Image summary for suse-sles-15-chost-byos-v20220201-hvm-ssd-x86_64

SUSE-IU-2022:237-1

This update for runc fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

• Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10

• CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
• Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

libprotobuf was updated to fix:

• ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for python-urllib3 fixes the following issues:

• CVE-2020-26116: Raise ValueError if method contains control characters and thus prevent CRLF injection into URLs (bsc#1177211).
• Skip test for RECENT_DATE (bsc#1181571).

This update for cloud-init fixes the following issues:

• Update cloud-init-write-routes.patch (bsc#1180176) + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing.

• Add cloud-init-sle12-compat.patch (jsc#PM-2335) - Python 3.4 compatibility in setup.py - Disable some test for mock version compatibility

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:

• CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
• CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

• Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).

• Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)

• Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243

• Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708

• Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14

• Enable fish-completion

• Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

• Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708

• Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

• Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.

• Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
• Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.

• Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243

• Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
• CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
• CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
• CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
• CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
• CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
• CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
• CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
• CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
• CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
• CVE-2020-10781: A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable (bnc#1173074).
• CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
• CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
• CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
• CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
• CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
• CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
• CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
• CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
• CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
• CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
• CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).
• CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
• CVE-2020-29371: An issue was discovered in romfs_dev_read in fs/romfs/storage.c where uninitialized memory leaks to userspace (bnc#1179429).
• CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
• CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
• CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).
• CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
• CVE-2019-20806: Fixed a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service (bnc#1172199).

• blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840 bsc#1179071).
• blk-mq: make sure that line break can be printed (bsc#1163840 bsc#1179071).
• epoll: Keep a reference on files added to the check list (bsc#1180031).
• fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
• futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
• futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
• futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
• futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
• futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
• futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
• futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
• futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
• HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
• iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181001, jsc#ECO-3191).
• iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181001, jsc#ECO-3191).
• kABI: Fix kABI for extended APIC-ID support (bsc#1181001, jsc#ECO-3191).
• locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
• nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
• net/x25: prevent a couple of overflows (bsc#1178590).
• rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
• s390/dasd: fix hanging device offline processing (bsc#1144912).
• scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1178272).
• x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181001, jsc#ECO-3191).
• x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181001, jsc#ECO-3191).
• x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181001, jsc#ECO-3191).
• x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001, jsc#ECO-3191).
• x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001, jsc#ECO-3191).
• x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181001, jsc#ECO-3191).
• x86/tracing: Introduce a static key for exception tracing (bsc#1179895).
• x86/traps: Simplify pagefault tracing logic (bsc#1179895).

This update provides the python3 variant of the jsonschema module to the SUSE Linux Enterprise 15 SP2 Basesystem module.

This update for openssh fixes the following issues:

• Fixed a crash which sometimes occured on connection termination, caused by accessing freed memory (bsc#1180501)

This update for bind fixes the following issues:

• CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]

This update for docker, golang-github-docker-libnetwork fixes the following issues:

• A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

This update for python3 fixes the following issues:

• CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
• Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

This update for python-cffi fixes the following issues:

• Restored compatibility with Python 2.7 update (bsc#1182471)

This update for glibc fixes the following issues:

• Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
• x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
• gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
• iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
• iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
• Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

This update for python-Jinja2 fixes the following issues:

• CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).

This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:

• CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
• CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
• CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
• CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
• CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
• CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)

This update for bind fixes the following issues:

• dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]

This update for python-cryptography fixes the following issues:

• CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).

This update for openldap2 fixes the following issues:

• bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
• bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
• bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
• bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
• bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
• bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
• bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
• bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

• CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
• CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
• CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
• CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

• kernel-{binary,source}.spec.in: do not create loop symlinks (bsc#1179082)
• kernel-source.spec: Fix build with rpm 4.16 (boo#1179015).
• rpm/kernel-binary.spec.in: avoid using barewords (bsc#1179014)
• rpm/kernel-binary.spec.in: avoid using more barewords (bsc#1179014) %split_extra still contained two.
• rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886) The in-tree KMP that is built with SLE kernels have a different scriptlet that is embedded in kernel-binary.spec.in rather than *.sh files.
• rpm/kernel-binary.spec.in: use grep -E instead of egrep (bsc#1179045) egrep is only a deprecated bash wrapper for 'grep -E'. So use the latter instead.
• rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
• rpm/kernel-obs-build.spec.in: Add -q option to modprobe calls (bsc#1178401)
• rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).
• rpm/mkspec: do not build kernel-obs-build on x86_32 We want to use 64bit kernel due to various bugs (bsc#1178762 to name one).
• rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
• xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
• xen/netback: fix spurious event detection for common event case (bsc#1182175).

This update for openssl-1_1 fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for libsolv, libzypp, yast2-installation, zypper fixes the following issues:
Update zypper to version 1.14.43:

• doc: give more details about creating versioned package locks (bsc#1181622)
• man: Document synonymously used patch categories (bsc#1179847)
• Fix source-download commnds help (bsc#1180663)
• man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
• Extend apt packagemap (fixes #366)
• --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
• Prefer /run over /var/run.

• Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
• Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
• Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
• Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'.
• Commit: Fix rpmdb compat symlink in case rpm got removed.
• Repo: Allow multiple baseurls specified on one line (fixes #285)
• Regex: Fix memory leak and undefined behavior.
• Add rpm buildrequires for test suite (fixes #279)
• Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use.
• BuildRequires: libsolv-devel >= 0.7.17.
• CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
• RepoManager: Force refresh if repo url has changed (bsc#1174016)
• RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
• RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
• RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
• Fixed update of gpg keys with elongated expire date (bsc#1179222)
• needreboot: remove udev from the list (bsc#1179083)
• Fix lsof monitoring (bsc#1179909)
• Rephrase solver problem descriptions (jsc#SLE-8482)
• Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
• Multicurl backend breaks with with unknown filesize (fixes #277)

• Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415)

• repo_write: fix handling of nested flexarray
• improve choicerule generation a bit more to cover more cases
• harden testcase parser against repos being added too late
• support python-3.10
• check %_dbpath macro in rpmdb code
• handle default/visible/langonly attributes in comps parser
• support multiple collections in updateinfo parser
• add '-D' option in rpmdb2solv to set the dbpath

This update for zlib fixes the following issues:

• Fixed hw compression on z15 (bsc#1176201)

This update for glib2 fixes the following issues:

• CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)

• CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for nghttp2 fixes the following issues:

• CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

This update for ruby2.5 fixes the following issues:

• CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125).
• Enable optimizations also on ARM64 (bsc#1177222)

This update for gnutls fixes the following issues:

• CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
• CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

This update for python3 fixes the following issues:

• python36 was updated to 3.6.13
• CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).

This update for zstd fixes the following issues:

• CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
• CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

This update for rsyslog fixes the following issues:

• Fix groupname retrieval for large groups. (bsc#1178490)

This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.43:

• doc: give more details about creating versioned package locks (bsc#1181622)
• man: Document synonymously used patch categories (bsc#1179847)
• Fix source-download commands help (bsc#1180663)
• man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
• Extend apt packagemap (fixes #366)
• --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
• Prefer /run over /var/run.

• Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
• Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
• Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
• Add missing includes for GCC 11 compatibility.
• Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'.
• Commit: Fix rpmdb compat symlink in case rpm got removed.
• Repo: Allow multiple baseurls specified on one line (fixes #285)
• Regex: Fix memory leak and undefined behavior.
• Add rpm buildrequires for test suite (fixes #279)
• Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use.
• CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
• RepoManager: Force refresh if repo url has changed (bsc#1174016)
• RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
• RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
• RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
• Fixed update of gpg keys with elongated expire date (bsc#1179222)
• needreboot: remove udev from the list (bsc#1179083)
• Fix lsof monitoring (bsc#1179909)
• Rephrase solver problem descriptions (jsc#SLE-8482)
• Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
• Multicurl backend breaks with with unknown filesize (fixes #277)

This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105)

This update for vim provides the following fixes:

• Install SUSE vimrc in /usr. (bsc#1182324)
• Source correct suse.vimrc file. (bsc#1182324)

This update for cloud-init fixes the following issues:

• Does no longer include the sudoers.d directory twice (bsc#1181283)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

This update for openldap2 fixes the following issues:

• Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

This update for open-iscsi fixes the following issues:

• CVE-2020-17437: uIP Out-of-Bounds Write (bsc#1179908)
• CVE-2020-17438: uIP Out-of-Bounds Write (bsc#1179908)
• CVE-2020-13987: uIP Out-of-Bounds Read (bsc#1179908)
• CVE-2020-13988: uIP Integer Overflow (bsc#1179908)
• Enabled no-wait ('-W') iscsiadm option for iscsi login service (bsc#1173886, bsc#1183421)
• Added the ability to perform async logins (bsc#1173886)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for qemu fixes the following issues:

• Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
• Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
• Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
• Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
• Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
• Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
• Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
• Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
• Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
• Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
• Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
• Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
• Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
• Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)
• Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
• Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
• Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
• Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)
• Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
• Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
• Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
• Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
• Drop the 'ampersand 0x25 shift altgr' line in pt-br keymap file (bsc#1129962)
• Fix migration failure with error message: 'error while loading state section id 3(ram) (bsc#1154790)
• Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
• Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
• Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)
• Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel
• Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent. (bsc#1178565)
• Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

This update for xen fixes the following issues:

• CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431)

This update for grub2 fixes the following issues:

• Fix a migration issue due to a lower build number in higher service packs. (bsc#1183761)
• Fix executable stack marking in `grub-emu`. (bsc#1181696)

This update for sudo fixes the following issues:

• L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)

This update for ruby2.5 fixes the following issues:

• Update to 2.5.9
• CVE-2021-28965: XML round-trip vulnerability in REXML (bsc#1184644)

This update for cloud-init fixes the following issues:

• Fixed an issue, where the bonding options were wrongly configured in SLE and openSUSE (bsc#1184085)

This update for e2fsprogs fixes the following issues:

• Fixed an issue when building e2fsprogs (bsc#1183791)

This update for systemd fixes the following issues:

• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

This update for libnettle fixes the following issues:

• CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

This update for tcpdump fixes the following issues:

• Disabled five regression tests that fail with libpcap > 1.8.1 (bsc#1183800)

This update for dhcp fixes the following issues:

• Use '/run' instead of '/var/run' for PIDFile in 'dhcrelay.service'. (bsc#1185157)

This update for bind fixes the following issues:

• CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
• CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
• make /usr/bin/delv in bind-tools position independent (bsc#1183453).

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

This update for patterns-microos provides the following fix:

• Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for python3 fixes the following issues:

• CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

This update for chrony fixes the following issues:

• Fix build with glibc-2.31 (bsc#1162964)
• Use /run instead of /var/run for PIDFile in chronyd.service (bsc#1184400)

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
• CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
• CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).
• CVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).
• CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
• CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
• CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
• CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
• CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
• CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
• CVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).
• CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
• CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
• CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
• CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
• CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
• CVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).
• CVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).
• CVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).
• CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
• CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
• CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
• CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
• CVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).
• CVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).
• CVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).
• CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
• CVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).
• CVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).
• CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
• CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
• CVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).
• CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
• CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
• CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

• Revert 'rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)' This turned out to be a bad idea: the kernel-$flavor-devel package must be usable without kernel-$flavor, e.g. at the build of a KMP. And this change brought superfluous installation of kernel-preempt when a system had kernel-syms (bsc#1185113).
• Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
• bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
• bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
• ext4: check journal inode extents more carefully (bsc#1173485).
• ext4: do not allow overlapping system zones (bsc#1173485).
• ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485).
• hv: clear ring_buffer pointer during cleanup (part of ae6935ed) (bsc#1181032).
• hv_netvsc: remove ndo_poll_controller (bsc#1185248).
• macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672).
• post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
• rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514).
• rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063).
• rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
• rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244)
• rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650)
• xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).

This update for sed fixes the following issues:

• Fixed a building issue with glibc-2.31 (bsc#1183797).

This update for openldap2 fixes the following issue:

• Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for lz4 fixes the following issues:

• CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

This update for libxml2 fixes the following issues:

• CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for supportutils fixes the following issues:

• Collects rotated logs with different compression types (bsc#1180478)
• Captures now IBM Power bootlist (jsc#SLE-15557)
• Fixed some errors with supportutils in combination with the btrfs filesystem (bsc#1168894)
• Fixed an issue with ntp.txt, when it contains large binary data (bsc#1169122)
• Checks package signatures in rpm.txt (bsc#1021918)
• Optimize find (bsc#1184912)
• Using zypper --xmlout (bsc#1181351)
• Error fix for sysfs.txt (bsc#1089870)
• Added list-timers to systemd.txt (bsc#1169348)
• Including nfs4 in search (bsc#1184829)
• [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826)
• Fixed mismatched taint flags (bsc#1178491)
• Removed redundant fdisk code that can cause timeout issues (bsc#1181679)
• Supportconfig processes -f without hanging (bsc#1182904)
• Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950)
• [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911)
• Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932)
• No longer truncates boot log (bsc#1181610)
• Collects rotated logs with different compression types (bsc#1180478)
• Capture IBM Power bootlist (SLE-15557)
• [powerpc] Collect logs for power specific components #72 (bscn#1176895)
• Fixed btrfs errors (bsc#1168894)
• Large ntp.txt with binary data (bsc#1169122)
• Only include hostinfo details in /etc/motd (bsc#1170092)
• Fixed CPU load average calculation (bsc#1170094)
• Understands 3rd party packages on SLES or OpenSUSE (bsc#1170858)
• Implement persistens host information across reboots (bsc#1183732)

This update for snappy fixes the following issues:
Update from version 1.1.3 to 1.1.8

• Small performance improvements.
• Removed `snappy::string` alias for `std::string`.
• Improved `CMake` configuration.
• Improved packages descriptions.
• Fix RPM groups.
• Aarch64 fixes
• PPC speedups
• PIE improvements
• Fix license install. (bsc#1080040)
• Fix a 1% performance regression when snappy is used in PIE executable.
• Improve compression performance by 5%.
• Improve decompression performance by 20%.
• Use better download URL.
• Fix a build issue for tensorflow2. (bsc#1184507)

This update for libsolv and libzypp fixes the following issues:
libsolv:
Upgrade from version 0.7.17 to version 0.7.19

• Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
• Fix memory leaks in error cases
• Fix error handling in `solv_xfopen_fd()`
• Fix regex code on win32
• fixed memory leak in choice rule generation
• `repo_add_conda`: add a flag to skip version 2 packages.

