The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
The SUSE Linux Enterprise 15 SP2 kernel was updated to 3.12.31 to receive various security and bugfixes.
The following security bugs were fixed:
This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues:
libsolv:
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues:
supportutils-plugin-suse-public-cloud:
This update for supportutils-plugin-suse-public-cloud contains the following fix:
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bug was fixed:
| Advisory ID | SUSE-RU-2020:2651-1
|
| Released | Wed Sep 16 14:42:55 2020 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1175811,1175830,1175831 |
Description:
This update for zlib fixes the following issues:
- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)
| Advisory ID | SUSE-RU-2020:2684-1
|
| Released | Fri Sep 18 15:01:24 2020 |
| Summary | Recommended update for grub2 |
| Type | recommended |
| Severity | important |
| References | 1176134,1176591 |
Description:
This update for grub2 fixes the following issues:
- Make efi hand off the default entry point of the linux command (bsc#1176134)
| Advisory ID | SUSE-RU-2020:2704-1
|
| Released | Tue Sep 22 15:06:36 2020 |
| Summary | Recommended update for krb5 |
| Type | recommended |
| Severity | moderate |
| References | 1174079 |
Description:
This update for krb5 fixes the following issue:
- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)
| Advisory ID | SUSE-SU-2020:2712-1
|
| Released | Tue Sep 22 17:08:03 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | moderate |
| References | 1175568,CVE-2020-8027 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).
| Advisory ID | SUSE-SU-2020:2729-1
|
| Released | Wed Sep 23 16:00:48 2020 |
| Summary | Security update for cifs-utils |
| Type | security |
| Severity | moderate |
| References | 1152930,1174477,CVE-2020-14342 |
Description:
This update for cifs-utils fixes the following issues:
- CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs (bsc#1174477).
- Fixed an invalid free in mount.cifs; (bsc#1152930).
| Advisory ID | SUSE-SU-2020:2730-1
|
| Released | Wed Sep 23 16:35:31 2020 |
| Summary | Security update for samba |
| Type | security |
| Severity | important |
| References | 1176579,CVE-2020-1472 |
Description:
This update for samba fixes the following issues:
- ZeroLogon: An elevation of privilege was possible with some non default configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)
(CVE-2020-1472, bsc#1176579).
- Update to samba 4.11.13
+ s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403);
+ dsdb: Allow 'password hash userPassword schemes = CryptSHA256' to work
on RHEL7; (bso#14424);
+ dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450);
+ lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL;
(bso#14426);
+ s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
+ lib/util: do not install 'test_util_paths'; (bso#14370);
+ lib:util: Fix smbclient -l basename dir; (bso#14345);
+ s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428);
+ util: Allow symlinks in directory_create_or_exist; (bso#14166);
+ docs: Fix documentation for require_membership_of of pam_winbind;
(bso#14358);
+ s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal;
(bso#14425);
| Advisory ID | SUSE-RU-2020:2757-1
|
| Released | Fri Sep 25 19:45:40 2020 |
| Summary | Recommended update for nfs-utils |
| Type | recommended |
| Severity | moderate |
| References | 1173104 |
Description:
This update for nfs-utils fixes the following issue:
- Some scripts are requiring Python2 while it is not installed by default and they can work with Python3. (bsc#1173104)
| Advisory ID | SUSE-RU-2020:2781-1
|
| Released | Tue Sep 29 11:29:34 2020 |
| Summary | Recommended update for openssh |
| Type | recommended |
| Severity | moderate |
| References | 1173799 |
Description:
This update for openssh fixes the following issues:
- This uses OpenSSL's RAND_bytes() directly instead of the internal
ChaCha20-based implementation to obtain random bytes for Ed25519
curve computations. This is required for FIPS compliance. (bsc#1173799).
| Advisory ID | SUSE-SU-2020:2791-1
|
| Released | Tue Sep 29 14:13:44 2020 |
| Summary | Security update for xen |
| Type | security |
| Severity | important |
| References | 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604 |
Description:
This update for xen fixes the following issues:
- CVE-2020-25602: Fixed an issue where there was a crash when
handling guest access to MSR_MISC_ENABLE was thrown (bsc#1176339,XSA-333)
- CVE-2020-25598: Added a missing unlock in XENMEM_acquire_resource error path
(bsc#1176341,XSA-334)
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
- Various other fixes (bsc#1027519)
| Advisory ID | SUSE-RU-2020:2819-1
|
| Released | Thu Oct 1 10:39:16 2020 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592 |
Description:
This update for libzypp, zypper provides the following fixes:
Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.
Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
(bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.
| Advisory ID | SUSE-RU-2020:2825-1
|
| Released | Fri Oct 2 08:44:28 2020 |
| Summary | Recommended update for suse-build-key |
| Type | recommended |
| Severity | moderate |
| References | 1170347,1176759 |
Description:
This update for suse-build-key fixes the following issues:
- The SUSE Notary Container key is different from the build signing
key, include this key instead as suse-container-key. (PM-1845 bsc#1170347)
- The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759)
| Advisory ID | SUSE-RU-2020:2850-1
|
| Released | Fri Oct 2 12:26:03 2020 |
| Summary | Recommended update for lvm2 |
| Type | recommended |
| Severity | moderate |
| References | 1175110 |
Description:
This update for lvm2 fixes the following issues:
- Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110)
| Advisory ID | SUSE-RU-2020:2852-1
|
| Released | Fri Oct 2 16:55:39 2020 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1173470,1175844 |
Description:
This update for openssl-1_1 fixes the following issues:
FIPS:
- Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
- Add shared secret KAT to FIPS DH selftest (bsc#1175844).
| Advisory ID | SUSE-SU-2020:2864-1
|
| Released | Tue Oct 6 10:34:14 2020 |
| Summary | Security update for gnutls |
| Type | security |
| Severity | moderate |
| References | 1176086,1176181,1176671,CVE-2020-24659 |
Description:
This update for gnutls fixes the following issues:
- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)
| Advisory ID | SUSE-RU-2020:2869-1
|
| Released | Tue Oct 6 16:13:20 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1011548,1153943,1153946,1161239,1171762 |
Description:
This update for aaa_base fixes the following issues:
- DIR_COLORS (bug#1006973):
- add screen.xterm-256color
- add TERM rxvt-unicode-256color
- sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)
| Advisory ID | SUSE-SU-2020:2877-1
|
| Released | Wed Oct 7 14:43:20 2020 |
| Summary | Security update for qemu |
| Type | security |
| Severity | important |
| References | 1174386,1174641,1174863,1175370,1175441,1176494,CVE-2020-14364,CVE-2020-15863,CVE-2020-16092,CVE-2020-24352 |
Description:
This update for qemu fixes the following issues:
- CVE-2020-14364: Fixed an OOB access while processing USB packets (bsc#1175441,bsc#1176494).
- CVE-2020-16092: Fixed a denial of service in packet processing of various emulated NICs (bsc#1174641).
- CVE-2020-15863: Fixed a buffer overflow in the XGMAC device (bsc#1174386).
- CVE-2020-24352: Fixed an out-of-bounds read/write in ati-vga device emulation in ati_2d_blt (bsc#1175370).
- Allow to IPL secure guests with -no-reboot (bsc#1174863)
| Advisory ID | SUSE-SU-2020:2879-1
|
| Released | Thu Oct 8 15:05:03 2020 |
| Summary | Security update for the Linux Kernel |
| Type | security |
| Severity | important |
| References | 1055186,1058115,1065600,1065729,1094244,1136666,1152148,1152472,1152489,1153274,1154353,1155518,1155798,1156395,1167527,1170232,1170774,1171000,1171068,1171073,1171558,1171688,1171742,1172419,1172757,1172873,1173017,1173060,1173115,1173267,1173746,1174029,1174110,1174111,1174358,1174484,1174486,1174899,1175263,1175667,1175718,1175749,1175787,1175882,1175952,1175996,1175997,1175998,1175999,1176000,1176001,1176019,1176022,1176038,1176063,1176137,1176235,1176236,1176237,1176242,1176278,1176357,1176358,1176359,1176360,1176361,1176362,1176363,1176364,1176365,1176366,1176367,1176381,1176423,1176449,1176482,1176486,1176507,1176536,1176537,1176538,1176539,1176540,1176541,1176542,1176544,1176545,1176546,1176548,1176558,1176559,1176587,1176588,1176659,1176698,1176699,1176700,1176721,1176722,1176725,1176732,1176763,1176775,1176788,1176789,1176833,1176869,1176877,1176925,1176962,1176980,1176990,1177021,1177030,CVE-2020-0404,CVE-2020-0427,CVE-2020-0431,CVE-2020-0432,CVE-2020-14385,CVE-2020-14390,CVE-2020-25212,CVE-2020-25284,CVE-2020-26088 |
Description:
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-2521: Fixed getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2020-14385: Fixed a failure of the file system metadata validator in XFS which could have caused an inode with a valid, user-creatable extended attribute to be flagged as corrupt (bsc#1176137).
The following non-security bugs were fixed:
- ALSA: asihpi: fix iounmap in error handler (git-fixes).
- ALSA: ca0106: fix error code handling (git-fixes).
- ALSA: firewire-digi00x: exclude Avid Adrenaline from detection (git-fixes).
- ALSA: firewire-tascam: exclude Tascam FE-8 from detection (git-fixes).
- ALSA: hda: Fix 2 channel swapping for Tegra (git-fixes).
- ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled (git-fixes).
- ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO (git-fixes).
- ALSA: hda: fixup headset for ASUS GX502 laptop (git-fixes).
- ALSA: hda: hdmi - add Rocketlake support (git-fixes).
- ALSA: hda/hdmi: always check pin power status in i915 pin fixup (git-fixes).
- ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A (git-fixes).
- ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged (git-fixes).
- ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520 (git-fixes).
- ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen (git-fixes).
- ALSA: hda/realtek - The Mic on a RedmiBook does not work (git-fixes).
- ALSA: hda/tegra: Program WAKEEN register for Tegra (git-fixes).
- ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check (git-fixes).
- ALSA: usb-audio: Add basic capture support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: Add delay quirk for H570e USB headsets (git-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for UR22C (git-fixes).
- ALSA: usb-audio: Disable autosuspend for Lenovo ThinkStation P620 (git-fixes).
- arm64: paravirt: Initialize steal time when cpu is online (bsc#1176833).
- ASoC: img: Fix a reference count leak in img_i2s_in_set_fmt (git-fixes).
- ASoC: img-parallel-out: Fix a reference count leak (git-fixes).
- ASoC: meson: axg-toddr: fix channel order on g12 platforms (git-fixes).
- ASoC: qcom: common: Fix refcount imbalance on error (git-fixes).
- ASoC: qcom: Set card->owner to avoid warnings (git-fixes).
- ASoC: SOF: Intel: add PCI ID for CometLake-S (git-fixes).
- ASoC: tegra: Fix reference count leaks (git-fixes).
- ata: ahci: use ata_link_info() instead of ata_link_printk() (jsc#SLE-14459).
- batman-adv: Add missing include for in_interrupt() (git-fixes).
- batman-adv: Avoid uninitialized chaddr when handling DHCP (git-fixes).
- batman-adv: bla: fix type misuse for backbone_gw hash indexing (git-fixes).
- batman-adv: bla: use netif_rx_ni when not in interrupt context (git-fixes).
- batman-adv: Fix own OGM check in aggregated OGMs (git-fixes).
- batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh (git-fixes).
- batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN (git-fixes).
- batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh (git-fixes).
- batman-adv: mcast/TT: fix wrongly dropped or rerouted packets (git-fixes).
- bcache: allocate meta data pages as compound pages (bsc#1172873).
- bitfield.h: do not compile-time validate _val in FIELD_FIT (git fixes (bitfield)).
- blktrace: fix debugfs use after free (git fixes (block drivers)).
- block: add docs for gendisk / request_queue refcount helpers (git fixes (block drivers)).
- block: check queue's limits.discard_granularity in __blkdev_issue_discard() (bsc#1152148).
- block: improve discard bio alignment in __blkdev_issue_discard() (bsc#1152148).
- block: revert back to synchronous request_queue removal (git fixes (block drivers)).
- block: Use non _rcu version of list functions for tag_set_list (git-fixes).
- Bluetooth: btrtl: Add support for RTL8761B (bsc#1177021).
- bnxt: do not enable NAPI until rings are ready (git-fixes).
- bnxt_en: Check for zero dir entries in NVRAM (git-fixes).
- bnxt_en: Do not query FW when netif_running() is false (git-fixes).
- bnxt_en: Fix completion ring sizing with TPA enabled (networking-stable-20_07_29).
- bnxt_en: fix HWRM error when querying VF temperature (git-fixes).
- bnxt_en: Fix PCI AER error recovery flow (git-fixes).
- bnxt_en: Fix possible crash in bnxt_fw_reset_task() (jsc#SLE-8371 bsc#1153274).
- bnxt_en: Fix race when modifying pause settings (networking-stable-20_07_29).
- bonding: check error value of register_netdevice() immediately (networking-stable-20_07_29).
- bonding: check return value of register_netdevice() in bond_newlink() (networking-stable-20_07_29).
- bonding: fix a potential double-unregister (git-fixes).
- bpf: Fix a rcu warning for bpffs map pretty-print (bsc#1155518).
- bpf: map_seq_next should always increase position index (bsc#1155518).
- btrfs: add a leak check for roots (bsc#1176019).
- btrfs: add __cold attribute to more functions (bsc#1176019).
- btrfs: add dedicated members for start and length of a block group (bsc#1176019).
- btrfs: Add read_backup_root (bsc#1176019).
- btrfs: block-group: Refactor btrfs_read_block_groups() (bsc#1176019).
- btrfs: block-group: Reuse the item key from caller of read_one_block_group() (bsc#1176019).
- btrfs: Cleanup and simplify find_newest_super_backup (bsc#1176019).
- btrfs: clear DEAD_RELOC_TREE before dropping the reloc root (bsc#1176019).
- btrfs: do not init a reloc root if we are not relocating (bsc#1176019).
- btrfs: Do not use objectid_mutex during mount (bsc#1176019).
- btrfs: drop block from cache on error in relocation (bsc#1176019).
- btrfs: drop create parameter to btrfs_get_extent() (bsc#1176019).
- btrfs: drop unused parameter is_new from btrfs_iget (bsc#1176019).
- btrfs: export and rename free_fs_info (bsc#1176019).
- btrfs: export and use btrfs_read_tree_root for tree-log (bsc#1176019).
- btrfs: Factor out tree roots initialization during mount (bsc#1176019).
- btrfs: fix setting last_trans for reloc roots (bsc#1176019).
- btrfs: free more things in btrfs_free_fs_info (bsc#1176019).
- btrfs: free the reloc_control in a consistent way (bsc#1176019).
- btrfs: handle NULL roots in btrfs_put/btrfs_grab_fs_root (bsc#1176019).
- btrfs: hold a ref for the root in btrfs_find_orphan_roots (bsc#1176019).
- btrfs: hold a ref on fs roots while they're in the radix tree (bsc#1176019).
- btrfs: hold a ref on the root in btrfs_check_uuid_tree_entry (bsc#1176019).
- btrfs: hold a ref on the root in btrfs_ioctl_get_subvol_info (bsc#1176019).
- btrfs: hold a ref on the root in btrfs_ioctl_send (bsc#1176019).
- btrfs: hold a ref on the root in btrfs_recover_log_trees (bsc#1176019).
- btrfs: hold a ref on the root in btrfs_recover_relocation (bsc#1176019).
- btrfs: hold a ref on the root in __btrfs_run_defrag_inode (bsc#1176019).
- btrfs: hold a ref on the root in btrfs_search_path_in_tree (bsc#1176019).
- btrfs: hold a ref on the root in btrfs_search_path_in_tree_user (bsc#1176019).
- btrfs: hold a ref on the root in build_backref_tree (bsc#1176019).
- btrfs: hold a ref on the root in create_pending_snapshot (bsc#1176019).
- btrfs: hold a ref on the root in create_reloc_inode (bsc#1176019).
- btrfs: hold a ref on the root in create_subvol (bsc#1176019).
- btrfs: hold a ref on the root in find_data_references (bsc#1176019).
- btrfs: hold a ref on the root in fixup_tree_root_location (bsc#1176019).
- btrfs: hold a ref on the root in get_subvol_name_from_objectid (bsc#1176019).
- btrfs: hold a ref on the root in merge_reloc_roots (bsc#1176019).
- btrfs: hold a ref on the root in open_ctree (bsc#1176019).
- btrfs: hold a ref on the root in prepare_to_merge (bsc#1176019).
- btrfs: hold a ref on the root in record_reloc_root_in_trans (bsc#1176019).
- btrfs: hold a ref on the root in resolve_indirect_ref (bsc#1176019).
- btrfs: hold a ref on the root in scrub_print_warning_inode (bsc#1176019).
- btrfs: hold a ref on the root in search_ioctl (bsc#1176019).
- btrfs: hold a ref on the root->reloc_root (bsc#1176019).
- btrfs: hold a root ref in btrfs_get_dentry (bsc#1176019).
- btrfs: hold ref on root in btrfs_ioctl_default_subvol (bsc#1176019).
- btrfs: implement full reflink support for inline extents (bsc#1176019).
- btrfs: make btrfs_find_orphan_roots use btrfs_get_fs_root (bsc#1176019).
- btrfs: make relocation use btrfs_read_tree_root() (bsc#1176019).
- btrfs: make the fs root init functions static (bsc#1176019).
- btrfs: make the init of static elements in fs_info separate (bsc#1176019).
- btrfs: move all reflink implementation code into its own file (bsc#1176019).
- btrfs: move block_group_item::flags to block group (bsc#1176019).
- btrfs: move block_group_item::used to block group (bsc#1176019).
- btrfs: move fs_info init work into it's own helper function (bsc#1176019).
- btrfs: move fs root init stuff into btrfs_init_fs_root (bsc#1176019).
- btrfs: open code btrfs_read_fs_root_no_name (bsc#1176019).
- btrfs: push btrfs_grab_fs_root into btrfs_get_fs_root (bsc#1176019).
- btrfs: push grab_fs_root into read_fs_root (bsc#1176019).
- btrfs: push __setup_root into btrfs_alloc_root (bsc#1176019).
- btrfs: reloc: clean dirty subvols if we fail to start a transaction (bsc#1176019).
- btrfs: remove a BUG_ON() from merge_reloc_roots() (bsc#1176019).
- btrfs: Remove block_rsv parameter from btrfs_drop_snapshot (bsc#1176019).
- btrfs: remove btrfs_read_fs_root, not used anymore (bsc#1176019).
- btrfs: remove embedded block_group_cache::item (bsc#1176019).
- btrfs: Remove newest_gen argument from find_oldest_super_backup (bsc#1176019).
- btrfs: Remove unused next_root_backup function (bsc#1176019).
- btrfs: rename block_group_item on-stack accessors to follow naming (bsc#1176019).
- btrfs: rename btrfs_block_group_cache (bsc#1176019).
- btrfs: rename btrfs_put_fs_root and btrfs_grab_fs_root (bsc#1176019).
- btrfs: rename extent buffer block group item accessors (bsc#1176019).
- btrfs: Rename find_oldest_super_backup to init_backup_root_slot (bsc#1176019).
- btrfs: require only sector size alignment for parent eb bytenr (bsc#1176789).
- btrfs: reset tree root pointer after error in init_tree_roots (bsc#1176019).
- btrfs: simplify inline extent handling when doing reflinks (bsc#1176019).
- btrfs: stop clearing EXTENT_DIRTY in inode I/O tree (bsc#1176019).
- btrfs: Streamline btrfs_fs_info::backup_root_index semantics (bsc#1176019).
- btrfs: tree-checker: fix the error message for transid error (bsc#1176788).
- btrfs: unset reloc control if we fail to recover (bsc#1176019).
- btrfs: use bool argument in free_root_pointers() (bsc#1176019).
- btrfs: use btrfs_block_group_cache_done in update_block_group (bsc#1176019).
- btrfs: use btrfs_put_fs_root to free roots always (bsc#1176019).
- ceph: do not allow setlease on cephfs (bsc#1176537).
- ceph: fix potential mdsc use-after-free crash (bsc#1176538).
- ceph: fix use-after-free for fsc->mdsc (bsc#1176539).
- ceph: handle zero-length feature mask in session messages (bsc#1176540).
- ceph: set sec_context xattr on symlink creation (bsc#1176541).
- ceph: use frag's MDS in either mode (bsc#1176542).
- cfg80211: regulatory: reject invalid hints (bsc#1176699).
- char: virtio: Select VIRTIO from VIRTIO_CONSOLE (bsc#1175667).
- cifs: Fix leak when handling lease break for cached root fid (bsc#1176242).
- cifs/smb3: Fix data inconsistent when punch hole (bsc#1176544).
- cifs/smb3: Fix data inconsistent when zero file range (bsc#1176536).
- clk: davinci: Use the correct size when allocating memory (git-fixes).
- clk: rockchip: Fix initialization of mux_pll_src_4plls_p (git-fixes).
- crypto: ecdh - check validity of Z before export (bsc#1175718).
- crypto: ecc - SP800-56A rev 3 local public key validation (bsc#1175718).
- crypto: dh - check validity of Z before export (bsc#1175718).
- crypto: dh - SP800-56A rev 3 local public key validation (bsc#1175718).
- cxgb4: fix thermal zone device registration (git-fixes).
- dax: do not print error message for non-persistent memory block device (bsc#1171073).
- dax: print error message by pr_info() in __generic_fsdax_supported() (bsc#1171073).
- debugfs: Fix module state check condition (bsc#1173746).
- debugfs: Fix module state check condition (git-fixes).
- dev: Defer free of skbs in flush_backlog (networking-stable-20_07_29).
- device property: Fix the secondary firmware node handling in set_primary_fwnode() (git-fixes).
- dmaengine: acpi: Put the CSRT table after using it (git-fixes).
- dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate() (git-fixes).
- dmaengine: dw-edma: Fix scatter-gather address calculation (git-fixes).
- dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling (git-fixes).
- dmaengine: pl330: Fix burst length if burst size is smaller than bus width (git-fixes).
- dm: do not call report zones for more than the user requested (git fixes (block drivers)).
- dm integrity: fix integrity recalculation that is improperly skipped (git fixes (block drivers)).
- dm rq: do not call blk_mq_queue_stopped() in dm_stop_queue() (git fixes (block drivers)).
- dm writecache: add cond_resched to loop in persistent_memory_claim() (git fixes (block drivers)).
- dm writecache: correct uncommitted_block when discarding uncommitted entry (git fixes (block drivers)).
- dm zoned: assign max_io_len correctly (git fixes (block drivers)).
- dpaa2-eth: Fix passing zero to 'PTR_ERR' warning (networking-stable-20_08_08).
- dpaa_eth: Fix one possible memleak in dpaa_eth_probe (bsc#1175996).
- driver-core: Introduce DEVICE_ATTR_ADMIN_{RO,RW} (bsc#1176486 ltc#188130).
- Drivers: hv: Specify receive buffer size using Hyper-V page size (bsc#1176877).
- Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload (git-fixes).
- Drivers: hv: vmbus: hibernation: do not hang forever in vmbus_bus_resume() (git-fixes).
- drivers/net/wan/x25_asy: Fix to make it work (networking-stable-20_07_29).
- drm/amd/display: fix ref count leak in amdgpu_drm_ioctl (git-fixes).
- drm/amd/display: Switch to immediate mode for updating infopackets (git-fixes).
- drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails (git-fixes).
- drm/amdgpu: Fix buffer overflow in INFO ioctl (git-fixes).
- drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config (git-fixes).
- drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms (git-fixes).
- drm/amdgpu/gfx10: refine mgcg setting (git-fixes).
- drm/amdkfd: Fix reference count leaks (git-fixes).
- drm/amd/pm: correct the thermal alert temperature limit settings (git-fixes).
- drm/amd/pm: correct Vega10 swctf limit setting (git-fixes).
- drm/amd/pm: correct Vega12 swctf limit setting (git-fixes).
- drm/amd/pm: correct Vega20 swctf limit setting (git-fixes).
- drm/amd/powerplay: correct UVD/VCE PG state on custom pptable uploading (git-fixes).
- drm/amd/powerplay: correct Vega20 cached smu feature state (git-fixes).
- drm/amd/powerplay: Fix hardmins not being sent to SMU for RV (git-fixes).
- drm/ast: Initialize DRAM type before posting GPU (bsc#1152472) * context changes
- drm/mgag200: Remove declaration of mgag200_mmap() from header file (bsc#1152472) * context changes
- drm/msm/a6xx: fix crashdec section name typo (git-fixes).
- drm/msm/adreno: fix updating ring fence (git-fixes).
- drm/msm/gpu: make ringbuffer readonly (git-fixes).
- drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open (git-fixes).
- drm/nouveau: Fix reference count leak in nouveau_connector_detect (git-fixes).
- drm/nouveau: fix reference count leak in nv50_disp_atomic_commit (git-fixes).
- drm/radeon: fix multiple reference count leak (git-fixes).
- drm/radeon: Prefer lower feedback dividers (git-fixes).
- drm/sched: Fix passing zero to 'PTR_ERR' warning v2 (git-fixes).
- drm/sun4i: add missing put_device() call in (bsc#1152472)
- drm/sun4i: backend: Disable alpha on the lowest plane on the A20 (bsc#1152472)
- drm/sun4i: backend: Support alpha property on lowest plane (bsc#1152472)
- drm/sun4i: Fix dsi dcs long write function (bsc#1152472)
- drm/virtio: fix missing dma_fence_put() in (bsc#1152489) * context changes
- drm/xen-front: Fix misused IS_ERR_OR_NULL checks (bsc#1065600).
- EDAC/amd64: Add AMD family 17h model 60h PCI IDs (bsc#1152489).
- EDAC/amd64: Read back the scrub rate PCI register on F15h (bsc#1152489).
- EDAC: Fix reference count leaks (bsc#1152489).
- efi: Add support for EFI_RT_PROPERTIES table (bsc#1174029, bsc#1174110, bsc#1174111).
- efi: avoid error message when booting under Xen (bsc#1172419).
- efi/efivars: Expose RT service availability via efivars abstraction (bsc#1174029, bsc#1174110, bsc#1174111).
- efi: libstub/tpm: enable tpm eventlog function for ARM platforms (bsc#1173267).
- efi: Mark all EFI runtime services as unsupported on non-EFI boot (bsc#1174029, bsc#1174110, bsc#1174111).
- efi: Register EFI rtc platform device only when available (bsc#1174029, bsc#1174110, bsc#1174111).
- efi: Store mask of supported runtime services in struct efi (bsc#1174029, bsc#1174110, bsc#1174111).
- efi: Use EFI ResetSystem only when available (bsc#1174029, bsc#1174110, bsc#1174111).
- efi: Use more granular check for availability for variable services (bsc#1174029, bsc#1174110, bsc#1174111).
- enetc: Remove the mdio bus on PF probe bailout (networking-stable-20_07_29).
- epoll: atomically remove wait entry on wake up (bsc#1176236).
- epoll: call final ep_events_available() check under the lock (bsc#1176237).
- ext4: handle read only external journal device (bsc#1176063).
- fbcon: prevent user font height or width change from causing potential out-of-bounds access (git-fixes).
- felix: Fix initialization of ioremap resources (bsc#1175997).
- Fix build error when CONFIG_ACPI is not set/enabled: (bsc#1065600).
- HID: core: Add printk_once variants to hid_warn() etc (bsc#1176775).
- HID: core: Correctly handle ReportSize being zero (git-fixes).
- HID: core: fix dmesg flooding if report field larger than 32bit (bsc#1176775).
- HID: core: reformat and reduce hid_printk macros (bsc#1176775).
- HID: core: Sanitize event code and type when mapping input (git-fixes).
- HID: elan: Fix memleak in elan_input_configured (git-fixes).
- HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() (git-fixes).
- HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands (git-fixes).
- HID: microsoft: Add rumble support for the 8bitdo SN30 Pro+ controller (git-fixes).
- HID: quirks: add NOGET quirk for Logitech GROUP (git-fixes).
- HID: quirks: Always poll three more Lenovo PixArt mice (git-fixes).
- HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for all Saitek X52 devices (git-fixes).
- hsr: use netdev_err() instead of WARN_ONCE() (bsc#1176659).
- hv_netvsc: do not use VF device if link is down (git-fixes).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() (git-fixes).
- hv_netvsc: Remove 'unlikely' from netvsc_select_queue (git-fixes).
- hv_utils: drain the timesync packets on onchannelcallback (bsc#1176877).
- hv_utils: return error if host timesysnc update is stale (bsc#1176877).
- i2c: algo: pca: Reapply i2c bus settings after reset (git-fixes).
- i2c: core: Do not fail PRP0001 enumeration when no ID table exist (git-fixes).
- i2c: i801: Fix resume bug (git-fixes).
- i2c: mxs: use MXS_DMA_CTRL_WAIT4END instead of DMA_CTRL_ACK (git-fixes).
- i2c: rcar: in slave mode, clear NACK earlier (git-fixes).
- i40e: Fix crash during removing i40e driver (git-fixes).
- i40e: Set RX_ONLY mode for unicast promiscuous on VLAN (git-fixes).
- ibmvnic: add missing parenthesis in do_reset() (bsc#1176700 ltc#188140).
- iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak (git-fixes).
- iio: accel: kxsd9: Fix alignment of local buffer (git-fixes).
- iio:accel:mma7455: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:accel:mma8452: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:adc:ina2xx Fix timestamp alignment issue (git-fixes).
- iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
- iio: adc: mcp3422: fix locking on error path (git-fixes).
- iio: adc: mcp3422: fix locking scope (git-fixes).
- iio:adc:ti-adc081c Fix alignment and data leak issues (git-fixes).
- iio:adc:ti-adc084s021 Fix alignment and data leak issues (git-fixes).
- iio: adc: ti-ads1015: fix conversion when CONFIG_PM is not set (git-fixes).
- iio:chemical:ccs811: Fix timestamp alignment and prevent data leak (git-fixes).
- iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw() (git-fixes).
- iio:light:ltr501 Fix timestamp alignment issue (git-fixes).
- iio:light:max44000 Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magnetometer:ak8975 Fix alignment and data leak issues (git-fixes).
- iio:proximity:mb1232: Fix timestamp alignment and prevent data leak (git-fixes).
- include/asm-generic/vmlinux.lds.h: align ro_after_init (git-fixes).
- include/linux/bitops.h: avoid clang shift-count-overflow warnings (git-fixes).
- include/linux/poison.h: remove obsolete comment (git-fixes).
- infiniband: hfi1: Use EFI GetVariable only when available (bsc#1174029, bsc#1174110, bsc#1174111).
- initramfs: remove clean_rootfs (git-fixes).
- initramfs: remove the populate_initrd_image and clean_rootfs stubs (git-fixes).
- Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset lists (git-fixes).
- Input: trackpoint - add new trackpoint variant IDs (git-fixes).
- integrity: Check properly whether EFI GetVariable() is available (bsc#1174029, bsc#1174110, bsc#1174111).
- iommu/amd: Do not force direct mapping when SME is active (bsc#1174358).
- iommu/amd: Do not use IOMMUv2 functionality when SME is active (bsc#1174358).
- iommu/amd: Print extended features in one line to fix divergent log levels (bsc#1176357).
- iommu/amd: Restore IRTE.RemapEn bit after programming IRTE (bsc#1176358).
- iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE (bsc#1176359).
- iommu/omap: Check for failure of a call to omap_iommu_dump_ctx (bsc#1176360).
- iommu/vt-d: Fix PASID devTLB invalidation (bsc#1176361).
- iommu/vt-d: Handle 36bit addressing for x86-32 (bsc#1176362).
- iommu/vt-d: Handle non-page aligned address (bsc#1176367).
- iommu/vt-d: Remove global page support in devTLB flush (bsc#1176363).
- iommu/vt-d: Serialize IOMMU GCMD register modifications (bsc#1176364).
- iommu/vt-d: Support flushing more translation cache types (bsc#1176365).
- ipv4: Silence suspicious RCU usage warning (networking-stable-20_08_08).
- ipv6: fix memory leaks on IPV6_ADDRFORM path (networking-stable-20_08_08).
- ipv6: Fix nexthop refcnt leak when creating ipv6 route info (networking-stable-20_08_08).
- irqdomain/treewide: Free firmware node after domain removal (git-fixes).
- irqdomain/treewide: Keep firmware node unconditionally allocated (git-fixes).
- kABI: Fix kABI after EFI_RT_PROPERTIES table backport (bsc#1174029, bsc#1174110, bsc#1174111).
- kABI: net: dsa: microchip: call phy_remove_link_mode during probe (kabi).
