruns (#326) * Add CONFIG_V1 capability (#325) * e2e_tests: reduce size of instances, use pd-balanced, rerun failed tests once (#324) * Only report installed packages for dpkg (#322) * e2e_tests: fix windows package and repository tests (#323) * Add top level directories for os policy examples (#321) * e2e_tests: move to using inventory api for inventory reporting (#320) * e2e_tests: add ExecResource tests (#319) * ExecResource: make sure we set permissions correctly for downloaded files (#318) * Config task: only run post check on resources that have already been evaluated (#317) * e2e_test: reorganize OSPolicy tests to be per Resource type (#316) * Set custom user agent (#299) * e2e_tests: check InstanceOSPoliciesCompliance for each test case, add LocalPath FileResource test (#314) * PackageResource: make sure to run AptUpdate prior to package install (#315) * Fix bugs/add more logging for OSPolicies (#313) * Change metadata http client to ignore http proxies (#312) * e2e_test: add tests for FileResource (#311) * Add task_type context logging (#310) * Fix e2e_test typo (#309) * Fix e2e_tests (#308) * Disable OSPolicies by default since it is an unreleased feature (#307) * e2e_tests: Add more OSPolicies package and repo tests (#306) * Do not enforce repo_gpgcheck in guestpolicies (#305) * Gather inventory 3-5min after agent start (#303) * e2e_tests: add OSPolicies tests for package install (#302) * Add helpful error log if a service account is missing (#304) * OSPolicies: correct apt repo extension, remove yum/zypper gpgcheck override (#301) * Update cos library to parse new version of packages file (#300) * config_task: Rework config step logic (#296) * e2e_test: enable serial logs in cos to support ReportInventory test (#297)

This update for shim fixes the following issues:

• shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)

This update for python3 fixes the following issues:

• Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block.

This update for curl fixes the following issues:

• CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
• CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
• Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
• Allow partial chain verification (jsc#SLE-17956).

This update for mozilla-nss fixes the following issue:

• Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for shim fixes the following issues:

• shim-install: remove the unexpected residual 'removable' label for Azure (bsc#1185464, bsc#1185961)

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
• CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values. (bsc#1186111)
• CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
• CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
• CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)
• CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
• CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
• CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
• CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
• CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
• CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
• CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)

• Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
• Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
• dm: fix redundant IO accounting for bios that need splitting (bsc#1183738).
• ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
• ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
• ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
• kabi: Fix breakage in NVMe driver (bsc#1181161).
• kabi: Fix nvmet error log definitions (bsc#1181161).
• kabi: nvme: fix fast_io_fail_tmo (bsc#1181161).
• md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
• net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
• netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
• netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
• netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
• netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950).
• nvme-fabrics: allow to queue requests for live queues (bsc#1181161).
• nvme-fabrics: do not check state NVME_CTRL_NEW for request acceptance (bsc#1181161).
• nvme-fabrics: reject I/O to offline device (bsc#1181161).
• nvme-pci: Sync queues on reset (bsc#1181161).
• nvme-rdma: avoid race between time out and tear down (bsc#1181161).
• nvme-rdma: avoid repeated request completion (bsc#1181161).
• nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161).
• nvme-rdma: fix controller reset hang during traffic (bsc#1181161).
• nvme-rdma: fix possible hang when failing to set io queues (bsc#1181161).
• nvme-rdma: fix timeout handler (bsc#1181161).
• nvme-rdma: serialize controller teardown sequences (bsc#1181161).
• nvme-tcp: avoid race between time out and tear down (bsc#1181161).
• nvme-tcp: avoid repeated request completion (bsc#1181161).
• nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161).
• nvme-tcp: fix controller reset hang during traffic (bsc#1181161).
• nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).
• nvme-tcp: fix timeout handler (bsc#1181161).
• nvme-tcp: serialize controller teardown sequences (bsc#1181161).
• nvme: Restart request timers in resetting state (bsc#1181161).
• nvme: add error log page slot definition (bsc#1181161).
• nvme: include admin_q sync with nvme_sync_queues (bsc#1181161).
• nvme: introduce 'Command Aborted By host' status code (bsc#1181161).
• nvme: introduce nvme_is_fabrics to check fabrics cmd (bsc#1181161).
• nvme: introduce nvme_sync_io_queues (bsc#1181161).
• nvme: make fabrics command run on a separate request queue (bsc#1181161).
• nvme: prevent warning triggered by nvme_stop_keep_alive (bsc#1181161).
• nvme: unlink head after removing last namespace (bsc#1181161).
• nvmet: add error log support for fabrics-cmd (bsc#1181161).
• nvmet: add error-log definitions (bsc#1181161).
• video: hyperv_fb: Add ratelimit on error message (bsc#1185725).

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

This update for qemu fixes the following issues:

• CVE-2020-10756: Fix out-of-bounds read information disclosure in icmp6_send_echoreply (bsc#1172380)

This update for nfs-utils fixes the following issues:

• Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194)

This update for gpg2 fixes the following issues:

• Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

• Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
• CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730).
• btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

• Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
• Fixed /dev/null is not available (bsc#1168481).
• CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

• CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
• Handle a requirement from docker (bsc#1181594).

This update for samba fixes the following issues:

• Fixes a regression changing the computer account password when using net ads(bsc#1185089)

This update for wget fixes the following issue:

• When running recursively, wget will verify the length of the whole URL when saving the files. This will make it overwrite files with truncated names, throwing the following message: 'The name is too long,... trying to shorten'. (bsc#1181173)

This update for google-guest-configs contains the following fix:

• Sync package in Public Cloud 15-SP3.

This update for libnettle fixes the following issues:

• CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for btrfsmaintenance fixes the following issues:

• Remove [Install] section from btrfsmaintenance. (bsc#1178874)

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for systemd-presets-common-SUSE fixes the following issues:
When installing the systemd-presets-common-SUSE package for the first time in a new system, it might happen that some services are installed before systemd so the %systemd_pre/post macros would not work. This is handled by enabling all preset services in this package's %posttrans section but it wasn't enabling user services, just system services. Now it enables also the user services installed before this package (bsc#1186561)

This update for thin-provisioning-tools fixes the following issues:

• Link as position-independent executable (bsc#1184124)

This update for patterns-microos provides the following fix:

• Add zypper-migration-plugin to the default pattern. (bsc#1186791)

This update for tar fixes the following issues:

• Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for openldap2 fixes the following issues:

• Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

This update for multipath-tools fixes the following issues:

• Update from version 0.7.9+195+suse.16740c5 to version 0.7.9+207+suse.58b7a57:

This update for chrony fixes the following issues:

• Fixed an issue when chrony aborts in FIPS mode due to MD5. (bsc#1173760)

This update for systemd fixes the following issues:
cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)

This update for dosfstools fixes the following issue:

• Fixed a bug that was causing an installation issue when trying to create an EFI partition on an NVMe-over-Fabrics device (bsc#1172863)

This update for dbus-1 fixes the following issues:

• CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UID's (bsc#1187105)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for efivar provides the following fix:

• Fix the eMMC sysfs parsing. (bsc#1187386)

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
• Skip udev rules if 'elevator=' is used (bsc#1184994)

This update for containerd fixes the following issues:

• CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282)

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

• CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
• CVE-2021-33624: Fixed a bug which allows unprivileged BPF program to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel. (bsc#1187554)
• CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
• CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
• CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bnc#1179610)
• CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
• CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bnc#1186463)
• CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
• CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861 bsc#1185863)
• CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
• CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
• CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
• CVE-2021-33200: Fix leakage of uninitialized bpf stack under speculation. (bsc#1186484)

• af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081).
• kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081).
• net: Do not set transport offset to invalid value (bsc#1176081).
• net: Introduce parse_protocol header_ops callback (bsc#1176081).
• net/ethernet: Add parse_protocol header_ops support (bsc#1176081).
• net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081).
• net/mlx5e: Trust kernel regarding transport offset (bsc#1176081).
• net/packet: Ask driver for protocol if not provided by user (bsc#1176081).
• net/packet: Remove redundant skb->protocol set (bsc#1176081).
• resource: Fix find_next_iomem_res() iteration issue (bsc#1181193).
• scsi: scsi_dh_alua: Retry RTPG on a different path after failure (bsc#1174978 bsc#1185701).
• SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
• SUNRPC: More fixes for backlog congestion (bsc#1185428).
• x86/crash: Add e820 reserved ranges to kdump kernel's e820 table (bsc#1181193).
• x86/debug: Extend the lower bound of crash kernel low reservations (bsc#1153720).
• x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED (bsc#1181193).
• x86/mm: Rework ioremap resource mapping determination (bsc#1181193).

This update for curl fixes the following issues:

• CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
• CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
• CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
• CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

This update for shim fixes the following issues:
Update to shim to 15.4-4.7.1, Version: 15.4, 'Thu Jul 15 2021' Update the SLE signatures
Includes fixes for various bugs in MOK handling and booting (bsc#1187696, bsc#1185261, bsc#1185441, bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261, bsc#1187260, bsc#1185232)
Remove shim-install because the shim-install is updated in the RPM.