• Properly handle permission denied when providing optional files. (bsc#1185239)
• Fix service detection with `cgroupv2`. (bsc#1184997)
• Add missing includes for GCC 11. (bsc#1181874)
• Fix unsafe usage of static in media verifier.
• `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
• `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
• Do no cleanup in custom cache dirs. (bsc#1182936)
• `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

This update for python3 fixes the following issues:

• Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block.

This update for curl fixes the following issues:

• CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
• CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
• Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
• Allow partial chain verification (jsc#SLE-17956).

This update for python-py fixes the following issues:

• CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

This update for dhcp fixes the following issues:

• CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)

This update for mozilla-nss fixes the following issue:

• Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for qemu fixes the following issues:

• Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
• Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
• For the record, these issues are fixed in this package already. Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2020-29129, bsc#1179484, CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975)

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

This update for gpg2 fixes the following issues:

• Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

• Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
• CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730).
• btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

• Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
• Fixed /dev/null is not available (bsc#1168481).
• CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

• CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
• Handle a requirement from docker (bsc#1181594).

This update for wget fixes the following issue:

• When running recursively, wget will verify the length of the whole URL when saving the files. This will make it overwrite files with truncated names, throwing the following message: 'The name is too long,... trying to shorten'. (bsc#1181173)

This update for libnettle fixes the following issues:

• CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for thin-provisioning-tools fixes the following issues:

• Link as position-independent executable (bsc#1184124)

This update for patterns-microos provides the following fix:

• Add zypper-migration-plugin to the default pattern. (bsc#1186791)

This update for tar fixes the following issues:

• Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for openldap2 fixes the following issues:

• Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

This update for dbus-1 fixes the following issues:

• CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UID's (bsc#1187105)

This update for chrony fixes the following issues:

• Fixed an issue when chrony aborts in FIPS mode due to MD5. (bsc#1173760)

This update for systemd fixes the following issues:
cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)

This update for dosfstools fixes the following issue:

• Fixed a bug that was causing an installation issue when trying to create an EFI partition on an NVMe-over-Fabrics device (bsc#1172863)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for cloud-init contains the following:

• Change log file creation mode to 640. (bsc#1183939)
• Do not write the generated password to the log file. (bsc#1184758)
• Allow purging cache when Python when version change detected.

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
• Skip udev rules if 'elevator=' is used (bsc#1184994)

This update for containerd fixes the following issues:

• CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282)

The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2021-22555: A heap out-of-bounds write was discovered in net/netfilter/x_tables.c (bnc#1188116 ).
• CVE-2021-33909: Extremely large seq buffer allocations in seq_file could lead to buffer underruns and code execution (bsc#1188062).
• CVE-2021-3609: A use-after-free in can/bcm could have led to privilege escalation (bsc#1187215).
• CVE-2021-33624: In kernel/bpf/verifier.c a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db (bnc#1187554).
• CVE-2021-0605: In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1187601).
• CVE-2021-0512: In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1187595).
• CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time (bnc#1179610).
• CVE-2021-34693: net/can/bcm.c in the Linux kernel allowed local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized (bnc#1187452).
• CVE-2020-36385: An issue was discovered in the Linux kernel drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c (bnc#1187050).
• CVE-2021-0129: Improper access control in BlueZ may have allowed an authenticated user to potentially enable information disclosure via adjacent access (bnc#1186463).
• CVE-2020-36386: An issue was discovered in the Linux kernel net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf (bnc#1187038).
• CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets (bnc#1185861).
• CVE-2021-33200: kernel/bpf/verifier.c enforced incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit (bnc#1186484).
• CVE-2021-33034: net/bluetooth/hci_event.c had a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value (bnc#1186111).
• CVE-2020-26139: An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients (bnc#1186062).
• CVE-2021-23134: Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability (bnc#1186060).
• CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
• CVE-2020-26141: The Wi-Fi implementation did not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol (bnc#1185987).
• CVE-2020-26145: The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration (bnc#1185860).
• CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
• CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. ()
• CVE-2021-3491: The io_uring subsystem allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. (bnc#1185642).
• CVE-2021-23133: A race condition in SCTP sockets (net/sctp/socket.c) could lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket (bnc#1184675).
• CVE-2021-32399: net/bluetooth/hci_request.c in the Linux kernel has a race condition for removal of the HCI controller (bnc#1184611 bnc#1185898).

• Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
• Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
• af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081).
• dm: fix redundant IO accounting for bios that need splitting (bsc#1183738).
• kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081).
• net/ethernet: Add parse_protocol header_ops support (bsc#1176081).
• net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081).
• net/mlx5e: Trust kernel regarding transport offset (bsc#1176081).
• net/packet: Ask driver for protocol if not provided by user (bsc#1176081).
• net/packet: Remove redundant skb->protocol set (bsc#1176081).
• net: Do not set transport offset to invalid value (bsc#1176081).
• net: Introduce parse_protocol header_ops callback (bsc#1176081).
• video: hyperv_fb: Add ratelimit on error message (bsc#1185725).

This update for curl fixes the following issues:

• CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
• CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
• CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
• CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

This update for qemu fixes the following issues:
Security issues fixed:

• CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
• CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
• CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
• CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
• CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)

This update for dbus-1 fixes the following issues:

• CVE-2020-12049: truncated messages lead to resource exhaustion (bsc#1172505)

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for sca-appliance-common, supportutils fixes the following issues:

• Adding ethtool options to the supportconfigt. (jsc#SLE-18239, jsc#SLE-18344)
• Fixed and issue when 'lsof' causes performance problems. (bsc#1186687)
• Exclude 'rhn.conf' from 'etc.txt' to prevent supportconfig capturing passwords in clear text. (bsc#1186347)
• Fix 'analyzevmcore' to supports local directories. (bsc#1186397)
• Fix for 'getappcore' checking for valid compression binary. (bsc#1185991)
• Fixed 'getappcore' to prevent triggering errors with help message. (bsc#1185993)

This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)

This update for c-ares fixes the following issues:
Version update to git snapshot 1.17.1+20200724:

• CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
• If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash
• Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
• Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
• Use unbuffered /dev/urandom for random data to prevent early startup performance issues

This update for cpio fixes the following issues:

• A regression in last update would cause builds to hang on various architectures(bsc#1189465)

This update for cpio fixes the following issues:

• A regression in the previous update could lead to crashes (bsc#1189465)

This patch updates the Python AWS SDK stack in SLE 15:
General:
# aws-cli

• Version updated to upstream release v1.19.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.17.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.20.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.25.10 For a detailed list of all changes, please refer to the changelog file of this package.

• Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0

• Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0

• CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)

This update for openssl-1_1 fixes the following security issue:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for bind fixes the following issues:

• Fix an assertion failure in the 'rehash()' function (bsc#1188763) When calculating the new hashtable bitsize, there was an off-by-one error that would allow the new bitsize to be larger than maximum allowed.
• tsig-keygen is now used to generate DDNS keys (bsc#1187921)

This update for libesmtp fixes the following issues:

• CVE-2019-19977: Fixed stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).

This update for openldap2 fixes the following issue:

• openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

This update for xen fixes the following issues:

• CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
• CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429).
• CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433).
• CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
• CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
• CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
• CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434).

• Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).

This update for pcre2 fixes the following issue:

• Equalizes the result of a function that may have different output on s390x if compared to older (bsc#1187937)

This update for runc fixes the following issues:

• Fixed an issue when toolbox container fails to start. (bsc#1189743)

This update for openssl-1_1 fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

This update for SUSEConnect fixes the following issues:

• Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
• Add subscription name to output of 'SUSEConnect --status'.
• send payload of GET requests as part of the url, not in the body (see bsc#1185611)

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for c-ares fixes the following issue:

• Allow '_' as part of DNS response. (bsc#1190225) - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which contained underscores.

This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:

• implement new socket option PR_SockOpt_DontFrag
• support larger DNS records by increasing the default buffer size for DNS queries
• Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138
• PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version.

• bmo#1713562 - Fix test leak.
• bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
• bmo#1693206 - Implement PKCS8 export of ECDSA keys.
• bmo#1712883 - DTLS 1.3 draft-43.
• bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
• bmo#1713562 - Validate ECH public names.
• bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

• bmo#1683710 - Add a means to disable ALPN.
• bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
• bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
• bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
• bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

• bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
• bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
• bmo#1708307 - Remove Trustis FPS Root CA from NSS.
• bmo#1707097 - Add Certum Trusted Root CA to NSS.
• bmo#1707097 - Add Certum EC-384 CA to NSS.
• bmo#1703942 - Add ANF Secure Server Root CA to NSS.
• bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
• bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
• bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
• bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
• bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
• bmo#1709291 - Add VerifyCodeSigningCertificateChain.

• bmo#1709654 - Update for NetBSD configuration.
• bmo#1709750 - Disable HPKE test when fuzzing.
• bmo#1566124 - Optimize AES-GCM for ppc64le.
• bmo#1699021 - Add AES-256-GCM to HPKE.
• bmo#1698419 - ECH -10 updates.
• bmo#1692930 - Update HPKE to final version.
• bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
• bmo#1703936 - New coverity/cpp scanner errors.
• bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
• bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
• bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

• bmo#1705286 - Properly detect mips64.
• bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and

• bmo#1697380 - Make a clang-format run on top of helpful contributions.
• bmo#1683520 - ECCKiila P384, change syntax of nested structs

• bmo#1688374 - Fix parallel build NSS-3.61 with make
• bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()

• bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key

• TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
• December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.

• bmo#1679290 - Fix potential deadlock with certain third-party

• Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

• bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
• bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
• bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
• bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
• bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed

• bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
• bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
• bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
• bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
• bmo#1667153 - Add PK11_ImportDataKey for data object import.
• bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.

• The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
• The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
• Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed.
• https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

• bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
• bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
• bmo#1654142 - Add CPU feature detection for Intel SHA extension.
• bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
• bmo#1656986 - Properly detect arm64 during GYP build architecture

• P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
• PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
• DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

• bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
• bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
• bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
• bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
• bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
• bmo#1646594 - Fix AVX2 detection in makefile builds.
• bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
• bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
• bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
• bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
• bmo#1649226 - Add Wycheproof ECDSA tests.
• bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
• bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
• bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.

• Support for TLS 1.3 external pre-shared keys (bmo#1603042).
• Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
• The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
• The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.

• A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.

• bmo#1528113 - Use ARM Cryptography Extension for SHA256.
• bmo#1603042 - Add TLS 1.3 external PSK support.
• bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
• bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
• bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
• bmo#1641716 - Add Microsoft's non-EV root certificates.
• bmo1621151 - Disable email trust bit for 'O=Government

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for xfsprogs fixes the following issues:

• Fixes an issue when 'fstests' with 'xfs' fail. (bsc#1181309, bsc#1181299)
• xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
• mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
• mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
• xfs_growfs: Refactor geometry reporting. (bsc#1181306)
• xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
• xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
• xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
• xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
• xfs_bmap: Do not reject '-e'. (bsc#1189552)
• Implement 'libhandle1' through ECO. (jsc#SLE-20360)

This update for docker fixes the following issues:

• Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34.
• Add shell requires for the *-completion subpackages.

This update for cloud-init contains the following fixes:

• Update to version 21.2 (bsc#1186004) + Remove patches included upstream and patches no longer needed + Remove SLE 12 compatibility patch, version in SLE 12 is frozen to 20.2 + Forward port: - cloud-init-write-routes.patch - cloud-init-break-resolv-symlink.patch - cloud-init-sysconf-path.patch - cloud-init-no-tempnet-oci.patch + Add \r\n check for SSH keys in Azure (#889) + Revert 'Add support to resize rootfs if using LVM (#721)' (#887) (LP: #1922742) + Azure: adding support for consuming userdata from IMDS (#884) [Anh Vo] + test_upgrade: modify test_upgrade_package to run for more sources (#883) + Fix chef module run failure when chef_license is set (#868) [Ben Hughes] + Azure: Retry net metadata during nic attach for non-timeout errs (#878) [aswinrajamannar] + Azure: Retrieve username and hostname from IMDS (#865) [Thomas Stringer] + Azure: eject the provisioning iso before reporting ready (#861) [Anh Vo] + Use `partprobe` to re-read partition table if available (#856) [Nicolas Bock] (LP: #1920939) + fix error on upgrade caused by new vendordata2 attributes (#869) (LP: #1922739) + add prefer_fqdn_over_hostname config option (#859) [hamalq] (LP: #1921004) + Emit dots on travis to avoid timeout (#867) + doc: Replace remaining references to user-scripts as a config module (#866) [Ryan Harper] + azure: Removing ability to invoke walinuxagent (#799) [Anh Vo] + Add Vultr support (#827) [David Dymko] + Fix unpickle for source paths missing run_dir (#863) [lucasmoura] (LP: #1899299) + sysconfig: use BONDING_MODULE_OPTS on SUSE (#831) [Jens Sandmann] + bringup_static_routes: fix gateway check (#850) [Petr Fedchenkov] + add hamalq user (#860) [hamalq] + Add support to resize rootfs if using LVM (#721) [Eduardo Otubo] (LP: #1799953) + Fix mis-detecting network configuration in initramfs cmdline (#844) (LP: #1919188) + tools/write-ssh-key-fingerprints: do not display empty header/footer (#817) [dermotbradley] + Azure helper: Ensure Azure http handler sleeps between retries (#842) [Johnson Shi] + Fix chef apt source example (#826) [timothegenzmer] + .travis.yml: generate an SSH key before running tests (#848) + write passwords only to serial console, lock down cloud-init-output.log (#847) (LP: #1918303) + Fix apt default integration test (#845) + integration_tests: bump pycloudlib dependency (#846) + Fix stack trace if vendordata_raw contained an array (#837) [eb3095] + archlinux: Fix broken locale logic (#841) [Kristian Klausen] (LP: #1402406) + Integration test for #783 (#832) + integration_tests: mount more paths IN_PLACE (#838) + Fix requiring device-number on EC2 derivatives (#836) (LP: #1917875) + Remove the vi comment from the part-handler example (#835) + net: exclude OVS internal interfaces in get_interfaces (#829) (LP: #1912844) + tox.ini: pass OS_* environment variables to integration tests (#830) + integration_tests: add OpenStack as a platform (#804) + Add flexibility to IMDS api-version (#793) [Thomas Stringer] + Fix the TestApt tests using apt-key on Xenial and Hirsute (#823) [Paride Legovini] (LP: #1916629) + doc: remove duplicate 'it' from nocloud.rst (#825) [V.I. Wood] + archlinux: Use hostnamectl to set the transient hostname (#797) [Kristian Klausen] + cc_keys_to_console.py: Add documentation for recently added config key (#824) [dermotbradley] + Update cc_set_hostname documentation (#818) [Toshi Aoyama]