- kabi/severities: ignore kABI for net/ethernet/mscc/ References: bsc#1176001,bsc#1175999 Exported symbols from drivers/net/ethernet/mscc/ are only used by drivers/net/dsa/ocelot/
- kernel/cpu_pm: Fix uninitted local in cpu_pm (git fixes (kernel/pm)).
- kernel-syms.spec.in: Also use bz compression (boo#1175882).
- libnvdimm: cover up struct nvdimm changes (bsc#1171742).
- libnvdimm: cover up nvdimm_security_ops changes (bsc#1171742).
- libnvdimm/security: fix a typo (bsc#1171742 bsc#1167527).
- libnvdimm/security: Introduce a 'frozen' attribute (bsc#1171742).
- libbpf: Fix readelf output parsing on powerpc with recent binutils (bsc#1155518).
- libbpf: Fix readelf output parsing for Fedora (bsc#1155518).
- libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks (jsc#SLE-14459).
- lib/mpi: Add mpi_sub_ui() (bsc#1175718).
- md: raid0/linear: fix dereference before null check on pointer mddev (git fixes (block drivers)).
- media: cedrus: Add missing v4l2_ctrl_request_hdl_put() (git-fixes).
- media: davinci: vpif_capture: fix potential double free (git-fixes).
- media: gpio-ir-tx: improve precision of transmitted signal due to scheduling (git-fixes).
- media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() (git-fixes).
- mei: fix CNL itouch device number to match the spec (bsc#1175952).
- mei: me: disable mei interface on LBG servers (bsc#1175952).
- mei: me: disable mei interface on Mehlow server platforms (bsc#1175952).
- mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs (git-fixes).
- mlx4: disable device on shutdown (git-fixes).
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (networking-stable-20_07_29).
- mmc: dt-bindings: Add resets/reset-names for Mediatek MMC bindings (git-fixes).
- mmc: mediatek: add optional module reset property (git-fixes).
- mmc: sdhci-acpi: Clear amd_sdhci_host on reset (git-fixes).
- mmc: sdhci-acpi: Fix HS400 tuning for AMDI0040 (git-fixes).
- mmc: sdhci-msm: Add retries when all tuning phases are found valid (git-fixes).
- mmc: sdhci-of-esdhc: Do not walk device-tree on every interrupt (git-fixes).
- mmc: sdio: Use mmc_pre_req() / mmc_post_req() (git-fixes).
- mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)).
- mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/pgalloc)).
- mm/page_alloc: silence a KASAN false positive (git fixes (mm/pgalloc)).
- mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() (git fixes (mm/compaction)).
- mm/shuffle: do not move pages between zones and do not read garbage memmaps (git fixes (mm/pgalloc)).
- mm/sparse: rename pfn_present() to pfn_in_present_section() (git fixes (mm/pgalloc)).
- mm, thp: fix defrag setting if newline is not used (git fixes (mm/thp)).
- net: dsa: felix: send VLANs on CPU port as egress-tagged (bsc#1175998).
- net: dsa: microchip: call phy_remove_link_mode during probe (networking-stable-20_07_29).
- net: dsa: ocelot: the MAC table on Felix is twice as large (bsc#1175999).
- net: enetc: fix an issue about leak system resources (bsc#1176000).
- net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() (git-fixes).
- net: ethernet: mtk_eth_soc: fix MTU warnings (networking-stable-20_08_08).
- netfilter: ipset: Fix forceadd evaluation path (bsc#1176587).
- net: Fix potential memory leak in proto_register() (networking-stable-20_08_15).
- net: gre: recompute gre csum for sctp over gre tunnels (networking-stable-20_08_08).
- net: initialize fastreuse on inet_inherit_port (networking-stable-20_08_15).
- net: mscc: ocelot: fix untagged packet drops when enslaving to vlan aware bridge (bsc#1176001).
- net/nfc/rawsock.c: add CAP_NET_RAW check (networking-stable-20_08_15).
- net: refactor bind_bucket fastreuse into helper (networking-stable-20_08_15).
- net: sched: initialize with 0 before setting erspan md->u (bsc#1154353).
- net: Set fput_needed iff FDPUT_FPUT is set (networking-stable-20_08_15).
- net/smc: put slot when connection is killed (git-fixes).
- net-sysfs: add a newline when printing 'tx_timeout' by sysfs (networking-stable-20_07_29).
- net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task() (networking-stable-20_08_08).
- net/tls: Fix kmap usage (networking-stable-20_08_15).
- net: udp: Fix wrong clean up for IS_UDPLITE macro (networking-stable-20_07_29).
- NFC: st95hf: Fix memleak in st95hf_in_send_cmd (git-fixes).
- nvme-fc: set max_segments to lldd max value (bsc#1176038).
- nvme-pci: override the value of the controller's numa node (bsc#1176507).
- obsolete_kmp: provide newer version than the obsoleted one (boo#1170232).
- omapfb: fix multiple reference count leaks due to pm_runtime_get_sync (git-fixes).
- openvswitch: Prevent kernel-infoleak in ovs_ct_put_key() (networking-stable-20_08_08).
- PCI: Add device even if driver attach failed (git-fixes).
- PCI: Avoid Pericom USB controller OHCI/EHCI PME# defect (git-fixes).
- PCI: Fix pci_create_slot() reference count leak (git-fixes).
- PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken (git-fixes).
- platform/x86: dcdbas: Check SMBIOS for protected buffer address (jsc#SLE-14407).
- PM: sleep: core: Fix the handling of pending runtime resume requests (git-fixes).
- powerpc/64: mark emergency stacks valid to unwind (bsc#1156395).
- powerpc/64s: machine check do not trace real-mode handler (bsc#1094244 ltc#168122).
- powerpc/64s: machine check interrupt update NMI accounting (bsc#1094244 ltc#168122).
- powerpc: Add cputime_to_nsecs() (bsc#1065729).
- powerpc/book3s64/radix: Add kernel command line option to disable radix GTSE (bsc#1055186 ltc#153436 jsc#SLE-13512).
- powerpc/book3s64/radix: Fix boot failure with large amount of guest memory (bsc#1176022 ltc#187208).
- powerpc: Do not flush caches when adding memory (bsc#1176980 ltc#187962).
- powerpc: Implement ftrace_enabled() helpers (bsc#1094244 ltc#168122).
- powerpc/kernel: Cleanup machine check function declarations (bsc#1065729).
- powerpc/kernel: Enables memory hot-remove after reboot on pseries guests (bsc#1177030 ltc#187588).
- powerpc/mm: Enable radix GTSE only if supported (bsc#1055186 ltc#153436 jsc#SLE-13512).
- powerpc/mm: Limit resize_hpt_for_hotplug() call to hash guests only (bsc#1177030 ltc#187588).
- powerpc/mm/radix: Create separate mappings for hot-plugged memory (bsc#1055186 ltc#153436).
- powerpc/mm/radix: Fix PTE/PMD fragment count for early page table mappings (bsc#1055186 ltc#153436).
- powerpc/mm/radix: Free PUD table when freeing pagetable (bsc#1055186 ltc#153436).
- powerpc/mm/radix: Remove split_kernel_mapping() (bsc#1055186 ltc#153436).
- powerpc/numa: Early request for home node associativity (bsc#1171068 ltc#183935).
- powerpc/numa: Offline memoryless cpuless node 0 (bsc#1171068 ltc#183935).
- powerpc/numa: Prefer node id queried from vphn (bsc#1171068 ltc#183935).
- powerpc/numa: Set numa_node for all possible cpus (bsc#1171068 ltc#183935).
- powerpc/numa: Use cpu node map of first sibling thread (bsc#1171068 ltc#183935).
- powerpc/papr_scm: Limit the readability of 'perf_stats' sysfs attribute (bsc#1176486 ltc#188130).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1156395).
- powerpc/prom: Enable Radix GTSE in cpu pa-features (bsc#1055186 ltc#153436 jsc#SLE-13512).
- powerpc/pseries: Limit machine check stack to 4GB (bsc#1094244 ltc#168122).
- powerpc/pseries: Machine check use rtas_call_unlocked() with args on stack (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: Avoid calling rtas_token() in NMI paths (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: Fix FWNMI_VALID off by one (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: fwnmi avoid modifying r3 in error case (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: fwnmi sreset should not interlock (bsc#1094244 ltc#168122).
- powerpc/traps: Do not trace system reset (bsc#1094244 ltc#168122).
- powerpc/traps: Make unrecoverable NMIs die instead of panic (bsc#1094244 ltc#168122).
- powerpc/xmon: Use `dcbf` inplace of `dcbi` instruction for 64bit Book3S (bsc#1065729).
- qrtr: orphan socket in qrtr_release() (networking-stable-20_07_29).
- RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1173017).
- RDMA/bnxt_re: Fix the qp table indexing (bsc#1173017).
- RDMA/bnxt_re: Remove set but not used variable 'qplib_ctx' (bsc#1170774).
- RDMA/bnxt_re: Remove the qp from list only if the qp destroy succeeds (bsc#1170774).
- RDMA/bnxt_re: Restrict the max_gids to 256 (bsc#1173017).
- RDMA/bnxt_re: Static NQ depth allocation (bsc#1170774).
- RDMA/mlx4: Read pkey table length instead of hardcoded value (git-fixes).
- RDMA/siw: Suppress uninitialized var warning (jsc#SLE-8381).
- regulator: core: Fix slab-out-of-bounds in regulator_unlock_recursive() (git-fixes).
- regulator: fix memory leak on error path of regulator_register() (git-fixes).
- regulator: plug of_node leak in regulator_register()'s error path (git-fixes).
- regulator: push allocation in regulator_ena_gpio_request() out of lock (git-fixes).
- regulator: push allocation in regulator_init_coupling() outside of lock (git-fixes).
- regulator: push allocation in set_consumer_device_supply() out of lock (git-fixes).
- regulator: push allocations in create_regulator() outside of lock (git-fixes).
- regulator: pwm: Fix machine constraints application (git-fixes).
- regulator: remove superfluous lock in regulator_resolve_coupling() (git-fixes).
- Revert 'xen/balloon: Fix crash when ballooning on x86 32 bit PAE' (bsc#1065600).
- rpadlpar_io: Add MODULE_DESCRIPTION entries to kernel modules (bsc#1176869 ltc#188243).
- rpm/kernel-binary.spec.in: Also sign ppc64 kernels (jsc#SLE-15857 jsc#SLE-13618).
- rpm/kernel-binary.spec.in: pack .ipa-clones files for live patching When -fdump-ipa-clones option is enabled, GCC reports about its cloning operation during IPA optimizations. We use the information for live patches preparation, because it is crucial to know if and how functions are optimized. Currently, we create the needed .ipa-clones dump files manually. It is unnecessary, because the files may be created automatically during our kernel build. Prepare for the step and provide the resulting files in -livepatch-devel package.
- rpm/kernel-cert-subpackage: add CA check on key enrollment (bsc#1173115) To avoid the unnecessary key enrollment, when enrolling the signing key of the kernel package, '--ca-check' is added to mokutil so that mokutil will ignore the request if the CA of the signing key already exists in MokList or UEFI db. Since the macro, %_suse_kernel_module_subpackage, is only defined in a kernel module package (KMP), it's used to determine whether the %post script is running in a kernel package, or a kernel module package.
- rpm/kernel-source.spec.in: Also use bz compression (boo#1175882).
- rpm/macros.kernel-source: pass -c proerly in kernel module package (bsc#1176698) The '-c' option wasn't passed down to %_kernel_module_package so the ueficert subpackage wasn't generated even if the certificate is specified in the spec file.
- rtlwifi: rtl8192cu: Prevent leaking urb (git-fixes).
- rxrpc: Fix race between recvmsg and sendmsg on immediate call failure (networking-stable-20_08_08).
- rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA (networking-stable-20_07_29).
- s390: Change s390_kernel_write() return type to match memcpy() (bsc#1176449). Prerequisite for bsc#1176449.
- s390/dasd: fix inability to use DASD with DIAG driver (git-fixes).
- s390: fix GENERIC_LOCKBREAK dependency typo in Kconfig (git-fixes).
- s390/maccess: add no DAT mode to kernel_write (bsc#1176449).
- s390/mm: fix huge pte soft dirty copying (git-fixes).
- s390/qeth: do not process empty bridge port events (git-fixes).
- s390/qeth: integrate RX refill worker with NAPI (git-fixes).
- s390/qeth: tolerate pre-filled RX buffer (git-fixes).
- s390/setup: init jump labels before command line parsing (git-fixes).
- sbitmap: Consider cleared bits in sbitmap_bitmap_show() (git fixes (block drivers)).
- sched: Add a tracepoint to track rq->nr_running (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched: Better document ttwu() (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/cputime: Improve cputime_adjust() (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/debug: Add new tracepoints to track util_est (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/debug: Fix the alignment of the show-state debug output (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/fair: fix NOHZ next idle balance (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/fair: Remove unused 'sd' parameter from scale_rt_capacity() (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/fair: update_pick_idlest() Select group with lowest group_util when idle_cpus are equal (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched: Fix use of count for nr_running tracepoint (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched: nohz: stop passing around unused 'ticks' parameter (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/numa: Check numa balancing information only when enabled (bsc#1176588).
- sched/numa: Avoid creating large imbalances at task creation time (bsc#1176588).
- sched/pelt: Remove redundant cap_scale() definition (bnc#1155798 (CPU scheduler functional and performance backports)).
- scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() (bsc#1174899).
- scsi: ibmvfc: Avoid link down on FS9100 canister reboot (bsc#1176962 ltc#188304).
- scsi: ibmvfc: Use compiler attribute defines instead of __attribute__() (bsc#1176962 ltc#188304).
- scsi: iscsi: Use EFI GetVariable only when available (bsc#1174029, bsc#1174110, bsc#1174111).
- scsi: libfc: Fix for double free() (bsc#1174899).
- scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases (bsc#1174899).
- scsi: lpfc: Add and rename a whole bunch of function parameter descriptions (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Add dependency on CPU_FREQ (git-fixes).
- scsi: lpfc: Add description for lpfc_release_rpi()'s 'ndlpl param (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Add missing misc_deregister() for lpfc_init() (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Avoid another null dereference in lpfc_sli4_hba_unset() (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Correct some pretty obvious misdocumentation (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Ensure variable has the same stipulations as code using it (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix a bunch of kerneldoc misdemeanors (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix FCoE speed reporting (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix kerneldoc parameter formatting/misnaming/missing issues (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix LUN loss after cable pull (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix no message shown for lpfc_hdw_queue out of range value (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix oops when unloading driver while running mds diags (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix retry of PRLI when status indicates its unsupported (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix RSCN timeout due to incorrect gidft counter (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix setting IRQ affinity with an empty CPU mask (git-fixes).
- scsi: lpfc: Fix some function parameter descriptions (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix typo in comment for ULP (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix-up around 120 documentation issues (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix-up formatting/docrot where appropriate (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Fix validation of bsg reply lengths (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: NVMe remote port devloss_tmo from lldd (bcs#1173060 bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: nvmet: Avoid hang / use-after-free again when destroying targetport (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Provide description for lpfc_mem_alloc()'s 'align' param (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Quieten some printks (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Remove unused variable 'pg_addr' (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Update lpfc version to 12.8.0.3 (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: lpfc: Use __printf() format notation (bsc#1171558 bsc#1136666 bsc#1174486 bsc#1175787 bsc#1171000 jsc#SLE-15796 jsc#SLE-15449).
- scsi: qla2xxx: Fix regression on sparc64 (git-fixes).
- scsi: qla2xxx: Fix the return value (bsc#1171688).
- scsi: qla2xxx: Fix the size used in a 'dma_free_coherent()' call (bsc#1171688).
- scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() (bsc#1171688).
- scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg() (bsc#1171688).
- scsi: qla2xxx: Log calling function name in qla2x00_get_sp_from_handle() (bsc#1171688).
- scsi: qla2xxx: Remove pci-dma-compat wrapper API (bsc#1171688).
- scsi: qla2xxx: Remove redundant variable initialization (bsc#1171688).
- scsi: qla2xxx: Remove superfluous memset() (bsc#1171688).
- scsi: qla2xxx: Simplify return value logic in qla2x00_get_sp_from_handle() (bsc#1171688).
- scsi: qla2xxx: Suppress two recently introduced compiler warnings (git-fixes).
- scsi: qla2xxx: Warn if done() or free() are called on an already freed srb (bsc#1171688).
- scsi: zfcp: Fix use-after-free in request timeout handlers (git-fixes).
- sctp: shrink stream outq only when new outcnt < old outcnt (networking-stable-20_07_29).
- sctp: shrink stream outq when fails to do addstream reconf (networking-stable-20_07_29).
- sdhci: tegra: Add missing TMCLK for data timeout (git-fixes).
- sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra186 (git-fixes).
- sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra210 (git-fixes).
- selftests/net: relax cpu affinity requirement in msg_zerocopy test (networking-stable-20_08_08).
- serial: 8250_pci: Add Realtek 816a and 816b (git-fixes).
- Set VIRTIO_CONSOLE=y (bsc#1175667).
- SMB3: Honor 'handletimeout' flag for multiuser mounts (bsc#1176558).
- SMB3: Honor persistent/resilient handle flags for multiuser mounts (bsc#1176546).
- SMB3: Honor 'posix' flag for multiuser mounts (bsc#1176559).
- SMB3: Honor 'seal' flag for multiuser mounts (bsc#1176545).
- SMB3: warn on confusing error scenario with sec=krb5 (bsc#1176548).
- soundwire: fix double free of dangling pointer (git-fixes).
- spi: Fix memory leak on splited transfers (git-fixes).
- spi: spi-loopback-test: Fix out-of-bounds read (git-fixes).
- spi: stm32: always perform registers configuration prior to transfer (git-fixes).
- spi: stm32: clear only asserted irq flags on interrupt (git-fixes).
- spi: stm32: fix fifo threshold level in case of short transfer (git-fixes).
- spi: stm32: fix pm_runtime_get_sync() error checking (git-fixes).
- spi: stm32: fix stm32_spi_prepare_mbr in case of odd clk_rate (git-fixes).
- spi: stm32h7: fix race condition at end of transfer (git-fixes).
- taprio: Fix using wrong queues in gate mask (bsc#1154353).
- tcp: apply a floor of 1 for RTT samples from TCP timestamps (networking-stable-20_08_08).
- tcp: correct read of TFO keys on big endian systems (networking-stable-20_08_15).
- test_kmod: avoid potential double free in trigger_config_run_type() (git-fixes).
- tg3: Fix soft lockup when tg3_reset_task() fails (git-fixes).
- thermal: qcom-spmi-temp-alarm: Do not suppress negative temp (git-fixes).
- thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 (git-fixes).
- tracing: fix double free (git-fixes).
- Update patches.suse/btrfs-add-dedicated-members-for-start-and-length-of-.patch (bsc#1176019).
- Update patches.suse/btrfs-Move-free_pages_out-label-in-inline-extent-han.patch (bsc#1174484).
- USB: cdc-acm: rework notification_buffer resizing (git-fixes).
- USB: core: fix slab-out-of-bounds Read in read_descriptors (git-fixes).
- USB: Fix out of sync data toggle if a configured device is reconfigured (git-fixes).
- USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb() (git-fixes).
- USB: gadget: f_tcm: Fix some resource leaks in some error paths (git-fixes).
- USB: gadget: u_f: add overflow checks to VLA macros (git-fixes).
- USB: gadget: u_f: Unbreak offset calculation in VLAs (git-fixes).
- USB: host: ohci-exynos: Fix error handling in exynos_ohci_probe() (git-fixes).
- USB: host: xhci: fix ep context print mismatch in debugfs (git-fixes).
- USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge (git-fixes).
- USB: lvtest: return proper error code in probe (git-fixes).
- USB: quirks: Add no-lpm quirk for another Raydium touchscreen (git-fixes).
- USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook (git-fixes).
- USB: quirks: Ignore duplicate endpoint on Sound Devices MixPre-D (git-fixes).
- USB: rename USB quirk to USB_QUIRK_ENDPOINT_IGNORE (git-fixes).
- USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter (git-fixes).
- USB: serial: ftdi_sio: clean up receive processing (git-fixes).
- USB: serial: ftdi_sio: fix break and sysrq handling (git-fixes).
- USB: serial: ftdi_sio: make process-packet buffer unsigned (git-fixes).
- USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules (git-fixes).
- USB: serial: option: support dynamic Quectel USB compositions (git-fixes).
- USB: sisUSBvga: Fix a potential UB casued by left shifting a negative value (git-fixes).
- USB: storage: Add unusual_uas entry for Sony PSZ drives (git-fixes).
- USB: typec: ucsi: acpi: Check the _DEP dependencies (git-fixes).
- USB: typec: ucsi: Prevent mode overrun (git-fixes).
- USB: uas: Add quirk for PNY Pro Elite (git-fixes).
- USB: UAS: fix disconnect by unplugging a hub (git-fixes).
- USB: yurex: Fix bad gfp argument (git-fixes).
- vfio-pci: Avoid recursive read-lock usage (bsc#1176366).
- virtio-blk: free vblk-vqs in error path of virtblk_probe() (git fixes (block drivers)).
- virtio_pci_modern: Fix the comment of virtio_pci_find_capability() (git-fixes).
- vsock/virtio: annotate 'the_virtio_vsock' RCU pointer (networking-stable-20_07_29).
- vt: defer kfree() of vc_screenbuf in vc_do_resize() (git-fixes).
- vxlan: Ensure FDB dump is performed under RCU (networking-stable-20_08_08).
- wireguard: noise: take lock when removing handshake entry from table (git-fixes).
- wireguard: peerlookup: take lock before checking hash in replace operation (git-fixes).
- workqueue: require CPU hotplug read exclusion for apply_workqueue_attrs (bsc#1176763).
- x86/hotplug: Silence APIC only after all interrupts are migrated (git-fixes).
- x86/ima: Use EFI GetVariable only when available (bsc#1174029, bsc#1174110, bsc#1174111).
- x86/mce/inject: Fix a wrong assignment of i_mce.status (bsc#1152489).
- x86, sched: Bail out of frequency invariance if turbo_freq/base_freq gives 0 (bsc#1176925).
- x86, sched: Bail out of frequency invariance if turbo frequency is unknown (bsc#1176925).
- x86, sched: check for counters overflow in frequency invariant accounting (bsc#1176925).
- x86/stacktrace: Fix reliable check for empty user task stacks (bsc#1058115).
- x86/unwind/orc: Fix ORC for newly forked tasks (bsc#1058115).
- xen/balloon: fix accounting in alloc_xenballooned_pages error path (bsc#1065600).
- xen/balloon: make the balloon wait interruptible (bsc#1065600).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/gntdev: Fix dmabuf import with non-zero sgt offset (bsc#1065600).
- XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (bsc#1065600).
- xhci: Always restore EP_SOFT_CLEAR_TOGGLE even if ep reset failed (git-fixes).
- xhci: Do warm-reset when both CAS and XDEV_RESUME are set (git-fixes).
| Advisory ID | SUSE-RU-2020:2890-1
|
| Released | Mon Oct 12 11:07:00 2020 |
| Summary | Recommended update for multipath-tools |
| Type | recommended |
| Severity | important |
| References | 1125043,1139837,1161923,1165786,1172157,1172429,1173060,1173064,1176644,1176670 |
Description:
This update for multipath-tools fixes the following issues:
- Fixed an issue where mapping two WWID's to the same multipath led to a data corruption (bsc#1172429)
- Improved logging of some failure cases (bsc#1173060, bsc#1173064)
- Limited the PRIN allocation length to 8192 bytes (bsc#1165786)
- Added '-e' option to enable foreign libraries (bsc#1139837)
- Fixed an issue when handling synthetic uevents (bsc#1161923)
- Fix handling of hardware properties for maps without paths (bsc#1176644)
- Fixed an issue where all paths were dropped from a storage array (bsc#1125043)
- Fixed handling of incompletely initialized udev devices (bsc#1172157)
| Advisory ID | SUSE-RU-2020:2893-1
|
| Released | Mon Oct 12 14:14:55 2020 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1177479 |
Description:
This update for openssl-1_1 fixes the following issues:
- Restore private key check in EC_KEY_check_key (bsc#1177479)
| Advisory ID | SUSE-SU-2020:2901-1
|
| Released | Tue Oct 13 14:22:43 2020 |
| Summary | Security update for libproxy |
| Type | security |
| Severity | important |
| References | 1176410,1177143,CVE-2020-25219,CVE-2020-26154 |
Description:
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
| Advisory ID | SUSE-SU-2020:2914-1
|
| Released | Tue Oct 13 17:25:20 2020 |
| Summary | Security update for bind |
| Type | security |
| Severity | moderate |
| References | 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 |
Description:
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now more strict in regards to DNSSEC. If queries are not working,
check for DNSSEC issues. For instance, if bind is used in a namserver
forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from
a request. Root and TLD servers are no longer exempt
from max-recursion-queries. Fetches for missing name server. (bsc#1171740)
Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone content
and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
incorrectly treated as 'zonesub' rules, which allowed
keys used in 'subdomain' rules to update names outside
of the specified subdomains. The problem was fixed by
making sure 'subdomain' rules are again processed as
described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request (bsc#1175443).
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created
chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
so that named, being a/the only member of the 'named' group
has full r/w access yet cannot change directories owned by root
in the case of a compromized named.
[bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
(init/named system/lwresd.init system/named.init in vendor-files)
as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
of /usr/sbin/dnssec-keygen as BIND now uses the random number
functions provided by the crypto library (i.e., OpenSSL or a
PKCS#11 provider) as a source of randomness rather than /dev/random.
Therefore the -r command line option no longer has any effect on
dnssec-keygen. Leaving the option in genDDNSkey as to not break
compatibility. Patch provided by Stefan Eisenwiener.
[bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
systemd context as well as legacy sysv, make use of start_daemon.
| Advisory ID | SUSE-RU-2020:2936-1
|
| Released | Thu Oct 15 13:41:33 2020 |
| Summary | Recommended update for iproute2 |
| Type | recommended |
| Severity | moderate |
| References | 1175281 |
Description:
This update for iproute2 provides the following fix:
- Add the iproute2-arpd sub-package to the SLE Basesystem module. (bsc#1175281)
| Advisory ID | SUSE-SU-2020:2947-1
|
| Released | Fri Oct 16 15:23:07 2020 |
| Summary | Security update for gcc10, nvptx-tools |
| Type | security |
| Severity | moderate |
| References | 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 |
Description:
This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:
| Advisory ID | SUSE-RU-2020:2953-1
|
| Released | Mon Oct 19 06:25:15 2020 |
| Summary | Recommended update for gettext-runtime |
| Type | recommended |
| Severity | moderate |
| References | 1176142 |
Description:
This update for gettext-runtime fixes the following issues:
- Fix for an issue when 'xgettext' crashes during creating a 'POT' file. (bsc#1176142)
| Advisory ID | SUSE-RU-2020:2958-1
|
| Released | Tue Oct 20 12:24:55 2020 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | moderate |
| References | 1158830 |
Description:
This update for procps fixes the following issues:
- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)
| Advisory ID | SUSE-SU-2020:2980-1
|
| Released | Wed Oct 21 13:28:37 2020 |
| Summary | Security update for the Linux Kernel |
| Type | security |
| Severity | critical |
| References | 1065600,1065729,1155798,1165692,1168468,1171675,1171688,1174003,1174098,1175599,1175621,1175807,1176019,1176400,1176907,1176979,1177090,1177109,1177121,1177193,1177194,1177206,1177258,1177271,1177283,1177284,1177285,1177286,1177297,1177384,1177511,1177617,1177681,1177683,1177687,1177694,1177697,1177719,1177724,1177725,1177726,954532,CVE-2020-12351,CVE-2020-12352,CVE-2020-24490,CVE-2020-25641,CVE-2020-25643,CVE-2020-25645 |
Description:
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724).
- CVE-2020-24490: Fixed a heap buffer overflow when processing extended advertising report events aka 'BleedingTooth' aka 'BadVibes' (bsc#1177726).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' aka 'BadChoice' (bsc#1177725).
- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
The following non-security bugs were fixed:
- 9p: Fix memory leak in v9fs_mount (git-fixes).
- ACPI: EC: Reference count query handlers under lock (git-fixes).
- airo: Fix read overflows sending packets (git-fixes).
- ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
- arm64: Enable PCI write-combine resources under sysfs (bsc#1175807).
- ASoC: img-i2s-out: Fix runtime PM imbalance on error (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1 (git-fixes).
- ASoC: kirkwood: fix IRQ error handling (git-fixes).
- ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions (git-fixes).
- ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811 (git-fixes).
- ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 (git-fixes).
- ath10k: fix array out-of-bounds access (git-fixes).
- ath10k: fix memory leak for tpc_stats_final (git-fixes).
- ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
- Bluetooth: Fix refcount use-after-free issue (git-fixes).
- Bluetooth: guard against controllers sending zero'd events (git-fixes).
- Bluetooth: Handle Inquiry Cancel error after Inquiry Complete (git-fixes).
- Bluetooth: L2CAP: handle l2cap config request during open state (git-fixes).
- Bluetooth: prefetch channel before killing sock (git-fixes).
- brcmfmac: Fix double freeing in the fmac usb data path (git-fixes).
- btrfs: block-group: do not set the wrong READA flag for btrfs_read_block_groups() (bsc#1176019).
- btrfs: block-group: fix free-space bitmap threshold (bsc#1176019).
- btrfs: block-group: refactor how we delete one block group item (bsc#1176019).
- btrfs: block-group: refactor how we insert a block group item (bsc#1176019).
- btrfs: block-group: refactor how we read one block group item (bsc#1176019).
- btrfs: block-group: rename write_one_cache_group() (bsc#1176019).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: do not take an extra root ref at allocation time (bsc#1176019).
- btrfs: drop logs when we've aborted a transaction (bsc#1176019).
- btrfs: fix a race between scrub and block group removal/allocation (bsc#1176019).
- Btrfs: fix crash during unmount due to race with delayed inode workers (bsc#1176019).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: free block groups after free'ing fs trees (bsc#1176019).
- btrfs: hold a ref on the root on the dead roots list (bsc#1176019).
- btrfs: kill the subvol_srcu (bsc#1176019).
- btrfs: make btrfs_cleanup_fs_roots use the radix tree lock (bsc#1176019).
- btrfs: make inodes hold a ref on their roots (bsc#1176019).
- btrfs: make the extent buffer leak check per fs info (bsc#1176019).
- btrfs: move ino_cache_inode dropping out of btrfs_free_fs_root (bsc#1176019).
- btrfs: move the block group freeze/unfreeze helpers into block-group.c (bsc#1176019).
- btrfs: move the root freeing stuff into btrfs_put_root (bsc#1176019).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer necessary chunk mutex locking cases (bsc#1176019).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: rename member 'trimming' of block group to a more generic name (bsc#1176019).
- btrfs: scrub, only lookup for csums if we are dealing with a data extent (bsc#1176019).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal (git-fixes).
- clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED (git-fixes).
- clk: socfpga: stratix10: fix the divider for the emac_ptp_free_clk (git-fixes).
- clk: tegra: Always program PLL_E when enabled (git-fixes).
- clk/ti/adpll: allocate room for terminating null (git-fixes).
- clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() (git-fixes).
- clocksource/drivers/timer-gx6605s: Fixup counter reload (git-fixes).
- create Storage / NVMe subsection
- crypto: algif_aead - Do not set MAY_BACKLOG on the async path (git-fixes).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- crypto: picoxcell - Fix potential race condition bug (git-fixes).
- crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA (git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- Disable CONFIG_LIVEPATCH_IPA_CLONES where not needed Explicitly disable CONFIG_LIVEPATCH_IPA_CLONES in configs where it is not needed to avoid confusion and unwanted values due to fragment config files.
- dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails (git-fixes).
- dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
- dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
- dmaengine: tegra-apb: Prevent race conditions on channel's freeing (git-fixes).
- dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
- dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) (git-fixes).
- drivers: char: tlclk.c: Avoid data race between init and interrupt handler (git-fixes).
- drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config (git-fixes).
- drm/radeon: revert 'Prefer lower feedback dividers' (bsc#1177384).
- drop Storage / bsc#1171688 subsection No effect on expanded tree.
- e1000: Do not perform reset in reset_task if we are already down (git-fixes).
- ftrace: Move RCU is watching check after recursion check (git-fixes).
- fuse: do not ignore errors from fuse_writepages_fill() (bsc#1177193).
- gpio: mockup: fix resource leak in error path (git-fixes).
- gpio: rcar: Fix runtime PM imbalance on error (git-fixes).
- gpio: siox: explicitly support only threaded irqs (git-fixes).
- gpio: sprd: Clear interrupt when setting the type as edge (git-fixes).
- gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
- hwmon: (applesmc) check status earlier (git-fixes).