This update for growpart-rootgrow fixes the following issues:

• Change the logic to determine the partition ID of the root filesystem (bsc#1188179) + Previously the algorithm depended on the order of the output from lsblk using an index to keep track of the known partitions. The new implementation is order independent, it depends on the partition ID being numerical in nature and at the end of the device string.

• Add coverage config. Omit version module from coverage check.

• Fix string formatting for flake8 formatting.

• Replace travis testing with GitHub actions. Add ci testing workflow action.

• Switch implementation to use Popen for Python 3.4 compatibility (bsc#1165198)

• Bump version: 1.0.2 → 1.0.3

• Fixed unit tests and style This clobbers several fixes into one. Sorry about it but I started on already made changes done by other people. This commit includes several pep8 style fixes mostly on the indentation level. In addition it fixes the unit tests to really cover all code and to make the exception tests really effective.

• Switch to use Popen instead of run The run() fuction in the subprocess module was implemented after Python 3.4. However, we need to support Python 3.4 for SLES 12

• Bump version: 1.0.1 → 1.0.2

• Package LICENSE file The LICENSE file is part of the source repo but was not packaged with the rpm package

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for qemu fixes the following issues:
Security issues fixed:

• CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
• CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
• CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
• CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
• CVE-2021-3582: Fix possible mremap overflow in the pvrdma (bsc#1187499)
• CVE-2021-3607: Ensure correct input on ring init (bsc#1187539)
• CVE-2021-3608: Fix the ring init error flow (bsc#1187538)
• CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
• CVE-2020-25085: Fix out-of-bounds access issue while doing multi block SDMA (bsc#1176681)

• QEMU BIOS fails to read stage2 loader (on s390x)(bsc#1186290)
• Fix qemu hang while cancelling migrating hugepage vm (bsc#1185591)

This update for sca-appliance-common, supportutils fixes the following issues:

• Adding ethtool options to the supportconfigt. (jsc#SLE-18239, jsc#SLE-18344)
• Fixed and issue when 'lsof' causes performance problems. (bsc#1186687)
• Exclude 'rhn.conf' from 'etc.txt' to prevent supportconfig capturing passwords in clear text. (bsc#1186347)
• Fix 'analyzevmcore' to supports local directories. (bsc#1186397)
• Fix for 'getappcore' checking for valid compression binary. (bsc#1185991)
• Fixed 'getappcore' to prevent triggering errors with help message. (bsc#1185993)

This update for growpart-rootgrow fixes the following issues:

• Fix root partition ID lookup. Only consider trailing digits to be part of the paritition ID. (bsc#1188868) (bsc#1188904)

This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)

This update for c-ares fixes the following issues:
Version update to git snapshot 1.17.1+20200724:

• CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
• If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash
• Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
• Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
• Use unbuffered /dev/urandom for random data to prevent early startup performance issues

This update for cpio fixes the following issues:

• A regression in last update would cause builds to hang on various architectures(bsc#1189465)

This update for cpio fixes the following issues:

• A regression in the previous update could lead to crashes (bsc#1189465)

This update for krb5 fixes the following issues:

• CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)

This update for dbus-1 fixes the following issues:

• CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505)

This update for openssl-1_1 fixes the following security issue:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for bind fixes the following issues:

• Fix an assertion failure in the 'rehash()' function (bsc#1188763) When calculating the new hashtable bitsize, there was an off-by-one error that would allow the new bitsize to be larger than maximum allowed.
• tsig-keygen is now used to generate DDNS keys (bsc#1187921)

This update for libesmtp fixes the following issues:

• CVE-2019-19977: Fixed stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).

This update for openldap2 fixes the following issue:

• openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

This update for pcre2 fixes the following issue:

• Equalizes the result of a function that may have different output on s390x if compared to older (bsc#1187937)

This update for runc fixes the following issues:

• Fixed an issue when toolbox container fails to start. (bsc#1189743)

This update for openssl-1_1 fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

This update for SUSEConnect fixes the following issues:

• Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
• Add subscription name to output of 'SUSEConnect --status'.
• send payload of GET requests as part of the url, not in the body (see bsc#1185611)

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for c-ares fixes the following issue:

• Allow '_' as part of DNS response. (bsc#1190225) - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which contained underscores.

This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:

• implement new socket option PR_SockOpt_DontFrag
• support larger DNS records by increasing the default buffer size for DNS queries
• Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138
• PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version.

• bmo#1713562 - Fix test leak.
• bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
• bmo#1693206 - Implement PKCS8 export of ECDSA keys.
• bmo#1712883 - DTLS 1.3 draft-43.
• bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
• bmo#1713562 - Validate ECH public names.
• bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

• bmo#1683710 - Add a means to disable ALPN.
• bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
• bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
• bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
• bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

• bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
• bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
• bmo#1708307 - Remove Trustis FPS Root CA from NSS.
• bmo#1707097 - Add Certum Trusted Root CA to NSS.
• bmo#1707097 - Add Certum EC-384 CA to NSS.
• bmo#1703942 - Add ANF Secure Server Root CA to NSS.
• bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
• bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
• bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
• bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
• bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
• bmo#1709291 - Add VerifyCodeSigningCertificateChain.

• bmo#1709654 - Update for NetBSD configuration.
• bmo#1709750 - Disable HPKE test when fuzzing.
• bmo#1566124 - Optimize AES-GCM for ppc64le.
• bmo#1699021 - Add AES-256-GCM to HPKE.
• bmo#1698419 - ECH -10 updates.
• bmo#1692930 - Update HPKE to final version.
• bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
• bmo#1703936 - New coverity/cpp scanner errors.
• bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
• bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
• bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

• bmo#1705286 - Properly detect mips64.
• bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and

• bmo#1697380 - Make a clang-format run on top of helpful contributions.
• bmo#1683520 - ECCKiila P384, change syntax of nested structs

• bmo#1688374 - Fix parallel build NSS-3.61 with make
• bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()

• bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key

• TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
• December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.

• bmo#1679290 - Fix potential deadlock with certain third-party

• Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

• bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
• bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
• bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
• bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
• bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed

• bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
• bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
• bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
• bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
• bmo#1667153 - Add PK11_ImportDataKey for data object import.
• bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.

• The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
• The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
• Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed.
• https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

• bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
• bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
• bmo#1654142 - Add CPU feature detection for Intel SHA extension.
• bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
• bmo#1656986 - Properly detect arm64 during GYP build architecture

• P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
• PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
• DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

• bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
• bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
• bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
• bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
• bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
• bmo#1646594 - Fix AVX2 detection in makefile builds.
• bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
• bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
• bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
• bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
• bmo#1649226 - Add Wycheproof ECDSA tests.
• bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
• bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
• bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.

• Support for TLS 1.3 external pre-shared keys (bmo#1603042).
• Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
• The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
• The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.

• A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.

• bmo#1528113 - Use ARM Cryptography Extension for SHA256.
• bmo#1603042 - Add TLS 1.3 external PSK support.
• bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
• bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
• bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
• bmo#1641716 - Add Microsoft's non-EV root certificates.
• bmo1621151 - Disable email trust bit for 'O=Government

This update for google-guest-oslogin contains the following fixes:

• Update to version 20210728.00 (bsc#1188992, bsc#1189041) * JSON object cleanup (#65)

• Update to version 20210707.00 * throw exceptions in cache_refresh (#64)

• from version 20210702.00 * Use IP address for calling the metadata server. (#63)

• Update to version 20210618.00 * flush each group member write (#62)

This update for grub2, efibootmgr provides the following fixes:

• Ship package grub2-arm64-efi and the required efibootmgr also to ppc64le, s390x and x86_64 (bsc#1186565)
• Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
• Fix ocasional boot failure after kdump procedure when using XFS (bsc#1186975)

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for shim-susesigned fixes the following issues:
Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.
This update addresses the 'susesigned' shim component.
shim was updated to 15.4 (bsc#1182057)