• Fix unit test fail in TestGetPackageMirrorInfo::test_substitution.

• Remove python2 compatibility so cloud-init builds fine in Tumbleweed with a recent Jinja2 version. This patch is only applied in TW.

This update for ca-certificates-mozilla fixes the following issues:

• remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858)

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

This update for sudo fixes the following issues:

• Update to sudo 1.8.27 (jsc#SLE-17083).
• Fixed special handling of ipa_hostname (bsc#1181371).
• Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf (bsc#1176473).

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
• Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
• Rules weren't applied to dm devices (multipath) (bsc#1188713).
• Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
• Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
• Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

This update for glibc fixes the following issues:

• CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
• CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

This update for kdump fixes the following issues:

• Install /etc/resolv.conf using its resolved path (bsc#1183070).
• Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).
• Skip kdump-related mounts if there is no /proc/vmcore (bsc#1102252, bsc#1125011).
• Make sure that kdump mount points are cleaned up (bsc#1102252, bsc#1125011).
• powerpc: Do not reload on CPU hot removal (bsc#1133407).
• Do not iterate past end of string (bsc#1186037).
• Make sure that initrd.target.wants directory exists (bsc#1172670).
• Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
• Add 'bootdev=' to dracut command line (bsc#1182309).
• Query systemd network.service to find out if wicked is used (bsc#1182309).
• Do not add network-related dracut options if ip= is set explicitly (bsc#1182309, bsc#1188090).
• Make sure that the udev runtime directory exists (bsc#1164713).
• Prefer by-path and device-mapper aliases over kernel names (bsc#1101149).
• Activate udev rules late during boot (bsc#1154837).

This update for xkeyboard-config fixes the following issue:

• Wrong keyboard mapping causing input delays with ABNT2 keyboards. (bsc#1191242)

The SUSE Linux Enterprise 15 SP2 kernel was updated.

The following security bugs were fixed:

• CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
• CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
• CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
• CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
• CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
• CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)

• ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
• apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
• ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
• ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
• ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
• ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
• ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
• ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
• ath9k: fix sleeping in atomic context (git-fixes).
• blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
• blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
• blk-mq: mark if one queue map uses managed irq (bsc#1185762).
• Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
• bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
• bnxt_en: Add missing DMA memory barriers (git-fixes).
• bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
• bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
• bnxt_en: Store the running firmware version code (git-fixes).
• bnxt: count Tx drops (git-fixes).
• bnxt: disable napi before canceling DIM (git-fixes).
• bnxt: do not lock the tx queue from napi poll (git-fixes).
• bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
• btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
• clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
• clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
• console: consume APC, DM, DCS (git-fixes).
• cuse: fix broken release (bsc#1190596).
• cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
• debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
• devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
• dmaengine: ioat: depends on !UML (git-fixes).
• dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
• dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
• docs: Fix infiniband uverbs minor number (git-fixes).
• drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
• drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
• drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
• drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
• drm/amdgpu: Fix BUG_ON assert (git-fixes).
• drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
• drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
• drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
• e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
• e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
• EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
• EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
• erofs: fix up erofs_lookup tracepoint (git-fixes).
• fbmem: do not allow too huge resolutions (git-fixes).
• fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
• fpga: machxo2-spi: Return an error on failure (git-fixes).
• fuse: flush extending writes (bsc#1190595).
• fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
• genirq: add device_has_managed_msi_irq (bsc#1185762).
• gpio: uniphier: Fix void functions to remove return value (git-fixes).
• gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
• gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
• hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
• hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
• hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
• hwmon: (tmp421) fix rounding for negative values (git-fixes).
• hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
• i40e: Add additional info to PHY type error (git-fixes).
• i40e: Fix firmware LLDP agent related warning (git-fixes).
• i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
• i40e: Fix logic of disabling queues (git-fixes).
• i40e: Fix queue-to-TC mapping on Tx (git-fixes).
• iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
• iavf: Set RSS LUT and key in reset handle path (git-fixes).
• ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
• ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
• ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
• ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
• ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
• ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
• ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
• ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
• ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
• ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
• ice: Prevent probing virtual functions (git-fixes).
• iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
• include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
• iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
• ionic: cleanly release devlink instance (bsc#1167773).
• ionic: count csum_none when offload enabled (bsc#1167773).
• ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
• ipc/util.c: use binary search for max_idx (bsc#1159886).
• ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
• ipvs: avoid expiring many connections from timer (bsc#1190467).
• ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
• ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
• iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
• kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
• kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
• kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
• kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
• libata: fix ata_host_start() (git-fixes).
• mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
• mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
• mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
• mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
• mac80211: mesh: fix potentially unaligned access (git-fixes).
• media: cedrus: Fix SUNXI tile size calculation (git-fixes).
• media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
• media: dib8000: rewrite the init prbs logic (git-fixes).
• media: imx258: Limit the max analogue gain to 480 (git-fixes).
• media: imx258: Rectify mismatch of VTS value (git-fixes).
• media: rc-loopback: return number of emitters rather than error (git-fixes).
• media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
• media: uvc: do not do DMA on stack (git-fixes).
• media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
• mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
• mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
• mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
• mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
• mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
• mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
• mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
• net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
• net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
• net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
• net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
• net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
• net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
• net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
• net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
• net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
• net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
• net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
• net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
• net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
• net/mlx5: Fix flow table chaining (git-fixes).
• net/mlx5: Fix return value from tracer initialization (git-fixes).
• net/mlx5: Unload device upon firmware fatal error (git-fixes).
• net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
• net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
• net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
• netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
• nfp: update ethtool reporting of pauseframe control (git-fixes).
• NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
• NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
• NFS: pass cred explicitly for access tests (bsc#1190746).
• nvme: avoid race in shutdown namespace removal (bsc#1188067).
• nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
• parport: remove non-zero check on count (git-fixes).
• PCI: aardvark: Fix checking for PIO status (git-fixes).
• PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
• PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
• PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
• PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
• PCI: Add AMD GPU multi-function power dependencies (git-fixes).
• PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
• PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
• PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
• PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
• PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
• PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
• PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
• PM: EM: Increase energy calculation precision (git-fixes).
• power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
• power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
• powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
• powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
• powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
• powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
• powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
• powerpc/perf: Fix the check for SIAR value (bsc#1065729).
• powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
• powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
• powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
• powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
• powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
• powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
• powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
• pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
• pwm: img: Do not modify HW state in .remove() callback (git-fixes).
• pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
• pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
• qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
• RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
• Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
• regmap: fix page selection for noinc reads (git-fixes).
• regmap: fix page selection for noinc writes (git-fixes).
• regmap: fix the offset of register error log (git-fixes).
• Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
• rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
• rpm/kernel-binary.spec: Use only non-empty certificates.
• rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
• rtc: rx8010: select REGMAP_I2C (git-fixes).
• rtc: tps65910: Correct driver module alias (git-fixes).
• s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
• sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
• scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
• scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
• scsi: fc: Add EDC ELS definition (bsc#1190576).
• scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
• scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
• scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
• scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
• scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
• scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
• scsi: lpfc: Add EDC ELS support (bsc#1190576).
• scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
• scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
• scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
• scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
• scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
• scsi: lpfc: Add support for the CM framework (bsc#1190576).
• scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
• scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
• scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
• scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
• scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
• scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
• scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
• scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
• scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
• scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
• scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
• scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
• scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
• scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
• scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
• scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
• scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
• scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
• scsi: lpfc: Remove unneeded variable (bsc#1190576).
• scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
• scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
• scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
• scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
• scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
• scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
• scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
• serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
• serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
• serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
• serial: sh-sci: fix break handling for sysrq (git-fixes).
• spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
• staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
• staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
• staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
• thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
• time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
• tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
• tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
• tty: synclink_gt, drop unneeded forward declarations (git-fixes).
• usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
• usb: core: hcd: Add support for deferring roothub registration (git-fixes).
• usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
• usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
• usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
• usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
• usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
• usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
• usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
• usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
• usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
• usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
• usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
• usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
• usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
• usb: serial: option: add Telit LN920 compositions (git-fixes).
• usb: serial: option: remove duplicate USB device ID (git-fixes).
• usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
• usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
• video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
• video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
• video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
• video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
• vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
• vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
• vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
• vmxnet3: prepare for version 6 changes (bsc#1190406).
• vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
• vmxnet3: set correct hash type based on rss information (bsc#1190406).
• vmxnet3: update to version 6 (bsc#1190406).
• watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
• x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
• x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
• x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
• x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
• x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
• x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
• xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
• xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
• xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
• xhci: Set HCD flag to defer primary roothub registration (git-fixes).

This update for yast2-network fixes the following issues:

• Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
• Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
• Consider aliases sections as case insensitive (bsc#1190739).
• Display user defined device name in the devices overview (bnc#1190645).
• Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
• Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
• Fix desktop file so the control center tooltip is translated (bsc#1187270).
• Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
• Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

• CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

• Install systemd service file as well (bsc#1190826)

• Fixed a failure to set CPU quota period in some cases on cgroup v1.
• Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped.
• Made release builds reproducible from now on.
• Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
• Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

• Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
• Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
• cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
• cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
• cgroup/systemd/v2: don't freeze cgroup on Set.
• cgroup/systemd/v1: avoid unnecessary freeze on Set.
• fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

• cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
• cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
• cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
• cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
• cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
• cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
• cgroupv2: support SkipDevices with systemd driver
• cgroup/systemd: return, not ignore, stop unit error from Destroy
• Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
• cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
• cgroup1: blkio: support BFQ weights.
• cgroupv2: set per-device io weights if BFQ IO scheduler is available.

• cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

• seccomp: fix 32-bit compilation errors
• runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
• runc start: fix 'chdir to cwd: permission denied' for some setups

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for less fixes the following issues:

• Add missing runtime dependency on package 'which', that is used by lessopen.sh (bsc#1190552)

This update for qemu fixes the following issues:
Security issues fixed:

• Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
• Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
• usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682)
• NULL pointer dereference in ESP (bsc#1180433, CVE-2020-35504) (bsc#1180434, CVE-2020-35505) (bsc#1180435, CVE-2020-35506)
• NULL pointer dereference issue in megasas-gen2 host bus adapter (bsc#1180432, CVE-2020-35503)
• eepro100: stack overflow via infinite recursion (bsc#1182651, CVE-2021-20255)
• usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527)

This update for SUSEConnect contains the following fix:

• Update to 0.3.32: - Allow --regcode and --instance-data attributes at the same time. (jsc#PCT-164) - Document that 'debug' can also get set in the config file. - --status will also print the subscription name.

This update for grub2 fixes the following issues:

• Fix boot failure as journaled data not get drained due to abrupt power off after grub-install (bsc#1167756)
• Fix boot failure after kdump due to the content of grub.cfg to pending modificaton in xfs journal (bsc#1186975)

This update for bind fixes the following issues:

• CVE-2021-25219: Fixed lame cache that could have been abused to severely degrade resolver performance (bsc#1192146).