- hwmon: (mlxreg-fan) Fix double 'Mellanox' (git-fixes).
- hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61} (git-fixes).
- i2c: aspeed: Mask IRQ status to relevant bits (git-fixes).
- i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() (git-fixes).
- i2c: cpm: Fix i2c_ram structure (git-fixes).
- i2c: i801: Exclude device from suspend direct complete optimization (git-fixes).
- i2c: meson: fix clock setting overwrite (git-fixes).
- i2c: meson: fixup rate calculation with filter delay (git-fixes).
- i2c: owl: Clear NACK and BUS error bits (git-fixes).
- i2c: tegra: Prevent interrupt triggering after transfer timeout (git-fixes).
- i2c: tegra: Restore pinmux on system resume (git-fixes).
- ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
- ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes).
- iio: adc: qcom-spmi-adc5: fix driver name (git-fixes).
- ima: extend boot_aggregate with kernel measurements (bsc#1177617).
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (bsc#954532).
- iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE (bsc#1177297).
- iommu/amd: Fix potential @entry null deref (bsc#1177283).
- iommu/amd: Re-factor guest virtual APIC (de-)activation code (bsc#1177284).
- iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode (bsc#1177285).
- iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() (bsc#1177286).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- kabi fix for NFS: Fix flexfiles read failover (git-fixes).
- kabi: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
- kabi/severities: ignore kABI for target_core_rbd Match behaviour for all other Ceph specific modules.
- kernel-binary.spec.in: Exclude .config.old from kernel-devel - use tar excludes for .kernel-binary.spec.buildenv
- kernel-binary.spec.in: Package the obj_install_dir as explicit filelist.
- leds: mlxreg: Fix possible buffer overflow (git-fixes).
- libceph-add-support-for-CMPEXT-compare-extent-reques.patch: (bsc#1177090).
- mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes).
- mac80211: skip mpath lookup also for control port tx (git-fixes).
- mac802154: tx: fix use-after-free (git-fixes).
- macsec: avoid use-after-free in macsec_handle_frame() (git-fixes).
- media: camss: Fix a reference count leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: mc-device.c: fix memleak in media_device_register_entity (git-fixes).
- media: mx2_emmaprp: Fix memleak in emmaprp_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: ov5640: Correct Bit Div register in clock tree diagram (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: rcar-csi2: Allocate v4l2_async_subdev dynamically (git-fixes).
- media: rcar-vin: Fix a reference count leak (git-fixes).
- media: rc: do not access device via sysfs after rc_unregister_device() (git-fixes).
- media: rc: uevent sysfs file races with rc_unregister_device() (git-fixes).
- media: Revert 'media: exynos4-is: Add missed check for pinctrl_lookup_state()' (git-fixes).
- media: rockchip/rga: Fix a reference count leak (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: smiapp: Fix error handling at NVM reading (git-fixes).
- media: staging/intel-ipu3: css: Correctly reset some memory (git-fixes).
- media: stm32-dcmi: Fix a reference count leak (git-fixes).
- media: tc358743: cleanup tc358743_cec_isr (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Set media controller entity functions (git-fixes).
- media: uvcvideo: Silence shift-out-of-bounds warning (git-fixes).
- media: v4l2-async: Document asd allocation requirements (git-fixes).
- mfd: mfd-core: Protect against NULL call-back function pointer (git-fixes).
- mm: call cond_resched() from deferred_init_memmap() (git fixes (mm/init), bsc#1177697).
- mmc: core: do not set limits.discard_granularity as 0 (git-fixes).
- mmc: core: Rework wp-gpio handling (git-fixes).
- mm, compaction: fully assume capture is not NULL in compact_zone_order() (git fixes (mm/compaction), bsc#1177681).
- mm, compaction: make capture control handling safe wrt interrupts (git fixes (mm/compaction), bsc#1177681).
- mmc: sdhci-acpi: AMDI0040: Set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes).
- mmc: sdhci: Add LTR support for some Intel BYT based controllers (git-fixes).
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS models (git-fixes).
- mm/debug.c: always print flags in dump_page() (git fixes (mm/debug)).
- mm: initialize deferred pages with interrupts enabled (git fixes (mm/init), bsc#1177697).
- mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps() (bsc#1177694).
- mm/migrate.c: also overwrite error when it is bigger than zero (git fixes (mm/move_pages), bsc#1177683).
- mm: move_pages: report the number of non-attempted pages (git fixes (mm/move_pages), bsc#1177683).
- mm: move_pages: return valid node id in status if the page is already on the target node (git fixes (mm/move_pages), bsc#1177683).
- mm/pagealloc.c: call touch_nmi_watchdog() on max order boundaries in deferred init (git fixes (mm/init), bsc#1177697).
- mm, slab/slub: move and improve cache_from_obj() (mm/slub bsc#1165692). mm, slab/slub: improve error reporting and overhead of cache_from_obj() (mm/slub bsc#1165692).
- mm, slub: extend checks guarded by slub_debug static key (mm/slub bsc#1165692).
- mm, slub: extend slub_debug syntax for multiple blocks (mm/slub bsc#1165692).
- mm, slub: introduce kmem_cache_debug_flags() (mm/slub bsc#1165692).
- mm, slub: introduce static key for slub_debug() (mm/slub bsc#1165692).
- mm, slub: make reclaim_account attribute read-only (mm/slub bsc#1165692).
- mm, slub: make remaining slub_debug related attributes read-only (mm/slub bsc#1165692).
- mm, slub: make some slub_debug related attributes read-only (mm/slub bsc#1165692).
- mm, slub: remove runtime allocation order changes (mm/slub bsc#1165692).
- mm, slub: restore initial kmem_cache flags (mm/slub bsc#1165692).
- Move upstreamed intel-vbtn patch into sorted section
- mt76: add missing locking around ampdu action (git-fixes).
- mt76: clear skb pointers from rx aggregation reorder buffer during cleanup (git-fixes).
- mt76: do not use devm API for led classdev (git-fixes).
- mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw (git-fixes).
- mt76: fix LED link time failure (git-fixes).
- mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of cfi_amdstd_setup() (git-fixes).
- mtd: rawnand: gpmi: Fix runtime PM imbalance on error (git-fixes).
- mtd: rawnand: omap_elm: Fix runtime PM imbalance on error (git-fixes).
- net: phy: realtek: fix rtl8211e rx/tx delay config (git-fixes).
- nfsd4: fix NULL dereference in nfsd/clients display code (git-fixes).
- NFS: Do not move layouts to plh_return_segs list while in use (git-fixes).
- NFS: Do not return layout segments that are in use (git-fixes).
- NFS: ensure correct writeback errors are returned on close() (git-fixes).
- NFS: Fix flexfiles read failover (git-fixes).
- NFS: Fix security label length not being reset (bsc#1176381).
- NFS: nfs_file_write() should check for writeback errors (git-fixes).
- NFSv4.2: fix client's attribute cache management for copy_file_range (git-fixes).
- nvme-multipath: retry commands for dying queues (bsc#1171688).
- patches.suse/target-compare-and-write-backend-driver-sense-handli.patch: (bsc#1177719).
- patches.suse/target-rbd-detect-stripe_unit-SCSI-block-size-misali.patch (bsc#1177090).
- patches.suse/target-rbd-support-COMPARE_AND_WRITE.patch: (fate#318836, bsc#1177090).
- PCI: Avoid double hpmemsize MMIO window assignment (git-fixes).
- PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
- PCI: tegra194: Fix runtime PM imbalance on error (git-fixes).
- PCI: tegra: Fix runtime PM imbalance on error (git-fixes).
- phy: ti: am654: Fix a leak in serdes_am654_probe() (git-fixes).
- pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB (git-fixes).
- pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
- Platform: OLPC: Fix memleak in olpc_ec_probe (git-fixes).
- platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP (git-fixes).
- platform/x86: fix kconfig dependency warning for LG_LAPTOP (git-fixes).
- platform/x86: intel_pmc_core: do not create a static struct device (git-fixes).
- platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting (bsc#1175599).
- platform/x86: thinkpad_acpi: initialize tp_nvram_state variable (git-fixes).
- platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse (git-fixes).
- pNFS/flexfiles: Ensure we initialise the mirror bsizes correctly on read (git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- power: supply: max17040: Correct voltage reading (git-fixes).
- qla2xxx: Return EBUSY on fcport deletion (bsc#1171688).
- r8169: fix data corruption issue on RTL8402 (bsc#1174098).
- rbd-add-rbd_img_fill_cmp_and_write_from_bvecs.patch: (bsc#1177090).
- rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch: (bsc#1177090).
- RDMA/hfi1: Correct an interlock issue for TID RDMA WRITE request (bsc#1175621).
- Refresh patches.suse/fnic-to-not-call-scsi_done-for-unhandled-commands.patch (bsc#1168468, bsc#1171675).
- regulator: axp20x: fix LDO2/4 description (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- rename Other drivers / Intel IOMMU subsection to IOMMU
- Rename patches to the same name as in SLE15-SP3.
- Rename scsi-fnic-do-not-call-scsi_done-for-unhandled-commands.patch Fix typo in patch file name.
- rtc: ds1374: fix possible race condition (git-fixes).
- rtc: sa1100: fix possible race condition (git-fixes).
- s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
- sched/fair: Ignore cache hotness for SMT migration (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/fair: Use dst group while checking imbalance for NUMA balancer (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/numa: Use runnable_avg to classify node (bnc#1155798 (CPU scheduler functional and performance backports)).
- scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258).
- scsi: qla2xxx: Add IOCB resource tracking (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add rport fields in debugfs (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add SLER and PI control support (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix memory size truncation (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix MPI reset needed message (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix reset of MPI firmware (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Performance tweak (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1171688 bsc#1174003).
- serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout (git-fixes).
- serial: 8250_omap: Fix sleeping function called from invalid context during probe (git-fixes).
- serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
- serial: uartps: Wait for tx_empty in console setup (git-fixes).
- spi: dw-pci: free previously allocated IRQs if desc->setup() fails (git-fixes).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- spi: omap2-mcspi: Improve performance waiting for CHSTAT (git-fixes).
- spi: sprd: Release DMA channel also on probe deferral (git-fixes).
- spi: stm32: Rate-limit the 'Communication suspended' message (git-fixes).
- svcrdma: Fix page leak in svc_rdma_recv_read_chunk() (git-fixes).
- target-rbd-add-emulate_legacy_capacity-dev-attribute.patch: (bsc#1177109).
- target-rbd-add-WRITE-SAME-support.patch: (bsc#1177090).
- target-rbd-conditionally-fix-off-by-one-bug-in-get_b.patch: (bsc#1177109).
- target-rbd-fix-unmap-discard-block-size-conversion.patch: (bsc#1177271).
- target-rbd-fix-unmap-handling-with-unmap_zeroes_data.patch: (bsc#1177271).
- thermal: rcar_thermal: Handle probe error gracefully (git-fixes).
- Update config files. Enable ACPI_PCI_SLOT and HOTPLUG_PCI_ACPI (bsc#1177194).
- USB: dwc3: Increase timeout for CmdAct cleared by device controller (git-fixes).
- USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
- USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int (git-fixes).
- USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
- vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn (bsc#1176979).
- virtio-net: do not disable guest csum when disable LRO (git-fixes).
- vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
- wlcore: fix runtime pm imbalance in wl1271_tx_work (git-fixes).
- wlcore: fix runtime pm imbalance in wlcore_regdomain_config (git-fixes).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1176907).
- xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
- xprtrdma: fix incorrect header size calculations (git-fixes).
- yam: fix possible memory leak in yam_init_driver (git-fixes).
| Advisory ID | SUSE-RU-2020:2983-1
|
| Released | Wed Oct 21 15:03:03 2020 |
| Summary | Recommended update for file |
| Type | recommended |
| Severity | moderate |
| References | 1176123 |
Description:
This update for file fixes the following issues:
- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)
| Advisory ID | SUSE-RU-2020:2989-1
|
| Released | Thu Oct 22 08:53:10 2020 |
| Summary | Recommended update for chrony |
| Type | recommended |
| Severity | moderate |
| References | 1171806 |
Description:
This update for chrony fixes the following issues:
- Integrate three upstream patches to fix an infinite loop in chronyc. (bsc#1171806)
| Advisory ID | SUSE-SU-2020:2995-1
|
| Released | Thu Oct 22 10:03:09 2020 |
| Summary | Security update for freetype2 |
| Type | security |
| Severity | important |
| References | 1177914,CVE-2020-15999 |
Description:
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
| Advisory ID | SUSE-RU-2020:3048-1
|
| Released | Tue Oct 27 16:04:52 2020 |
| Summary | Recommended update for libsolv, libzypp, yaml-cpp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 |
Description:
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:
- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}= to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
(as we link statically)
yaml-cpp:
- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
channels, and the INSTALLER channels, as a new libzypp dependency.
No source changes were done to yaml-cpp.
zypper was updated to 1.14.40:
libsolv was updated to 0.7.15 to fix:
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
| Advisory ID | SUSE-SU-2020:3049-1
|
| Released | Tue Oct 27 16:08:27 2020 |
| Summary | Security update for xen |
| Type | security |
| Severity | important |
| References | 1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673 |
Description:
This update for xen fixes the following issues:
- bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347)
| Advisory ID | SUSE-RU-2020:3058-1
|
| Released | Wed Oct 28 06:11:14 2020 |
| Summary | Recommended update for catatonit |
| Type | recommended |
| Severity | moderate |
| References | 1176155 |
Description:
This update for catatonit fixes the following issues:
- Fixes an issue when catatonit hangs when process dies in very specific way. (bsc#1176155)
| Advisory ID | SUSE-RU-2020:3059-1
|
| Released | Wed Oct 28 06:11:23 2020 |
| Summary | Recommended update for sysconfig |
| Type | recommended |
| Severity | moderate |
| References | 1173391,1176285,1176325 |
Description:
This update for sysconfig fixes the following issues:
- Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285)
- Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325)
- Fix for 'chrony helper' calling in background. (bsc#1173391)
- Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566)
| Advisory ID | SUSE-SU-2020:3081-1
|
| Released | Thu Oct 29 11:00:34 2020 |
| Summary | Security update for samba |
| Type | security |
| Severity | important |
| References | 1173902,1173994,1177613,CVE-2020-14318,CVE-2020-14323,CVE-2020-14383 |
Description:
This update for samba fixes the following issues:
Update to samba 4.11.14
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
- lib/util: Do not install /usr/bin/test_util
- smbd: don't log success as error
- idmap_ad does not deal properly with a RFC4511 section 4.4.1 response;
- winbind: Fix a memleak
- idmap_ad: Pass tldap debug messages on to DEBUG()
- lib/replace: Move lib/replace/closefrom.c from ROKEN_HOSTCC_SOURCE to REPLACE_HOSTCC_SOURCE
- ctdb disable/enable can fail due to race condition
| Advisory ID | SUSE-RU-2020:3099-1
|
| Released | Thu Oct 29 19:33:41 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1177460 |
Description:
This update for timezone fixes the following issues:
- timezone update 2020b (bsc#1177460)
* Revised predictions for Morocco's changes starting in 2023.
* Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
* Macquarie Island has stayed in sync with Tasmania since 2011.
* Casey, Antarctica is at +08 in winter and +11 in summer.
* zic no longer supports -y, nor the TYPE field of Rules.
| Advisory ID | SUSE-SU-2020:3122-1
|
| Released | Tue Nov 3 09:46:29 2020 |
| Summary | Security update for the Linux Kernel |
| Type | security |
| Severity | important |
| References | 1055014,1055186,1061843,1065729,1077428,1129923,1134760,1152489,1174748,1174969,1175052,1175898,1176485,1176713,1177086,1177353,1177410,1177411,1177470,1177739,1177749,1177750,1177754,1177755,1177765,1177814,1177817,1177854,1177855,1177856,1177861,1178002,1178079,1178246,CVE-2020-14351,CVE-2020-16120,CVE-2020-25285 |
Description:
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-25285: A race condition between hugetlb sysctl handlers in mm/hugetlb.c could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact (bnc#1176485).
- CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file. (bsc#1177470)
- CVE-2020-14351: Fixed a race condition in the perf_mmap_close() function (bsc#1177086).
The following non-security bugs were fixed:
- ACPI: Always build evged in (git-fixes).
- ACPI: button: fix handling lid state changes when input device closed (git-fixes).
- ACPI: configfs: Add missing config_item_put() to fix refcount leak (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- Add CONFIG_CHECK_CODESIGN_EKU
- ALSA: ac97: (cosmetic) align argument names (git-fixes).
- ALSA: aoa: i2sbus: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: asihpi: fix spellint typo in comments (git-fixes).
- ALSA: atmel: ac97: clarify operator precedence (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: fireworks: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda: (cosmetic) align function parameters (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - set mic to auto detect on a HP AIO machine (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hdspm: Fix typo arbitary (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: portman2x4: fix repeated word 'if' (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: sparc: dbri: fix repeated word 'the' (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake 'Frequence' -> 'Frequency' (git-fixes).
- ALSA: usb-audio: Line6 Pod Go interface requires static clock rate quirk (git-fixes).
- ALSA: usb: scarless_gen2: fix endianness issue (git-fixes).
- ALSA: vx: vx_core: clarify operator precedence (git-fixes).
- ALSA: vx: vx_pcm: remove redundant assignment (git-fixes).
- ASoC: fsl: imx-es8328: add missing put_device() call in imx_es8328_probe() (git-fixes).
- ASoC: fsl_sai: Instantiate snd_soc_dai_driver (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ASoC: sun50i-codec-analog: Fix duplicate use of ADC enable bits (git-fixes).
- ASoC: tlv320aic32x4: Fix bdiv clock rate derivation (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k_htc: Use appropriate rs_datalen type (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- block: Fix page_is_mergeable() for compound pages (bsc#1177814).
- Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- btrfs: add owner and fs_info to alloc_state io_tree (bsc#1177854).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: flexcan: remove ack_grp and ack_bit handling from driver (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: keystone: sci-clk: fix parsing assigned-clock data during probe (git-fixes).
- clk: meson: g12a: mark fclk_div2 as critical (git-fixes).
- clk: qcom: gcc-sdm660: Fix wrong parent_map (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- dax: Fix compilation for CONFIG_DAX && !CONFIG_FS_DAX (bsc#1177817).
- dma-direct: add missing set_memory_decrypted() for coherent mapping (bsc#1175898, ECO-2743).
- dma-direct: always align allocation size in dma_direct_alloc_pages() (bsc#1175898, ECO-2743).
- dma-direct: atomic allocations must come from atomic coherent pools (bsc#1175898, ECO-2743).
- dma-direct: check return value when encrypting or decrypting memory (bsc#1175898, ECO-2743).
- dma-direct: consolidate the error handling in dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dma-direct: make uncached_kernel_address more general (bsc#1175898, ECO-2743).
- dma-direct: provide function to check physical memory area validity (bsc#1175898, ECO-2743).
- dma-direct: provide mmap and get_sgtable method overrides (bsc#1175898, ECO-2743).
- dma-direct: re-encrypt memory if dma_direct_alloc_pages() fails (bsc#1175898, ECO-2743).
- dma-direct: remove __dma_direct_free_pages (bsc#1175898, ECO-2743).
- dma-direct: remove the dma_handle argument to __dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- dmaengine: dmatest: Check list for emptiness before access its last entry (git-fixes).
- dma-mapping: add a dma_can_mmap helper (bsc#1175898, ECO-2743).
- dma-mapping: always use VM_DMA_COHERENT for generic DMA remap (bsc#1175898, ECO-2743).
- dma-mapping: DMA_COHERENT_POOL should select GENERIC_ALLOCATOR (bsc#1175898, ECO-2743).
- dma-mapping: make dma_atomic_pool_init self-contained (bsc#1175898, ECO-2743).
- dma-mapping: merge the generic remapping helpers into dma-direct (bsc#1175898, ECO-2743).
- dma-mapping: remove arch_dma_mmap_pgprot (bsc#1175898, ECO-2743).
- dma-mapping: warn when coherent pool is depleted (bsc#1175898, ECO-2743).
- dma-pool: add additional coherent pools to map to gfp mask (bsc#1175898, ECO-2743).
- dma-pool: add pool sizes to debugfs (bsc#1175898, ECO-2743).
- dma-pool: decouple DMA_REMAP from DMA_COHERENT_POOL (bsc#1175898, ECO-2743).
- dma-pool: do not allocate pool memory from CMA (bsc#1175898, ECO-2743).
- dma-pool: dynamically expanding atomic pools (bsc#1175898, ECO-2743).
- dma-pool: Fix an uninitialized variable bug in atomic_pool_expand() (bsc#1175898, ECO-2743).
- dma-pool: fix coherent pool allocations for IOMMU mappings (bsc#1175898, ECO-2743).
- dma-pool: fix too large DMA pools on medium memory size systems (bsc#1175898, ECO-2743).
- dma-pool: get rid of dma_in_atomic_pool() (bsc#1175898, ECO-2743).
- dma-pool: introduce dma_guess_pool() (bsc#1175898, ECO-2743).
- dma-pool: make sure atomic pool suits device (bsc#1175898, ECO-2743).
- dma-pool: Only allocate from CMA when in same memory zone (bsc#1175898, ECO-2743).
- dma-pool: scale the default DMA coherent pool size with memory capacity (bsc#1175898, ECO-2743).
- dma-remap: separate DMA atomic pools from direct remap code (bsc#1175898, ECO-2743).
- dm: Call proper helper to determine dax support (bsc#1177817).
- dm/dax: Fix table reference counts (bsc#1178246).
- docs: driver-api: remove a duplicated index entry (git-fixes).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1152489).
- extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips (git-fixes).
- HID: hid-input: fix stylus battery reporting (git-fixes).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs (git-fixes).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- i2c: rcar: Auto select RESET_CONTROLLER (git-fixes).
- i3c: master add i3c_master_attach_boardinfo to preserve boardinfo (git-fixes).
- i3c: master: Fix error return in cdns_i3c_master_probe() (git-fixes).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- ibmvnic: set up 200GBPS speed (bsc#1129923 git-fixes).
- ida: Free allocated bitmap in error path (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio: adc: gyroadc: fix leak of device node iterator (git-fixes).
- iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Do not ignore errors from crypto_shash_update() (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- Input: ati_remote2 - add missing newlines when printing module parameters (git-fixes).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: stmfts - fix a & vs && typo (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1177739).
- ipmi_si: Fix wrong return value in try_smi_init() (git-fixes).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kABI: Fix kABI after add CodeSigning extended key usage (bsc#1177353).
- leds: mt6323: move period calculation (git-fixes).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- memory: omap-gpmc: Fix build error without CONFIG_OF (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- mm: do not panic when links can't be created in sysfs (bsc#1178002).
- mm: do not rely on system state to detect hot-plug operations (bsc#1178002).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm: replace memmap_context by meminit_context (bsc#1178002).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mtd: rawnand: stm32_fmc2: fix a buffer overflow (git-fixes).
- mtd: rawnand: vf610: disable clk on error handling path in probe (git-fixes).
- mtd: spinand: gigadevice: Add QE Bit (git-fixes).
- mtd: spinand: gigadevice: Only one dummy byte in QUADIO (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- ntb: intel: Fix memleak in intel_ntb_pci_probe (git-fixes).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- overflow: Include header file with SIZE_MAX declaration (git-fixes).
- PCI: aardvark: Check for errors from pci_bridge_emul_init() call (git-fixes).
- percpu: fix first chunk size calculation for populated bitmap (git-fixes (mm/percpu)).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1152489).
- perf/x86: Fix n_pair for cancelled txn (bsc#1152489).
- pinctrl: mcp23s08: Fix mcp23x17 precious range (git-fixes).
- pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser (git-fixes).
- PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification (bsc#1177353).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- PM: hibernate: Batch hibernate and resume IO requests (bsc#1178079).
- powerpc/book3s64/radix: Make radix_mem_block_size 64bit (bsc#1055186 ltc#153436 git-fixes).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/papr_scm: Fix warning triggered by perf_stats_show() (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: Avoid using addr_to_pfn in real mode (jsc#SLE-9246 git-fixes).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- pwm: img: Fix null pointer access in probe (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- qtnfmac: fix resource leaks on unsupported iftype error return path (git-fixes).
- r8169: fix operation under forced interrupt threading (git-fixes).
- rapidio: fix the missed put_device() for rio_mport_add_riodev (git-fixes).
- reset: sti: reset-syscfg: fix struct description warnings (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rtc: rx8010: do not modify the global rtc ops (git-fixes).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: mptfusion: Do not use GFP_ATOMIC for larger DMA allocations (bsc#1175898, ECO-2743).
- slimbus: core: check get_addr before removing laddr ida (git-fixes).
- slimbus: core: do not enter to clock pause mode in core (git-fixes).
- slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback (git-fixes).
- soc: fsl: qbman: Fix return value on success (git-fixes).
- staging: comedi: check validity of wMaxPacketSize of usb endpoints found (git-fixes).
- staging: rtl8192u: Do not use GFP_KERNEL in atomic context (git-fixes).
- tracing: Check return value of __create_val_fields() before using its result (git-fixes).
- tracing: Save normal string variables (git-fixes).
- USB: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- USB: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- USB: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- USB: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- USB: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- USB: dwc3: gadget: Resume pending requests after CLEAR_STALL (git-fixes).
- USB: dwc3: pci: Allow Elkhart Lake to utilize DSM method for PM functionality (git-fixes).
- USB: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- USB: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usblp: fix race between disconnect() and read() (git-fixes).
- USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
- USB: serial: option: add Cellient MPL200 card (git-fixes).
- USB: serial: option: Add Telit FT980-KS composition (git-fixes).
- USB: serial: pl2303: add device-id for HP GC device (git-fixes).
- USB: serial: qcserial: fix altsetting probing (git-fixes).
- usb: xhci-mtk: Fix typo (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: Fix memleak in watchdog_cdev_register (git-fixes).
- watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 (git-fixes).
- watchdog: Use put_device on error (git-fixes).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- X.509: Add CodeSigning extended key usage parsing (bsc#1177353).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1152489).
- x86/ioapic: Unbreak check_timer() (bsc#1152489).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1177765).
- x86/mm: unencrypted non-blocking DMA allocations use coherent pools (bsc#1175898, ECO-2743).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pvcallsback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xfs: force the log after remapping a synchronous-writes file (git-fixes).
- xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).
| Advisory ID | SUSE-RU-2020:3123-1
|
| Released | Tue Nov 3 09:48:13 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | important |
| References | 1177460,1178346,1178350,1178353 |
Description:
This update for timezone fixes the following issues:
- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)
| Advisory ID | SUSE-RU-2020:3138-1
|
| Released | Tue Nov 3 12:14:03 2020 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1104902,1154935,1165502,1167471,1173422,1176513,1176800 |
Description:
This update for systemd fixes the following issues:
- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)
| Advisory ID | SUSE-RU-2020:3157-1
|
| Released | Wed Nov 4 15:37:05 2020 |
| Summary | Recommended update for ca-certificates-mozilla |
| Type | recommended |
| Severity | moderate |
| References | 1177864 |
Description:
This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
- EE Certification Centre Root CA
- Taiwan GRCA
- Trustwave Global Certification Authority
- Trustwave Global ECC P256 Certification Authority
- Trustwave Global ECC P384 Certification Authority
| Advisory ID | SUSE-RU-2020:3199-1
|
| Released | Fri Nov 6 13:01:11 2020 |
| Summary | Recommended update for SUSEConnect |
| Type | recommended |
| Severity | moderate |
| References | 1155027 |
Description:
This update for SUSEConnect fixes the following issues:
- Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027)
- Add 'rpmlintrc' to filter false-positive warning about patch not applied
- Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109)
| Advisory ID | SUSE-RU-2020:3253-1
|
| Released | Mon Nov 9 07:45:04 2020 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1174697,1176173 |
Description:
This update for mozilla-nss fixes the following issues:
- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
NIST SP800-56Arev3 compliant (bsc#1176173).
| Advisory ID | SUSE-RU-2020:3270-1
|
| Released | Tue Nov 10 17:53:08 2020 |
| Summary | Recommended update for bind |
| Type | recommended |
| Severity | moderate |
| References | 1175894,1177603,1177790,1177913,1177915,1178078 |
Description:
This update for bind fixes the following issues:
- Add '/usr/lib64/named' to the files and directories in bind config to include external plugins for chroot. (bsc#1178078)
- Replaced named's dependency on time-sync with a dependency on time-set in 'named.service' to avoid a dependency-loop. (bsc#1177790)
- Removed 'dnssec-enable' from named.conf as it has been obsoleted and may break. (bsc#1177915)
- Added a comment for reference which should be removed in the future. (bsc#1177603)
- Added a comment to the 'dnssec-validation' in named.conf with a reference to forwarders which do not return signed responses. (bsc#1175894)
- Replaced an INSIST macro which calls abort with a test and a diagnostic output. (bsc#1177913)
| Advisory ID | SUSE-RU-2020:3286-1
|
| Released | Wed Nov 11 12:24:19 2020 |
| Summary | Recommended update for grub2 |
| Type | recommended |
| Severity | moderate |
| References | 1172952,1176062,1177957,1178278 |
Description:
This update for grub2 fixes the following issues:
- Fixed an issue, where the https boot was interrupted by an unrecognized network address
error message (bsc#1172952)
- Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062)
- Fixed an error in grub2-install where it exited with 'failed to get canonical path
of `/boot/grub2/i386-pc'.' (bsc#1177957)
- Fixed a boot failure issue on blocklist installations (bsc#1178278)
| Advisory ID | SUSE-RU-2020:3290-1
|
| Released | Wed Nov 11 12:25:32 2020 |
| Summary | Recommended update for findutils |
| Type | recommended |
| Severity | moderate |
| References | 1174232 |
Description:
This update for findutils fixes the following issues:
- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.
| Advisory ID | SUSE-RU-2020:3294-1
|
| Released | Wed Nov 11 12:28:46 2020 |
| Summary | Recommended update for SLES-release |
| Type | recommended |
| Severity | moderate |
| References | 1177998 |
Description:
This update for SLES-release fixes the following issue:
- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)
| Advisory ID | SUSE-RU-2020:3301-1
|
| Released | Thu Nov 12 13:51:02 2020 |
| Summary | Recommended update for openssh |
| Type | recommended |
| Severity | moderate |
| References | 1177939 |
Description:
This update for openssh fixes the following issues:
- Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939).
| Advisory ID | SUSE-RU-2020:2779-1
|
| Released | Thu Nov 12 15:00:21 2020 |
| Summary | Recommended update for rsyslog |
| Type | recommended |
| Severity | moderate |
| References | 1173433,1178627 |
Description:
This update for rsyslog fixes the following issues:
- Fix the URL for bug reporting. (bsc#1173433)
- ship rsyslog-module-mmnormalize module which was forgotten in GA (bsc#1178627)
| Advisory ID | SUSE-SU-2020:3313-1
|
| Released | Thu Nov 12 16:07:37 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1178387,CVE-2020-25692 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
| Advisory ID | SUSE-RU-2020:3323-1
|
| Released | Fri Nov 13 15:25:55 2020 |
| Summary | Recommended update for cloud-init |
| Type | recommended |
| Severity | moderate |
| References | 1174443,1174444,1177526 |
Description:
This update for cloud-init contains the following fixes:
- Avoid exception if no gateway information is present and warning
is triggered for existing routing. (bsc#1177526)
Update to version 20.2 (bsc#1174443, bsc#1174444)
+ doc/format: reference make-mime.py instead of an inline script (#334)
+ Add docs about creating parent folders (#330) [Adrian Wilkins]
+ DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470)
+ schema: ignore spurious pylint error (#332)
+ schema: add json schema for write_files module (#152)
+ BSD: find_devs_with_ refactoring (#298) [Goneri Le Bouder]
+ nocloud: drop work around for Linux 2.6 (#324) [Goneri Le Bouder]
+ cloudinit: drop dependencies on unittest2 and contextlib2 (#322)
+ distros: handle a potential mirror filtering error case (#328)
+ log: remove unnecessary import fallback logic (#327)
+ .travis.yml: don't run integration test on ubuntu/* branches (#321)
+ More unit test documentation (#314)
+ conftest: introduce disable_subp_usage autouse fixture (#304)
+ YAML align indent sizes for docs readability (#323) [Tak Nishigori]
+ network_state: add missing space to log message (#325)
+ tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910)
+ test_mounts: expand happy path test for both happy paths (#319)
+ cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836)
+ swap file 'size' being used before checked if str (#315) [Eduardo Otubo]
+ HACKING.rst: add pytest version gotchas section (#311)
+ docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers]
+ readme: OpenBSD is now supported (#309) [Goneri Le Bouder]
+ net: ignore 'renderer' key in netplan config (#306) (LP: #1870421)
+ Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370)
+ openbsd: set_passwd should not unlock user (#289) [Goneri Le Bouder]
+ tools/.github-cla-signers: add beezly as CLA signer (#301)
+ util: remove unnecessary lru_cache import fallback (#299)
+ HACKING.rst: reorganise/update CLA signature info (#297)
+ distros: drop leading/trailing hyphens from mirror URL labels (#296)
+ HACKING.rst: add note about variable annotations (#295)
+ CiTestCase: stop using and remove sys_exit helper (#283)
+ distros: replace invalid characters in mirror URLs with hyphens (#291)
(LP: #1868232)
+ rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy]
+ Fix cloud-init ignoring some misdeclared mimetypes in user-data.