• console: Move the countdown function to console.c
• fallback: show a countdown menu before reset
• MOK: Fix the missing vendor cert in MokListRT
• mok: fix the mirroring of RT variables
• Add the license change statement for errlog.c and mok.c
• Remove a couple of incorrect license claims.
• MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
• Make EFI variable copying fatal only on secureboot enabled systems
• Remove call to TPM2 get_event_log
• tpm: Fix off-by-one error when calculating event size
• tpm: Define EFI_VARIABLE_DATA_TREE as packed
• tpm: Don't log duplicate identical events
• VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
• OpenSSL: always provide OBJ_create() with name strings.
• translate_slashes(): don't write to string literals
• Fix a use of strlen() instead of Strlen()
• shim: Update EFI_LOADED_IMAGE with the second stage loader file path
• tpm: Include information about PE/COFF images in the TPM Event Log
• Fix a broken tpm type
• All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.
• Fix the NULL pointer dereference in AuthenticodeVerify()
• Remove the build ID to make the binary reproducible when building with AArch64 container
• Prevent the build id being added to the binary. That can cause issues with the signature
• Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
• Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
• Relax the maximum variable size check for u-boot
• Relax the check for import_mok_state() when Secure Boot is off
• Relax the check for the LoadOptions length
• Fix the size of rela* sections for AArch64
• Disable exporting vendor-dbx to MokListXRT
• Don't call QueryVariableInfo() on EFI 1.10 machines
• Avoid buffer overflow when copying the MOK config table
• Avoid deleting the mirrored RT variables
• Update to 15.3 for SBAT support (bsc#1182057)
• Generate vender-specific SBAT metadata
• Rename the SBAT variable and fix the self-check of SBAT
• Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261)
• shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
• shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)
• shim-install: always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464)
• shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
• Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt

This update for xfsprogs fixes the following issues:

• Fixes an issue when 'fstests' with 'xfs' fail. (bsc#1181309, bsc#1181299)
• xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
• mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
• mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
• xfs_growfs: Refactor geometry reporting. (bsc#1181306)
• xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
• xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
• xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
• xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
• xfs_bmap: Do not reject '-e'. (bsc#1189552)
• Implement 'libhandle1' through ECO. (jsc#SLE-20360)

This update for docker fixes the following issues:

• Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34.
• Add shell requires for the *-completion subpackages.

This update for ca-certificates-mozilla fixes the following issues:

• remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858)

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

This update for sudo fixes the following issues:

• Update to sudo 1.8.27 (jsc#SLE-17083).
• Fixed special handling of ipa_hostname (bsc#1181371).
• Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf (bsc#1176473).

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
• Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
• Rules weren't applied to dm devices (multipath) (bsc#1188713).
• Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
• Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
• Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

This update for glibc fixes the following issues:

• CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
• CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

This update for kdump fixes the following issues:

• Make sure that the udev runtime directory exists (bsc#1164713).
• Add 'bootdev=' to dracut command line (bsc#1182309).
• Query systemd network.service to find out if wicked is used (bsc#1182309).
• Install /etc/resolv.conf using its resolved path (bsc#1183070).
• Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).
• Do not add network-related dracut options if ip= is set explicitly (bsc#1182309, bsc#1188090).
• Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
• Do not iterate past end of string (bsc#1186037).
• Activate udev rules late during boot (bsc#1154837).
• Make sure that initrd.target.wants directory exists (bsc#1172670).

This update for xkeyboard-config fixes the following issue:

• Wrong keyboard mapping causing input delays with ABNT2 keyboards. (bsc#1191242)

The SUSE Linux Enterprise 15 SP2 kernel was updated.

The following security bugs were fixed:

• CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
• CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
• CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
• CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
• CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
• CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)

• ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
• apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
• ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
• ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
• ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
• ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
• ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
• ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
• ath9k: fix sleeping in atomic context (git-fixes).
• blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
• blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
• blk-mq: mark if one queue map uses managed irq (bsc#1185762).
• Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
• bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
• bnxt_en: Add missing DMA memory barriers (git-fixes).
• bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
• bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
• bnxt_en: Store the running firmware version code (git-fixes).
• bnxt: count Tx drops (git-fixes).
• bnxt: disable napi before canceling DIM (git-fixes).
• bnxt: do not lock the tx queue from napi poll (git-fixes).
• bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
• btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
• clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
• clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
• console: consume APC, DM, DCS (git-fixes).
• cuse: fix broken release (bsc#1190596).
• cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
• debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
• devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
• dmaengine: ioat: depends on !UML (git-fixes).
• dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
• dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
• docs: Fix infiniband uverbs minor number (git-fixes).
• drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
• drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
• drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
• drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
• drm/amdgpu: Fix BUG_ON assert (git-fixes).
• drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
• drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
• drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
• e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
• e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
• EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
• EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
• erofs: fix up erofs_lookup tracepoint (git-fixes).
• fbmem: do not allow too huge resolutions (git-fixes).
• fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
• fpga: machxo2-spi: Return an error on failure (git-fixes).
• fuse: flush extending writes (bsc#1190595).
• fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
• genirq: add device_has_managed_msi_irq (bsc#1185762).
• gpio: uniphier: Fix void functions to remove return value (git-fixes).
• gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
• gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
• hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
• hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
• hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
• hwmon: (tmp421) fix rounding for negative values (git-fixes).
• hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
• i40e: Add additional info to PHY type error (git-fixes).
• i40e: Fix firmware LLDP agent related warning (git-fixes).
• i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
• i40e: Fix logic of disabling queues (git-fixes).
• i40e: Fix queue-to-TC mapping on Tx (git-fixes).
• iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
• iavf: Set RSS LUT and key in reset handle path (git-fixes).
• ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
• ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
• ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
• ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
• ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
• ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
• ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
• ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
• ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
• ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
• ice: Prevent probing virtual functions (git-fixes).
• iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
• include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
• iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
• ionic: cleanly release devlink instance (bsc#1167773).
• ionic: count csum_none when offload enabled (bsc#1167773).
• ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
• ipc/util.c: use binary search for max_idx (bsc#1159886).
• ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
• ipvs: avoid expiring many connections from timer (bsc#1190467).
• ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
• ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
• iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
• kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
• kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
• kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
• kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
• libata: fix ata_host_start() (git-fixes).
• mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
• mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
• mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
• mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
• mac80211: mesh: fix potentially unaligned access (git-fixes).
• media: cedrus: Fix SUNXI tile size calculation (git-fixes).
• media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
• media: dib8000: rewrite the init prbs logic (git-fixes).
• media: imx258: Limit the max analogue gain to 480 (git-fixes).
• media: imx258: Rectify mismatch of VTS value (git-fixes).
• media: rc-loopback: return number of emitters rather than error (git-fixes).
• media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
• media: uvc: do not do DMA on stack (git-fixes).
• media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
• mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
• mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
• mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
• mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
• mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
• mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
• mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
• net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
• net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
• net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
• net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
• net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
• net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
• net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
• net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
• net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
• net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
• net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
• net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
• net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
• net/mlx5: Fix flow table chaining (git-fixes).
• net/mlx5: Fix return value from tracer initialization (git-fixes).
• net/mlx5: Unload device upon firmware fatal error (git-fixes).
• net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
• net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
• net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
• netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
• nfp: update ethtool reporting of pauseframe control (git-fixes).
• NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
• NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
• NFS: pass cred explicitly for access tests (bsc#1190746).
• nvme: avoid race in shutdown namespace removal (bsc#1188067).
• nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
• parport: remove non-zero check on count (git-fixes).
• PCI: aardvark: Fix checking for PIO status (git-fixes).
• PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
• PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
• PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
• PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
• PCI: Add AMD GPU multi-function power dependencies (git-fixes).
• PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
• PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
• PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
• PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
• PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
• PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
• PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
• PM: EM: Increase energy calculation precision (git-fixes).
• power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
• power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
• powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
• powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
• powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
• powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
• powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
• powerpc/perf: Fix the check for SIAR value (bsc#1065729).
• powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
• powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
• powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
• powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
• powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
• powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
• powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
• pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
• pwm: img: Do not modify HW state in .remove() callback (git-fixes).
• pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
• pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
• qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
• RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
• Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
• regmap: fix page selection for noinc reads (git-fixes).
• regmap: fix page selection for noinc writes (git-fixes).
• regmap: fix the offset of register error log (git-fixes).
• Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
• rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
• rpm/kernel-binary.spec: Use only non-empty certificates.
• rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
• rtc: rx8010: select REGMAP_I2C (git-fixes).
• rtc: tps65910: Correct driver module alias (git-fixes).
• s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
• sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
• scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
• scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
• scsi: fc: Add EDC ELS definition (bsc#1190576).
• scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
• scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
• scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
• scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
• scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
• scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
• scsi: lpfc: Add EDC ELS support (bsc#1190576).
• scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
• scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
• scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
• scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
• scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
• scsi: lpfc: Add support for the CM framework (bsc#1190576).
• scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
• scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
• scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
• scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
• scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
• scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
• scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
• scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
• scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
• scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
• scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
• scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
• scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
• scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
• scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
• scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
• scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
• scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
• scsi: lpfc: Remove unneeded variable (bsc#1190576).
• scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
• scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
• scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
• scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
• scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
• scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
• scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
• serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
• serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
• serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
• serial: sh-sci: fix break handling for sysrq (git-fixes).
• spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
• staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
• staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
• staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
• thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
• time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
• tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
• tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
• tty: synclink_gt, drop unneeded forward declarations (git-fixes).
• usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
• usb: core: hcd: Add support for deferring roothub registration (git-fixes).
• usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
• usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
• usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
• usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
• usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
• usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
• usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
• usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
• usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
• usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
• usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
• usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
• usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
• usb: serial: option: add Telit LN920 compositions (git-fixes).
• usb: serial: option: remove duplicate USB device ID (git-fixes).
• usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
• usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
• video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
• video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
• video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
• video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
• vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
• vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
• vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
• vmxnet3: prepare for version 6 changes (bsc#1190406).
• vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
• vmxnet3: set correct hash type based on rss information (bsc#1190406).
• vmxnet3: update to version 6 (bsc#1190406).
• watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
• x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
• x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
• x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
• x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
• x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
• x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
• xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
• xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
• xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
• xhci: Set HCD flag to defer primary roothub registration (git-fixes).

This update for krb5 fixes the following issues:

• CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

This update for yast2-network fixes the following issues:

• Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
• Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
• Consider aliases sections as case insensitive (bsc#1190739).
• Display user defined device name in the devices overview (bnc#1190645).
• Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
• Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
• Fix desktop file so the control center tooltip is translated (bsc#1187270).
• Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
• Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

• CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

• Install systemd service file as well (bsc#1190826)

• Fixed a failure to set CPU quota period in some cases on cgroup v1.
• Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped.
• Made release builds reproducible from now on.
• Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
• Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

• Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
• Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
• cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
• cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
• cgroup/systemd/v2: don't freeze cgroup on Set.
• cgroup/systemd/v1: avoid unnecessary freeze on Set.
• fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

• cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
• cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
• cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
• cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
• cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
• cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
• cgroupv2: support SkipDevices with systemd driver
• cgroup/systemd: return, not ignore, stop unit error from Destroy
• Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
• cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
• cgroup1: blkio: support BFQ weights.
• cgroupv2: set per-device io weights if BFQ IO scheduler is available.

• cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

• seccomp: fix 32-bit compilation errors
• runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
• runc start: fix 'chdir to cwd: permission denied' for some setups

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for util-linux fixes the following issues:
Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

• CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
• agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
• mount: Fix 'mount' output for net file systems (bsc#1122417).
• ipcs: Avoid overflows (bsc#1178236)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for less fixes the following issues:

• Add missing runtime dependency on package 'which', that is used by lessopen.sh (bsc#1190552)

This update for qemu fixes the following issues:
Security issues fixed:

• Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
• Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
• usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682)
• NULL pointer dereference in ESP (bsc#1180433, CVE-2020-35504) (bsc#1180434, CVE-2020-35505) (bsc#1180435, CVE-2020-35506)
• NULL pointer dereference issue in megasas-gen2 host bus adapter (bsc#1180432, CVE-2020-35503)
• eepro100: stack overflow via infinite recursion (bsc#1182651, CVE-2021-20255)
• usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527)

• Use max host physical address if -cpu max is used (bsc#1188299)

This update for SUSEConnect contains the following fix:

• Update to 0.3.32: - Allow --regcode and --instance-data attributes at the same time. (jsc#PCT-164) - Document that 'debug' can also get set in the config file. - --status will also print the subscription name.

This update for samba fixes the following issues:

• CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
• CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).

This update for bind fixes the following issues:

• CVE-2021-25219: Fixed lame cache that could have been abused to severely degrade resolver performance (bsc#1192146).

This update for zypper fixes the following issues:

• Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
• Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
• Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
• Protect against strict/relaxed user umask via sudo. (bsc#1183589)
• xml summary: Add solvables repository alias. (bsc#1182372)
• Allow trusted repos to add additional signing keys. (bsc#1184326)
• MediaCurl: Fix logging of redirects.
• Let negative values wait forever for the zypp lock. (bsc#1184399)
• Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
• Fix service detection with cgroupv2. (bsc#1184997)
• Add hints to 'trust GPG key' prompt.
• Enhance XML output of repo GPG options
• Add optional attributes showing the raw values actually present in the '.repo' file.
• Link all executables with -pie (bsc#1186447)
• Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
• Fix solver jobs for PTFs. (bsc#1186503)
• choice rules: treat orphaned packages as newest. (bc#1190465)
• Add need reboot/restart hint to XML install summary. (bsc#1188435)
• Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
• Fix obs:// platform guessing for Leap. (bsc#1187425)
• Fix purge-kernels fails. (bsc#1187738)
• Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
• Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
• Do not check of signatures and keys two times(redundant). (bsc#1190059)
• Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
• Show key fpr from signature when signature check fails. (bsc#1187224)
• Make sure to keep states alives while transitioning. (bsc#1190199)
• Fix crashes in logging code when shutting down. (bsc#1189031)
• Manpage: Improve description about patch updates. (bsc#1187466)
• Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
• Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
• Disable logger in the child after fork (bsc#1192436)
• Check log writer before accessing it (bsc#1192337)
• Allow uname-r format in purge kernels keepspec
• zypper should keep cached files if transaction is aborted (bsc#1190356)
• Require a minimum number of mirrors for multicurl (bsc#1191609)
• Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
• Fix translations (bsc#1191370)
• RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)

This update for xfsprogs fixes the following issues:

• Make libhandle1 an explicit dependency in the xfsprogs-devel package (bsc#1191566)
• Remove deprecated barrier/nobarrier mount options from manual pages section 5 (bsc#1191675)
• xfs_io: include support for label command (bsc#1191500)
• xfs_quota: state command to report all three (-ugp) grace times separately (bsc#1189983)
• xfs_admin: add support for external log devices (bsc#1189984)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for systemd fixes the following issues:

• Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
• Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
• shutdown: Reduce log level of unmounts (bsc#1191252)
• pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
• core: rework how we connect to the bus (bsc#1190325)
• mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
• virt: detect Amazon EC2 Nitro instance (bsc#1190440)
• Several fixes for umount
• busctl: use usec granularity for the timestamp printed by the busctl monitor command
• fix unitialized fields in MountPoint in dm_list_get()
• shutdown: explicitly set a log target
• mount-util: add mount_option_mangle()
• dissect: automatically mark partitions read-only that have a read-only file system
• build-sys: require proper libmount version
• systemd-shutdown: use log_set_prohibit_ipc(true)
• rationalize interface for opening/closing logging
• pid1: when we can't log to journal, remember our fallback log target
• log: remove LOG_TARGET_SAFE pseudo log target
• log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
• log: add new 'prohibit_ipc' flag to logging system
• log: make log_set_upgrade_syslog_to_journal() take effect immediately
• dbus: split up bus_done() into seperate functions
• machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
• virt: if we detect Xen by DMI, trust that over CPUID

This update for grub2 fixes the following issues:

• Fix boot failure as journaled data not get drained due to abrupt power off after grub-install (bsc#1167756)
• Fix boot failure after kdump due to the content of grub.cfg to pending modificaton in xfs journal (bsc#1186975)

This update for glibc fixes the following issues:

• libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
• CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

This update for ruby2.5 fixes the following issues:

• CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
• CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
• CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).

This update for suse-module-tools fixes the following issues:

• rpm-script: fix bad exit status in OpenQA (bsc#1191922)
• cert-script: Deal with existing $cert.delete file (bsc#1191804)
• cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480)
• cert-script: Only print mokutil output in verbose mode
• inkmp-script(postun): don't pass existing files to weak-modules2 (bsc#1191200)
• kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260)
• rpm-script: link config also into /boot (bsc#1189879)
• Import kernel scriptlets from kernel-source (bsc#1189841, bsc#1190598)

The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

• Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)

• CVE-2021-0941: In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192045).
• CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
• CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
• CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).
• CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
• CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
• CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
• CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
• CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
• CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
• CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
• CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
• CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
• CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
• CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
• CVE-2021-42252: An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes (bnc#1190479).
• CVE-2021-41864: prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel allowed unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write (bnc#1191317).
• CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
• CVE-2021-3759: Unaccounted ipc objects could have lead to breaking memcg limits and DoS attacks (bsc#1190115).
• CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
• CVE-2021-3752: Fixed a use after free vulnerability in the bluetooth module. (bsc#1190023)
• CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
• CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
• CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
• CVE-2020-12770: An issue was discovered in the Linux kernel sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040 (bnc#1171420).
• CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
• CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario (bnc#1133374).
• CVE-2019-3874: The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. (bnc#1129898).
• CVE-2018-9517: In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108488).
• CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
• CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
• CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
• CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399).
• CVE-2021-3656: Missing validation of the the `virt_ext` VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
• CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
• CVE-2021-3679: A lack of CPU resource in the tracing module functionality was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
• CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#0 bnc#1177666 bnc#1181158).
• CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
• CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
• CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838 bnc#1190276).
• CVE-2021-22543: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allowed users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation (bnc#1186482 bnc#1190276).
• CVE-2021-33909: fs/seq_file.c did not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05 (bnc#1188062 bnc#1188063).