[Kurt Garloff]
+ net: ubuntu focal prioritize netplan over eni even if both present
(#267) (LP: #1867029)
+ cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292)
+ net/cmdline: replace type comments with annotations (#294)
+ HACKING.rst: add Type Annotations design section (#293)
+ net: introduce is_ip_address function (#288)
+ CiTestCase: remove now-unneeded parse_and_read helper method (#286)
+ .travis.yml: allow 30 minutes of inactivity in cloud tests (#287)
+ sources/tests/test_init: drop use of deprecated inspect.getargspec (#285)
+ setup.py: drop NIH check_output implementation (#282)
+ Identify SAP Converged Cloud as OpenStack [Silvio Knizek]
+ add Openbsd support (#147) [Goneri Le Bouder]
+ HACKING.rst: add examples of the two test class types (#278)
+ VMWware: support to update guest info gc status if enabled (#261)
[xiaofengw-vmware]
+ Add lp-to-git mapping for kgarloff (#279)
+ set_passwords: avoid chpasswd on BSD (#268) [Goneri Le Bouder]
+ HACKING.rst: add Unit Testing design section (#277)
+ util: read_cc_from_cmdline handle urlencoded yaml content (#275)
+ distros/tests/test_init: add tests for _get_package_mirror_info (#272)
+ HACKING.rst: add links to new Code Review Process doc (#276)
+ freebsd: ensure package update works (#273) [Goneri Le Bouder]
+ doc: introduce Code Review Process documentation (#160)
+ tools: use python3 (#274)
+ cc_disk_setup: fix RuntimeError (#270) (LP: #1868327)
+ cc_apt_configure/util: combine search_for_mirror implementations (#271)
+ bsd: boottime does not depend on the libc soname (#269)
[Goneri Le Bouder]
+ test_oracle,DataSourceOracle: sort imports (#266)
+ DataSourceOracle: update .network_config docstring (#257)
+ cloudinit/tests: remove unneeded with_logs configuration (#263)
+ .travis.yml: drop stale comment (#255)
+ .gitignore: add more common directories (#258)
+ ec2: render network on all NICs and add secondary IPs as static (#114)
(LP: #1866930)
+ ec2 json validation: fix the reference to the 'merged_cfg' key (#256)
[Paride Legovini]
+ releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini]
+ cloudinit: remove six from packaging/tooling (#253)
+ util/netbsd: drop six usage (#252)
+ workflows: introduce stale pull request workflow (#125)
+ cc_resolv_conf: introduce tests and stabilise output across Python
versions (#251)
+ fix minor issue with resolv_conf template (#144) [andreaf74]
+ doc: CloudInit also support NetBSD (#250) [Goneri Le Bouder]
+ Add Netbsd support (#62) [Goneri Le Bouder]
+ tox.ini: avoid substition syntax that causes a traceback on xenial (#245)
+ Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby]
+ Introduce and use of a list of GitHub usernames that have signed CLA
(#244)
+ workflows/cla.yml: use correct username for CLA check (#243)
+ tox.ini: use xenial version of jsonpatch in CI (#242)
+ workflows: CLA validation altered to fail status on pull_request (#164)
+ tox.ini: bump pyflakes version to 2.1.1 (#239)
+ cloudinit: move to pytest for running tests (#211)
+ instance-data: add cloud-init merged_cfg and sys_info keys to json
(#214) (LP: #1865969)
+ ec2: Do not fallback to IMDSv1 on EC2 (#216)
+ instance-data: write redacted cfg to instance-data.json (#233)
(LP: #1865947)
+ net: support network-config:disabled on the kernel commandline (#232)
(LP: #1862702)
+ ec2: only redact token request headers in logs, avoid altering request
(#230) (LP: #1865882)
+ docs: typo fixed: dta → data [Alexey Vazhnov]
+ Fixes typo on Amazon Web Services (#217) [Nick Wales]
+ Fix docs for OpenStack DMI Asset Tag (#228)
[Mark T. Voelker] (LP: #1669875)
+ Add physical network type: cascading to openstack helpers (#200)
[sab-systems]
+ tests: add focal integration tests for ubuntu (#225)
- From 20.1 (first vesrion after 19.4)
+ ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)
(LP: #1863943)
+ utils: use SystemRandom when generating random password. (#204)
[Dimitri John Ledkov]
+ docs: mount_default_files is a list of 6 items, not 7 (#212)
+ azurecloud: fix issues with instances not starting (#205) (LP: #1861921)
+ unittest: fix stderr leak in cc_set_password random unittest
output. (#208)
+ cc_disk_setup: add swap filesystem force flag (#207)
+ import sysvinit patches from freebsd-ports tree (#161) [Igor Galić]
+ docs: fix typo (#195) [Edwin Kofler]
+ sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
[Robert Schweikert] (LP: #1800854)
+ cloudinit: replace 'from six import X' imports (except in util.py) (#183)
+ run-container: use 'test -n' instead of 'test ! -z' (#202)
[Paride Legovini]
+ net/cmdline: correctly handle static ip= config (#201)
[Dimitri John Ledkov] (LP: #1861412)
+ Replace mock library with unittest.mock (#186)
+ HACKING.rst: update CLA link (#199)
+ Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
[Louis Bouchard]
+ cloudinit/cmd/devel/net_convert.py: add missing space (#191)
+ tools/run-container: drop support for python2 (#192) [Paride Legovini]
+ Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
+ Make the RPM build use Python 3 (#190) [Paride Legovini]
+ cc_set_password: increase random pwlength from 9 to 20 (#189)
(LP: #1860795)
+ .travis.yml: use correct Python version for xenial tests (#185)
+ cloudinit: remove ImportError handling for mock imports (#182)
+ Do not use fallocate in swap file creation on xfs. (#70)
[Eduardo Otubo] (LP: #1781781)
+ .readthedocs.yaml: install cloud-init when building docs (#181)
(LP: #1860450)
+ Introduce an RTD config file, and pin the Sphinx version to the RTD
default (#180)
+ Drop most of the remaining use of six (#179)
+ Start removing dependency on six (#178)
+ Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
+ docs: add proposed SRU testing procedure (#167)
+ util: rename get_architecture to get_dpkg_architecture (#173)
+ Ensure util.get_architecture() runs only once (#172)
+ Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann]
+ freebsd: remove superflu exception mapping (#166) [Goneri Le Bouder]
+ ssh_auth_key_fingerprints_disable test: fix capitalization (#165)
[Paride Legovini]
+ util: move uptime's else branch into its own boottime function (#53)
[Igor Galić] (LP: #1853160)
+ workflows: add contributor license agreement checker (#155)
+ net: fix rendering of 'static6' in network config (#77) (LP: #1850988)
+ Make tests work with Python 3.8 (#139) [Conrad Hoffmann]
+ fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74]
+ freebsd: fix create_group() cmd (#146) [Goneri Le Bouder]
+ doc: make apt_update example consistent (#154)
+ doc: add modules page toc with links (#153) (LP: #1852456)
+ Add support for the amazon variant in cloud.cfg.tmpl (#119)
[Frederick Lefebvre]
+ ci: remove Python 2.7 from CI runs (#137)
+ modules: drop cc_snap_config config module (#134)
+ migrate-lp-user-to-github: ensure Launchpad repo exists (#136)
+ docs: add initial troubleshooting to FAQ (#104) [Joshua Powers]
+ doc: update cc_set_hostname frequency and descrip (#109)
[Joshua Powers] (LP: #1827021)
+ freebsd: introduce the freebsd renderer (#61) [Goneri Le Bouder]
+ cc_snappy: remove deprecated module (#127)
+ HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130)
+ freebsd: cloudinit service requires devd (#132) [Goneri Le Bouder]
+ cloud-init: fix capitalisation of SSH (#126)
+ doc: update cc_ssh clarify host and auth keys
[Joshua Powers] (LP: #1827021)
+ ci: emit names of tests run in Travis (#120)
| Advisory ID | SUSE-SU-2020:3273-1
|
| Released | Sat Nov 14 08:21:39 2020 |
| Summary | Security update for the Linux Kernel |
| Type | security |
| Severity | important |
| References | 1065600,1066382,1149032,1163592,1164648,1170415,1175721,1175749,1176354,1177281,1177766,1177799,1177801,1178166,1178173,1178175,1178176,1178177,1178183,1178184,1178185,1178186,1178190,1178191,1178255,1178307,1178330,1178395,CVE-2020-25656,CVE-2020-25705,CVE-2020-8694 |
Description:
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-25705: A ICMP global rate limiting side-channel was removed which could lead to e.g. the SADDNS attack (bsc#1175721)
The following non-security bugs were fixed:
- act_ife: load meta modules before tcf_idr_check_alloc() (networking-stable-20_09_24).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- block: Set same_page to false in __bio_try_merge_page if ret is false (git-fixes).
- Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (git-fixes).
- bonding: show saner speed for broadcast mode (networking-stable-20_08_24).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: allocate scrub workqueues outside of locks (bsc#1178183).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: drop path before adding new uuid tree entry (bsc#1178176).
- btrfs: fix filesystem corruption after a device replace (bsc#1178395).
- btrfs: fix NULL pointer dereference after failure to create snapshot (bsc#1178190).
- btrfs: fix overflow when copying corrupt csums for a message (bsc#1178191).
- btrfs: fix space cache memory leak after transaction abort (bsc#1178173).
- btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks (bsc#1178395).
- btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing (bsc#1178395).
- btrfs: set the correct lockdep class for new nodes (bsc#1178184).
- btrfs: set the lockdep class for log tree extent buffers (bsc#1178186).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- ceph: promote to unsigned long long before shifting (bsc#1178175).
- crypto: ccp - fix error handling (git-fixes).
- cxgb4: fix memory leak during module unload (networking-stable-20_09_24).
- cxgb4: Fix offset when clearing filter byte counters (networking-stable-20_09_24).
- Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes
- Disable module compression on SLE15 SP2 (bsc#1178307)
- dmaengine: dw: Activate FIFO-mode for memory peripherals only (git-fixes).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- futex: Adjust absolute futex timeouts with per time namespace offset (bsc#1164648).
- futex: Consistently use fshared as boolean (bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1149032).
- futex: Remove put_futex_key() (bsc#1149032).
- futex: Remove unused or redundant includes (bsc#1149032).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- icmp: randomize the global rate limiter (git-fixes).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- ipv4: Initialize flowi4_multipath_hash in data path (networking-stable-20_09_24).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
- ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24).
- ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24).
- ipv6: Fix sysctl max for fib_multipath_hash_policy (networking-stable-20_09_11).
- ipvlan: fix device features (networking-stable-20_08_24).
- kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (git-fixes).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178177).
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes).
- media: i2c: ov5640: Remain in power down for DVP mode unless streaming (git-fixes).
- media: i2c: ov5640: Separate out mipi configuration from s_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes).
- media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mm: fix a race during THP splitting (bsc#1178255).
- mm: madvise: fix vma user-after-free (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- module: Correctly truncate sysfs sections output (git-fixes).
- module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes).
- module: Refactor section attr into bin attribute (git-fixes).
- module: statically initialize init section freeing data (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- net/core: check length before updating Ethertype in skb_mpls_{push,pop} (git-fixes).
- net/mlx5: Fix FTE cleanup (networking-stable-20_09_24).
- net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported (networking-stable-20_09_24).
- net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported (networking-stable-20_09_24).
- net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow (networking-stable-20_08_24).
- net/smc: Prevent kernel-infoleak in __smc_diag_dump() (networking-stable-20_08_24).
- net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU (networking-stable-20_09_24).
- net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (networking-stable-20_09_24).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: dsa: b53: check for timeout (networking-stable-20_08_24).
- net: dsa: rtl8366: Properly clear member config (networking-stable-20_09_24).
- net: fec: correct the error path for regulator disable in probe (networking-stable-20_08_24).
- net: Fix bridge enslavement failure (networking-stable-20_09_24).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- net: lantiq: Disable IRQs only if NAPI gets scheduled (networking-stable-20_09_24).
- net: lantiq: Use napi_complete_done() (networking-stable-20_09_24).
- net: lantiq: use netif_tx_napi_add() for TX NAPI (networking-stable-20_09_24).
- net: lantiq: Wake TX queue again (networking-stable-20_09_24).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: phy: Do not warn in phy_stop() on PHY_DOWN (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant (networking-stable-20_09_24).
- net: sctp: Fix negotiation of the number of data streams (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- nfp: use correct define to return NONE fec (networking-stable-20_09_24).
- PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes).
- r8169: fix issue with forced threading in combination with shared interrupts (git-fixes).
- rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886) The in-tree KMP that is built with SLE kernels have a different scriptlet that is embedded in kernel-binary.spec.in rather than *.sh files.
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- rtl8xxxu: prevent potential memory leak (git-fixes).
- rtw88: increse the size of rx buffer size (git-fixes).
- s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177799 LTC#188733).
- s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- selftests/timers: Turn off timeout setting (git-fixes).
- spi: spi-s3c64xx: Check return values (git-fixes).
- spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() (git-fixes).
- taprio: Fix allowing too small intervals (networking-stable-20_09_24).
- time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: Fix memory leak in tipc_group_create_member() (networking-stable-20_09_24).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: handle broken union descriptors (git-fixes).
- usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc3: simple: add support for Hikey 970 (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xfs: fix high key handling in the rt allocator's query_range function (git-fixes).
- xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files (git-fixes).
- xfs: limit entries returned when counting fsmap records (git-fixes).
| Advisory ID | SUSE-SU-2020:3358-1
|
| Released | Tue Nov 17 13:17:10 2020 |
| Summary | Security update for tcpdump |
| Type | security |
| Severity | moderate |
| References | 1178466,CVE-2020-8037 |
Description:
This update for tcpdump fixes the following issues:
- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).
| Advisory ID | SUSE-SU-2020:3377-1
|
| Released | Thu Nov 19 09:29:32 2020 |
| Summary | Security update for krb5 |
| Type | security |
| Severity | moderate |
| References | 1178512,CVE-2020-28196 |
Description:
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
| Advisory ID | SUSE-RU-2020:3381-1
|
| Released | Thu Nov 19 10:53:38 2020 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1177458,1177490,1177510 |
Description:
This update for systemd fixes the following issues:
- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
This allows to drop the workaround that consisted in cleaning journal-upload files and
{sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
| Advisory ID | SUSE-RU-2020:3382-1
|
| Released | Thu Nov 19 11:03:01 2020 |
| Summary | Recommended update for dmidecode |
| Type | recommended |
| Severity | moderate |
| References | 1174257 |
Description:
This update for dmidecode fixes the following issues:
- Add partial support for SMBIOS 3.4.0. (bsc#1174257)
- Skip details of uninstalled memory modules. (bsc#1174257)
| Advisory ID | SUSE-SU-2020:3412-1
|
| Released | Thu Nov 19 12:44:57 2020 |
| Summary | Security update for xen |
| Type | security |
| Severity | important |
| References | 1027519,1177950,1178591,CVE-2020-28368 |
Description:
This update for xen fixes the following issues:
Security issue fixed:
- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591).
Non-security issues fixed:
- Updated to Xen 4.13.2 bug fix release (bsc#1027519).
- Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519).
- Adjusted help for --max_iters, default is 5 (bsc#1177950).
| Advisory ID | SUSE-RU-2020:3420-1
|
| Released | Thu Nov 19 13:40:55 2020 |
| Summary | Recommended update for multipath-tools |
| Type | recommended |
| Severity | moderate |
| References | 1162896,1178354 |
Description:
This update for multipath-tools fixes the following issues:
- Avoid reading files extensions other than '.conf' from config dir. (bsc#1162896)
- Fix wrong usage of '%service_del_preun -n' macro in spec file. (bsc#1178354)
| Advisory ID | SUSE-RU-2020:3461-1
|
| Released | Fri Nov 20 13:09:07 2020 |
| Summary | Recommended update for bind |
| Type | recommended |
| Severity | low |
| References | 1177983 |
Description:
This update for bind fixes the following issue:
- Build the 'Administrator Reference Manual' which is built using python3-Sphinx (bsc#1177983)
| Advisory ID | SUSE-RU-2020:3462-1
|
| Released | Fri Nov 20 13:14:35 2020 |
| Summary | Recommended update for pam and sudo |
| Type | recommended |
| Severity | moderate |
| References | 1174593,1177858,1178727 |
Description:
This update for pam and sudo fixes the following issue:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
| Advisory ID | SUSE-SU-2020:3478-1
|
| Released | Mon Nov 23 09:33:17 2020 |
| Summary | Security update for c-ares |
| Type | security |
| Severity | moderate |
| References | 1178882,CVE-2020-8277 |
Description:
This update for c-ares fixes the following issues:
- Version update to 1.17.0
* CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882)
* For further details see https://c-ares.haxx.se/changelog.html
| Advisory ID | SUSE-OU-2020:3481-1
|
| Released | Mon Nov 23 11:17:09 2020 |
| Summary | Optional update for vim |
| Type | optional |
| Severity | low |
| References | 1166602,1173256,1174564,1176549 |
Description:
This update for vim doesn't fix any user visible issues and it is optional to install.
- Introduce vim-small package with reduced requirements for small installations (bsc#1166602).
- Stop owning /etc/vimrc so the old, distro provided config actually gets removed.
- Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256)
- Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549)
| Advisory ID | SUSE-RU-2020:3498-1
|
| Released | Tue Nov 24 13:07:16 2020 |
| Summary | Recommended update for dracut |
| Type | recommended |
| Severity | moderate |
| References | 1164076,1177811,1178217 |
Description:
This update for dracut fixes the following issues:
- Update from version 049.1+suse.156.g7d852636 to version 049.1+suse.171.g65b2addf:
- dracut.sh: FIPS workaround for openssl-libs (bsc#1178217)
- 01fips: turn info calls into fips_info calls (bsc#1164076)
- 00systemd: add missing cryptsetup-related targets (bsc#1177811)
| Advisory ID | SUSE-RU-2020:3517-1
|
| Released | Wed Nov 25 13:36:40 2020 |
| Summary | Recommended update for cpupower |
| Type | recommended |
| Severity | moderate |
| References | 1177394 |
Description:
This update for cpupower fixes the following issue:
- Add AMD Family 19h support. (bsc#1177394)
Family 19h processors have the same RAPL (Running average power limit) hardware register interface as Family
17h processors. Change the family checks to succeed for Family 17h and above to enable core and package energy
measurement on Family 19h machines.
| Advisory ID | SUSE-RU-2020:3534-1
|
| Released | Thu Nov 26 15:12:41 2020 |
| Summary | Recommended update for kdump |
| Type | recommended |
| Severity | important |
| References | 1173914,1177196 |
Description:
This update for kdump fixes the following issues:
- Remove `console=hvc0` from command line. (bsc#1173914)
- Set serial console from Xen command line. (bsc#1173914)
- Do not add `rd.neednet=1` to dracut command line. (bsc#1177196)
| Advisory ID | SUSE-RU-2020:3540-1
|
| Released | Thu Nov 26 15:57:16 2020 |
| Summary | Recommended update for wicked |
| Type | recommended |
| Severity | moderate |
| References | 1168155,1171234,1172082,1174099,959556 |
Description:
This update for wicked fixes the following issues:
- Fix to avoid incomplete ifdown/timeout on route deletion error. (bsc#1174099)
- Allow 'linuxrc' to send 'RFC2132' without providing the MAC address. (jsc#SLE-15770)
- Fixes to ifreload on port changes. (bsc#1168155, bsc#1172082)
- Fix schema to use correct 'hwaddr_policy' property. (bsc#1171234)
- Enable IPv6 on ports when 'nsna_ping' linkwatch is used. (bsc#959556)
| Advisory ID | SUSE-SU-2020:3566-1
|
| Released | Mon Nov 30 16:56:52 2020 |
| Summary | Security update for python-setuptools |
| Type | security |
| Severity | important |
| References | 1176262,CVE-2019-20916 |
Description:
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
| Advisory ID | SUSE-RU-2020:3570-1
|
| Released | Mon Nov 30 17:14:35 2020 |
| Summary | Recommended update for rsyslog |
| Type | recommended |
| Severity | moderate |
| References | 1178288 |
Description:
This update for rsyslog fixes the following issue:
- Fix location and naming of journald dropin. (bsc#1178288)
| Advisory ID | SUSE-RU-2020:3581-1
|
| Released | Tue Dec 1 14:40:22 2020 |
| Summary | Recommended update for libusb-1_0 |
| Type | recommended |
| Severity | moderate |
| References | 1178376 |
Description:
This update for libusb-1_0 fixes the following issues:
- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
| Advisory ID | SUSE-SU-2020:3592-1
|
| Released | Wed Dec 2 10:31:34 2020 |
| Summary | Security update for python-cryptography |
| Type | security |
| Severity | moderate |
| References | 1178168,CVE-2020-25659 |
Description:
This update for python-cryptography fixes the following issues:
- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
| Advisory ID | SUSE-SU-2020:3593-1
|
| Released | Wed Dec 2 10:33:49 2020 |
| Summary | Security update for python3 |
| Type | security |
| Severity | important |
| References | 1176262,1179193,CVE-2019-20916 |
Description:
This update for python3 fixes the following issues:
Update to 3.6.12 (bsc#1179193), including:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
| Advisory ID | SUSE-RU-2020:3608-1
|
| Released | Wed Dec 2 18:16:12 2020 |
| Summary | Recommended update for cloud-init |
| Type | recommended |
| Severity | important |
| References | 1177526,1179150,1179151 |
Description:
This update for cloud-init contains the following fixes:
- Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151)
+ Properly set the password for the default user in all circumstances
- Patch the full package version into the cloud-init version file
- Update cloud-init-write-routes.patch (bsc#1177526)
+ Fix missing default route when dual stack network setup is used. Once
a default route was configured for Ipv6 or IPv4 the default route
configuration for the othre protocol was skipped.
| Advisory ID | SUSE-SU-2020:3615-1
|
| Released | Thu Dec 3 10:02:02 2020 |
| Summary | Security update for xen |
| Type | security |
| Severity | important |
| References | 1177409,1177412,1177413,1177414,1178591,1178963,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368 |
Description:
This update for xen fixes the following issues:
- bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355)
| Advisory ID | SUSE-RU-2020:3616-1
|
| Released | Thu Dec 3 10:56:12 2020 |
| Summary | Recommended update for c-ares |
| Type | recommended |
| Severity | moderate |
| References | 1178882 |
Description:
- Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882).
| Advisory ID | SUSE-RU-2020:3620-1
|
| Released | Thu Dec 3 17:03:55 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of of the user's name of at least `` characters length in
some form. This is enabled by the new parameter `usersubstr=`
| Advisory ID | SUSE-RU-2020:3626-1
|
| Released | Fri Dec 4 13:51:46 2020 |
| Summary | Recommended update for audit |
| Type | recommended |
| Severity | moderate |
| References | 1179515 |
Description:
This update for audit fixes the following issues:
- Enable Aarch64 processor support. (bsc#1179515)
SUSE-IU-2020:110-1
| Container Advisory ID | SUSE-IU-2020:110-1 |
| Container Tags | sles-15-sp2-chost-byos-v20201016:20201016 |
| Container Release | |
The following patches have been included in this update:
SUSE-IU-2020:89-1
| Container Advisory ID | SUSE-IU-2020:89-1 |
| Container Tags | sles-15-sp2-chost-byos-v20200922:20200922 |
| Container Release | |
The following patches have been included in this update:
SUSE-IU-2020:118-1
| Container Advisory ID | SUSE-IU-2020:118-1 |
| Container Tags | sles-15-sp2-chost-byos-v20200831:20200831 |
| Container Release | |
The following patches have been included in this update:
| Advisory ID | SUSE-SU-2018:1223-1
|
| Released | Tue Jun 26 11:41:00 2018 |
| Summary | Security update for gpg2 |
| Type | security |
| Severity | important |
| References | 1096745,CVE-2018-12020 |
Description:
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and
verification actions, which allowed remote attackers to spoof the output that
GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2'
option (bsc#1096745).
| Advisory ID | SUSE-SU-2018:1327-1
|
| Released | Tue Jul 17 08:07:24 2018 |
| Summary | Security update for perl |
| Type | security |
| Severity | moderate |
| References | 1096718,CVE-2018-12015 |
Description:
This update for perl fixes the following issues:
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
directory-traversal protection mechanism and overwrite arbitrary files
(bsc#1096718)
| Advisory ID | SUSE-RU-2018:1332-1
|
| Released | Tue Jul 17 09:01:19 2018 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1073299,1093392 |
Description:
This update for timezone provides the following fixes:
- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST offset to standard time used
in Winter. (bsc#1073299)
- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd
timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid
setting an incorrect timezone. (bsc#1093392)
| Advisory ID | SUSE-RU-2018:1333-1
|
| Released | Tue Jul 17 09:03:21 2018 |
| Summary | Recommended update for bind |
| Type | recommended |
| Severity | moderate |
| References | 901577,965748 |
Description:
This update for bind provides the following fix:
- Fixed ldapdump to use a temporary pseudo nameserver that conforms to BIND's
expected syntax. Prior versions would not work correctly with an LDAP backed
DNS server. (bsc#965748)
- Add SPF records in dnszone-schema file. (bsc#901577)
| Advisory ID | SUSE-RU-2018:1334-1
|
| Released | Tue Jul 17 09:06:41 2018 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1096515 |
Description:
This update for mozilla-nss provides the following fixes:
- Update to NSS 3.36.4 required by Firefox 60.0.2. (bsc#1096515)
- Fix a problem that would cause connections to a server that was recently upgraded to TLS
1.3 to result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Use relro linker option.
| Advisory ID | SUSE-SU-2018:1346-1
|
| Released | Thu Jul 19 09:25:08 2018 |
| Summary | Security update for glibc |
| Type | security |
| Severity | moderate |
| References | 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 |
Description:
This update for glibc fixes the following security issues:
- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not
correctly perform the overlapping memory check if the source memory range
spaned the middle of the address space, resulting in corrupt data being
produced by the copy operation. This may have disclosed information to
context-dependent attackers, resulted in a denial of service or code execution
(bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when
processing very long pathname arguments to the realpath function, leading to a
stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function
may have writen data beyond the target buffer, leading to a buffer overflow in
__mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
| Advisory ID | SUSE-SU-2018:1353-1
|
| Released | Thu Jul 19 09:50:32 2018 |
| Summary | Security update for e2fsprogs |
| Type | security |
| Severity | moderate |
| References | 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 |
Description:
This update for e2fsprogs fixes the following issues:
Security issues fixed:
- CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).
Bug fixes:
- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.
| Advisory ID | SUSE-RU-2018:1362-1
|
| Released | Thu Jul 19 12:47:33 2018 |
| Summary | Recommended update for ca-certificates-mozilla |
| Type | recommended |
| Severity | moderate |
| References | 1100415 |
Description:
ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415)
Following CAs were removed:
- S-TRUST_Universal_Root_CA
- TC_TrustCenter_Class_3_CA_II
- TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5
| Advisory ID | SUSE-RU-2018:1409-1
|
| Released | Fri Jul 27 06:45:10 2018 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 |
Description:
This update for systemd provides the following fixes:
- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule
generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple.
(bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the
initrd even in container/chroot installations that don't have a kernel. For environments
where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)
| Advisory ID | SUSE-SU-2018:1476-1
|
| Released | Thu Aug 2 14:20:03 2018 |
| Summary | Security update for cups |
| Type | security |
| Severity | moderate |
| References | 1096405,1096406,1096407,1096408,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183 |
Description:
This update for cups fixes the following issues:
The following security vulnerabilities were fixed:
- Fixed a local privilege escalation to root and sandbox bypasses in the
scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
(bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
(bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
(bsc#1096408)
| Advisory ID | SUSE-RU-2018:1754-1
|
| Released | Fri Aug 24 16:40:21 2018 |
| Summary | Recommended update for ca-certificates-mozilla |
| Type | recommended |
| Severity | moderate |
| References | 1104780 |
Description:
This update for ca-certificates-mozilla fixes the following issues:
Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)
- removed server auth rights from following CAs:
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- ComSign CA
- GlobalSign
| Advisory ID | SUSE-RU-2018:1756-1
|
| Released | Fri Aug 24 17:12:55 2018 |
| Summary | Recommended update for growpart |
| Type | recommended |
| Severity | moderate |
| References | 1097455,1098681 |
Description:
This update for growpart provides the following fix:
- Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681)
| Advisory ID | SUSE-RU-2018:1760-1
|
| Released | Fri Aug 24 17:14:53 2018 |
| Summary | Recommended update for libtirpc |
| Type | recommended |
| Severity | moderate |
| References | 1072183 |
Description:
This update for libtirpc fixes the following issues:
- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)
| Advisory ID | SUSE-RU-2018:1775-1
|
| Released | Tue Aug 28 12:40:50 2018 |
| Summary | Recommended update for xfsprogs |
| Type | recommended |
| Severity | important |
| References | 1089777,1105396 |
Description:
This update for xfsprogs fixes the following issues:
- avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777)
- repair: shift inode back into place if corrupted by bad log replay (bsc#1105396).
| Advisory ID | SUSE-RU-2018:1804-1
|
| Released | Fri Aug 31 13:02:24 2018 |
| Summary | Recommended update for docker |
| Type | recommended |
| Severity | moderate |
| References | 1065609,1073877,1099277,1100727 |
Description:
This update for docker fixes the following issues:
- Build the client binary with -buildmode=pie to fix issues on POWER. (bsc#1100727)
- Fix an issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. (bsc#1099277)
- Update to AppArmor patch so that signal mediation also works for signals between in-container processes. (bsc#1073877)
- Do not log incorrect warnings when attempting to inject non-existent host files. (bsc#1065609)
| Advisory ID | SUSE-RU-2018:1999-1
|
| Released | Tue Sep 25 08:20:35 2018 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1071321 |
Description:
This update for zlib provides the following fixes:
- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)
| Advisory ID | SUSE-RU-2018:2055-1
|
| Released | Thu Sep 27 14:30:14 2018 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1089640 |
Description:
This update for openldap2 provides the following fix:
- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)
| Advisory ID | SUSE-RU-2018:2138-1
|
| Released | Thu Oct 4 15:52:15 2018 |
| Summary | Recommended update for sudo |
| Type | recommended |
| Severity | low |
| References | 1097643 |
Description:
This update for sudo fixes the following issues:
- fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643)
| Advisory ID | SUSE-RU-2018:2155-1
|
| Released | Fri Oct 5 14:41:17 2018 |
| Summary | Recommended update for ca-certificates |
| Type | recommended |
| Severity | moderate |
| References | 1101470 |
Description:
This update for ca-certificates fixes the following issues:
- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)
| Advisory ID | SUSE-RU-2018:2170-1
|
| Released | Mon Oct 8 10:31:14 2018 |
| Summary | Recommended update for python3 |
| Type | recommended |
| Severity | moderate |
| References | 1107030 |
Description:
This update for python3 fixes the following issues:
- Add -fwrapv to OPTS, which is default for python3 for bugs which
are caused by avoiding it. (bsc#1107030)
| Advisory ID | SUSE-RU-2018:2177-1
|
| Released | Tue Oct 9 09:00:13 2018 |
| Summary | Recommended update for bash |
| Type | recommended |
| Severity | moderate |
| References | 1095661,1095670,1100488 |
Description:
This update for bash provides the following fixes:
- Bugfix: Parse settings in inputrc for all screen TERM variables
starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from
asynchronous processes to develop loops in circumstances involving long-running scripts
that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a
SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can
cause a multi-character key sequence to 'back up' and attempt to re-read some of the
characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT
handler to the default and typing ^C would cause the shell to exit.
| Advisory ID | SUSE-SU-2018:2182-1
|
| Released | Tue Oct 9 11:08:36 2018 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 |
Description:
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
denial of service (infinite loop) via a crafted XML file that triggers
LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
(bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
function when parsing an invalid XPath expression in the XPATH_OP_AND or
XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)
| Advisory ID | SUSE-SU-2018:2340-1
|
| Released | Fri Oct 19 16:05:53 2018 |
| Summary | Security update for fuse |
| Type | security |
| Severity | moderate |
| References | 1101797,CVE-2018-10906 |
Description:
This update for fuse fixes the following issues:
- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when
SELinux is active. This allowed non-root users to mount a FUSE file system with
the 'allow_other' mount option regardless of whether 'user_allow_other' is set
in the fuse configuration. An attacker may use this flaw to mount a FUSE file
system, accessible by other users, and trick them into accessing files on that
file system, possibly causing Denial of Service or other unspecified effects
(bsc#1101797)
| Advisory ID | SUSE-RU-2018:2346-1
|
| Released | Mon Oct 22 09:40:46 2018 |
| Summary | Recommended update for logrotate |
| Type | recommended |
| Severity | moderate |
| References | 1093617 |
Description:
This update for logrotate provides the following fix:
- Ensure the HOME environment variable is set to /root when logrotate is started via
systemd. This allows mariadb to rotate its logs when the database has a root password
defined. (bsc#1093617)
| Advisory ID | SUSE-RU-2018:2370-1
|
| Released | Mon Oct 22 14:02:01 2018 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1102310,1104531 |
Description:
This update for aaa_base provides the following fixes:
- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)
| Advisory ID | SUSE-RU-2018:2412-1
|
| Released | Tue Oct 23 17:28:04 2018 |
| Summary | Recommended update for gettext-runtime |
| Type | recommended |
| Severity | moderate |
| References | 1106843 |
Description:
This update for gettext-runtime provides the following fix:
- Reset the length of message string after a line has been removed to fix a crash in
msgfmt when writing java source code and the .po file has a POT-Creation-Date header.