• Add arch-dependent support markers in supported.conf (bsc#1186672)
• Add the support for kernel-FLAVOR-optional subpackage (jsc#SLE-11796)
• bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22913)
• bpf: Disallow unprivileged bpf by default (jsc#SLE-22913).
• ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1191888).
• config: disable unprivileged BPF by default (jsc#SLE-22913)
• cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
• drm: fix spectre issue in vmw_execbuf_ioctl (bsc#1192802).
• ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
• gigaset: fix spectre issue in do_data_b3_req (bsc#1192802).
• hisax: fix spectre issues (bsc#1192802).
• hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185726).
• hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
• hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
• hysdn: fix spectre issue in hycapi_send_message (bsc#1192802).
• infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
• infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
• ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
• iwlwifi: fix spectre issue in iwl_dbgfs_update_pm (bsc#1192802).
• kernel-binary.spec: Exctract s390 decompression code (jsc#SLE-17042).
• kernel-binary.spec: Fix up usrmerge for non-modular kernels.
• kernel-binary.spec.in: build-id check requires elfutils.
• kernel-binary.spec.in: Regenerate makefile when not using mkmakefile.
• kernel-binary.spec: Only use mkmakefile when it exists Linux 5.13 no longer had a mkmakefile script
• kernel-binary.spec: Remove obsolete and wrong comment mkmakefile is repleced by echo on newer kernel
• kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
• media: dvb_ca_en50221: prevent using slot_info for Spectre attacs (bsc#1192802).
• media: dvb_ca_en50221: sanity check slot number from userspace (bsc#1192802).
• media: wl128x: get rid of a potential spectre issue (bsc#1192802).
• memcg: enable accounting for file lock caches (bsc#1190115).
• mm/memory.c: do_fault: avoid usage of stale vm_area_struct (bsc#1136513).
• mpt3sas: fix spectre issues (bsc#1192802).
• net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
• net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
• net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
• net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
• net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191800).
• net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
• net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
• net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
• net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
• net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
• net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
• net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
• net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
• net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() (bsc#1192802).
• NFS: Do uncached readdir when we're seeking a cookie in an empty page cache (bsc#1191628).
• objtool: Do not fail on missing symbol table (bsc#1192379).
• osst: fix spectre issue in osst_verify_frame (bsc#1192802).
• ovl: check whiteout in ovl_create_over_whiteout() (bsc#1189846).
• ovl: filter of trusted xattr results in audit (bsc#1189846).
• ovl: fix dentry leak in ovl_get_redirect (bsc#1189846).
• ovl: initialize error in ovl_copy_xattr (bsc#1189846).
• ovl: relax WARN_ON() on rename to self (bsc#1189846).
• PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
• Revert 'memcg: enable accounting for file lock caches (bsc#1190115).' This reverts commit 912b4421a3e9bb9f0ef1aadc64a436666259bd4d. It's effectively upstream commit 3754707bcc3e190e5dadc978d172b61e809cb3bd applied to kernel-source (to avoid proliferation of patches). Make a note in blacklist.conf too.
• s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
• s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
• s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
• s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
• s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
• scripts/git_sort/git_sort.py: add bpf git repo
• scripts/git_sort/git_sort.py: Update nvme repositories
• scsi: libfc: Fix array index out of bound exception (bsc#1188616).
• scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1191349).
• scsi: lpfc: Fix memory overwrite during FC-GS I/O abort handling (bsc#1191349 bsc#1191457).
• scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1191349 bsc#1191457).
• scsi: target: avoid using lun_tg_pt_gp after unlock (bsc#1186078).
• sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
• sctp: fully initialize v4 addr in some functions (bsc#1188563).
• sysvipc/sem: mitigate semnum index against spectre v1 (bsc#1192802).
• target: core: Fix sense key for invalid XCOPY request (bsc#1186078).
• Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
• Use /usr/lib/modules as module dir when usermerge is active in the target distro.
• UsrMerge the kernel (boo#1184804)
• x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
• xfrm: xfrm_state_mtu should return at least 1280 for ipv6 (bsc#1185377).

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for aaa_base fixes the following issues:

• Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
• Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
• Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
• Support xz compressed kernel (bsc#1162581)

This update for curl fixes the following issues:

• Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:

• CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This update for openssh fixes the following issues:

• CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).

This update for suse-module-tools fixes the following issues:

• Blacklist isst_if_mbox_msr driver because uses hardware information based on CPU family and model, which is too unspecific. On large systems, this causes a lot of failing loading attempts for this driver, leading to slow or even stalled boot (bsc#1187196)

This update for python3 fixes the following issues:

• CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
• CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
• CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)

• Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338).

This update for openssl-1_1 fixes the following issues:

• Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters consistently with our other codestreams (bsc#1180995)

This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory note has undesired side effects for the local nt token. Fallback to a SID/UID based mapping if the name based lookup fails (bsc#1192849).

This update for systemd fixes the following issues:

• Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates

This update for p11-kit fixes the following issues:

• CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
• Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

This update for runc fixes the following issues:
Update to runc v1.0.3.

• CVE-2021-43784: Fixed a potential vulnerability related to the internal usage of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
• Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
• Fixed inability to start when read-only /dev in set in spec.
• Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd.
• Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes).

This update for zlib fixes the following issues:

• Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

This update for apparmor fixes the following issues:

• Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

This update for libzypp fixes the following issues:

• Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
• Fix wrong encoding of URI compontents of ISO images (bsc#954813)
• When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
• Introduce zypp-curl as a sublibrary for CURL related code
• zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
• Save all signatures associated with a public key in its PublicKeyData

This update for mozilla-nss and MozillaFirefox fix the following issues:
mozilla-nss:

• Update from version 3.68.1 to 3.68.2 (bsc#1193845)
• Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation

• Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
• Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation to fix frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains

This update for dosfstools fixes the following issues:

• To be able to create filesystems compatible with previous version, add -g command line option to mkfs (bsc#1188401)
• BREAKING CHANGES: After fixing of bsc#1172863 in the last update, mkfs started to create different images than before. Applications that depend on exact FAT file format (e. g. embedded systems) may be broken in two ways: * The introduction of the alignment may create smaller images than before, with a different positions of important image elements. It can break existing software that expect images in doststools <= 4.1 style. To work around these problems, use '-a' command line argument. * The new image may contain a different geometry values. Geometry sensitive applications expecting doststools <= 4.1 style images can fails to accept different geometry values. There is no direct work around for this problem. But you can take the old image, use 'file -s $IMAGE', check its 'sectors/track' and 'heads', and use them in the newly introduced '-g' command line argument.

This update for cloud-netconfig fixes the following issues:

• Update to version 1.6: + Ignore proxy when accessing metadata (bsc#1187939) + Print warning in case metadata is not accessible + Documentation update

This update for expat fixes the following issues:

• CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
• CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
• CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
• CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
• CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
• CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
• CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
• CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

This update for json-c fixes the following issues:

• CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)

SUSE-IU-2021:413-1

This update for systemd fixes the following issues:

• Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
• Fix for an issue when container start causes interference in other containers. (bsc#1178775)

This update for lvm2 fixes the following issue:

• Fixes an issue when boot logical volume gets unmounted during patching. (bsc#1177533)
• Fix for lvm2 to use 'external_device_info_source='udev'' by default. (bsc#1179691)
• Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738)
• Fixed an issue when after storage migration major performance issues occurred on the system. (bsc#1179326)

This update for cups fixes the following issues:

• CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
• CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for lvm2 fixes the following issues:

• lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691).