(bsc#1106843)
| Advisory ID | SUSE-RU-2018:2463-1
|
| Released | Thu Oct 25 14:48:34 2018 |
| Summary | Recommended update for timezone, timezone-java |
| Type | recommended |
| Severity | moderate |
| References | 1104700,1112310 |
Description:
This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates
Other bugfixes:
- Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)
| Advisory ID | SUSE-RU-2018:2485-1
|
| Released | Fri Oct 26 12:38:01 2018 |
| Summary | Recommended update for kmod |
| Type | recommended |
| Severity | moderate |
| References | 1112928 |
Description:
This update for kmod provides the following fixes:
- Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. (bsc#1112928)
| Advisory ID | SUSE-RU-2018:2486-1
|
| Released | Fri Oct 26 12:38:27 2018 |
| Summary | Recommended update for xfsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1105068 |
Description:
This update for xfsprogs fixes the following issues:
- Explictly disable systemd unit files for scrub (bsc#1105068).
| Advisory ID | SUSE-RU-2018:2487-1
|
| Released | Fri Oct 26 12:39:07 2018 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1102526 |
Description:
This update for glibc fixes the following issues:
- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)
| Advisory ID | SUSE-RU-2018:2550-1
|
| Released | Wed Oct 31 16:16:56 2018 |
| Summary | Recommended update for timezone, timezone-java |
| Type | recommended |
| Severity | moderate |
| References | 1113554 |
Description:
This update provides the latest time zone definitions (2018g), including the following change:
- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
| Advisory ID | SUSE-RU-2018:2569-1
|
| Released | Fri Nov 2 19:00:18 2018 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1110700 |
Description:
This update for pam fixes the following issues:
- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
| Advisory ID | SUSE-SU-2018:2595-1
|
| Released | Wed Nov 7 11:14:42 2018 |
| Summary | Security update for systemd |
| Type | security |
| Severity | important |
| References | 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 |
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)
Non security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
This script was part of systemd-sysvinit sub-package but it was
wrong since systemd-sysv-install is a script used to redirect
enable/disable operations to chkconfig when the unit targets are
sysv init scripts. Therefore it's never been a SySV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable
the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- Does no longer adjust qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)
| Advisory ID | SUSE-RU-2018:2607-1
|
| Released | Wed Nov 7 15:42:48 2018 |
| Summary | Optional update for gcc8 |
| Type | recommended |
| Severity | low |
| References | 1084812,1084842,1087550,1094222,1102564 |
Description:
The GNU Compiler GCC 8 is being added to the Development Tools Module by this
update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed,
quite some new warnings added and the error pin-pointing and
fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html
| Advisory ID | SUSE-SU-2018:2620-1
|
| Released | Thu Nov 8 17:57:34 2018 |
| Summary | Security update for libxkbcommon |
| Type | security |
| Severity | low |
| References | 1105832,CVE-2018-15853,CVE-2018-15854,CVE-2018-15855,CVE-2018-15856,CVE-2018-15857,CVE-2018-15858,CVE-2018-15859,CVE-2018-15861,CVE-2018-15862,CVE-2018-15863,CVE-2018-15864 |
Description:
This update for libxkbcommon to version 0.8.2 fixes the following issues:
- Fix a few NULL-dereferences, out-of-bounds access and undefined behavior in
the XKB text format parser.
- CVE-2018-15853: Endless recursion could have been used by local attackers to
crash xkbcommon users by supplying a crafted keymap file that triggers boolean
negation (bsc#1105832).
- CVE-2018-15854: Unchecked NULL pointer usage could have been used by local
attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying
a crafted keymap file, because geometry tokens were desupported incorrectly
(bsc#1105832).
- CVE-2018-15855: Unchecked NULL pointer usage could have been used by local
attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying
a crafted keymap file, because the XkbFile for an xkb_geometry section was
mishandled (bsc#1105832).
- CVE-2018-15856: An infinite loop when reaching EOL unexpectedly could be used
by local attackers to cause a denial of service during parsing of crafted
keymap files (bsc#1105832).
- CVE-2018-15857: An invalid free in ExprAppendMultiKeysymList could have been
used by local attackers to crash xkbcommon keymap parsers or possibly have
unspecified other impact by supplying a crafted keymap file (bsc#1105832).
- CVE-2018-15858: Unchecked NULL pointer usage when handling invalid aliases in
CopyKeyAliasesToKeymap could have been used by local attackers to crash (NULL
pointer dereference) the xkbcommon parser by supplying a crafted keymap file
(bsc#1105832).
- CVE-2018-15859: Unchecked NULL pointer usage when parsing invalid atoms in
ExprResolveLhs could have been used by local attackers to crash (NULL pointer
dereference) the xkbcommon parser by supplying a crafted keymap file, because
lookup failures are mishandled (bsc#1105832).
- CVE-2018-15861: Unchecked NULL pointer usage in ExprResolveLhs could have
been used by local attackers to crash (NULL pointer dereference) the xkbcommon
parser by supplying a crafted keymap file that triggers an xkb_intern_atom
failure (bsc#1105832).
- CVE-2018-15862: Unchecked NULL pointer usage in LookupModMask could have been
used by local attackers to crash (NULL pointer dereference) the xkbcommon
parser by supplying a crafted keymap file with invalid virtual modifiers
(bsc#1105832).
- CVE-2018-15863: Unchecked NULL pointer usage in ResolveStateAndPredicate
could have been used by local attackers to crash (NULL pointer dereference) the
xkbcommon parser by supplying a crafted keymap file with a no-op modmask
expression (bsc#1105832).
- CVE-2018-15864: Unchecked NULL pointer usage in resolve_keysym could have
been used by local attackers to crash (NULL pointer dereference) the xkbcommon
parser by supplying a crafted keymap file, because a map access attempt can
occur for a map that was never created (bsc#1105832).
| Advisory ID | SUSE-RU-2018:2641-1
|
| Released | Mon Nov 12 20:39:30 2018 |
| Summary | Recommended update for nfsidmap |
| Type | recommended |
| Severity | moderate |
| References | 1098217 |
Description:
This update for nfsidmap fixes the following issues:
- Improve support for SAMBA with Active Directory. (bsc#1098217)
| Advisory ID | SUSE-RU-2018:2742-1
|
| Released | Thu Nov 22 13:28:36 2018 |
| Summary | Recommended update for rpcbind |
| Type | recommended |
| Severity | moderate |
| References | 969953 |
Description:
This update for rpcbind fixes the following issues:
- Fix tool stack buffer overflow aborting (bsc#969953)
| Advisory ID | SUSE-SU-2018:2825-1
|
| Released | Mon Dec 3 15:35:02 2018 |
| Summary | Security update for pam |
| Type | security |
| Severity | important |
| References | 1115640,CVE-2018-17953 |
Description:
This update for pam fixes the following issue:
Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).
| Advisory ID | SUSE-SU-2018:2861-1
|
| Released | Thu Dec 6 14:32:01 2018 |
| Summary | Security update for ncurses |
| Type | security |
| Severity | important |
| References | 1103320,1115929,CVE-2018-19211 |
Description:
This update for ncurses fixes the following issues:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
Non-security issue fixed:
- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).
| Advisory ID | SUSE-SU-2018:2882-1
|
| Released | Mon Dec 10 08:07:44 2018 |
| Summary | Security update for cups |
| Type | security |
| Severity | important |
| References | 1115750,CVE-2018-4700 |
Description:
This update for cups fixes the following issues:
Security issue fixed:
- CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750).
| Advisory ID | SUSE-SU-2018:2945-1
|
| Released | Fri Dec 14 16:43:57 2018 |
| Summary | Security update for tcpdump |
| Type | security |
| Severity | moderate |
| References | 1117267,CVE-2018-19519 |
Description:
This update for tcpdump fixes the following issues:
Security issues fixed:
- CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267)
| Advisory ID | SUSE-SU-2018:2984-1
|
| Released | Wed Dec 19 11:32:39 2018 |
| Summary | Security update for perl |
| Type | security |
| Severity | moderate |
| References | 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 |
Description:
This update for perl fixes the following issues:
Secuirty issues fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).
| Advisory ID | SUSE-SU-2018:2986-1
|
| Released | Wed Dec 19 13:53:22 2018 |
| Summary | Security update for libnettle |
| Type | security |
| Severity | moderate |
| References | 1118086,CVE-2018-16869 |
Description:
This update for libnettle fixes the following issues:
Security issues fixed:
- CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086)
| Advisory ID | SUSE-SU-2018:3044-1
|
| Released | Fri Dec 21 18:47:21 2018 |
| Summary | Security update for MozillaFirefox, mozilla-nspr and mozilla-nss |
| Type | security |
| Severity | important |
| References | 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 |
Description:
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:
- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs
Issues fixed in mozilla-nss:
- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code
Issues fixed in mozilla-nspr:
- Update mozilla-nspr to 4.20 (bsc#1119105)
| Advisory ID | SUSE-SU-2018:3064-1
|
| Released | Fri Dec 28 18:39:08 2018 |
| Summary | Security update for containerd, docker and go |
| Type | security |
| Severity | important |
| References | 1047218,1074971,1080978,1081495,1084533,1086185,1094680,1095817,1098017,1102522,1104821,1105000,1108038,1113313,1113978,1114209,1118897,1118898,1118899,1119634,1119706,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2018-7187 |
Description:
This update for containerd, docker and go fixes the following issues:
containerd and docker:
- Add backport for building containerd (bsc#1102522, bsc#1113313)
- Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce.
(bsc#1102522)
- Enable seccomp support on SLE12 (fate#325877)
- Update to containerd v1.1.1, which is the required version for the Docker
v18.06.0-ce upgrade. (bsc#1102522)
- Put containerd under the podruntime slice (bsc#1086185)
- 3rd party registries used the default Docker certificate (bsc#1084533)
- Handle build breakage due to missing 'export GOPATH' (caused by resolution of
boo#1119634). I believe Docker is one of the only packages with this problem.
go:
- golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187)
- Make profile.d/go.sh no longer set GOROOT=, in order to make switching
between versions no longer break. This ends up removing the need for go.sh
entirely (because GOPATH is also set automatically) (boo#1119634)
- Fix a regression that broke go get for import path patterns containing '...'
(bsc#1119706)
Additionally, the package go1.10 has been added.
| Advisory ID | SUSE-SU-2019:23-1
|
| Released | Mon Jan 7 16:30:33 2019 |
| Summary | Security update for gpg2 |
| Type | security |
| Severity | moderate |
| References | 1120346,CVE-2018-1000858 |
Description:
This update for gpg2 fixes the following issue:
Security issue fixed:
- CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr
that can result in Attacker controlled CSRF (bsc#1120346).
| Advisory ID | SUSE-RU-2019:44-1
|
| Released | Tue Jan 8 13:07:32 2019 |
| Summary | Recommended update for acl |
| Type | recommended |
| Severity | low |
| References | 953659 |
Description:
This update for acl fixes the following issues:
- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes. (bsc#953659)
| Advisory ID | SUSE-RU-2019:62-1
|
| Released | Thu Jan 10 20:30:58 2019 |
| Summary | Recommended update for xfsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1119063 |
Description:
This update for xfsprogs fixes the following issues:
- Fix root inode's parent when it's bogus for sf directory (xfs repair).
(bsc#1119063)
| Advisory ID | SUSE-RU-2019:82-1
|
| Released | Fri Jan 11 17:16:48 2019 |
| Summary | Recommended update for suse-build-key |
| Type | recommended |
| Severity | moderate |
| References | 1044232 |
Description:
This update for suse-build-key fixes the following issues:
- Include the SUSE PTF GPG key in the key directory to avoid it being
stripped via %doc stripping in CAASP. (bsc#1044232)
| Advisory ID | SUSE-RU-2019:91-1
|
| Released | Tue Jan 15 14:14:43 2019 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1090767,1121045,1121207 |
Description:
This update for mozilla-nss fixes the following issues:
- The hmac packages used in FIPS certification inadvertently removed in last update: re-added. (bsc#1121207)
- Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)
| Advisory ID | SUSE-SU-2019:93-1
|
| Released | Tue Jan 15 14:48:33 2019 |
| Summary | Security update for wget |
| Type | security |
| Severity | important |
| References | 1120382,CVE-2018-20483 |
Description:
This update for wget fixes the following issues:
Security issue fixed:
- CVE-2018-20483: Fixed an information disclosure through file metadata (bsc#1120382)
| Advisory ID | SUSE-RU-2019:102-1
|
| Released | Tue Jan 15 18:02:58 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1120402 |
Description:
This update for timezone fixes the following issues:
- Update 2018i:
São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
Metlakatla, Alaska observes PST this winter only
Guess Morocco will continue to adjust clocks around Ramadan
Add predictions for Iran from 2038 through 2090
| Advisory ID | SUSE-RU-2019:104-1
|
| Released | Tue Jan 15 18:03:13 2019 |
| Summary | Recommended update for chrony |
| Type | recommended |
| Severity | moderate |
| References | 1117147 |
Description:
This update for chrony fixes the following issues:
- Generate chronyd sysconfig file. (bsc#1117147)
| Advisory ID | SUSE-SU-2019:137-1
|
| Released | Mon Jan 21 15:52:45 2019 |
| Summary | Security update for systemd |
| Type | security |
| Severity | important |
| References | 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 |
Description:
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when settting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3,
80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to
detect non-zvm environment. The systemd-detect-virt returns exit failure code when it
detected _none_ state. The exit failure code causes that the hot-add memory block can
not be set to online. (bsc#1076696)
| Advisory ID | SUSE-RU-2019:147-1
|
| Released | Wed Jan 23 17:57:31 2019 |
| Summary | Recommended update for ca-certificates-mozilla |
| Type | recommended |
| Severity | moderate |
| References | 1121446 |
Description:
This update for ca-certificates-mozilla fixes the following issues:
The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)
Removed Root CAs:
- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root
Added Root CAs:
- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)
| Advisory ID | SUSE-RU-2019:170-1
|
| Released | Fri Jan 25 13:43:29 2019 |
| Summary | Recommended update for kmod |
| Type | recommended |
| Severity | moderate |
| References | 1118629 |
Description:
This update for kmod fixes the following issues:
- Fixes module dependency file corruption on parallel invocation (bsc#1118629).
- Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option.
| Advisory ID | SUSE-SU-2019:215-1
|
| Released | Thu Jan 31 15:59:57 2019 |
| Summary | Security update for python3 |
| Type | security |
| Severity | important |
| References | 1120644,1122191,CVE-2018-20406,CVE-2019-5010 |
Description:
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644)
| Advisory ID | SUSE-SU-2019:247-1
|
| Released | Wed Feb 6 07:18:45 2019 |
| Summary | Security update for lua53 |
| Type | security |
| Severity | moderate |
| References | 1123043,CVE-2019-6706 |
Description:
This update for lua53 fixes the following issues:
Security issue fixed:
- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)
| Advisory ID | SUSE-SU-2019:273-1
|
| Released | Wed Feb 6 16:48:18 2019 |
| Summary | Security update for MozillaFirefox |
| Type | security |
| Severity | important |
| References | 1119069,1120374,1122983,CVE-2018-12404,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505 |
Description:
This update for MozillaFirefox, mozilla-nss fixes the following issues:
Security issues fixed:
- CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (bsc#1122983).
- CVE-2018-18501: Fixed multiple memory safety bugs (bsc#1122983).
- CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (bsc#1122983).
- CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack (bsc#1119069).
Non-security issue fixed:
- Update to MozillaFirefox ESR 60.5.0
- Update to mozilla-nss 3.41.1
| Advisory ID | SUSE-SU-2019:286-1
|
| Released | Thu Feb 7 13:45:27 2019 |
| Summary | Security update for docker |
| Type | security |
| Severity | moderate |
| References | 1001161,1112980,1115464,1118897,1118898,1118899,1118990,1121412,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875 |
Description:
This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues:
Security issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork:
- CVE-2018-16873: cmd/go: remote command execution during 'go get -u' (bsc#1118897)
- CVE-2018-16874: cmd/go: directory traversal in 'go get' via curly braces in import paths (bsc#1118898)
- CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899)
Non-security issues fixed for docker:
- Disable leap based builds for kubic flavor (bsc#1121412)
- Allow users to explicitly specify the NIS domainname of a container (bsc#1001161)
- Update docker.service to match upstream and avoid rlimit problems (bsc#1112980)
- Allow docker images larger then 23GB (bsc#1118990)
- Docker version update to version 18.09.0-ce (bsc#1115464)
| Advisory ID | SUSE-SU-2019:362-1
|
| Released | Wed Feb 13 13:31:56 2019 |
| Summary | Security update for docker-runc |
| Type | security |
| Severity | important |
| References | 1121967,CVE-2019-5736 |
Description:
This update for docker-runc fixes the following issues:
Security issue fixed:
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid
write attacks to the host runc binary, which could lead to a container
breakout (bsc#1121967)
| Advisory ID | SUSE-RU-2019:369-1
|
| Released | Wed Feb 13 14:01:42 2019 |
| Summary | Recommended update for itstool |
| Type | recommended |
| Severity | moderate |
| References | 1065270,1111019 |
Description:
This update for itstool and python-libxml2-python fixes the following issues:
Package: itstool
- Updated version to support Python3. (bnc#1111019)
Package: python-libxml2-python
- Fix segfault when parsing invalid data. (bsc#1065270)
| Advisory ID | SUSE-SU-2019:426-1
|
| Released | Mon Feb 18 17:46:55 2019 |
| Summary | Security update for systemd |
| Type | security |
| Severity | important |
| References | 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 |
Description:
This update for systemd fixes the following issues:
- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceeed
- automount: don't pass non-blocking pipe to kernel.
| Advisory ID | SUSE-RU-2019:464-1
|
| Released | Fri Feb 22 09:43:52 2019 |
| Summary | Recommended update for xkeyboard-config |
| Type | recommended |
| Severity | moderate |
| References | 1123784 |
Description:
This update for xkeyboard-config fixes the following issues:
- Fixes missing mappings for evdev keys KEY_RFKILL and KEY_WWAN. (bsc#1123784)
| Advisory ID | SUSE-SU-2019:480-1
|
| Released | Mon Feb 25 11:55:21 2019 |
| Summary | Security update for supportutils |
| Type | security |
| Severity | important |
| References | 1043311,1046681,1051797,1071545,1105849,1112461,1115245,1117776,1118460,1118462,1118463,1125609,1125666,CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640 |
Description:
This update for supportutils fixes the following issues:
Security issues fixed:
- CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
Other issues fixed:
- Fixed invalid exit code commands (bsc#1125666).
- Included additional SUSE separation (bsc#1125609).
- Merged added listing of locked packes by zypper.
- Exclude pam.txt per GDPR by default (bsc#1112461).
- Clarified -x functionality in supportconfig(8) (bsc#1115245).
- udev service and provide the whole journal content in supportconfig (bsc#1051797).
- supportconfig collects tuned profile settings (bsc#1071545).
- sfdisk -d no disk device specified (bsc#1043311).
- Added vulnerabilites status check in basic-health.txt (bsc#1105849).
- Added only sched_domain from cpu0.
- Blacklist sched_domain from proc.txt (bsc#1046681).
- Added firewall-cmd info.
- Add ls -lA --time-style=long-iso /etc/products.d/
- Dump lsof errors.
- Added corosync status to ha_info.
- Dump find errors in ib_info.
| Advisory ID | SUSE-SU-2019:495-1
|
| Released | Tue Feb 26 16:42:35 2019 |
| Summary | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc |
| Type | security |
| Severity | important |
| References | 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736 |
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:
- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
- CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
- CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container
breakout (bsc#1121967).
Other changes and fixes:
- Update shell completion to use Group: System/Shells.
- Add daemon.json file with rotation logs configuration (bsc#1114832)
- Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84.
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Update go requirements to >= go1.10
- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
- Remove the usage of 'cp -r' to reduce noise in the build logs.
| Advisory ID | SUSE-RU-2019:565-1
|
| Released | Thu Mar 7 17:46:16 2019 |
| Summary | Recommended update for supportutils |
| Type | recommended |
| Severity | moderate |
| References | 1094225,1109664,1120049,1121043,1127063,1127069 |
Description:
This update for supportutils fixes the following issues:
- Dont show error if /proc/fb is not present (bsc#1127069)
- Fixed issue where dasdview got called with wrong arguments (bsc#1109664)
- Clarified -t argument description in help output (bsc#1121043)
- Fixed grep error in NTP when /etc/cron.d is empty (bsc#1127063)
- Collect systemd journal logs with minimum installation (bsc#1094225)
- Fixed tar file generation (bsc#1120049)
| Advisory ID | SUSE-RU-2019:570-1
|
| Released | Thu Mar 7 17:50:46 2019 |
| Summary | Recommended update for bind |
| Type | recommended |
| Severity | moderate |
| References | 1094236 |
Description:
This update for bind fixes the following issues:
- Fixes dynamic DNS updates against samba and Microsoft DNS servers
(bsc#1094236).
| Advisory ID | SUSE-SU-2019:571-1
|
| Released | Thu Mar 7 18:13:46 2019 |
| Summary | Security update for file |
| Type | security |
| Severity | moderate |
| References | 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 |
Description:
This update for file fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in
readelf.c, which allowed remote attackers to cause a denial of service
(application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
(bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
(bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
(bsc#1126117)
| Advisory ID | SUSE-RU-2019:608-1
|
| Released | Wed Mar 13 15:21:02 2019 |
| Summary | Recommended update for cups |
| Type | recommended |
| Severity | moderate |
| References | 1118118 |
Description:
This update for cups fixes the following issues:
- Fixed validation of UTF-8 filenames to avoid crashes (bsc#1118118)
| Advisory ID | SUSE-RU-2019:641-1
|
| Released | Tue Mar 19 13:17:28 2019 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1112570,1114984,1114993 |
Description:
This update for glibc provides the following fixes:
- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales.
(fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880,
fate#325881, fate#325882)
| Advisory ID | SUSE-RU-2019:700-1
|
| Released | Thu Mar 21 19:54:00 2019 |
| Summary | Recommended update for cyrus-sasl |
| Type | recommended |
| Severity | moderate |
| References | 1044840 |
Description:
This update for cyrus-sasl provides the following fix:
- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'.
By server context the connection will be sent to the log function but the client content
does not have log level information, so there is no way to stop DEBUG level logs.
(bsc#1044840)
| Advisory ID | SUSE-RU-2019:713-1
|
| Released | Fri Mar 22 15:55:05 2019 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1063675,1126590 |
Description:
This update for glibc fixes the following issues:
- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)
| Advisory ID | SUSE-RU-2019:732-1
|
| Released | Mon Mar 25 14:10:04 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1088524,1118364,1128246 |
Description:
This update for aaa_base fixes the following issues:
- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)
| Advisory ID | SUSE-SU-2019:788-1
|
| Released | Thu Mar 28 11:55:06 2019 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1119687,CVE-2018-20346 |
Description:
This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html
| Advisory ID | SUSE-RU-2019:790-1
|
| Released | Thu Mar 28 12:06:17 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1130557 |
Description:
This update for timezone fixes the following issues:
timezone was updated 2019a:
- Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
- Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
- Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
- zic now has an -r option to limit the time range of output data
| Advisory ID | SUSE-RU-2019:791-1
|
| Released | Thu Mar 28 12:06:50 2019 |
| Summary | Security update for libnettle |
| Type | recommended |
| Severity | moderate |
| References | 1129598 |
Description:
This update for libnettle to version 3.4.1 fixes the following issues:
Issues addressed and new features:
- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the
bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of
PKCS#1 padding needed for RSA decryption.
- Changes in behavior:
The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message
buffer, independent of the actual message length. They are side-channel silent, in that
branches and memory accesses don't depend on the validity or length of the message.
Side-channel leakage from the caller's use of length and return value may still provide
an oracle useable for a Bleichenbacher-style chosen ciphertext attack.
Which is why the new function rsa_sec_decrypt is recommended.
| Advisory ID | SUSE-RU-2019:858-1
|
| Released | Wed Apr 3 15:50:37 2019 |
| Summary | Recommended update for libtirpc |
| Type | recommended |
| Severity | moderate |
| References | 1120689,1126096 |
Description:
This update for libtirpc fixes the following issues:
- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).
| Advisory ID | SUSE-SU-2019:903-1
|
| Released | Mon Apr 8 15:41:44 2019 |
| Summary | Security update for glibc |
| Type | security |
| Severity | moderate |
| References | 1100396,1122729,1130045,CVE-2016-10739 |
Description:
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow
applications to incorrectly assume that had parsed a valid string, without the possibility of
embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).
Other issue fixed:
- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions
while maintained the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
| Advisory ID | SUSE-RU-2019:909-1
|
| Released | Tue Apr 9 08:04:44 2019 |
| Summary | Recommended update for chrony |
| Type | recommended |
| Severity | moderate |
| References | 1129914 |
Description:
This update for chrony fixes the following issues:
- Fix ordering and dependencies of chronyd.service, so that it is
started after name resolution is up (bsc#1129914).
| Advisory ID | SUSE-SU-2019:925-1
|
| Released | Wed Apr 10 16:32:50 2019 |
| Summary | Security update for wget |
| Type | security |
| Severity | important |
| References | 1131493,CVE-2019-5953 |
Description:
This update for wget fixes the following issues:
Security issue fixed:
- CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).
| Advisory ID | SUSE-SU-2019:926-1
|
| Released | Wed Apr 10 16:33:12 2019 |
| Summary | Security update for tar |
| Type | security |
| Severity | moderate |
| References | 1120610,1130496,CVE-2018-20482,CVE-2019-9923 |
Description:
This update for tar fixes the following issues:
Security issues fixed:
- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).
| Advisory ID | SUSE-RU-2019:966-1
|
| Released | Wed Apr 17 12:20:13 2019 |
| Summary | Recommended update for python-rpm-macros |
| Type | recommended |
| Severity | moderate |
| References | 1128323 |
Description:
This update for python-rpm-macros fixes the following issues:
The Python RPM macros were updated to version 20190408.32abece, fixing
bugs (bsc#1128323)
- Add missing $ expansion on the pytest call
- Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
- We should preserve existing PYTHONPATH.
- Add --ignore to pytest calls to ignore build directories.
- Actually make pytest into function to capture arguments as well
- Add pytest definitions.
- Use upstream-recommended %{_rpmconfigdir}/macros.d directory
for the rpm macros.
- Fix an issue with epoch printing having too many \
- add epoch while printing 'Provides:'
| Advisory ID | SUSE-SU-2019:971-1
|
| Released | Wed Apr 17 14:43:26 2019 |
| Summary | Security update for python3 |
| Type | security |
| Severity | important |
| References | 1129346,CVE-2019-9636 |
Description:
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
| Advisory ID | SUSE-RU-2019:1002-1
|
| Released | Wed Apr 24 10:13:34 2019 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1110304,1129576 |
Description:
This update for zlib fixes the following issues:
- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
| Advisory ID | SUSE-RU-2019:1034-1
|
| Released | Thu Apr 25 13:39:50 2019 |
| Summary | Recommended update for docker-runc |
| Type | recommended |
| Severity | important |
| References | 1131314,1131553 |
Description:
This update for docker-runc fixes the following issues:
- Backport various upstream patches to fix some kernel regression related to
O_TMPFILE. bsc#1131314 bsc#1131553
| Advisory ID | SUSE-SU-2019:1040-1
|
| Released | Thu Apr 25 17:09:21 2019 |
| Summary | Security update for samba |
| Type | security |
| Severity | important |
| References | 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 |
Description:
This update for samba fixes the following issues:
Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).
ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):
- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb
Non-security issues fixed:
- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide to the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.
| Advisory ID | SUSE-SU-2019:1127-1
|
| Released | Thu May 2 09:39:24 2019 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1130325,1130326,CVE-2019-9936,CVE-2019-9937 |
Description:
This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:
- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix
queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in
a single transaction with an fts5 virtual table (bsc#1130325).
| Advisory ID | SUSE-SU-2019:1156-1
|
| Released | Mon May 6 13:46:07 2019 |
| Summary | Security update for python-Jinja2 |
| Type | security |
| Severity | important |
| References | 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341 |
Description:
This update for python-Jinja2 to version 2.10.1 fixes the following issues:
Security issues fixed:
- CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815).
- CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).
| Advisory ID | SUSE-RU-2019:1160-1
|
| Released | Mon May 6 14:24:31 2019 |
| Summary | Recommended update for sg3_utils |
| Type | recommended |
| Severity | moderate |
| References | 1005063,1069384,1131482,1133418,840054 |
Description:
This update for sg3_utils fixes the following issues:
- Update to version 1.44~763+19.1ed0757:
* rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)
* 40-usb-blacklist.rules: use ID_SCSI_INQUIRY (bsc#840054, bsc#1131482)
* Changed versioning scheme (svn r763, pre-release of
upstream 1.44, plus 16 SUSE patches, SUSE git commit b2fedfa)
* 59-fc-wwpn-id.rules: fix rule syntax (bsc#1133418)
- Spec file: add fc_wwpn_id to generate by-path links for
fibrechannel (bsc#1005063)
| Advisory ID | SUSE-SU-2019:1206-1
|
| Released | Fri May 10 14:01:55 2019 |
| Summary | Security update for bzip2 |
| Type | security |
| Severity | low |
| References | 985657,CVE-2016-3189 |
Description:
This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
| Advisory ID | SUSE-SU-2019:1234-1
|
| Released | Tue May 14 18:31:52 2019 |
| Summary | Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork |
| Type | security |
| Severity | important |
| References | 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486 |
Description:
This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:
- CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).
- CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
- CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897).
- CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
- CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).
Other changes and bug fixes:
- Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068).
- docker-test: Improvements to test packaging (bsc#1128746).
- Move daemon.json file to /etc/docker directory (bsc#1114832).
- Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).
- Fix go build failures (bsc#1121397).
| Advisory ID | SUSE-RU-2019:1312-1
|
| Released | Wed May 22 12:19:12 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1096191 |
Description:
This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers
(bsc#1096191)
| Advisory ID | SUSE-SU-2019:1352-1
|
| Released | Fri May 24 14:41:44 2019 |
| Summary | Security update for python3 |
| Type | security |
| Severity | moderate |
| References | 1130840,1133452,CVE-2019-9947 |
Description:
This update for python3 to version 3.6.8 fixes the following issues:
Security issue fixed:
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
Non-security issue fixed:
- Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).
| Advisory ID | SUSE-SU-2019:1364-1
|
| Released | Tue May 28 10:51:38 2019 |
| Summary | Security update for systemd |
| Type | security |
| Severity | moderate |
| References | 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 |
Description:
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).