This update for libselinux fixes the following issues:

• Corrected the license to public domain (bsc#1180603)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

SUSE-IU-2021:2-1

This update for google-osconfig-agent fixes the following issues:
This update ships the google-osconfig-agent in version 20200929.00 (bsc#1176427, bsc#1178249, jsc#ECO-2702, jsc#PM-2203)

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

• CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
• CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
• CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
• CVE-2020-27777: Restrict RTAS requests from userspace (bsc#1179107).
• CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
• CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
• CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

• ACPI: GED: fix -Wformat (git-fixes).
• ALSA: ctl: fix error path at adding user-defined element set (git-fixes).
• ALSA: firewire: Clean up a locking issue in copy_resp_to_buf() (git-fixes).
• ALSA: mixart: Fix mutex deadlock (git-fixes).
• arm64: KVM: Fix system register enumeration (bsc#1174726).
• arm/arm64: KVM: Add PSCI version selection API (bsc#1174726).
• ASoC: qcom: lpass-platform: Fix memory leak (git-fixes).
• ath10k: Acquire tx_lock in tx error paths (git-fixes).
• batman-adv: set .owner to THIS_MODULE (git-fixes).
• Bluetooth: btusb: Fix and detect most of the Chinese Bluetooth controllers (git-fixes).
• Bluetooth: hci_bcm: fix freeing not-requested IRQ (git-fixes).
• bpf: Zero-fill re-used per-cpu map element (git-fixes).
• btrfs: account ticket size at add/delete time (bsc#1178897).
• btrfs: add helper to obtain number of devices with ongoing dev-replace (bsc#1178897).
• btrfs: check rw_devices, not num_devices for balance (bsc#1178897).
• btrfs: do not delete mismatched root refs (bsc#1178962).
• btrfs: fix btrfs_calc_reclaim_metadata_size calculation (bsc#1178897).
• btrfs: fix force usage in inc_block_group_ro (bsc#1178897).
• btrfs: fix invalid removal of root ref (bsc#1178962).
• btrfs: fix reclaim counter leak of space_info objects (bsc#1178897).
• btrfs: fix reclaim_size counter leak after stealing from global reserve (bsc#1178897).
• btrfs: kill min_allocable_bytes in inc_block_group_ro (bsc#1178897).
• btrfs: rework arguments of btrfs_unlink_subvol (bsc#1178962).
• btrfs: split dev-replace locking helpers for read and write (bsc#1178897).
• can: af_can: prevent potential access of uninitialized member in canfd_rcv() (git-fixes).
• can: af_can: prevent potential access of uninitialized member in can_rcv() (git-fixes).
• can: dev: can_restart(): post buffer from the right context (git-fixes).
• can: gs_usb: fix endianess problem with candleLight firmware (git-fixes).
• can: m_can: fix nominal bitiming tseg2 min for version >= 3.1 (git-fixes).
• can: m_can: m_can_handle_state_change(): fix state change (git-fixes).
• can: m_can: m_can_stop(): set device to software init mode before closing (git-fixes).
• can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() (git-fixes).
• can: peak_usb: fix potential integer overflow on shift of a int (git-fixes).
• ceph: add check_session_state() helper and make it global (bsc#1179259).
• ceph: check session state after bumping session->s_seq (bsc#1179259).
• ceph: fix race in concurrent __ceph_remove_cap invocations (bsc#1178635).
• cifs: Fix incomplete memory allocation on setxattr path (bsc#1179211).
• cifs: remove bogus debug code (bsc#1179427).
• cifs: Return the error from crypt_message when enc/dec key not found (bsc#1179426).
• Convert trailing spaces and periods in path components (bsc#1179424).
• docs: ABI: stable: remove a duplicated documentation (git-fixes).
• docs: ABI: sysfs-c2port: remove a duplicated entry (git-fixes).
• Drivers: hv: vmbus: Remove the unused 'tsc_page' from struct hv_context (git-fixes).
• drm/i915/gvt: Set ENHANCED_FRAME_CAP bit (git-fixes).
• drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() (git-fixes).
• Drop sysctl files for dropped archs, add ppc64le and arm64 (bsc#1178838). Also fix the ppc64 page size.
• efi: cper: Fix possible out-of-bounds access (git-fixes).
• efi/efivars: Add missing kobject_put() in sysfs entry creation error path (git-fixes).
• efi/esrt: Fix reference count leak in esre_create_sysfs_entry (git-fixes).
• efi: provide empty efi_enter_virtual_mode implementation (git-fixes).
• efivarfs: fix memory leak in efivarfs_create() (git-fixes).
• efivarfs: revert 'fix memory leak in efivarfs_create()' (git-fixes).
• efi/x86: Do not panic or BUG() on non-critical error conditions (git-fixes).
• efi/x86: Free efi_pgd with free_pages() (bsc#1112178).
• efi/x86: Ignore the memory attributes table on i386 (git-fixes).
• efi/x86: Map the entire EFI vendor string before copying it (git-fixes).
• fs/proc/array.c: allow reporting eip/esp for all coredumping threads (bsc#1050549).
• fuse: fix page dereference after free (bsc#1179213).
• futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1067665).
• futex: Handle transient 'ownerless' rtmutex state correctly (bsc#1067665).
• hv_balloon: disable warning when floor reached (git-fixes).
• hv_netvsc: deal with bpf API differences in 4.12 (bsc#1177819, bsc#1177820).
• hv_netvsc: make recording RSS hash depend on feature flag (bsc#1178853, bsc#1178854).
• hv_netvsc: record hardware hash in skb (bsc#1178853, bsc#1178854).
• i40iw: Fix error handling in i40iw_manage_arp_cache() (bsc#1111666)
• i40iw: fix null pointer dereference on a null wqe pointer (bsc#1111666)
• i40iw: Report correct firmware version (bsc#1111666)
• IB/cma: Fix ports memory leak in cma_configfs (bsc#1111666)
• IB/core: Set qp->real_qp before it may be accessed (bsc#1111666)
• IB/hfi1: Add missing INVALIDATE opcodes for trace (bsc#1111666)
• IB/hfi1: Add RcvShortLengthErrCnt to hfi1stats (bsc#1111666)
• IB/hfi1: Add software counter for ctxt0 seq drop (bsc#1111666)
• IB/hfi1: Avoid hardlockup with flushlist_lock (bsc#1111666)
• IB/hfi1: Call kobject_put() when kobject_init_and_add() fails (bsc#1111666)
• IB/hfi1: Check for error on call to alloc_rsm_map_table (bsc#1111666)
• IB/hfi1: Close PSM sdma_progress sleep window (bsc#1111666)
• IB/hfi1: Define variables as unsigned long to fix KASAN warning (bsc#1111666)
• IB/hfi1: Ensure full Gen3 speed in a Gen4 system (bsc#1111666)
• IB/hfi1: Fix memory leaks in sysfs registration and unregistration (bsc#1111666)
• IB/hfi1: Fix Spectre v1 vulnerability (bsc#1111666)
• IB/hfi1: Handle port down properly in pio (bsc#1111666)
• IB/hfi1: Handle wakeup of orphaned QPs for pio (bsc#1111666)
• IB/hfi1: Insure freeze_work work_struct is canceled on shutdown (bsc#1111666)
• IB/hfi1, qib: Ensure RCU is locked when accessing list (bsc#1111666)
• IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM (bsc#1111666)
• IB/hfi1: Remove unused define (bsc#1111666)
• IB/hfi1: Silence txreq allocation warnings (bsc#1111666)
• IB/hfi1: Validate page aligned for a given virtual address (bsc#1111666)
• IB/hfi1: Wakeup QPs orphaned on wait list after flush (bsc#1111666)
• IB/ipoib: drop useless LIST_HEAD (bsc#1111666)
• IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode (bsc#1111666)
• IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start (bsc#1111666)
• IB/iser: Fix dma_nents type definition (bsc#1111666)
• IB/iser: Pass the correct number of entries for dma mapped SGL (bsc#1111666)
• IB/mad: Fix use-after-free in ib mad completion handling (bsc#1111666)
• IB/mlx4: Add and improve logging (bsc#1111666)
• IB/mlx4: Add support for MRA (bsc#1111666)
• IB/mlx4: Adjust delayed work when a dup is observed (bsc#1111666)
• IB/mlx4: Fix leak in id_map_find_del (bsc#1111666)
• IB/mlx4: Fix memory leak in add_gid error flow (bsc#1111666)
• IB/mlx4: Fix race condition between catas error reset and aliasguid flows (bsc#1111666)
• IB/mlx4: Fix starvation in paravirt mux/demux (bsc#1111666)
• IB/mlx4: Follow mirror sequence of device add during device removal (bsc#1111666)
• IB/mlx4: Remove unneeded NULL check (bsc#1111666)
• IB/mlx4: Test return value of calls to ib_get_cached_pkey (bsc#1111666)
• IB/mlx5: Add missing XRC options to QP optional params mask (bsc#1111666)
• IB/mlx5: Compare only index part of a memory window rkey (bsc#1111666)
• IB/mlx5: Do not override existing ip_protocol (bsc#1111666)
• IB/mlx5: Fix clean_mr() to work in the expected order (bsc#1111666)
• IB/mlx5: Fix implicit MR release flow (bsc#1111666)
• IB/mlx5: Fix outstanding_pi index for GSI qps (bsc#1111666)
• IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification (bsc#1111666)
• IB/mlx5: Fix unreg_umr to ignore the mkey state (bsc#1111666)
• IB/mlx5: Improve ODP debugging messages (bsc#1111666)
• IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache (bsc#1111666)
• IB/mlx5: Prevent concurrent MR updates during invalidation (bsc#1111666)
• IB/mlx5: Reset access mask when looping inside page fault handler (bsc#1111666)
• IB/mlx5: Set correct write permissions for implicit ODP MR (bsc#1111666)
• IB/mlx5: Use direct mkey destroy command upon UMR unreg failure (bsc#1111666)
• IB/mlx5: Use fragmented QP's buffer for in-kernel users (bsc#1111666)
• IB/mlx5: WQE dump jumps over first 16 bytes (bsc#1111666)
• IB/mthca: fix return value of error branch in mthca_init_cq() (bsc#1111666)
• IB/qib: Call kobject_put() when kobject_init_and_add() fails (bsc#1111666)
• IB/qib: Fix an error code in qib_sdma_verbs_send() (bsc#1111666)
• IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value (bsc#1111666)
• IB/qib: Remove a set-but-not-used variable (bsc#1111666)
• IB/rdmavt: Convert timers to use timer_setup() (bsc#1111666)
• IB/rdmavt: Fix alloc_qpn() WARN_ON() (bsc#1111666)
• IB/rdmavt: Fix sizeof mismatch (bsc#1111666)
• IB/rdmavt: Reset all QPs when the device is shut down (bsc#1111666)
• IB/rxe: Fix incorrect cache cleanup in error flow (bsc#1111666)
• IB/rxe: Make counters thread safe (bsc#1111666)
• IB/srpt: Fix memory leak in srpt_add_one (bsc#1111666)
• IB/umad: Avoid additional device reference during open()/close() (bsc#1111666)
• IB/umad: Avoid destroying device while it is accessed (bsc#1111666)
• IB/umad: Do not check status of nonseekable_open() (bsc#1111666)
• IB/umad: Fix kernel crash while unloading ib_umad (bsc#1111666)
• IB/umad: Refactor code to use cdev_device_add() (bsc#1111666)
• IB/umad: Simplify and avoid dynamic allocation of class (bsc#1111666)
• IB/usnic: Fix out of bounds index check in query pkey (bsc#1111666)
• IB/uverbs: Fix OOPs upon device disassociation (bsc#1111666)
• iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode (git-fixes).
• iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum (git-fixes).
• inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() (git-fixes).
• Input: adxl34x - clean up a data type in adxl34x_probe() (git-fixes).
• iw_cxgb4: fix ECN check on the passive accept (bsc#1111666)
• iw_cxgb4: only reconnect with MPAv1 if the peer aborts (bsc#1111666)
• kABI: add back flush_dcache_range (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• kABI workaround for usermodehelper changes (bsc#1179406).
• KVM: arm64: Add missing #include of - in guest.c (bsc#1174726).
• KVM: arm64: Factor out core register ID enumeration (bsc#1174726).
• KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST (bsc#1174726).
• KVM: arm64: Refactor kvm_arm_num_regs() for easier maintenance (bsc#1174726).
• KVM: arm64: Reject ioctl access to FPSIMD V-regs on SVE vcpus (bsc#1174726).
• KVM host: kabi fixes for psci_version (bsc#1174726).
• libnvdimm/nvdimm/flush: Allow architecture to override the flush barrier (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• locking/lockdep: Add debug_locks check in __lock_downgrade() (bsc#1050549).
• locking/percpu-rwsem: Use this_cpu_{inc,dec}() for read_count (bsc#1050549).
• locktorture: Print ratio of acquisitions, not failures (bsc#1050549).
• mac80211: always wind down STA state (git-fixes).
• mac80211: free sta in sta_info_insert_finish() on errors (git-fixes).
• mac80211: minstrel: fix tx status processing corner case (git-fixes).
• mac80211: minstrel: remove deferred sampling code (git-fixes).
• mm: always have io_remap_pfn_range() set pgprot_decrypted() (bsc#1112178).
• net: ena: Capitalize all log strings and improve code readability (bsc#1177397).