Non-security issued fixed:
- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)
| Advisory ID | SUSE-SU-2019:1368-1
|
| Released | Tue May 28 13:15:38 2019 |
| Summary | Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root |
| Type | security |
| Severity | important |
| References | 1134524,CVE-2019-5021 |
Description:
This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:
- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
| Advisory ID | SUSE-SU-2019:1372-1
|
| Released | Tue May 28 16:53:28 2019 |
| Summary | Security update for libtasn1 |
| Type | security |
| Severity | moderate |
| References | 1105435,CVE-2018-1000654 |
Description:
This update for libtasn1 fixes the following issues:
Security issue fixed:
- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
| Advisory ID | SUSE-RU-2019:1383-1
|
| Released | Thu May 30 08:11:26 2019 |
| Summary | Recommended update for supportutils |
| Type | recommended |
| Severity | moderate |
| References | 1081326,1088234,1100529,1120967,1125623,1132865,1133844,1134599 |
Description:
This update for supportutils fixes the following issues:
- Updated to version 3.1.3
+ Uses SUSE FTP servers (bsc#1132865)
+ btrfs quota #43
+ supportconfig: open-files: add file flags #44
+ Merged etc_info: Add support for .cfg files in /etc dir #46
+ Silence warning in rpm backup db collection path #47
+ Set files in tarball to 660 instead of 600 #48
+ SUSE separation finalized (bsc#1125623)
+ Default compression through xz, but -z forces bzip2
+ Updated man pages (bsc#1088234)
+ Changed VAR_OPTION_BIN_TIMEOUT_SEC from 300 to 120
+ Avoids some IO delays (bsc#1100529)
+ Corrected supported services help info for -U
+ Collects iSCSI Target information (bsc#1133844)
+ FTPES uses --ssl-reqd instead of depricated --ftp-ssl
+ Defaults to https FTP server uploads (bsc#1134599)
- Updated to version 3.1.2
+ Fixed missing sapconf and log (bsc#1081326)
+ Added timed_log_cmd to hwinfo and showmount commands (bsc#1120967)
| Advisory ID | SUSE-SU-2019:1398-1
|
| Released | Fri May 31 12:54:22 2019 |
| Summary | Security update for libpng16 |
| Type | security |
| Severity | low |
| References | 1100687,1121624,1124211,CVE-2018-13785,CVE-2019-7317 |
Description:
This update for libpng16 fixes the following issues:
Security issues fixed:
- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2018-13785: Fixed a wrong calculation of row_factor in the
png_check_chunk_length function in pngrutil.c, which could haved triggered
and integer overflow and result in an divide-by-zero while processing a
crafted PNG file, leading to a denial of service (bsc#1100687)
| Advisory ID | SUSE-SU-2019:1407-1
|
| Released | Mon Jun 3 13:33:51 2019 |
| Summary | Security update for bind |
| Type | security |
| Severity | important |
| References | 1104129,1126068,1126069,1133185,CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 |
Description:
This update for bind fixes the following issues:
Security issues fixed:
- CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).
- CVE-2018-5745: Fixed a denial of service vulnerability if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (bsc#1126068).
- CVE-2018-5743: Fixed a denial of service vulnerability which could be caused by to many simultaneous TCP connections (bsc#1133185).
- CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).
| Advisory ID | SUSE-SU-2019:1457-1
|
| Released | Tue Jun 11 10:09:14 2019 |
| Summary | Security update for vim |
| Type | security |
| Severity | important |
| References | 1137443,CVE-2019-12735 |
Description:
This update for vim fixes the following issue:
Security issue fixed:
- CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).
| Advisory ID | SUSE-RU-2019:1484-1
|
| Released | Thu Jun 13 07:46:46 2019 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1128383 |
Description:
This update for e2fsprogs fixes the following issues:
- Check and fix tails of all bitmap blocks (bsc#1128383)
| Advisory ID | SUSE-SU-2019:1486-1
|
| Released | Thu Jun 13 09:40:24 2019 |
| Summary | Security update for elfutils |
| Type | security |
| Severity | moderate |
| References | 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 |
Description:
This update for elfutils fixes the following issues:
Security issues fixed:
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726)
- CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)
| Advisory ID | SUSE-SU-2019:1487-1
|
| Released | Thu Jun 13 09:40:56 2019 |
| Summary | Security update for python-requests |
| Type | security |
| Severity | moderate |
| References | 1111622,CVE-2018-18074 |
Description:
This update for python-requests to version 2.20.1 fixes the following issues:
Security issue fixed:
- CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622).
| Advisory ID | SUSE-RU-2019:1492-1
|
| Released | Thu Jun 13 14:51:01 2019 |
| Summary | Recommended update for libidn |
| Type | recommended |
| Severity | low |
| References | 1132869 |
Description:
This update for libidn fixes the following issue:
- The missing libidn11-32bit compat library package was provided. (bsc#1132869)
| Advisory ID | SUSE-SU-2019:1562-1
|
| Released | Wed Jun 19 09:16:07 2019 |
| Summary | Security update for docker |
| Type | security |
| Severity | moderate |
| References | 1096726,CVE-2018-15664 |
Description:
This update for docker fixes the following issues:
Security issue fixed:
- CVE-2018-15664: Fixed an issue which could make docker cp vulnerable to symlink-exchange race attacks (bsc#1096726).
| Advisory ID | SUSE-SU-2019:1595-1
|
| Released | Fri Jun 21 10:17:44 2019 |
| Summary | Security update for dbus-1 |
| Type | security |
| Severity | important |
| References | 1137832,CVE-2019-12749 |
Description:
This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication (bsc#1137832).
| Advisory ID | SUSE-RU-2019:1616-1
|
| Released | Fri Jun 21 11:04:39 2019 |
| Summary | Recommended update for rpcbind |
| Type | recommended |
| Severity | moderate |
| References | 1134659 |
Description:
This update for rpcbind fixes the following issues:
- Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659)
- Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update.
| Advisory ID | SUSE-RU-2019:1627-1
|
| Released | Fri Jun 21 11:15:11 2019 |
| Summary | Recommended update for xfsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1073421,1122271,1129859 |
Description:
This update for xfsprogs fixes the following issues:
- xfs_repair: will now allow '/' in attribute names (bsc#1122271)
- xfs_repair: will now allow zeroing of corrupt log (bsc#1073421)
- enabdled offline (unmounted) filesystem geometry queries (bsc#1129859)
| Advisory ID | SUSE-RU-2019:1631-1
|
| Released | Fri Jun 21 11:17:21 2019 |
| Summary | Recommended update for xz |
| Type | recommended |
| Severity | low |
| References | 1135709 |
Description:
This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma,
xz, xzdec, lzmadec, documentation, translated messages, tests,
debug, extra directory) are in public domain licence [bsc#1135709]
| Advisory ID | SUSE-RU-2019:1635-1
|
| Released | Fri Jun 21 12:45:53 2019 |
| Summary | Recommended update for krb5 |
| Type | recommended |
| Severity | moderate |
| References | 1134217 |
Description:
This update for krb5 provides the following fix:
- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)
| Advisory ID | SUSE-RU-2019:1700-1
|
| Released | Tue Jun 25 13:19:21 2019 |
| Summary | Security update for libssh |
| Type | recommended |
| Severity | moderate |
| References | 1134193 |
Description:
This update for libssh fixes the following issue:
Issue addressed:
- Added support for new AES-GCM encryption types (bsc#1134193).
| Advisory ID | SUSE-SU-2019:1804-1
|
| Released | Wed Jul 10 10:40:44 2019 |
| Summary | Security update for ruby-bundled-gems-rpmhelper, ruby2.5 |
| Type | security |
| Severity | important |
| References | 1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130028,1130611,1130617,1130620,1130622,1130623,1130627,1133790,CVE-2017-17742,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325 |
Description:
This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues:
Changes in ruby2.5:
Update to 2.5.5 and 2.5.4:
https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/
https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/
Security issues fixed:
- CVE-2019-8320: Delete directory using symlink when
decompressing tar (bsc#1130627)
- CVE-2019-8321: Escape sequence injection vulnerability in
verbose (bsc#1130623)
- CVE-2019-8322: Escape sequence injection vulnerability in gem
owner (bsc#1130622)
- CVE-2019-8323: Escape sequence injection vulnerability in API
response handling (bsc#1130620)
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary
code execution (bsc#1130617)
- CVE-2019-8325: Escape sequence injection vulnerability in
errors (bsc#1130611)
Ruby 2.5 was updated to 2.5.3:
This release includes some bug fixes and some security fixes.
Security issues fixed:
- CVE-2018-16396: Tainted flags are not propagated in Array#pack
and String#unpack with some directives (bsc#1112532)
- CVE-2018-16395: OpenSSL::X509::Name equality check does not
work correctly (bsc#1112530)
Ruby 2.5 was updated to 2.5.1:
This release includes some bug fixes and some security fixes.
Security issues fixed:
- CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)
- CVE-2018-6914: Unintentional file and directory creation with
directory traversal in tempfile and tmpdir (bsc#1087441)
- CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)
- CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)
- CVE-2018-8779: Unintentional socket creation by poisoned NUL
byte in UNIXServer and UNIXSocket (bsc#1087440)
- CVE-2018-8780: Unintentional directory traversal by poisoned
NUL byte in Dir (bsc#1087437)
- Multiple vulnerabilities in RubyGems were fixed:
- CVE-2018-1000079: Fixed path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058)
- CVE-2018-1000075: Fixed infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014)
- CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when displayed via gem server (bsc#1082011)
- CVE-2018-1000077: Fixed that missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (bsc#1082010)
- CVE-2018-1000076: Fixed improper verification of signatures in tarball allows to install mis-signed gem (bsc#1082009)
- CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (bsc#1082008)
- CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root (bsc#1082007)
Other changes:
- Fixed Net::POPMail methods modify frozen literal when using default arg
- ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790)
- build with PIE support (bsc#1130028)
Changes in ruby-bundled-gems-rpmhelper:
- Add a new helper for bundled ruby gems.
| Advisory ID | SUSE-RU-2019:1808-1
|
| Released | Wed Jul 10 13:16:29 2019 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1133808 |
Description:
This update for libgcrypt fixes the following issues:
- Fixed redundant fips tests in some situations causing sudo to stop
working when pam-kwallet is installed. bsc#1133808
| Advisory ID | SUSE-RU-2019:1815-1
|
| Released | Thu Jul 11 07:47:55 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1140016 |
Description:
This update for timezone fixes the following issues:
- Timezone update 2019b. (bsc#1140016):
- Brazil no longer observes DST.
- 'zic -b slim' outputs smaller TZif files.
- Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
- Add info about the Crimea situation.
| Advisory ID | SUSE-SU-2019:1835-1
|
| Released | Fri Jul 12 18:06:31 2019 |
| Summary | Security update for expat |
| Type | security |
| Severity | moderate |
| References | 1139937,CVE-2018-20843 |
Description:
This update for expat fixes the following issues:
Security issue fixed:
- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption
in the XML parser when XML names contain a large amount of colons (bsc#1139937).
| Advisory ID | SUSE-SU-2019:1846-1
|
| Released | Mon Jul 15 11:36:33 2019 |
| Summary | Security update for bzip2 |
| Type | security |
| Severity | important |
| References | 1139083,CVE-2019-12900 |
Description:
This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
| Advisory ID | SUSE-RU-2019:1853-1
|
| Released | Mon Jul 15 16:03:36 2019 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1107617,1137053 |
Description:
This update for systemd fixes the following issues:
- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
Those symlinks must only be created by the presets. There are no
changes in practice since systemd/udev doesn't ship such symlinks in
/etc but let's make sure no future changes will introduce new ones
by mistake.
| Advisory ID | SUSE-SU-2019:1869-1
|
| Released | Wed Jul 17 14:03:20 2019 |
| Summary | Security update for MozillaFirefox |
| Type | security |
| Severity | important |
| References | 1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811 |
Description:
This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:
- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1:
- Added IPSEC IKE support to softoken
- Many new FIPS test cases
| Advisory ID | SUSE-SU-2019:1877-1
|
| Released | Thu Jul 18 11:31:46 2019 |
| Summary | Security update for glibc |
| Type | security |
| Severity | moderate |
| References | 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 |
Description:
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- Does no longer compress debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)
| Advisory ID | SUSE-SU-2019:1971-1
|
| Released | Thu Jul 25 14:58:52 2019 |
| Summary | Security update for libgcrypt |
| Type | security |
| Severity | moderate |
| References | 1138939,CVE-2019-12904 |
Description:
This update for libgcrypt fixes the following issues:
Security issue fixed:
- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).
| Advisory ID | SUSE-RU-2019:1994-1
|
| Released | Fri Jul 26 16:12:05 2019 |
| Summary | Recommended update for libxml2 |
| Type | recommended |
| Severity | moderate |
| References | 1135123 |
Description:
This update for libxml2 fixes the following issues:
- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)
| Advisory ID | SUSE-RU-2019:2001-1
|
| Released | Fri Jul 26 18:09:41 2019 |
| Summary | Recommended update for docker |
| Type | recommended |
| Severity | important |
| References | 1138920 |
Description:
This update for docker fixes the following issues:
- Mark daemon.json as %config(noreplace) to not overwrite it during
installation (bsc#1138920)
| Advisory ID | SUSE-SU-2019:2004-1
|
| Released | Mon Jul 29 13:01:59 2019 |
| Summary | Security update for bzip2 |
| Type | security |
| Severity | important |
| References | 1139083,CVE-2019-12900 |
Description:
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
| Advisory ID | SUSE-RU-2019:2005-1
|
| Released | Mon Jul 29 13:02:15 2019 |
| Summary | Recommended update for cloud-init |
| Type | recommended |
| Severity | moderate |
| References | 1116767,1119397,1121878,1123694,1125950,1125992,1126101,1132692,1136440 |
Description:
This update for cloud-init fixes the following issues:
- Fixes a bug where only the last defined route was written to the routes configuration
file (bsc#1132692)
- Fixes a bug where a new network rules file for network devices didn't apply immediately (bsc#1125950)
- Improved the writing of route config files to avoid issues (bsc#1125992)
- Fixes a bug where OpenStack instances where not detected on VIO (bsc#1136440)
- Fixes a bug where IPv4 and IPv6 were not set up as default routes (bsc#1121878)
- Added a fix to prevent the resolv.conf to be empty (bsc#1119397)
- Uses now the proper name to designate IPv6 addresses in ifcfg-* files (bsc#1126101)
- Fixes an issue where the ifroute-eth0 file got corrupted when cloning an
existing instance (bsc#1123694)
Some more fixes were included within the 19.1 update of cloud-init. Please refer to the package
changelog for more details.
| Advisory ID | SUSE-SU-2019:2006-1
|
| Released | Mon Jul 29 13:02:49 2019 |
| Summary | Security update for gpg2 |
| Type | security |
| Severity | important |
| References | 1124847,1141093,CVE-2019-13050 |
Description:
This update for gpg2 fixes the following issues:
Security issue fixed:
- CVE-2019-13050: Fixed a denial of service attacks via big keys (bsc#1141093).
Non-security issue fixed:
- Allow coredumps in X11 desktop sessions (bsc#1124847)
| Advisory ID | SUSE-SU-2019:2050-1
|
| Released | Tue Aug 6 09:42:37 2019 |
| Summary | Security update for python3 |
| Type | security |
| Severity | important |
| References | 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160 |
Description:
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).
Non-security issue fixed:
- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).
| Advisory ID | SUSE-SU-2019:2087-1
|
| Released | Wed Aug 7 18:16:48 2019 |
| Summary | Security update for tcpdump |
| Type | security |
| Severity | moderate |
| References | 1068716,1142439,CVE-2017-16808,CVE-2019-1010220 |
Description:
This update for tcpdump fixes the following issues:
Security issues fixed:
- CVE-2019-1010220: Fixed a buffer over-read in print_prefix() which may expose data (bsc#1142439).
- CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print() and lookup_emem() (bsc#1068716).
| Advisory ID | SUSE-RU-2019:2096-1
|
| Released | Fri Aug 9 06:57:23 2019 |
| Summary | Recommended update for docker-img-store-setup |
| Type | recommended |
| Severity | moderate |
| References | 1138201 |
Description:
This update for docker-img-store-setup fixes the following issues:
- Support creation of the container storage filesystem with XFS to use the overlay fs driver. (bsc#1138201)
| Advisory ID | SUSE-RU-2019:2097-1
|
| Released | Fri Aug 9 09:31:17 2019 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | important |
| References | 1097073 |
Description:
This update for libgcrypt fixes the following issues:
- Fixed a regression where system were unable to boot in fips mode, caused by an
incomplete implementation of previous change (bsc#1097073).
| Advisory ID | SUSE-SU-2019:2117-1
|
| Released | Tue Aug 13 14:56:55 2019 |
| Summary | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork |
| Type | security |
| Severity | important |
| References | 1100331,1121967,1138920,1139649,1142160,1142413,1143409,CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736 |
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker:
- CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409).
- CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).
- Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649).
runc:
- Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).
- Update to runc 425e105d5a03, which is required by Docker (bsc#1139649).
containerd:
- CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967).
- Update to containerd v1.2.6, which is required by docker (bsc#1139649).
golang-github-docker-libnetwork:
- Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649).
| Advisory ID | SUSE-RU-2019:2134-1
|
| Released | Wed Aug 14 11:54:56 2019 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1136717,1137624,1141059,SLE-5807 |
Description:
This update for zlib fixes the following issues:
- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)
| Advisory ID | SUSE-RU-2019:2142-1
|
| Released | Wed Aug 14 18:14:04 2019 |
| Summary | Recommended update for mozilla-nspr, mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1141322 |
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :
- New function in pk11pub.h: PK11_FindRawCertsWithSubject
- The following CA certificates were Removed:
CN = Certinomis - Root CA (bmo#1552374)
- Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
This adds a new experimental function SSL_DelegateCredential
Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
- Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
- Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
- Add IPSEC IKE support to softoken (bmo#1546229)
- Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
- Expose an external clock for SSL (bmo#1543874)
This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
- Various changes in response to the ongoing FIPS review (bmo#1546477)
Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
mozilla-nspr was updated to version 4.21
- Changed prbit.h to use builtin function on aarch64.
- Removed Gonk/B2G references.
| Advisory ID | SUSE-RU-2019:2188-1
|
| Released | Wed Aug 21 10:10:29 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1140647 |
Description:
This update for aaa_base fixes the following issues:
- Make systemd detection cgroup oblivious. (bsc#1140647)
| Advisory ID | SUSE-RU-2019:2218-1
|
| Released | Mon Aug 26 11:29:57 2019 |
| Summary | Recommended update for pinentry |
| Type | recommended |
| Severity | moderate |
| References | 1141883 |
Description:
This update for pinentry fixes the following issues:
- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)
| Advisory ID | SUSE-RU-2019:2241-1
|
| Released | Wed Aug 28 14:58:49 2019 |
| Summary | Recommended update for ca-certificates-mozilla |
| Type | recommended |
| Severity | moderate |
| References | 1144169 |
Description:
This update for ca-certificates-mozilla fixes the following issues:
ca-certificates-mozillawas updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)
Removed CAs:
- Certinomis - Root CA
Includes new root CAs from the 2.32 version:
- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
| Advisory ID | SUSE-RU-2019:2306-1
|
| Released | Thu Sep 5 14:39:23 2019 |
| Summary | Recommended update for parted |
| Type | recommended |
| Severity | moderate |
| References | 1082318,1136245 |
Description:
This update for parted fixes the following issues:
- Included several minor bug fixes - for more details please refer to this rpm's changelog (bsc#1136245)
- Installs the license file in the correct directory (bsc#1082318)
| Advisory ID | SUSE-SU-2019:2307-1
|
| Released | Thu Sep 5 14:45:08 2019 |
| Summary | Security update for util-linux and shadow |
| Type | security |
| Severity | moderate |
| References | 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 |
Description:
This update for util-linux and shadow fixes the following issues:
util-linux:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).
shadow:
- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
| Advisory ID | SUSE-SU-2019:2332-1
|
| Released | Mon Sep 9 10:17:16 2019 |
| Summary | Security update for python-urllib3 |
| Type | security |
| Severity | moderate |
| References | 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740 |
Description:
This update for python-urllib3 fixes the following issues:
Security issues fixed:
- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
| Advisory ID | SUSE-RU-2019:2357-1
|
| Released | Wed Sep 11 13:26:14 2019 |
| Summary | Recommended update for lmdb |
| Type | recommended |
| Severity | moderate |
| References | 1136132 |
Description:
This update for lmdb fixes the following issues:
- Fix occasional crash when freed pages landed on the dirty list twice
(bsc#1136132).
| Advisory ID | SUSE-RU-2019:2361-1
|
| Released | Thu Sep 12 07:54:54 2019 |
| Summary | Recommended update for krb5 |
| Type | recommended |
| Severity | moderate |
| References | 1081947,1144047 |
Description:
This update for krb5 contains the following fixes:
- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
| Advisory ID | SUSE-SU-2019:2395-1
|
| Released | Wed Sep 18 08:31:38 2019 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | moderate |
| References | 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 |
Description:
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay
are enabled, attempts to free a buffer that was allocated on the stack,
which allows remote attackers to cause a denial of service (slapd crash)
via a member MODDN operation. (bsc#1073313)
Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
| Advisory ID | SUSE-RU-2019:2422-1
|
| Released | Fri Sep 20 16:36:43 2019 |
| Summary | Recommended update for python-urllib3 |
| Type | recommended |
| Severity | moderate |
| References | 1150895 |
Description:
This update for python-urllib3 fixes the following issues:
- Add missing dependency on python-six (bsc#1150895)
| Advisory ID | SUSE-RU-2019:2423-1
|
| Released | Fri Sep 20 16:41:45 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1146866,SLE-9132 |
Description:
This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
| Advisory ID | SUSE-SU-2019:2429-1
|
| Released | Mon Sep 23 09:28:40 2019 |
| Summary | Security update for expat |
| Type | security |
| Severity | moderate |
| References | 1149429,CVE-2019-15903 |
Description:
This update for expat fixes the following issues:
Security issues fixed:
- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)
| Advisory ID | SUSE-RU-2019:2494-1
|
| Released | Mon Sep 30 16:22:20 2019 |
| Summary | Recommended update for cloud-init |
| Type | recommended |
| Severity | important |
| References | 1141969,1144363,1144881 |
Description:
This update for cloud-init provides the following fixes:
- Properly handle static routes. The EphemeralDHCP context manager did not parse or handle
rfc3442 classless static routes which prevented reading datasource metadata in some
clouds. (bsc#1141969)
- The __str__ implementation no longer delivers the name of the interface, use the 'name'
attribute instead to form a proper path in the sysfs tree. (bsc#1144363)
- If no routes are set for a subnet but the subnet has a gateway specified, set the
gateway as the default route for the interface. (bsc#1144881)
| Advisory ID | SUSE-SU-2019:2517-1
|
| Released | Wed Oct 2 10:49:20 2019 |
| Summary | Security update for libseccomp |
| Type | security |
| Severity | moderate |
| References | 1082318,1128828,1142614,CVE-2019-9893 |
Description:
This update for libseccomp fixes the following issues:
Security issues fixed:
- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)
libseccomp was updated to new upstream release 2.4.1:
- Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates
libseccomp was updated to release 2.3.3:
- Updated the syscall table for Linux v4.15-rc7
| Advisory ID | SUSE-SU-2019:2533-1
|
| Released | Thu Oct 3 15:02:50 2019 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1150137,CVE-2019-16168 |
Description:
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
| Advisory ID | SUSE-SU-2019:2550-1
|
| Released | Fri Oct 4 13:17:15 2019 |
| Summary | Security update for bind |
| Type | security |
| Severity | important |
| References | 1118367,1118368,1138687,CVE-2019-6471 |
Description:
This update for bind fixes the following issues:
Security issue fixed:
- CVE-2019-6471: Fixed a reachable assert in dispatch.c. (bsc#1138687)
Non-security issue fixed:
- bind will no longer rely on /etc/insserv.conf (bsc#1118367, bsc#1118368)
| Advisory ID | SUSE-SU-2019:2656-1
|
| Released | Mon Oct 14 17:02:24 2019 |
| Summary | Security update for sudo |
| Type | security |
| Severity | important |
| References | 1153674,CVE-2019-14287 |
Description:
This update for sudo fixes the following issue:
- CVE-2019-14287: Fixed an issue where a user with sudo privileges
that allowed them to run commands with an arbitrary uid, could
run commands as root, despite being forbidden to do so in sudoers
(bsc#1153674).
| Advisory ID | SUSE-SU-2019:2657-1
|
| Released | Mon Oct 14 17:04:07 2019 |
| Summary | Security update for dhcp |
| Type | security |
| Severity | moderate |
| References | 1089524,1134078,1136572,CVE-2019-6470 |
Description:
This update for dhcp fixes the following issues:
Secuirty issue fixed:
- CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078).
Bug fixes:
- Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524).
- Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572).
| Advisory ID | SUSE-SU-2019:2673-1
|
| Released | Tue Oct 15 16:53:08 2019 |
| Summary | Security update for libpcap |
| Type | security |
| Severity | important |
| References | 1153332,CVE-2018-16301,CVE-2019-15165 |
Description:
This update for libpcap fixes the following issues:
- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).
| Advisory ID | SUSE-SU-2019:2674-1
|
| Released | Tue Oct 15 16:53:28 2019 |
| Summary | Security update for tcpdump |
| Type | security |
| Severity | important |
| References | 1068716,1153098,1153332,CVE-2017-16808,CVE-2018-10103,CVE-2018-10105,CVE-2018-14461,CVE-2018-14462,CVE-2018-14463,CVE-2018-14464,CVE-2018-14465,CVE-2018-14466,CVE-2018-14467,CVE-2018-14468,CVE-2018-14469,CVE-2018-14470,CVE-2018-14879,CVE-2018-14880,CVE-2018-14881,CVE-2018-14882,CVE-2018-16227,CVE-2018-16228,CVE-2018-16229,CVE-2018-16230,CVE-2018-16300,CVE-2018-16301,CVE-2018-16451,CVE-2018-16452,CVE-2019-1010220,CVE-2019-15166,CVE-2019-15167 |
Description:
This update for tcpdump fixes the following issues:
- CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print and lookup_emem (bsc#1068716 bsc#1153098).
- CVE-2018-10103: Fixed a mishandling of the printing of SMB data (bsc#1153098).
- CVE-2018-10105: Fixed a mishandling of the printing of SMB data (bsc#1153098).
- CVE-2018-14461: Fixed a buffer over-read in print-ldp.c:ldp_tlv_print (bsc#1153098).
- CVE-2018-14462: Fixed a buffer over-read in print-icmp.c:icmp_print (bsc#1153098).
- CVE-2018-14463: Fixed a buffer over-read in print-vrrp.c:vrrp_print (bsc#1153098).
- CVE-2018-14464: Fixed a buffer over-read in print-lmp.c:lmp_print_data_link_subobjs (bsc#1153098).
- CVE-2018-14465: Fixed a buffer over-read in print-rsvp.c:rsvp_obj_print (bsc#1153098).
- CVE-2018-14466: Fixed a buffer over-read in print-rx.c:rx_cache_find (bsc#1153098).
- CVE-2018-14467: Fixed a buffer over-read in print-bgp.c:bgp_capabilities_print (bsc#1153098).
- CVE-2018-14468: Fixed a buffer over-read in print-fr.c:mfr_print (bsc#1153098).
- CVE-2018-14469: Fixed a buffer over-read in print-isakmp.c:ikev1_n_print (bsc#1153098).
- CVE-2018-14470: Fixed a buffer over-read in print-babel.c:babel_print_v2 (bsc#1153098).
- CVE-2018-14879: Fixed a buffer overflow in the command-line argument parser (bsc#1153098).
- CVE-2018-14880: Fixed a buffer over-read in the OSPFv3 parser (bsc#1153098).
- CVE-2018-14881: Fixed a buffer over-read in the BGP parser (bsc#1153098).
- CVE-2018-14882: Fixed a buffer over-read in the ICMPv6 parser (bsc#1153098).
- CVE-2018-16227: Fixed a buffer over-read in the IEEE 802.11 parser in print-802_11.c for the Mesh Flags subfield (bsc#1153098).
- CVE-2018-16228: Fixed a buffer over-read in the HNCP parser (bsc#1153098).
- CVE-2018-16229: Fixed a buffer over-read in the DCCP parser (bsc#1153098).
- CVE-2018-16230: Fixed a buffer over-read in the BGP parser in print-bgp.c:bgp_attr_print (bsc#1153098).
- CVE-2018-16300: Fixed an unlimited recursion in the BGP parser that allowed denial-of-service by stack consumption (bsc#1153098).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332 bsc#1153098).
- CVE-2018-16451: Fixed several buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN (bsc#1153098).
- CVE-2018-16452: Fixed a stack exhaustion in smbutil.c:smb_fdata (bsc#1153098).
- CVE-2019-15166: Fixed a bounds check in lmp_print_data_link_subobjs (bsc#1153098).
- CVE-2019-15167: Fixed a vulnerability in VRRP (bsc#1153098).
| Advisory ID | SUSE-RU-2019:2676-1
|
| Released | Tue Oct 15 21:06:54 2019 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1145716,1152101,CVE-2019-5094 |
Description:
This update for e2fsprogs fixes the following issues:
Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)
Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)
| Advisory ID | SUSE-RU-2019:2681-1
|
| Released | Tue Oct 15 22:01:40 2019 |
| Summary | Recommended update for libdb-4_8 |
| Type | recommended |
| Severity | moderate |
| References | 1148244 |
Description:
This update for libdb-4_8 fixes the following issues:
- Add off-page deadlock patch as found and documented by Red Hat.
(bsc#1148244)
| Advisory ID | SUSE-RU-2019:2693-1
|
| Released | Wed Oct 16 16:43:30 2019 |
| Summary | Recommended update for rpcbind |
| Type | recommended |
| Severity | moderate |
| References | 1142343 |
Description:
This update for rpcbind fixes the following issues:
- Return correct IP address with multiple ip addresses in the same
subnet. (bsc#1142343)
| Advisory ID | SUSE-RU-2019:2722-1
|
| Released | Mon Oct 21 11:14:20 2019 |
| Summary | Recommended update for pciutils-ids |
| Type | recommended |
| Severity | moderate |
| References | 1127840,1133581 |
Description:
This is a version update for pciutils-ids to version 20190830 (bsc#1133581, bsc#1127840)
| Advisory ID | SUSE-SU-2019:2730-1
|
| Released | Mon Oct 21 16:04:57 2019 |
| Summary | Security update for procps |
| Type | security |
| Severity | important |
| References | 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 |
Description:
This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)
The update to 3.3.15 contains the following fixes:
- library: Increment to 8:0:1
No removals, no new functions
Changes: slab and pid structures
- library: Just check for SIGLOST and don't delete it
- library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
- library: Use size_t for alloc functions CVE-2018-1126
- library: Increase comm size to 64
- pgrep: Fix stack-based buffer overflow CVE-2018-1125
- pgrep: Remove >15 warning as comm can be longer
- ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
- ps: Increase command name selection field to 64
- top: Don't use cwd for location of config CVE-2018-1122
- update translations
- library: build on non-glibc systems
- free: fix scaling on 32-bit systems
- Revert 'Support running with child namespaces'
- library: Increment to 7:0:1
No changes, no removals
New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
- doc: Document I idle state in ps.1 and top.1
- free: fix some of the SI multiples
- kill: -l space between name parses correctly
- library: dont use vm_min_free on non Linux
- library: don't strip off wchan prefixes (ps & top)
- pgrep: warn about 15+ char name only if -f not used
- pgrep/pkill: only match in same namespace by default
- pidof: specify separator between pids
- pkill: Return 0 only if we can kill process
- pmap: fix duplicate output line under '-x' option
- ps: avoid eip/esp address truncations
- ps: recognizes SCHED_DEADLINE as valid CPU scheduler
- ps: display NUMA node under which a thread ran
- ps: Add seconds display for cputime and time
- ps: Add LUID field
- sysctl: Permit empty string for value
- sysctl: Don't segv when file not available
- sysctl: Read and write large buffers
- top: add config file support for XDG specification
- top: eliminated minor libnuma memory leak
- top: show fewer memory decimal places (configurable)
- top: provide command line switch for memory scaling
- top: provide command line switch for CPU States
- top: provides more accurate cpu usage at startup
- top: display NUMA node under which a thread ran
- top: fix argument parsing quirk resulting in SEGV
- top: delay interval accepts non-locale radix point
- top: address a wishlist man page NLS suggestion
- top: fix potential distortion in 'Mem' graph display
- top: provide proper multi-byte string handling
- top: startup defaults are fully customizable
- watch: define HOST_NAME_MAX where not defined
- vmstat: Fix alignment for disk partition format
- watch: Support ANSI 39,49 reset sequences
| Advisory ID | SUSE-SU-2019:2757-1
|
| Released | Wed Oct 23 17:21:17 2019 |
| Summary | Security update for lz4 |
| Type | security |
| Severity | moderate |
| References | 1153936,CVE-2019-17543 |
Description:
This update for lz4 fixes the following issues:
- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
| Advisory ID | SUSE-RU-2019:2762-1
|
| Released | Thu Oct 24 07:08:44 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1150451 |
Description:
This update for timezone fixes the following issues:
- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.
| Advisory ID | SUSE-RU-2019:2777-1
|
| Released | Thu Oct 24 16:13:20 2019 |
| Summary | Recommended update for fipscheck |
| Type | recommended |
| Severity | moderate |
| References | 1149792 |
Description:
This update for fipscheck fixes the following issues:
- Remove #include of unused fips.h to fix build with OpenSSL 1.1.1
(bsc#1149792)
| Advisory ID | SUSE-SU-2019:2782-1
|
| Released | Fri Oct 25 14:27:52 2019 |
| Summary | Security update for nfs-utils |
| Type | security |
| Severity | moderate |
| References | 1150733,CVE-2019-3689 |
Description:
This update for nfs-utils fixes the following issues:
- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)
| Advisory ID | SUSE-SU-2019:2786-1
|
| Released | Fri Oct 25 15:56:35 2019 |
| Summary | Security update for docker-runc |
| Type | security |
| Severity | moderate |
| References | 1152308,CVE-2019-16884 |
Description:
This update for docker-runc fixes the following issues:
- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)
| Advisory ID | SUSE-SU-2019:2802-1
|
| Released | Tue Oct 29 11:39:05 2019 |
| Summary | Security update for python3 |
| Type | security |
| Severity | moderate |
| References | 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426 |
Description:
This update for python3 to 3.6.9 fixes the following issues:
Security issues fixed:
- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
Non-security issues fixed:
- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.
| Advisory ID | SUSE-RU-2019:2812-1
|
| Released | Tue Oct 29 14:57:55 2019 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1139459,1140631,1145023,1150595,SLE-7687 |
Description:
This update for systemd provides the following fixes:
- Fix a problem that would cause invoking try-restart to an inactive service to hang when
a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
(bsc#1145023)
| Advisory ID | SUSE-RU-2019:2870-1
|
| Released | Thu Oct 31 08:09:14 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1051143,1138869,1151023 |
Description:
This update for aaa_base provides the following fixes:
- Check if variables can be set before modifying them to avoid warnings on login with a
restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)
| Advisory ID | SUSE-SU-2019:2891-1
|
| Released | Mon Nov 4 17:47:10 2019 |
| Summary | Security update for python-ecdsa |
| Type | security |
| Severity | moderate |
| References | 1153165,1154217,CVE-2019-14853,CVE-2019-14859 |
Description:
This update for python-ecdsa to version 0.13.3 fixes the following issues:
Security issues fixed:
- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).
| Advisory ID | SUSE-RU-2019:2418-1
|
| Released | Thu Nov 14 11:53:03 2019 |
| Summary | Recommended update for bash |
| Type | recommended |
| Severity | moderate |
| References | 1133773,1143055 |
Description:
This update for bash fixes the following issues:
- Rework patch readline-7.0-screen (bsc#1143055):
map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as
map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)
| Advisory ID | SUSE-RU-2019:2992-1
|
| Released | Mon Nov 18 11:52:10 2019 |
| Summary | Recommended update for supportutils |
| Type | recommended |
| Severity | moderate |
| References | 1111029,1127734,1137336 |
Description:
This update for supportutils fixes the following issues:
- Removed LPM/DLPAR data for POWER. (bsc#1111029)
- Prevent running 'systool -vb memory' by default on systems with 16TB or more. (bsc#1127734)
- Added sed and gawk to spec requirements (bsc#1137336)
| Advisory ID | SUSE-SU-2019:2997-1
|
| Released | Mon Nov 18 15:16:38 2019 |
| Summary | Security update for ncurses |
| Type | security |
| Severity | moderate |
| References | 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 |
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).
Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
| Advisory ID | SUSE-RU-2019:3018-1
|
| Released | Wed Nov 20 12:48:21 2019 |
| Summary | Recommended update for xkeyboard-config |
| Type | recommended |
| Severity | moderate |
| References | 1153774 |
Description:
This update for xkeyboard-config fixes the following issues:
- Fix capslock in Old Hungarian layout (bsc#1153774)
| Advisory ID | SUSE-SU-2019:3030-1
|
| Released | Thu Nov 21 19:11:25 2019 |
| Summary | Security update for cups |
| Type | security |
| Severity | important |
| References | 1146358,1146359,CVE-2019-8675,CVE-2019-8696 |
Description:
This update for cups fixes the following issues:
- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).
| Advisory ID | SUSE-SU-2019:3059-1
|
| Released | Mon Nov 25 17:33:07 2019 |
| Summary | Security update for cpio |
| Type | security |
| Severity | moderate |
| References | 1155199,CVE-2019-14866 |
Description:
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written
in the header of a TAR file through the to_oct() function which could
have led to unexpected TAR generation (bsc#1155199).
| Advisory ID | SUSE-SU-2019:3061-1
|
| Released | Mon Nov 25 17:34:22 2019 |
| Summary | Security update for gcc9 |
| Type | security |
| Severity | moderate |
| References | 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 |
Description:
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html
The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 /
CXX=g++-9 during configuration for using it.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
| Advisory ID | SUSE-RU-2019:3070-1
|
| Released | Tue Nov 26 12:39:29 2019 |
| Summary | Recommended update for gpg2 |
| Type | recommended |
| Severity | low |
| References | 1152755 |
Description:
This update for gpg2 provides the following fix:
- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)
| Advisory ID | SUSE-SU-2019:3086-1
|
| Released | Thu Nov 28 10:02:24 2019 |
| Summary | Security update for libidn2 |
| Type | security |
| Severity | moderate |
| References | 1154884,1154887,CVE-2019-12290,CVE-2019-18224 |
Description:
This update for libidn2 to version 2.2.0 fixes the following issues:
- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
| Advisory ID | SUSE-SU-2019:3087-1
|
| Released | Thu Nov 28 10:03:00 2019 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | low |
| References | 1123919 |
Description:
This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect
all CVEs that have been fixed over the past.
| Advisory ID | SUSE-SU-2019:3096-1
|
| Released | Thu Nov 28 16:48:21 2019 |
| Summary | Security update for cloud-init |
| Type | security |
| Severity | moderate |
| References | 1099358,1129124,1136440,1142988,1144363,1151488,1154092,CVE-2019-0816 |
Description:
This update for cloud-init to version 19.2 fixes the following issues:
Security issue fixed:
- CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124).
Non-security issues fixed:
- Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988).
- If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488).
| Advisory ID | SUSE-RU-2019:3118-1
|
| Released | Fri Nov 29 14:41:35 2019 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1154295 |
Description:
This update for e2fsprogs fixes the following issues:
- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)
| Advisory ID | SUSE-RU-2019:3166-1
|
| Released | Wed Dec 4 11:24:42 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1007715,1084934,1157278 |
Description:
This update for aaa_base fixes the following issues:
- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)
| Advisory ID | SUSE-RU-2019:3173-1
|
| Released | Wed Dec 4 20:22:45 2019 |
| Summary | Recommended update for growpart, growpart-rootgrow |
| Type | recommended |
| Severity | moderate |
| References | 1154357,ECO-550 |
Description:
This update for growpart, growpart-rootgrow contains the following fixes:
growpart:
- Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550)
growpart-rootgrow:
- Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550)
- Bump from version 1.0.0 to 1.0.1:
- Fixed binary location in service unit file.
| Advisory ID | SUSE-RU-2019:3240-1
|
| Released | Tue Dec 10 10:40:19 2019 |
| Summary | Recommended update for ca-certificates-mozilla, p11-kit |
| Type | recommended |
| Severity | moderate |
| References | 1154871 |
Description:
This update for ca-certificates-mozilla, p11-kit fixes the following issues:
Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in
certificates (bsc#1154871).
Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (bsc#1154871)
| Advisory ID | SUSE-SU-2019:3267-1
|
| Released | Wed Dec 11 11:19:53 2019 |
| Summary | Security update for libssh |
| Type | security |
| Severity | important |
| References | 1158095,CVE-2019-14889 |
Description:
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
| Advisory ID | SUSE-SU-2019:3392-1
|
| Released | Fri Dec 27 13:33:29 2019 |
| Summary | Security update for libgcrypt |
| Type | security |
| Severity | moderate |
| References | 1148987,1155338,1155339,CVE-2019-13627 |
Description:
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).
Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
| Advisory ID | SUSE-SU-2019:3395-1
|
| Released | Mon Dec 30 14:05:06 2019 |
| Summary | Security update for mozilla-nspr, mozilla-nss |
| Type | security |
| Severity | moderate |
| References | 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 |
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
| Advisory ID | SUSE-RU-2020:9-1
|
| Released | Thu Jan 2 12:33:47 2020 |
| Summary | Recommended update for xfsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1157438 |
Description:
This update for xfsprogs fixes the following issues:
- Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438)
| Advisory ID | SUSE-SU-2020:35-1
|
| Released | Wed Jan 8 09:06:32 2020 |
| Summary | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork |
| Type | security |
| Severity | moderate |
| References | 1122469,1143349,1150397,1152308,1153367,1158590,CVE-2019-16884 |
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issue fixed:
- CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308).
Bug fixes:
- Update to Docker 19.03.5-ce (bsc#1158590).
- Update to Docker 19.03.3-ce (bsc#1153367).
- Update to Docker 19.03.2-ce (bsc#1150397).
- Fixed default installation such that --userns-remap=default works properly (bsc#1143349).
- Fixed nginx blocked by apparmor (bsc#1122469).
| Advisory ID | SUSE-SU-2020:114-1
|
| Released | Thu Jan 16 10:11:52 2020 |
| Summary | Security update for python3 |
| Type | security |
| Severity | important |
| References | 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 |
Description:
This update for python3 to version 3.6.10 fixes the following issues:
- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).
| Advisory ID | SUSE-RU-2020:119-1
|
| Released | Thu Jan 16 15:42:39 2020 |
| Summary | Recommended update for python-jsonpatch |
| Type | recommended |
| Severity | moderate |
| References | 1160978 |
Description:
This update for python-jsonpatch fixes the following issues:
- Drop jsondiff binary to avoid conflict with python-jsondiff package.
| Advisory ID | SUSE-SU-2020:129-1
|
| Released | Mon Jan 20 09:21:13 2020 |
| Summary | Security update for libssh |
| Type | security |
| Severity | important |
| References | 1158095,CVE-2019-14889 |
Description:
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
| Advisory ID | SUSE-RU-2020:225-1
|
| Released | Fri Jan 24 06:49:07 2020 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | moderate |
| References | 1158830 |
Description:
This update for procps fixes the following issues:
- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)
| Advisory ID | SUSE-RU-2020:245-1
|
| Released | Tue Jan 28 09:42:30 2020 |
| Summary | Recommended update for cloud-init |
| Type | recommended |
| Severity | moderate |
| References | 1155376,1156139,1157894,1161132,1161133 |
Description:
This update for cloud-init fixes the following issues:
- Fixed an issue where it was not possible to add SSH keys and thus it was not possible to
log into the system (bsc#1161132, bsc#1161133)
- Fixes an issue where the IPv6 interface variable was not correctly set in an ifcfg file (bsc#1156139)
- The route's destination network will now be written in CIDR notation. This provides support
for correctly recording IPv6 routes (bsc#1155376)
- Many smaller fixes came with this package as well. For a full list of all changes, refer to the
rpm's changes file.
| Advisory ID | SUSE-RU-2020:256-1
|
| Released | Wed Jan 29 09:39:17 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1157794,1160970 |
Description:
This update for aaa_base fixes the following issues:
- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)
| Advisory ID | SUSE-SU-2020:262-1
|
| Released | Thu Jan 30 11:02:42 2020 |
| Summary | Security update for glibc |
| Type | security |
| Severity | moderate |
| References | 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 |
Description:
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).
Bug fixes:
- Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).
| Advisory ID | SUSE-SU-2020:265-1
|
| Released | Thu Jan 30 14:05:34 2020 |
| Summary | Security update for e2fsprogs |
| Type | security |
| Severity | moderate |
| References | 1160571,CVE-2019-5188 |
Description:
This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
| Advisory ID | SUSE-RU-2020:279-1
|
| Released | Fri Jan 31 12:01:39 2020 |
| Summary | Recommended update for p11-kit |
| Type | recommended |
| Severity | moderate |
| References | 1013125 |
Description:
This update for p11-kit fixes the following issues:
- Also build documentation (bsc#1013125)
| Advisory ID | SUSE-RU-2020:325-1
|
| Released | Wed Feb 5 14:57:02 2020 |
| Summary | Recommended update for dmidecode |
| Type | recommended |
| Severity | moderate |
| References | 1153533,1158833 |
Description:
This update for dmidecode fixes the following issues:
- Add enumerated values from SMBIOS 3.3.0 preventing incorrect report of new VGA card. (bsc#1153533, bsc#1158833, jsc#SLE-10875)
- Only scan '/dev/mem' for entry point on x86 (fixes reboot on ARM64).
- Fix formatting of TPM table output (missing newlines).
- Fix displaying system slot information for PCIe SSD.
| Advisory ID | SUSE-SU-2020:335-1
|
| Released | Thu Feb 6 11:37:24 2020 |
| Summary | Security update for systemd |
| Type | security |
| Severity | important |
| References | 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 |
Description:
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
* shell-completion: systemctl: do not list template units in {re,}start
* shell-completion: systemctl: pass current word to all list_unit*
* bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
* bash-completion: systemctl: use systemctl --no-pager
* bash-completion: also suggest template unit files
* bash-completion: systemctl: add missing options and verbs
* bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout
(bsc#1092920)
| Advisory ID | SUSE-RU-2020:339-1
|
| Released | Thu Feb 6 13:03:22 2020 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | low |
| References | 1158921 |
Description:
This update for openldap2 provides the following fix:
- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)
| Advisory ID | SUSE-RU-2020:340-1
|
| Released | Thu Feb 6 13:03:56 2020 |
| Summary | Recommended update for python-rpm-macros |
| Type | recommended |
| Severity | moderate |
| References | 1161770 |
Description:
This update for python-rpm-macros fixes the following issues:
- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)
| Advisory ID | SUSE-RU-2020:365-1
|
| Released | Fri Feb 7 13:48:54 2020 |
| Summary | Recommended update for lmdb |
| Type | recommended |
| Severity | moderate |
| References | 1159086 |
Description:
This update for lmdb fixes the following issues:
- Fix assert in LMBD during 'mdb_page_search_root'. (bsc#1159086).
| Advisory ID | SUSE-SU-2020:375-1
|
| Released | Fri Feb 7 17:30:25 2020 |
| Summary | Security update for docker-runc |
| Type | security |
| Severity | moderate |
| References | 1160452,CVE-2019-19921 |
Description:
This update for docker-runc fixes the following issues:
- CVE-2019-19921: Fixed a volume mount race condition with shared mounts (bsc#1160452).
| Advisory ID | SUSE-SU-2020:408-1
|
| Released | Wed Feb 19 09:32:46 2020 |
| Summary | Security update for sudo |
| Type | security |
| Severity | important |
| References | 1162202,1162675,CVE-2019-18634 |
Description:
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
| Advisory ID | SUSE-RU-2020:417-1
|
| Released | Wed Feb 19 11:40:02 2020 |
| Summary | Recommended update for chrony |
| Type | recommended |
| Severity | moderate |
| References | 1159840 |
Description:
This update for chrony fixes the following issues:
- Fix 'make check' builds made after 2019-12-20.
Existing installations do not need to be updated as the bug only
affects the test, but not chrony itself (bsc#1159840).
| Advisory ID | SUSE-RU-2020:451-1
|
| Released | Tue Feb 25 10:50:35 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1155337,1161215,1161216,1161218,1161219,1161220 |
Description:
This update for libgcrypt fixes the following issues:
- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
| Advisory ID | SUSE-RU-2020:462-1
|
| Released | Tue Feb 25 11:49:30 2020 |
| Summary | Recommended update for xfsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1158504,1158509,1158630,1158758 |
Description:
This update for xfsprogs fixes the following issues:
- Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630)
- Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
- Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
- Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. (bsc#1158758)
| Advisory ID | SUSE-SU-2020:467-1
|
| Released | Tue Feb 25 12:00:39 2020 |
| Summary | Security update for python3 |
| Type | security |
| Severity | moderate |
| References | 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 |
Description:
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367).
Non-security issue fixed:
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
| Advisory ID | SUSE-RU-2020:476-1
|
| Released | Tue Feb 25 14:23:14 2020 |
| Summary | Recommended update for perl |
| Type | recommended |
| Severity | moderate |
| References | 1102840,1160039 |
Description:
This update for perl fixes the following issues:
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
| Advisory ID | SUSE-RU-2020:480-1
|
| Released | Tue Feb 25 17:38:22 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1160735 |
Description:
This update for aaa_base fixes the following issues:
- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)
| Advisory ID | SUSE-RU-2020:498-1
|
| Released | Wed Feb 26 17:59:44 2020 |
| Summary | Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized |
| Type | recommended |
| Severity | moderate |
| References | 1122669,1136184,1146853,1146854,1159018 |
Description:
This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues:
python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507):
Upgrade to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
python-cfn-lint was added in version 0.21.4:
- Add upstream patch to fix EOL dates for lambda runtimes
- Add upstream patch to fix test_config_expand_paths test
- Rename to python-cfn-lint. This package has a python API, which
is required by python-moto.
Update to version 0.21.4:
+ Features
* Include more resource types in W3037
+ CloudFormation Specifications
* Add Resource Type `AWS::CDK::Metadata`
+ Fixes
* Uncap requests dependency in setup.py
* Check Join functions have lists in the correct sections
* Pass a parameter value for AutoPublishAlias when doing a Transform
* Show usage examples when displaying the help
Update to version 0.21.3
+ Fixes
* Support dumping strings for datetime objects when doing a Transform
Update to version 0.21.2
+ CloudFormation Specifications
* Update CloudFormation specs to 3.3.0
* Update instance types from pricing API as of 2019.05.23
Update to version 0.21.1
+ Features
* Add `Info` logging capability and set the default logging to `NotSet`
+ Fixes
* Only do rule logging (start/stop/time) when the rule is going to be called
* Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub`
* Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub`
* Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type
Update to version 0.21.0
+ Features
* New rule E3038 to check if a Serverless resource includes the appropriate Transform
* New rule E2531 to validate a Lambda's runtime against the deprecated dates
* New rule W2531 to validate a Lambda's runtime against the EOL dates
* Update rule E2541 to include updates to Code Pipeline capabilities
* Update rule E2503 to include checking of values for load balancer attributes
+ CloudFormation Specifications
* Update CloudFormation specs to 3.2.0
* Update instance types from pricing API as of 2019.05.20
+ Fixes
* Include setuptools in setup.py requires
Update to version 0.20.3
+ CloudFormation Specifications
* Update instance types from pricing API as of 2019.05.16
+ Fixes
* Update E7001 to allow float/doubles for mapping values
* Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed
* Pin requests to be below or equal to 2.21.0 to prevent issues with botocore
Update to version 0.20.2
+ Features
* Add support for List Parameter types
+ CloudFormation Specifications
* Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet
* Create new property type for Security Group IDs or Names
* Add new Lambda runtime environment for NodeJs 10.x
* Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive
* Update Glue Crawler Role to take an ARN or a name
* Remove PrimitiveType from MaintenanceWindowTarget Targets
* Add Min/Max values for Load Balancer Ports to be between 1-65535
+ Fixes
* Include License file in the pypi package to help with downstream projects
* Filter out dynamic references from rule E3031 and E3030
* Convert Python linting and Code Coverage from Python 3.6 to 3.7
Update to version 0.20.1
+ Fixes
* Update rule E8003 to support more functions inside a Fn::Equals
Update to version 0.20.0
+ Features
* Allow a rule's exception to be defined in a resource's metadata
* Add rule configuration capabilities
* Update rule E3012 to allow for non strict property checking
* Add rule E8003 to test Fn::Equals structure and syntax
* Add rule E8004 to test Fn::And structure and syntax
* Add rule E8005 to test Fn::Not structure and syntax
* Add rule E8006 to test Fn::Or structure and syntax
* Include Path to error in the JSON output
* Update documentation to describe how to install cfn-lint from brew
+ CloudFormation Specifications
* Update CloudFormation specs to version 3.0.0
* Add new region ap-east-1
* Add list min/max and string min/max for CloudWatch Alarm Actions
* Add allowed values for EC2::LaunchTemplate
* Add allowed values for EC2::Host
* Update allowed values for Amazon MQ to include 5.15.9
* Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions
* Add AWS::EC2::VPCEndpointService to all regions
* Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN
* Patch spec files for SSM MaintenanceWindow to look for Target and not Targets
* Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit.
+ Fixes
* Fix rule E3033 to check the string size when the string is inside a list
* Fix an issue in which AWS::NotificationARNs was not a list
* Add AWS::EC2::Volume to rule W3010
* Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger
* Fix rule W3010 to not error when the availability zone is 'all'
Update to version 0.19.1
+ Fixes
* Fix core Condition processing to support direct Condition in another Condition
* Fix the W2030 to check numbers against string allowed values
Update to version 0.19.0
+ Features
* Add NS and PTR Route53 record checking to rule E3020
* New rule E3050 to check if a Ref to IAM Role has a Role path of '/'
* New rule E3037 to look for duplicates in a list that doesn't support duplicates
* New rule I3037 to look for duplicates in a list when duplicates are allowed
+ CloudFormation Specifications
* Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds
* Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument
* Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl
NetworkInterface, PlacementGroup, and Volume
* Add Min/max values to AWS::Budgets::Budget.Notification Threshold
* Update RDS Instance types by database engine and license definitions using the pricing API
* Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN
* Update AWS::ECS::Service Role to support Role Name or ARN
+ Fixes
* Update E3025 to support the new structure of data in the RDS instance type json
* Update E2540 to remove all nested conditions from the object
* Update E3030 to not do strict type checking
* Update E3020 to support conditions nested in the record sets
* Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats
Update to version 0.18.1
+ CloudFormation Specifications
* Update CloudFormation Specs to 2.30.0
* Fix IAM Regex Path to support more character types
* Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an
InstanceProfile or GetAtt the InstanceProfile Arn
* Allow VPC IDs to Ref a Parameter of type String
+ Fixes
* Fix E3502 to check the size of the property instead of the parent object
Update to version 0.18.0
+ Features
* New rule E3032 to check the size of lists
* New rule E3502 to check JSON Object Size using definitions in the spec file
* New rule E3033 to test the minimum and maximum length of a string
* New rule E3034 to validate the min and max of a number
* Remove Ebs Iops check from E2504 and use rule E3034 instead
* Remove rule E2509 and use rule E3033 instead
* Remove rule E2508 as it replaced by E3032 and E3502
* Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs
* SAM requirement upped to minimal version of 1.10.0
+ CloudFormation Specifications
* Extend specs to include:
> `ListMin` and `ListMax` for the minimum and maximum size of a list
> `JsonMax` to check the max size of a JSON Object
> `StringMin` and `StringMax` to check the minimum and maximum length of a String
> `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long
* Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy
* Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance
* Add AllowedValues for the AWS::GuardDuty Resources
* Add AllowedValues for AWS::EC2 VPC and VPN Resources
* Switch IAM Instance Profiles for certain resources to the type that only takes the name
* Add regex pattern for IAM Instance Profile when a name (not Arn) is used
* Add regex pattern for IAM Paths
* Add Regex pattern for IAM Role Arn
* Update OnlyOne spec to require require at least one of Subnets or SubnetMappings with ELB v2
+ Fixes
* Fix serverless transform to use DefinitionBody when Auth is in the API definition
* Fix rule W2030 to not error when checking SSM or List Parameters
Update to version 0.17.1
+ Features
* Update rule E2503 to make sure NLBs don't have a Security Group configured
+ CloudFormation Specifications
* Add all the allowed values of the `AWS::Glue` Resources
* Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics`
* Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic`
* Update CloudFormation specs to 2.29.0
* Fix type with MariaDB in the AllowedValues
* Update pricing information for data available on 2018.3.29
+ Fixes
* Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies
* Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+`
* Fix rule E2532 to allow for `Parameters` inside a `Pass` action
* Fix an issue when getting the location of an error in which numbers are causing an attribute error
Update to version 0.17.0
+ Features
* Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released
* Add new rule W3037 to validate IAM resource policies. Status: Experimental
* Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released
+ CloudFormation Specifications
* Update Spec files to 2.28.0
* Add all the allowed values of the AWS::Redshift::* Resources
* Add all the allowed values of the AWS::Neptune::* Resources
* Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required
* Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required
+ Fixes
* Remove extra blank lines when there is no errors in the output
* Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition
* Update rule E1029 to allow for literals in a Sub
* Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check
* Correct typos for errors in rule W1001
* Switch from parsing a template as Yaml to Json when finding an escape character
* Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers
* Fix an issue with rule E2541 when non strings were used for Stage Names
Update to version 0.16.0
+ Features
* Add rule E3031 to look for regex patterns based on the patched spec file
* Remove regex checks from rule E2509
* Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting
+ CloudFormation Specifications
* Update Spec files to 2.26.0
* Add all the allowed values of the AWS::DirectoryService::* Resources
* Add all the allowed values of the AWS::DynamoDB::* Resources
* Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2
* Patch the spec file with regex patterns
* Add all the allowed values of the AWS::DocDb::* Resources
+ Fixes
* Update rule E2504 to have '20000' as the max value
* Update rule E1016 to not allow ImportValue inside of Conditions
* Update rule E2508 to check conditions when providing limit checks on managed policies
* Convert unicode to strings when in Py 3.4/3.5 and updating specs
* Convert from `awslabs` to `aws-cloudformation` organization
* Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with
samtranslator 1.10.0
Update to version 0.15.0
+ Features
* Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
* Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST
+ CloudFormation Specifications
* Update Spec files to 2.24.0
* Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
* Add all the allowed values of the AWS::CloudFront::* Resources
* Add all the allowed values of the AWS::DAX::* Resources
+ Fixes
* Update config parsing to use the builtin Yaml decoder
* Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
* Update rule E1029 to better check Resource strings inside IAM Policies
* Improve the line/column information of a Match with array support
Update to version 0.14.1
+ CloudFormation Specifications
* Update CloudFormation Specs to version 2.23.0
* Add allowed values for AWS::Config::* resources
* Add allowed values for AWS::ServiceDiscovery::* resources
* Fix allowed values for Apache MQ
+ Fixes
* Update rule E3008 to not error when using a list from a custom resource
* Support simple types in the CloudFormation spec
* Add tests for the formatters
Update to version 0.14.0
+ Features
* Add rule E3035 to check the values of DeletionPolicy
* Add rule E3036 to check the values of UpdateReplacePolicy
* Add rule E2014 to check that there are no REFs in the Parameter section
* Update rule E2503 to support TLS on NLBs
+ CloudFormation Specifications
* Update CloudFormation spec to version 2.22.0
* Add allowed values for AWS::Cognito::* resources
+ Fixes
* Update rule E3002 to allow GetAtts to Custom Resources under a Condition
Update to version 0.13.2
+ Features
* Introducing the cfn-lint logo!
* Update SAM dependency version
+ Fixes
* Fix CloudWatchAlarmComparisonOperator allowed values.
* Fix typo resoruce_type_spec in several files
* Better support for nested And, Or, and Not when processing Conditions
Update to version 0.13.1
+ CloudFormation Specifications
* Add allowed values for AWS::CloudTrail::Trail resources
* Patch spec to have AWS::CodePipeline::CustomActionType Version included
+ Fixes
* Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified
Update to version 0.13.0
+ Features
* New rule W1011 to check if a FindInMap is using the correct map name and keys
* New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
* Removed logic in E1011 and moved it to W1011 for validating keys
* Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne
* Update rule E2505 to check the netmask bit
* Include the ability to update the CloudFormation Specs using the Pricing API
+ CloudFormation Specifications
* Update to version 2.21.0
* Add allowed values for AWS::Budgets::Budget
* Add allowed values for AWS::CertificateManager resources
* Add allowed values for AWS::CodePipeline resources
* Add allowed values for AWS::CodeCommit resources
* Add allowed values for EC2 InstanceTypes from pricing API
* Add allowed values for RedShift InstanceTypes from pricing API
* Add allowed values for MQ InstanceTypes from pricing API
* Add allowed values for RDS InstanceTypes from pricing API
+ Fixes
* Fixed README indentation issue with .pre-commit-config.yaml
* Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
* Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record
* Update rule E3001 to support UpdateReplacePolicy
* Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder
* Update rule E3002 and E1024 to support packaging of AWS::Lambda::LayerVersion content
- Initial build
+ Version 0.12.1
Update to 0.9.1
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
- List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
- Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
- Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
- Make sure that `setUp` and `tearDown` methods work correctly (#40)
- Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
- Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
aws-cli was updated to version 1.16.223:
For detailed changes see the changes entries:
https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst
python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 1.12.74, fixing
lots of bugs and adding features (bsc#1146853, bsc#1146854)
| Advisory ID | SUSE-RU-2020:503-1
|
| Released | Wed Feb 26 19:29:07 2020 |
| Summary | Recommended update for zypper-migration-plugin |
| Type | recommended |
| Severity | moderate |
| References | 1100137,1107238 |
Description:
This update for zypper-migration-plugin fixes the following issues:
- Check if snapper is configured. (jsc#SLE-7752)
- Fix for returning non-zero exit code if there are possible migrations, but none is mirrored on registration server. (bsc#1107238)
- Check for closed stdin in salt by transactional-update. (bsc#1100137)
| Advisory ID | SUSE-RU-2020:517-1
|
| Released | Thu Feb 27 14:39:01 2020 |
| Summary | Recommended update for cifs-utils |
| Type | recommended |
| Severity | moderate |
| References | 1130528,1132087,1136031,1149164 |
Description:
This update for cifs-utils fixes the following issues:
Update cifs-utils 6.9; (bsc#1132087); (bsc#1136031).
- follow SMB default version changes in the kernel.
- adds fixes for Azure
- new smbinfo utility
- Fix double-free in mount.cifs; (bsc#1149164).
| Advisory ID | SUSE-RU-2020:521-1
|
| Released | Thu Feb 27 18:08:56 2020 |
| Summary | Recommended update for c-ares |
| Type | recommended |
| Severity | moderate |
| References | 1125306,1159006 |
Description:
This update for c-ares fixes the following issues:
c-ares version update to 1.15.0:
- Add ares_init_options() configurability for path to resolv.conf file
- Ability to exclude building of tools (adig, ahost, acountry) in CMake
- Report ARES_ENOTFOUND for .onion domain names as per RFC7686
(bsc#1125306)
- Apply the IPv6 server blacklist to all nameserver sources
- Prevent changing name servers while queries are outstanding
- ares_set_servers_csv() on failure should not leave channel in a
bad state
- getaddrinfo - avoid infinite loop in case of NXDOMAIN
- ares_getenv - return NULL in all cases
- implement ares_getaddrinfo
- Fixed a regression in DNS results that contain both A and AAAA answers.
- Add netcfg as the build requirement and runtime requirement.
| Advisory ID | SUSE-RU-2020:525-1
|
| Released | Fri Feb 28 11:49:36 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1164562 |
Description:
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module.
Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
| Advisory ID | SUSE-RU-2020:566-1
|
| Released | Tue Mar 3 09:14:05 2020 |
| Summary | Recommended update for supportutils |
| Type | recommended |
| Severity | important |
| References | 1023308,1089877,1145233,1154482,1156837,1162357,1162539 |
Description:
This update for supportutils fixes the following issues:
- Exclude /proc/pagetypeinfo as it can be an expensive operation on some systems (bsc#1162357).
- Readded LPM/DLPAR data for power (bsc#1162539).
- Strip trailing commas from process names #64 (bsc#1156837).
- Dynamically select compression method (bsc#1145233).
- Updated detailed unit information fix in systemd.txt (bsc#1023308).
- Include IPv6 routes (bsc#1089877).