• net: ena: Change license into format to SPDX in all files (bsc#1177397).
• net: ena: Change log message to netif/dev function (bsc#1177397).
• net: ena: Change RSS related macros and variables names (bsc#1177397).
• net: ena: ethtool: Add new device statistics (bsc#1177397).
• net: ena: ethtool: add stats printing to XDP queues (bsc#1177397).
• net: ena: ethtool: convert stat_offset to 64 bit resolution (bsc#1177397).
• net: ena: Fix all static chekers' warnings (bsc#1177397).
• net: ena: Remove redundant print of placement policy (bsc#1177397).
• net: ena: xdp: add queue counters for xdp actions (bsc#1177397).
• netfilter: nat: can't use dst_hold on noref dst (bsc#1178878).
• net/mlx4_core: Fix init_hca fields offset (git-fixes).
• nfc: s3fwrn5: use signed integer for parsing GPIO numbers (git-fixes).
• NFS: mark nfsiod as CPU_INTENSIVE (bsc#1177304).
• NFS: only invalidate dentrys that are clearly invalid (bsc#1178669 bsc#1170139).
• NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION (bsc#1170630).
• PCI: pci-hyperv: Fix build errors on non-SYSFS config (git-fixes).
• pinctrl: amd: fix incorrect way to disable debounce filter (git-fixes).
• pinctrl: amd: use higher precision for 512 RtcClk (git-fixes).
• pinctrl: aspeed: Fix GPI only function problem (git-fixes).
• platform/x86: toshiba_acpi: Fix the wrong variable assignment (git-fixes).
• powerpc/32: define helpers to get L1 cache sizes (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/64: flush_inval_dcache_range() becomes flush_dcache_range() (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/64: reuse PPC32 static inline flush_dcache_range() (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc: Chunk calls to flush_dcache_range in arch_*_memory (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964 git-fixes).
• powerpc: define helpers to get L1 icache sizes (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/mm: Flush cache on memory hot(un)plug (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/pmem: Add flush routines using new pmem store and sync instruction (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/pmem: Add new instructions for persistent storage and sync (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/pmem: Avoid the barrier in flush routines (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/pmem: Fix kernel crash due to wrong range value usage in flush_dcache_range (jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/pmem: Initialize pmem device on newer hardware (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/pmem: Restrict papr_scm to P8 and above (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• powerpc/pmem: Update ppc64 to use the new barrier instruction (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
• RDMA/bnxt_re: Fix lifetimes in bnxt_re_task (bsc#1111666)
• RDMA/bnxt_re: Fix Send Work Entry state check while polling completions (bsc#1111666)
• RDMA/bnxt_re: Fix sizeof mismatch for allocation of pbl_tbl. (bsc#1111666)
• RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message (bsc#1111666)
• RDMA/cma: add missed unregister_pernet_subsys in init failure (bsc#1111666)
• RDMA/cm: Add missing locking around id.state in cm_dup_req_handler (bsc#1111666)
• RDMA/cma: Fix false error message (bsc#1111666)
• RDMA/cma: fix null-ptr-deref Read in cma_cleanup (bsc#1111666)
• RDMA/cma: Protect bind_list and listen_list while finding matching cm id (bsc#1111666)
• RDMA/cm: Fix checking for allowed duplicate listens (bsc#1111666)
• RDMA/cm: Remove a race freeing timewait_info (bsc#1111666)
• RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow (bsc#1111666)
• RDMA/core: Do not depend device ODP capabilities on kconfig option (bsc#1111666)
• RDMA/core: Fix invalid memory access in spec_filter_size (bsc#1111666)
• RDMA/core: Fix locking in ib_uverbs_event_read (bsc#1111666)
• RDMA/core: Fix protection fault in ib_mr_pool_destroy (bsc#1111666)
• RDMA/core: Fix race between destroy and release FD object (bsc#1111666)
• RDMA/core: Fix race when resolving IP address (bsc#1111666)
• RDMA/core: Prevent mixed use of FDs between shared ufiles (bsc#1111666)
• RDMA/cxgb3: Delete and properly mark unimplemented resize CQ function (bsc#1111666)
• RDMA: Directly cast the sockaddr union to sockaddr (bsc#1111666)
• RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN (bsc#1111666)
• RDMA/hns: Correct typo of hns_roce_create_cq() (bsc#1111666)
• RDMA/hns: Remove unsupported modify_port callback (bsc#1111666)
• RDMA/hns: Set the unsupported wr opcode (bsc#1111666)
• RDMA/i40iw: fix a potential NULL pointer dereference (bsc#1111666)
• RDMA/i40iw: Set queue pair state when being queried (bsc#1111666)
• RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah() (bsc#1111666)
• RDMA/ipoib: Remove check for ETH_SS_TEST (bsc#1111666)
• RDMA/ipoib: Return void from ipoib_ib_dev_stop() (bsc#1111666)
• RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces (bsc#1111666)
• RDMA/iwcm: Fix a lock inversion issue (bsc#1111666)
• RDMA/iwcm: Fix iwcm work deallocation (bsc#1111666)
• RDMA/iwcm: move iw_rem_ref() calls out of spinlock (bsc#1111666)
• RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case (bsc#1111666)
• RDMA/iw_cxgb4: Fix the unchecked ep dereference (bsc#1111666)
• RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() (bsc#1111666)
• RDMA/mlx4: Initialize ib_spec on the stack (bsc#1111666)
• RDMA/mlx4: Read pkey table length instead of hardcoded value (bsc#1111666)
• RDMA/mlx5: Clear old rate limit when closing QP (bsc#1111666)
• RDMA/mlx5: Delete unreachable handle_atomic code by simplifying SW completion (bsc#1111666)
• RDMA/mlx5: Fix access to wrong pointer while performing flush due to error (bsc#1111666)
• RDMA/mlx5: Fix a race with mlx5_ib_update_xlt on an implicit MR (bsc#1111666)
• RDMA/mlx5: Fix function name typo 'fileds' -> 'fields' (bsc#1111666)
• RDMA/mlx5: Return proper error value (bsc#1111666)
• RDMA/mlx5: Set GRH fields in query QP on RoCE (bsc#1111666)
• RDMA/mlx5: Verify that QP is created with RQ or SQ (bsc#1111666)
• RDMA/nes: Remove second wait queue initialization call (bsc#1111666)
• RDMA/netlink: Do not always generate an ACK for some netlink operations (bsc#1111666)
• RDMA/ocrdma: Fix out of bounds index check in query pkey (bsc#1111666)
• RDMA/ocrdma: Remove unsupported modify_port callback (bsc#1111666)
• RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe() (bsc#1111666)
• RDMA/qedr: Endianness warnings cleanup (bsc#1111666)
• RDMA/qedr: Fix doorbell setting (bsc#1111666)
• RDMA/qedr: Fix memory leak in user qp and mr (bsc#1111666)
• RDMA/qedr: Fix reported firmware version (bsc#1111666)
• RDMA/qedr: Fix use of uninitialized field (bsc#1111666)
• RDMA/qedr: Remove unsupported modify_port callback (bsc#1111666)
• RDMA/qedr: SRQ's bug fixes (bsc#1111666)
• RDMA/qib: Delete extra line (bsc#1111666)
• RDMA/qib: Remove all occurrences of BUG_ON() (bsc#1111666)
• RDMA/qib: Validate ->show()/store() callbacks before calling them (bsc#1111666)
• RDMA/rxe: Drop pointless checks in rxe_init_ports (bsc#1111666)
• RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM (bsc#1111666)
• RDMA/rxe: Fix configuration of atomic queue pair attributes (bsc#1111666)
• RDMA/rxe: Fix memleak in rxe_mem_init_user (bsc#1111666)
• RDMA/rxe: Fix slab-out-bounds access which lead to kernel crash later (bsc#1111666)
• RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq (bsc#1111666)
• RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars (bsc#1111666)
• RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted to send queue (bsc#1111666)
• RDMA/rxe: Remove unused rxe_mem_map_pages (bsc#1111666)
• RDMA/rxe: Remove useless rxe_init_device_param assignments (bsc#1111666)
• RDMA/rxe: Return void from rxe_init_port_param() (bsc#1111666)
• RDMA/rxe: Return void from rxe_mem_init_dma() (bsc#1111666)
• RDMA/rxe: Set default vendor ID (bsc#1111666)
• RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices (bsc#1111666)
• RDMA/rxe: Skip dgid check in loopback mode (bsc#1111666)
• RDMA/rxe: Use for_each_sg_page iterator on umem SGL (bsc#1111666)
• RDMA/srp: Rework SCSI device reset handling (bsc#1111666)
• RDMA/srpt: Fix typo in srpt_unregister_mad_agent docstring (bsc#1111666)
• RDMA/srpt: Report the SCSI residual to the initiator (bsc#1111666)
• RDMA/ucma: Add missing locking around rdma_leave_multicast() (bsc#1111666)
• RDMA/ucma: Put a lock around every call to the rdma_cm layer (bsc#1111666)
• RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated (bsc#1111666)
• RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove (bsc#1111666)
• RDMA/vmw_pvrdma: Use atomic memory allocation in create AH (bsc#1111666)
• reboot: fix overflow parsing reboot cpu number (bsc#1179421).
• regulator: avoid resolve_supply() infinite recursion (git-fixes).
• regulator: fix memory leak with repeated set_machine_constraints() (git-fixes).
• regulator: ti-abb: Fix array out of bound read access on the first transition (git-fixes).
• regulator: workaround self-referent regulators (git-fixes).
• Revert 'cdc-acm: hardening against malicious devices' (git-fixes).
• Revert 'kernel/reboot.c: convert simple_strtoul to kstrtoint' (bsc#1179418).
• RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() (bsc#1111666)
• rxe: correctly calculate iCRC for unaligned payloads (bsc#1111666)
• rxe: fix error completion wr_id and qp_num (bsc#1111666)
• s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177805 LTC#188737).
• s390/cpum_cf,perf: change DFLT_CCERROR counter name (bsc#1175916 LTC#187937).
• s390/dasd: Fix zero write for FBA devices (bsc#1177808 LTC#188739).
• s390: kernel/uv: handle length extension properly (bsc#1178940 LTC#189323).
• sched/core: Fix PI boosting between RT and DEADLINE tasks (bsc#1112178).
• sched/x86: SaveFLAGS on context switch (bsc#1112178).
• scripts/git_sort/git_sort.py: add ceph maintainers git tree
• scsi: lpfc: Fix initial FLOGI failure due to BBSCN not supported (git-fixes).
• scsi: RDMA/srpt: Fix a credit leak for aborted commands (bsc#1111666)
• Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode (git-fixes).
• staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids (git-fixes).
• time: Prevent undefined behaviour in timespec64_to_ns() (git-fixes).
• tracing: Fix out of bounds write in get_trace_buf (bsc#1179403).
• tty: serial: imx: keep console clocks always on (git-fixes).
• Update references in patches.suse/net-smc-tolerate-future-smcd-versions (bsc#1172542 LTC#186070 git-fixes).
• USB: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode (git-fixes).
• USB: core: driver: fix stray tabs in error messages (git-fixes).
• USB: core: Fix regression in Hercules audio card (git-fixes).
• USB: gadget: Fix memleak in gadgetfs_fill_super (git-fixes).
• USB: gadget: f_midi: Fix memleak in f_midi_alloc (git-fixes).
• USB: host: ehci-tegra: Fix error handling in tegra_ehci_probe() (git-fixes).
• USB: host: xhci-mtk: avoid runtime suspend when removing hcd (git-fixes).
• USB: serial: cyberjack: fix write-URB completion race (git-fixes).
• USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
• USB: serial: option: add Cellient MPL200 card (git-fixes).
• USB: serial: option: Add Telit FT980-KS composition (git-fixes).
• USB: serial: pl2303: add device-id for HP GC device (git-fixes).
• usermodehelper: reset umask to default before executing user process (bsc#1179406).
• video: hyperv_fb: Fix the cache type when mapping the VRAM (git-fixes).
• x86/hyperv: Clarify comment on x2apic mode (git-fixes).
• x86/hyperv: Make vapic support x2apic mode (git-fixes).
• x86/microcode/intel: Check patch signature before saving microcode for early loading (bsc#1112178).
• x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect (git-fixes).
• x86/PCI: Fix intel_mid_pci.c build error when ACPI is not enabled (git-fixes).
• x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs (git-fixes).
• x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP (bsc#1112178).
• x86/sysfb_efi: Add quirks for some devices with swapped width and height (git-fixes).
• xfrm: Fix memleak on xfrm state destroy (bsc#1158775).
• xfs: revert 'xfs: fix rmap key and record comparison functions' (git-fixes).

This update for openssl-1_1 fixes the following issues:

• CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

This update for curl fixes the following issues:

• CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
• CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
• CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).

This update for open-lldp fixes the following issue:

• Update from version 1.0.1+63.f977e67 to version v1.0.1+64.29d12e584af1

This update for kdump fixes the following issues:

• Remove `console=hvc0` from command line. (bsc#1173914)
• Set serial console from Xen command line. (bsc#1173914)
• Do not add `rd.neednet=1` to dracut command line. (bsc#1177196)

This update for gzip fixes the following issues:
Update from version 1.9 to version 1.10 (jsc#ECO-2217, jsc#SLE-12974)

• Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)

• Fix three data corruption issues. (bsc#1145276, jsc#SLE-5818, jsc#SLE-8914)
• Add support for `DFLTCC` (hardware-accelerated deflation) for s390x arch. (jsc#SLE-5818, jsc#SLE-8914)

• Compressed gzip output no longer contains the current time as a timestamp when the input is not a regular file. Instead, the output contains a `null` (zero) timestamp. This makes gzip's behavior more reproducible when used as part of a pipeline.
• A use of uninitialized memory on some malformed inputs has been fixed.
• A few theoretical race conditions in signal handlers have been fixed.
• Update gnulib for `libio.h` removal.

This update for rsyslog fixes the following issues:

• Fixes a crash for imfile (bsc#1176355)

This update for util-linux fixes the following issue:

• Do not trigger the automatic close of CDROM. (bsc#1084671)
• Try to automatically configure broken serial lines. (bsc#1175514)
• Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
• Build with `libudev` support to support non-root users. (bsc#1169006)
• Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
• Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942)