- Removed root .snapshots directory from full file list (bsc#1154482).
| Advisory ID | SUSE-RU-2020:572-1
|
| Released | Tue Mar 3 13:25:41 2020 |
| Summary | Recommended update for cyrus-sasl |
| Type | recommended |
| Severity | moderate |
| References | 1162518 |
Description:
This update for cyrus-sasl fixes the following issues:
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
| Advisory ID | SUSE-RU-2020:573-1
|
| Released | Tue Mar 3 13:37:28 2020 |
| Summary | Recommended update for ca-certificates-mozilla |
| Type | recommended |
| Severity | moderate |
| References | 1160160 |
Description:
This update for ca-certificates-mozilla to 2.40 fixes the following issues:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:
- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email
added certificates:
- Entrust Root Certification Authority - G4
| Advisory ID | SUSE-RU-2020:597-1
|
| Released | Thu Mar 5 15:24:09 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1164950 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: Run the self-tests from the constructor [bsc#1164950]
| Advisory ID | SUSE-RU-2020:633-1
|
| Released | Tue Mar 10 16:23:08 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1139939,1151023 |
Description:
This update for aaa_base fixes the following issues:
- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues
| Advisory ID | SUSE-RU-2020:655-1
|
| Released | Thu Mar 12 13:17:03 2020 |
| Summary | Recommended update for growpart |
| Type | recommended |
| Severity | moderate |
| References | 1164736 |
Description:
This update for growpart fixes the following issues:
- Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736)
| Advisory ID | SUSE-SU-2020:668-1
|
| Released | Fri Mar 13 10:48:58 2020 |
| Summary | Security update for glibc |
| Type | security |
| Severity | moderate |
| References | 1163184,1164505,1165784,CVE-2020-10029 |
Description:
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a potential overflow in on-stack buffer
during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).
| Advisory ID | SUSE-RU-2020:689-1
|
| Released | Fri Mar 13 17:09:01 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1166510 |
Description:
This update for PAM fixes the following issue:
- The license of libdb linked against pam_userdb is not always wanted,
so we temporary disabled pam_userdb again. It will be published
in a different package at a later time. (bsc#1166510)
| Advisory ID | SUSE-RU-2020:690-1
|
| Released | Fri Mar 13 17:09:28 2020 |
| Summary | Recommended update for suse-build-key |
| Type | recommended |
| Severity | moderate |
| References | 1166334 |
Description:
This update for suse-build-key fixes the following issues:
- created a new security@suse.de communication key (bsc#1166334)
| Advisory ID | SUSE-RU-2020:475-1
|
| Released | Thu Mar 19 11:00:46 2020 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1160595 |
Description:
This update for systemd fixes the following issues:
- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)
| Advisory ID | SUSE-RU-2020:729-1
|
| Released | Thu Mar 19 14:44:22 2020 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1166106 |
Description:
This update for glibc fixes the following issues:
- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)
| Advisory ID | SUSE-SU-2020:737-1
|
| Released | Fri Mar 20 13:47:16 2020 |
| Summary | Recommended update for ruby2.5 |
| Type | security |
| Severity | important |
| References | 1140844,1152990,1152992,1152994,1152995,1162396,1164804,CVE-2012-6708,CVE-2015-9251,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2020-8130 |
Description:
This update for ruby2.5 toversion 2.5.7 fixes the following issues:
ruby 2.5 was updated to version 2.5.7
- CVE-2020-8130: Fixed a command injection in intree copy of rake (bsc#1164804).
- CVE-2019-16255: Fixed a code injection vulnerability of Shell#[] and
Shell#test (bsc#1152990).
- CVE-2019-16254: Fixed am HTTP response splitting in WEBrick (bsc#1152992).
- CVE-2019-15845: Fixed a null injection vulnerability of File.fnmatch and
File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service of WEBrick
Digest access authentication (bsc#1152995).
- CVE-2012-6708: Fixed an XSS in JQuery
- CVE-2015-9251: Fixed an XSS in JQuery
- Fixed unit tests (bsc#1140844)
- Removed some unneeded test files (bsc#1162396).
| Advisory ID | SUSE-SU-2020:751-1
|
| Released | Mon Mar 23 16:32:44 2020 |
| Summary | Security update for cloud-init |
| Type | security |
| Severity | moderate |
| References | 1162936,1162937,1163178,CVE-2020-8631,CVE-2020-8632 |
Description:
This update for cloud-init fixes the following security issues:
- CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937).
- CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936).
| Advisory ID | SUSE-RU-2020:777-1
|
| Released | Tue Mar 24 18:07:52 2020 |
| Summary | Recommended update for python3 |
| Type | recommended |
| Severity | moderate |
| References | 1165894 |
Description:
This update for python3 fixes the following issue:
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package (bsc#1165894)
| Advisory ID | SUSE-RU-2020:793-1
|
| Released | Wed Mar 25 15:16:00 2020 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 |
Description:
This update for systemd fixes the following issues:
- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-↑
- %j/%J unit specifiers
Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
Added the udev 60-ssd-scheduler.rules:
- This rules file which select the default IO scheduler for SSDs is
being moved out from the git repo since this is not related to
systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details
| Advisory ID | SUSE-SU-2020:820-1
|
| Released | Tue Mar 31 13:02:22 2020 |
| Summary | Security update for glibc |
| Type | security |
| Severity | important |
| References | 1167631,CVE-2020-1752 |
Description:
This update for glibc fixes the following issues:
- CVE-2020-1752: Fixed a use after free in glob which could have allowed
a local attacker to create a specially crafted path that, when processed
by the glob function, could potentially have led to arbitrary code execution
(bsc#1167631).
| Advisory ID | SUSE-RU-2020:823-1
|
| Released | Tue Mar 31 13:28:14 2020 |
| Summary | Recommended update for parted |
| Type | recommended |
| Severity | moderate |
| References | 1161783,1164260 |
Description:
This update for parted fixes the following issue:
- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast. (bsc#1161783)
| Advisory ID | SUSE-RU-2020:846-1
|
| Released | Thu Apr 2 07:24:07 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1164950,1166748,1167674 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
* Set up global_init as the constructor function:
* Relax the entropy requirements on selftest. This is especially
important for virtual machines to boot properly before the RNG
is available:
| Advisory ID | SUSE-RU-2020:848-1
|
| Released | Thu Apr 2 11:24:38 2020 |
| Summary | Recommended update for GeoIP |
| Type | recommended |
| Severity | moderate |
| References | 1156194 |
Description:
This update for GeoIP fixes the following issues:
- Update README.SUSE with a description how to get the latest Geo IP data after the distribution changes. (jsc#SLE-11184, bsc#1156194, jsc#ECO-1405)
| Advisory ID | SUSE-RU-2020:850-1
|
| Released | Thu Apr 2 14:37:31 2020 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1155350,1155357,1155360,1166880 |
Description:
This update for mozilla-nss fixes the following issues:
Added various fixes related to FIPS certification:
- Use getrandom() to obtain entropy where possible.
- Make DSA KAT FIPS compliant.
- Use FIPS compliant hash when validating keypair.
- Enforce FIPS requirements on RSA key generation.
- Miscellaneous fixes to CAVS tests.
- Enforce FIPS limits on how much data can be processed without rekeying.
- Run self tests on library initialization in FIPS mode.
- Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
- Clear various temporary variables after use.
- Allow MD5 to be used in TLS PRF.
- Preferentially gather entropy from /dev/random over /dev/urandom.
- Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
- Fix argument parsing bug in lowhashtest.
| Advisory ID | SUSE-RU-2020:914-1
|
| Released | Fri Apr 3 12:07:10 2020 |
| Summary | Recommended update for btrfsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1131334,1158560 |
Description:
This update for btrfsprogs fixes the following issue:
- handling metadata created by a very old kernel. (bsc#1131334)
- 'btrfs check' tool segfaulting. (bsc#1158560)
| Advisory ID | SUSE-RU-2020:917-1
|
| Released | Fri Apr 3 15:02:25 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1166510 |
Description:
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
| Advisory ID | SUSE-RU-2020:934-1
|
| Released | Tue Apr 7 03:46:20 2020 |
| Summary | Recommended update for wget |
| Type | recommended |
| Severity | moderate |
| References | 1167919 |
Description:
This update for wget fixes the following issues:
wget was updated to 1.20.3, fixing various bugs, including:
- Fix for wget ignoring domains with leading '.' in environment variable 'no_proxy'. (bsc#1167919)
| Advisory ID | SUSE-RU-2020:935-1
|
| Released | Tue Apr 7 03:46:39 2020 |
| Summary | Recommended update for xfsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1158630,1167205,1167206 |
Description:
This update for xfsprogs fixes the following issues:
- xfs_quota: reformat commands in the manpage. (bsc#1167206)
Reformat commands in the manpage so that fstest can check that each command is actually documented.
- xfs_db: document missing commands. (bsc#1167205)
Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command. (bsc#1158630)
Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command
| Advisory ID | SUSE-SU-2020:948-1
|
| Released | Wed Apr 8 07:44:21 2020 |
| Summary | Security update for gmp, gnutls, libnettle |
| Type | security |
| Severity | moderate |
| References | 1152692,1155327,1166881,1168345,CVE-2020-11501 |
Description:
This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:
- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)
FIPS related bugfixes:
- FIPS: Install checksums for binary integrity verification which are
required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)
| Advisory ID | SUSE-RU-2020:949-1
|
| Released | Wed Apr 8 07:45:48 2020 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1168669 |
Description:
This update for mozilla-nss fixes the following issues:
- Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR
is unavailable, resulting in an abort (bsc#1168669).
| Advisory ID | SUSE-SU-2020:959-1
|
| Released | Wed Apr 8 12:59:50 2020 |
| Summary | Security update for python-PyYAML |
| Type | security |
| Severity | important |
| References | 1165439,CVE-2020-1747 |
Description:
This update for python-PyYAML fixes the following issues:
- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
| Advisory ID | SUSE-RU-2020:961-1
|
| Released | Wed Apr 8 13:34:06 2020 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1160979 |
Description:
This update for e2fsprogs fixes the following issues:
- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)
| Advisory ID | SUSE-SU-2020:967-1
|
| Released | Thu Apr 9 11:41:53 2020 |
| Summary | Security update for libssh |
| Type | security |
| Severity | moderate |
| References | 1168699,CVE-2020-1730 |
Description:
This update for libssh fixes the following issues:
- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).
| Advisory ID | SUSE-RU-2020:979-1
|
| Released | Mon Apr 13 15:42:59 2020 |
| Summary | Recommended update for parted |
| Type | recommended |
| Severity | moderate |
| References | 1168756 |
Description:
This update for parted fixes the following issue:
- fix null pointer dereference. (bsc#1168756)
| Advisory ID | SUSE-SU-2020:995-1
|
| Released | Wed Apr 15 08:30:39 2020 |
| Summary | Security update for ruby2.5 |
| Type | security |
| Severity | moderate |
| References | 1167244,1168938,CVE-2020-10663,CVE-2020-10933 |
Description:
This update for ruby2.5 to version 2.5.8 fixes the following issues:
- CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (bsc#1167244).
- CVE-2020-10933: Heap exposure vulnerability in the socket library (bsc#1168938).
| Advisory ID | SUSE-RU-2020:1000-1
|
| Released | Wed Apr 15 14:18:57 2020 |
| Summary | Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager |
| Type | recommended |
| Severity | moderate |
| References | 1014478,1054413,1140565,982804,999200 |
Description:
This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues:
The Azure python modules and client tool stack was updated to the 2020 state.
Various other python modules were added and updated.
- python-PyYAML was updated to 5.1.2.
- python-humanfriendly was updated 4.16.1.
| Advisory ID | SUSE-RU-2020:1037-1
|
| Released | Mon Apr 20 10:49:39 2020 |
| Summary | Recommended update for python-pytest |
| Type | recommended |
| Severity | low |
| References | 1002895,1107105,1138666,1167732 |
Description:
This update fixes the following issues:
New python-pytest versions are provided.
In Basesystem:
- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0
In Python2:
- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1
| Advisory ID | SUSE-RU-2020:1042-1
|
| Released | Tue Apr 21 08:00:15 2020 |
| Summary | Recommended update for supportutils |
| Type | recommended |
| Severity | important |
| References | 1162539,1165475 |
Description:
This update for supportutils fixes the following issues:
- Replaced Novell with SUSE FTP servers (bsc#1165475)
- Added missed Power collection (bsc#1162539)
- Added core file validation (bsc#1166126)
- Changed filename prefixes from nts_ to scc_ referencing the SUSE Customer Center (SLE-8702, SLE-6762)
| Advisory ID | SUSE-RU-2020:1056-1
|
| Released | Tue Apr 21 16:26:22 2020 |
| Summary | Recommended update for cloud-init |
| Type | recommended |
| Severity | important |
| References | 1099358,1144881,1145622,1148645,1163178,1165296 |
Description:
This update for cloud-init contains the following fixes:
- Update previous patches with the following additions:
+ In cases where the config contains 2 or more default gateway specifications for
an interface only write the first default route, log warning message about skipped
routes
+ Avoid writing invalid route specification if neither the network nor destination
is specified in the route configuration
+ Still need to consider the 'network' configuration uption for the v1 config
implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42.
+ Add the default gateway to the ifroute config file when specified as part of
the subnet configuration. (bsc#1165296)
+ Fix typo to properly extrakt provided netmask data (bsc#1163178, bsc#1165296)
+ Fix for default gateway and IPv6. (bsc#1144881)
+ Routes will be written if there is only a default gateway. (bsc#1148645)
- BuildRequire pkgconfig(udev) instead of udev, which allow OS to shortcut through
the -mini flavor.
- Update to cloud-init 19.2. (bsc#1099358, bsc#1145622)
| Advisory ID | SUSE-RU-2020:1061-1
|
| Released | Wed Apr 22 10:45:41 2020 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1169872 |
Description:
This update for mozilla-nss fixes the following issues:
- This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872).
- Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded.
| Advisory ID | SUSE-RU-2020:1063-1
|
| Released | Wed Apr 22 10:46:50 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1165539,1169569 |
Description:
This update for libgcrypt fixes the following issues:
This update for libgcrypt fixes the following issues:
- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)
| Advisory ID | SUSE-SU-2020:1083-1
|
| Released | Thu Apr 23 11:31:23 2020 |
| Summary | Security update for cups |
| Type | security |
| Severity | important |
| References | 1168422,CVE-2020-3898 |
Description:
This update for cups fixes the following issues:
- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).
| Advisory ID | SUSE-RU-2020:1112-1
|
| Released | Fri Apr 24 16:44:20 2020 |
| Summary | Recommended update for suse-build-key |
| Type | recommended |
| Severity | moderate |
| References | 1170347 |
Description:
This update for suse-build-key fixes the following issues:
- add a /usr/share/container-keys/ directory for GPG based Container
verification.
- Add the SUSE build key as 'suse-container-key.asc'. (PM-1845 bsc#1170347)
| Advisory ID | SUSE-RU-2020:1131-1
|
| Released | Tue Apr 28 11:59:17 2020 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1170571,1170572 |
Description:
This update for mozilla-nss fixes the following issues:
- FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571)
- FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks
for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served
by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224
checks.
- FIPS: Replace bad attempt at unconditional nssdbm checksumming with
a dlopen(), so it can be located consistently and perform its own
self-tests.
- FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for
a SECStatus, which caused key derivation to fail when the caller
provided a valid subprime.
| Advisory ID | SUSE-RU-2020:1175-1
|
| Released | Tue May 5 08:33:43 2020 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1165011,1168076 |
Description:
This update for systemd fixes the following issues:
- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)
| Advisory ID | SUSE-RU-2020:1181-1
|
| Released | Tue May 5 12:02:39 2020 |
| Summary | Recommended update for pciutils-ids |
| Type | recommended |
| Severity | moderate |
| References | 1170160 |
Description:
This update for pciutils-ids fixes the following issues:
- Update the PCI utilities database to 20200324. (bsc#1170160)
| Advisory ID | SUSE-RU-2020:1182-1
|
| Released | Tue May 5 12:06:55 2020 |
| Summary | Recommended update for chrony |
| Type | recommended |
| Severity | moderate |
| References | 1099272,1156884,1161119 |
Description:
This update for chrony fixes the following issues:
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272, bsc#1161119)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony
to use NTP servers from the respective pools for SUSE and openSUSE. (bsc#1156884, SLE-11424)
- Add chrony-pool-empty to still allow installing chrony without preconfigured servers.
| Advisory ID | SUSE-RU-2020:1214-1
|
| Released | Thu May 7 11:20:34 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1169944 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)
| Advisory ID | SUSE-SU-2020:1219-1
|
| Released | Thu May 7 17:10:42 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1170771,CVE-2020-12243 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
| Advisory ID | SUSE-RU-2020:1226-1
|
| Released | Fri May 8 10:51:05 2020 |
| Summary | Recommended update for gcc9 |
| Type | recommended |
| Severity | moderate |
| References | 1149995,1152590,1167898 |
Description:
This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.
- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go
| Advisory ID | SUSE-RU-2020:1266-1
|
| Released | Wed May 13 10:20:54 2020 |
| Summary | Recommended update for jq |
| Type | recommended |
| Severity | moderate |
| References | 1170838 |
Description:
This update for jq fixes the following issues:
jq was updated to version 1.6:
- Destructuring Alternation
- many new builtins (see docs)
- Add support for ASAN and UBSAN
- Make it easier to use jq with shebangs
- Add $ENV builtin variable to access environment
- Add JQ_COLORS env var for configuring the output colors
- change: Calling jq without a program argument now always assumes
'.' for the program, regardless of stdin/stdout
fix: Make sorting stable regardless of qsort.
- Make jq depend on libjq1, so upgrading jq upgrades both
| Advisory ID | SUSE-SU-2020:1294-1
|
| Released | Mon May 18 07:38:36 2020 |
| Summary | Security update for file |
| Type | security |
| Severity | moderate |
| References | 1154661,1169512,CVE-2019-18218 |
Description:
This update for file fixes the following issues:
Security issues fixed:
- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).
Non-security issue fixed:
- Fixed broken '--help' output (bsc#1169512).
| Advisory ID | SUSE-SU-2020:1299-1
|
| Released | Mon May 18 07:43:21 2020 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
| Advisory ID | SUSE-RU-2020:1303-1
|
| Released | Mon May 18 09:40:36 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1169582 |
Description:
This update for timezone fixes the following issues:
- timezone update 2020a. (bsc#1169582)
* Morocco springs forward on 2020-05-31, not 2020-05-24.
* Canada's Yukon advanced to -07 year-round on 2020-03-08.
* America/Nuuk renamed from America/Godthab.
* zic now supports expiration dates for leap second lists.
| Advisory ID | SUSE-RU-2020:1328-1
|
| Released | Mon May 18 17:16:04 2020 |
| Summary | Recommended update for grep |
| Type | recommended |
| Severity | moderate |
| References | 1155271 |
Description:
This update for grep fixes the following issues:
- Update testsuite expectations, no functional changes (bsc#1155271)
| Advisory ID | SUSE-RU-2020:1342-1
|
| Released | Tue May 19 13:27:31 2020 |
| Summary | Recommended update for python3 |
| Type | recommended |
| Severity | moderate |
| References | 1149955,1165894,CVE-2019-16056 |
Description:
This update for python3 fixes the following issues:
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
| Advisory ID | SUSE-RU-2020:1348-1
|
| Released | Wed May 20 11:37:41 2020 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1170908 |
Description:
This update for mozilla-nss fixes the following issues:
The following issues are fixed:
- Add AES Keywrap POST.
- Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908).
| Advisory ID | SUSE-SU-2020:1353-1
|
| Released | Wed May 20 13:02:32 2020 |
| Summary | Security update for freetype2 |
| Type | security |
| Severity | moderate |
| References | 1079603,1091109,CVE-2018-6942 |
Description:
This update for freetype2 to version 2.10.1 fixes the following issues:
Security issue fixed:
- CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603).
Non-security issues fixed:
- Update to version 2.10.1
* The bytecode hinting of OpenType variation fonts was flawed, since
the data in the `CVAR' table wasn't correctly applied.
* Auto-hinter support for Mongolian.
* The handling of the default character in PCF fonts as introduced
in version 2.10.0 was partially broken, causing premature abortion
of charmap iteration for many fonts.
* If `FT_Set_Named_Instance' was called with the same arguments
twice in a row, the function returned an incorrect error code the
second time.
* Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug
introduced in version 2.10.0).
* Increased precision while computing OpenType font variation
instances.
* The flattening algorithm of cubic Bezier curves was slightly
changed to make it faster. This can cause very subtle rendering
changes, which aren't noticeable by the eye, however.
* The auto-hinter now disables hinting if there are blue zones
defined for a `style' (i.e., a certain combination of a script and
its related typographic features) but the font doesn't contain any
characters needed to set up at least one blue zone.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* A bunch of new functions has been added to access and process
COLR/CPAL data of OpenType fonts with color-layered glyphs.
* As a GSoC 2018 project, Nikhil Ramakrishnan completely
overhauled and modernized the API reference.
* The logic for computing the global ascender, descender, and
height of OpenType fonts has been slightly adjusted for
consistency.
* `TT_Set_MM_Blend' could fail if called repeatedly with the same
arguments.
* The precision of handling deltas in Variation Fonts has been
increased.The problem did only show up with multidimensional
designspaces.
* New function `FT_Library_SetLcdGeometry' to set up the geometry
of LCD subpixels.
* FreeType now uses the `defaultChar' property of PCF fonts to set
the glyph for the undefined character at glyph index 0 (as
FreeType already does for all other supported font formats). As
a consequence, the order of glyphs of a PCF font if accessed
with FreeType can be different now compared to previous
versions.
This change doesn't affect PCF font access with cmaps.
* `FT_Select_Charmap' has been changed to allow parameter value
`FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
formats to access built-in cmaps that don't have a predefined
`FT_Encoding' value.
* A previously reserved field in the `FT_GlyphSlotRec' structure
now holds the glyph index.
* The usual round of fuzzer bug fixes to better reject malformed
fonts.
* `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have
been removed.These two functions were public by oversight only
and were never documented.
* A new function `FT_Error_String' returns descriptions of error
codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is
defined.
* `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
functions limited to Adobe MultiMaster fonts to directly set and
get the weight vector.
- Enable subpixel rendering with infinality config:
- Re-enable freetype-config, there is just too many fallouts.
- Update to version 2.9.1
* Type 1 fonts containing flex features were not rendered
correctly (bug introduced in version 2.9).
* CVE-2018-6942: Older FreeType versions can crash with certain
malformed variation fonts.
* Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
* Emboldening of bitmaps didn't work correctly sometimes, showing
various artifacts (bug introduced in version 2.8.1).
* The auto-hinter script ranges have been updated for Unicode 11.
No support for new scripts have been added, however, with the
exception of Georgian Mtavruli.
- freetype-config is now deprecated by upstream and not enabled
by default.
- Update to version 2.10.1
* The `ftmulti' demo program now supports multiple hidden axes with
the same name tag.
* `ftview', `ftstring', and `ftgrid' got a `-k' command line option
to emulate a sequence of keystrokes at start-up.
* `ftview', `ftstring', and `ftgrid' now support screen dumping to a
PNG file.
* The bytecode debugger, `ttdebug', now supports variation TrueType
fonts; a variation font instance can be selected with the new `-d'
command line option.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* The `ftdump' demo program has new options `-c' and `-C' to
display charmaps in compact and detailed format, respectively.
Option `-V' has been removed.
* The `ftview', `ftstring', and `ftgrid' demo programs use a new
command line option `-d' to specify the program window's width,
height, and color depth.
* The `ftview' demo program now displays red boxes for zero-width
glyphs.
* `ftglyph' has limited support to display fonts with
color-layered glyphs.This will be improved later on.
* `ftgrid' can now display bitmap fonts also.
* The `ttdebug' demo program has a new option `-f' to select a
member of a TrueType collection (TTC).
* Other various improvements to the demo programs.
- Remove 'Supplements: fonts-config' to avoid accidentally pulling
in Qt dependencies on some non-Qt based desktops.(bsc#1091109)
fonts-config is fundamental but ft2demos seldom installs by end users.
only fonts-config maintainers/debuggers may use ft2demos along to
debug some issues.
- Update to version 2.9.1
* No changelog upstream.
| Advisory ID | SUSE-RU-2020:1361-1
|
| Released | Thu May 21 09:31:18 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1171872 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)
| Advisory ID | SUSE-RU-2020:1400-1
|
| Released | Mon May 25 14:09:02 2020 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1162930 |
Description:
This update for glibc fixes the following issues:
- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)
| Advisory ID | SUSE-RU-2020:1404-1
|
| Released | Mon May 25 15:32:34 2020 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1138793,1166260 |
Description:
This update for zlib fixes the following issues:
- Including the latest fixes from IBM (bsc#1166260)
IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
deflate algorithm in hardware with estimated compression and decompression performance
orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
The fix will avoid to test if the app was linked with exactly same version of zlib
like the one that is present on the runtime.
| Advisory ID | SUSE-RU-2020:1427-1
|
| Released | Tue May 26 14:55:16 2020 |
| Summary | Recommended update for docker-runc |
| Type | recommended |
| Severity | moderate |
| References | 1168481 |
Description:
This update for docker-runc contains the following fixes:
- Backport upstream fix that enable access to /dev/null in containers. Resolves many
issues with the implementation of the runc devices cgroup code. Removes some of
the disruptive aspects of 'runc update'. (bsc#1168481)
| Advisory ID | SUSE-RU-2020:1492-1
|
| Released | Wed May 27 18:32:41 2020 |
| Summary | Recommended update for python-rpm-macros |
| Type | recommended |
| Severity | moderate |
| References | 1171561 |
Description:
This update for python-rpm-macros fixes the following issue:
- Update to version 20200207.5feb6c1 (bsc#1171561)
* Do not write .pyc files for tests
| Advisory ID | SUSE-RU-2020:1496-1
|
| Released | Wed May 27 20:30:31 2020 |
| Summary | Recommended update for python-requests |
| Type | recommended |
| Severity | low |
| References | 1170175 |
Description:
This update for python-requests fixes the following issues:
- Fix for warnings 'test fails to build' for python http. (bsc#1170175)
| Advisory ID | SUSE-RU-2020:1506-1
|
| Released | Fri May 29 17:22:11 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1087982,1170527 |
Description:
This update for aaa_base fixes the following issues:
- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)
| Advisory ID | SUSE-SU-2020:1532-1
|
| Released | Thu Jun 4 10:16:12 2020 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1172021,CVE-2019-19956 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
| Advisory ID | SUSE-RU-2020:1541-1
|
| Released | Thu Jun 4 13:23:27 2020 |
| Summary | Recommended update for pciutils |
| Type | recommended |
| Severity | moderate |
| References | 1170554 |
Description:
This update for pciutils fixes the following issues:
- Fix lspci outputs when few of the VPD data fields are displayed as unknown. (bsc#1170554, ltc#185587)
| Advisory ID | SUSE-RU-2020:1542-1
|
| Released | Thu Jun 4 13:24:37 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1172055 |
Description:
This update for timezone fixes the following issue:
- zdump --version reported 'unknown' (bsc#1172055)
| Advisory ID | SUSE-SU-2020:1551-1
|
| Released | Mon Jun 8 09:31:41 2020 |
| Summary | Security update for vim |
| Type | security |
| Severity | moderate |
| References | 1172225,CVE-2019-20807 |
Description:
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225).
| Advisory ID | SUSE-RU-2020:1558-1
|
| Released | Mon Jun 8 10:36:32 2020 |
| Summary | Recommended update for chrony |
| Type | recommended |
| Severity | moderate |
| References | 1172113 |
Description:
This update for chrony fixes the following issue:
- Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113)
| Advisory ID | SUSE-SU-2020:1657-1
|
| Released | Thu Jun 18 10:49:53 2020 |
| Summary | Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork |
| Type | security |
| Severity | moderate |
| References | 1172377,CVE-2020-13401 |
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker was updated to 19.03.11-ce
runc was updated to version 1.0.0-rc10
containerd was updated to version 1.2.13
- CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router
advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial
of service (bsc#1172377).
| Advisory ID | SUSE-SU-2020:1677-1
|
| Released | Thu Jun 18 18:16:39 2020 |
| Summary | Security update for mozilla-nspr, mozilla-nss |
| Type | security |
| Severity | important |
| References | 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 |
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
| Advisory ID | SUSE-SU-2020:1682-1
|
| Released | Fri Jun 19 09:44:54 2020 |
| Summary | Security update for perl |
| Type | security |
| Severity | important |
| References | 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 |
Description:
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).
| Advisory ID | SUSE-SU-2020:1733-1
|
| Released | Wed Jun 24 09:43:36 2020 |
| Summary | Security update for curl |
| Type | security |
| Severity | important |
| References | 1173026,1173027,CVE-2020-8169,CVE-2020-8177 |
Description:
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious
server to overwrite a local file when using the -J option (bsc#1173027).
- CVE-2020-8169: Fixed an issue where could have led to partial password leak
over DNS on HTTP redirect (bsc#1173026).
| Advisory ID | SUSE-RU-2020:1759-1
|
| Released | Thu Jun 25 18:44:37 2020 |
| Summary | Recommended update for krb5 |
| Type | recommended |
| Severity | moderate |
| References | 1169357 |
Description:
This update for krb5 fixes the following issue:
- Call systemd to reload the services instead of init-scripts. (bsc#1169357)
| Advisory ID | SUSE-RU-2020:1760-1
|
| Released | Thu Jun 25 18:46:13 2020 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1157315,1162698,1164538,1169488,1171145,1172072 |
Description:
This update for systemd fixes the following issues:
- Merge branch 'SUSE/v234' into SLE15
units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
udev: rename the persistent link for ATA devices (bsc#1164538)
shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
tmpfiles: remove unnecessary assert (bsc#1171145)
test-engine: manager_free() was called too early
pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
| Advisory ID | SUSE-RU-2020:1795-1
|
| Released | Mon Jun 29 11:22:45 2020 |
| Summary | Recommended update for lvm2 |
| Type | recommended |
| Severity | important |
| References | 1172566 |
Description:
This update for lvm2 fixes the following issues:
- Fix potential data loss problem with LVM cache (bsc#1172566)
| Advisory ID | SUSE-RU-2020:1821-1
|
| Released | Thu Jul 2 08:39:34 2020 |
| Summary | Recommended update for dracut |
| Type | recommended |
| Severity | moderate |
| References | 1172807,1172816 |
Description:
This update for dracut fixes the following issues:
- 35network-legacy: Fix dual stack setups. (bsc#1172807)
- 95iscsi: fix missing space when compiling cmdline args. (bsc#1172816)
| Advisory ID | SUSE-SU-2020:1822-1
|
| Released | Thu Jul 2 11:30:42 2020 |
| Summary | Security update for python3 |
| Type | security |
| Severity | important |
| References | 1173274,CVE-2020-14422 |
Description:
This update for python3 fixes the following issues:
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
| Advisory ID | SUSE-SU-2020:1396-1
|
| Released | Fri Jul 3 12:33:05 2020 |
| Summary | Security update for zstd |
| Type | security |
| Severity | moderate |
| References | 1082318,1133297 |
Description:
This update for zstd fixes the following issues:
- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
| Advisory ID | SUSE-SU-2020:1850-1
|
| Released | Mon Jul 6 14:44:39 2020 |
| Summary | Security update for mozilla-nss |
| Type | security |
| Severity | moderate |
| References | 1168669,1173032,CVE-2020-12402 |
Description:
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
| Advisory ID | SUSE-RU-2020:1852-1
|
| Released | Mon Jul 6 16:50:21 2020 |
| Summary | Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts |
| Type | recommended |
| Severity | moderate |
| References | 1169444 |
Description:
This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:
- Support transforming bitmap glyphs from python. (bsc#1169444)
- Allow python-Sphinx >= 3
Changes in ttf-converter:
- Update from version 1.0 to version 1.0.6:
* ftdump is now shipped additionally as new dependency for ttf-converter
* Standardize output when converting vector and bitmap fonts
* Add more subfamilies fixes (bsc#1169444)
* Add --family and --subfamily arguments to force values on those fields
* Add parameters to fix glyph unicode values
--fix-glyph-unicode : Try to fix unicode points and glyph names
based on glyph names containing hexadecimal codes (like
'$0C00', 'char12345' or 'uni004F')
--replace-unicode-values: When passed 2 comma separated numbers
a,b the glyph with an unicode value of a is replaced with the
unicode value b. Can be used more than once.
--shift-unicode-values: When passed 3 comma separated numbers
a,b,c this shifts the unicode values of glyphs between a and b
(both included) by adding c. Can be used more than once.
* Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444)
When used, all glyphs are modified with the transformation function and
values passed as parameters. The parameter has three values separated by
commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff
* Add support to convert bitmap fonts (bsc#1169444)
* Rename MediumItalic subfamily to Medium Italic
* Show some more information when removing duplicated glyphs
* Add a --force-monospaced argument instead of hardcoding font names
* Convert `BoldCond` subfamily to `Bold Condensed`
* Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41)
* Add a --version argument
* Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41)
Changes in xorg-x11-fonts:
- Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
- Include the subfamily in the filename of converted fonts
- Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
- Replace some unicode values in cu-pua12.pcf.gz to fix them
- Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs
don't pretend to be latin characters when they're not.
- Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444)
Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular,
MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular
Changes in ghostscript-fonts:
- Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41)
Use the --force-monospaced argument of ttf-converter 1.0.3
| Advisory ID | SUSE-SU-2020:1856-1
|
| Released | Mon Jul 6 17:05:51 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1172698,1172704,CVE-2020-8023 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
| Advisory ID | SUSE-RU-2020:2979-1
|
| Released | Wed Oct 21 11:37:14 2020 |
| Summary | Recommended update for mozilla-nss |
| Type | recommended |
| Severity | moderate |
| References | 1176173 |
Description:
This update for mozilla-nss fixes the following issue:
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
NIST SP800-56Arev3 compliant (bsc#1176173).