This update for libzypp, zypper and libsolv fixes the following issues:

• Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
• Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
• Make sure to keep states alives while transitioning. (bsc#1190199)
• May set techpreview variables for testing in /etc/zypp/zypp.conf.
• If environment variables are unhandy one may enable the desired techpreview in zypp.conf
• CMake/spec: Add option to force SINGLE_RPMTRANS as default for zypper.
• Make sure singleTrans is zypper-only for now.
• Do not check of signatures and keys two times(redundant) (bsc#1190059)
• Fix crashes in logging code when shutting down (bsc#1189031)
• Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
• Fix solver jobs for PTFs (bsc#1186503)
• spec: switch to pkgconfig(openssl)
• Show key fpr from signature when signature check fails (bsc#1187224)
• Implement alternative single transaction commit strategy.
• Use ZYPP_MEDIANETWORK=1 to enable the experimental new media backend.
• Implement zchunk download, refactor Downloader backend.
• Fix purge-kernels fails (bsc#1187738)
• Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
• Fix typo in German translations.
• Support new reports for singletrans rpm commit.
• Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
• Install summary: Show new and removed packages closer to the prompt.
• Add need reboot/restart hint to XML install summary (bsc#1188435)
• Add comment option for lock command.
• Fix obs:// platform guessing for Leap (bsc#1187425)
• Manpage: Improve description about patch updates(bsc#1187466)
• Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
• Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
• Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS' (bsc#1153687)
• Protect against strict/relaxed user umask via sudo (bsc#1183589)
• zypper-log: protect against thread name indicators in a log.
• xml summary: add solvables repository alias. (bsc#1182372)
• Fix service detection with cgroupv2 (bsc#1184997)
• Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
• Allow trusted repos to add additional signing keys (bsc#1184326)
• Let negative values wait forever for the zypp lock (bsc#1184399)
• Link all executables with -pie (bsc#1186447)
• Ship an empty /etc/zypp/needreboot per default (jsc#PM-2645)
• choice rules: treat orphaned packages as newest (bc#1190465)
• Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
• Disable logger in the child after fork (bsc#1192436)
• Check log writer before accessing it (bsc#1192337)
• Allow uname-r format in purge kernels keepspec
• zypper should keep cached files if transaction is aborted (bsc#1190356)
• Require a minimum number of mirrors for multicurl (bsc#1191609)
• Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
• Fix translations (bsc#1191370)
• RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)

This update for xfsprogs fixes the following issues:

• Make libhandle1 an explicit dependency in the xfsprogs-devel package (bsc#1191566)
• Remove deprecated barrier/nobarrier mount options from manual pages section 5 (bsc#1191675)
• xfs_io: include support for label command (bsc#1191500)
• xfs_quota: state command to report all three (-ugp) grace times separately (bsc#1189983)
• xfs_admin: add support for external log devices (bsc#1189984)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for systemd fixes the following issues:

• Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
• Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
• shutdown: Reduce log level of unmounts (bsc#1191252)
• pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
• core: rework how we connect to the bus (bsc#1190325)
• mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
• virt: detect Amazon EC2 Nitro instance (bsc#1190440)
• Several fixes for umount
• busctl: use usec granularity for the timestamp printed by the busctl monitor command
• fix unitialized fields in MountPoint in dm_list_get()
• shutdown: explicitly set a log target
• mount-util: add mount_option_mangle()
• dissect: automatically mark partitions read-only that have a read-only file system
• build-sys: require proper libmount version
• systemd-shutdown: use log_set_prohibit_ipc(true)
• rationalize interface for opening/closing logging
• pid1: when we can't log to journal, remember our fallback log target
• log: remove LOG_TARGET_SAFE pseudo log target
• log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
• log: add new 'prohibit_ipc' flag to logging system
• log: make log_set_upgrade_syslog_to_journal() take effect immediately
• dbus: split up bus_done() into seperate functions
• machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
• virt: if we detect Xen by DMI, trust that over CPUID

This update for suse-module-tools fixes the following issues:
Update to version 15.0.10:

• Add kernel rpm scriptlets
• rpm-script: fix bad exit status in OpenQA (bsc#1191922)
• cert-script: Deal with existing $cert.delete file (bsc#1191804).
• cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480).
• cert-script: Only print mokutil output in verbose mode.
• inkmp-script(postun): don't pass existing files to weak-modules2 (bsc#1191200)
• kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260)
• rpm-script: link config also into /boot (bsc#1189879)
• Import kernel scriptlets from kernel-source. (bsc#1189841, bsc#1190598)
• Provide 'suse-kernel-rpm-scriptlets'

• 00-system.conf: move br_netfilter softdep to separate file (bsc#1158817)

This update for glibc fixes the following issues:

• libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
• CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

This update for ruby2.5 fixes the following issues:

• CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
• CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
• CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).

This update for xen fixes the following issues:

• CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
• CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
• CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
• CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).

• Integrate bugfixes (bsc#1189373, bsc#1189378).

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for openssh fixes the following issues:

• CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for aaa_base fixes the following issues:

• Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
• Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
• Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
• Support xz compressed kernel (bsc#1162581)

This update for curl fixes the following issues:

• Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:

• CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573) You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)

• CVE-2018-3639: Fixed a speculative execution that may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1087082)
• CVE-2021-20320: Fix a bug that allows a local attacker with special user privilege can circumvent the verifier and may lead to a confidentiality problem. (bsc#1190601)
• CVE-2021-0941: Fixed A missing sanity check to the current MTU check that may allow a local attacker with special user privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. (bnc#1192045)
• CVE-2021-31916: Fixed a bound check failure that could allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash, a leak of internal kernel information, or a privilege escalation problem. (bnc#1192781)
• CVE-2021-20322: Fixed a bug that provides to an attacker the ability to quickly scan open UDP ports. (bsc#1191790)
• CVE-2021-3772: Fixed an issue that would allow a blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. (bsc#1190351)
• CVE-2021-34981: Fixed an issue that allows an attacker with a local account to escalate privileges when CAPI (ISDN) hardware connection fails. (bsc#1191961)
• CVE-2018-9517: Fixed possible memory corruption due to a use after free in pppol2tp_connect (bsc#1108488).
• CVE-2019-3874: Fixed possible denial of service attack via SCTP socket buffer used by a userspace applications (bnc#1129898).
• CVE-2019-3900: Fixed an infinite loop issue while handling incoming packets in handle_rx() (bnc#1133374).
• CVE-2020-12770: Fixed sg_remove_request call in a certain failure cases (bsc#1171420).
• CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
• CVE-2021-22543: Fixed improper handling of VM_IO|VM_PFNMAP vmas in KVM, which could bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allowed users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation (bsc#1186482).
• CVE-2021-33033: Fixed a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled (bsc#1186109).
• CVE-2021-34556: Fixed side-channel attack via a Speculative Store Bypass via unprivileged BPF program that could have obtain sensitive information from kernel memory (bsc#1188983).
• CVE-2021-35477: Fixed BPF stack frame pointer which could have been abused to disclose content of arbitrary kernel memory (bsc#1188985).
• CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
• CVE-2021-3653: Missing validation of the `int_ctl` VMCB field and allows a malicious L1 guest to enable AVIC support for the L2 guest. (bsc#1189399).
• CVE-2021-3655: Fixed a missing size validations on inbound SCTP packets, which may have allowed the kernel to read uninitialized memory (bsc#1188563).
• CVE-2021-3656: Missing validation of the the `virt_ext` VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
• CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
• CVE-2021-3679: A lack of CPU resource in tracing module functionality was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
• CVE-2021-37159: Fixed use-after-free and a double free inside hso_free_net_device in drivers/net/usb/hso.c when unregister_netdev is called without checking for the NETREG_REGISTERED state (bnc#1188601).
• CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
• CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
• CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
• CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
• CVE-2021-37576: Fixed an issue on the powerpc platform, where a KVM guest OS user could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
• CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
• CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
• CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
• CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
• CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
• CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
• CVE-2021-41864: Fixed prealloc_elems_and_freelist that allowed unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write (bnc#1191317).
• CVE-2021-42008: Fixed a slab out-of-bounds write in the decode_data function in drivers/net/hamradio/6pack.c. Input from a process that had the CAP_NET_ADMIN capability could have lead to root access (bsc#1191315).
• CVE-2021-42252: Fixed an issue inside aspeed_lpc_ctrl_mmap that could have allowed local attackers to access the Aspeed LPC control interface to overwrite memory in the kernel and potentially execute privileges (bnc#1190479).

• bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22913)
• bpf: Disallow unprivileged bpf by default (jsc#SLE-22913).
• cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
• drm: fix spectre issue in vmw_execbuf_ioctl (bsc#1192802).
• ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
• gigaset: fix spectre issue in do_data_b3_req (bsc#1192802).
• hisax: fix spectre issues (bsc#1192802).
• hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185726).
• hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
• hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
• hysdn: fix spectre issue in hycapi_send_message (bsc#1192802).
• infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
• ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
• iwlwifi: fix spectre issue in iwl_dbgfs_update_pm (bsc#1192802).
• media: dvb_ca_en50221: prevent using slot_info for Spectre attacs (bsc#1192802).
• media: dvb_ca_en50221: sanity check slot number from userspace (bsc#1192802).
• media: wl128x: get rid of a potential spectre issue (bsc#1192802).
• memcg: enable accounting for file lock caches (bsc#1190115).
• mpt3sas: fix spectre issues (bsc#1192802).
• net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
• net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
• net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
• net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
• net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
• net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191800).
• net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
• net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
• net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
• net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
• net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
• net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() (bsc#1192802).
• net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854).
• net/mlx4_en: Handle TX error CQE (bsc#1181854).
• objtool: Do not fail on missing symbol table (bsc#1192379).
• osst: fix spectre issue in osst_verify_frame (bsc#1192802).
• ovl: check whiteout in ovl_create_over_whiteout() (bsc#1189846).
• ovl: filter of trusted xattr results in audit (bsc#1189846).
• ovl: fix dentry leak in ovl_get_redirect (bsc#1189846).
• ovl: initialize error in ovl_copy_xattr (bsc#1189846).
• ovl: relax WARN_ON() on rename to self (bsc#1189846).
• s390/bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
• s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
• s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
• s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
• s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
• sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
• sctp: fully initialize v4 addr in some functions (bsc#1188563).
• sysvipc/sem: mitigate semnum index against spectre v1 (bsc#1192802).
• x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
• xfrm: xfrm_state_mtu should return at least 1280 for ipv6 (bsc#1185377).

This update for python3 fixes the following issues:

• CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
• CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
• CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)

• Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338).

This update for systemd fixes the following issues:

• Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates

This update for p11-kit fixes the following issues:

• CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
• Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

This update for runc fixes the following issues:
Update to runc v1.0.3.

• CVE-2021-43784: Fixed a potential vulnerability related to the internal usage of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
• Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
• Fixed inability to start when read-only /dev in set in spec.
• Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd.
• Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes).

This update for zlib fixes the following issues:

• Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

This update for libzypp fixes the following issues:

• Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
• Fix wrong encoding of URI compontents of ISO images (bsc#954813)
• When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
• Introduce zypp-curl as a sublibrary for CURL related code
• zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
• Save all signatures associated with a public key in its PublicKeyData

This update for apparmor fixes the following issues:

• Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

This update for mozilla-nss and MozillaFirefox fix the following issues:
mozilla-nss:

• Update from version 3.68.1 to 3.68.2 (bsc#1193845)
• Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation

• Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
• Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol implementation to fix frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains

This update for dosfstools fixes the following issues:

• To be able to create filesystems compatible with previous version, add -g command line option to mkfs (bsc#1188401)
• BREAKING CHANGES: After fixing of bsc#1172863 in the last update, mkfs started to create different images than before. Applications that depend on exact FAT file format (e. g. embedded systems) may be broken in two ways: * The introduction of the alignment may create smaller images than before, with a different positions of important image elements. It can break existing software that expect images in doststools <= 4.1 style. To work around these problems, use '-a' command line argument. * The new image may contain a different geometry values. Geometry sensitive applications expecting doststools <= 4.1 style images can fails to accept different geometry values. There is no direct work around for this problem. But you can take the old image, use 'file -s $IMAGE', check its 'sectors/track' and 'heads', and use them in the newly introduced '-g' command line argument.

This update for expat fixes the following issues:

• CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
• CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
• CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
• CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
• CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
• CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
• CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
• CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

This update for json-c fixes the following issues:

• CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)

SUSE-IU-2021:410-1

SUSE-IU-2021:5-1

This update for kdump fixes the following issues:

• Fix multipath configuration with `user_friendly_names` and/or aliases. (bsc#1111207, bsc#1125218, bsc#1153601)
• Recover from missing `CRASHTIME=` in `VMCOREINFO`. (bsc#1112387)
• Clean up the use of current vs. boot network interface names. (bsc#1094444, bsc#1116463, bsc#1141064)
• Use a custom namespace for physical NICs. (bsc#1094444, bsc#1116463, bsc#1141064)
• Add `:force` option to `KDUMP_NETCONFIG`. (bsc#1108919)
• Add `fence_kdump_send` when `fence-agents` are installed. (bsc#1108919)
• Use var for path of `fence_kdump_send` and remove the unnecessary `PRESCRIPT` check. (bsc#1108919)
• Document kdump behaviour for `fence_kdump_send`. (bsc#1108919)
• Restore only static routes in kdump initrd. (bsc#1093795)
• Replace obsolete perl-Bootloader library with a simpler script. (bsc#1050349)
• Remove `console=hvc0` from command line. (bsc#1173914)
• Set serial console from Xen command line. (bsc#1173914)
• Remove `noefi` and `acpi_rsdp` for EFI firmware. (bsc#1123940, bsc#1170336)
• Add `skip_balance` option to BTRFS mounts. (bsc#1108255)
• Do not add `rd.neednet=1` to dracut command line. (bsc#1177196)

This update for gzip fixes the following issues:
Update from version 1.9 to version 1.10 (jsc#ECO-2217, jsc#SLE-12974)

• Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)

• Fix three data corruption issues. (bsc#1145276, jsc#SLE-5818, jsc#SLE-8914)
• Add support for `DFLTCC` (hardware-accelerated deflation) for s390x arch. (jsc#SLE-5818, jsc#SLE-8914)

• Compressed gzip output no longer contains the current time as a timestamp when the input is not a regular file. Instead, the output contains a `null` (zero) timestamp. This makes gzip's behavior more reproducible when used as part of a pipeline.
• A use of uninitialized memory on some malformed inputs has been fixed.
• A few theoretical race conditions in signal handlers have been fixed.
• Update gnulib for `libio.h` removal.

This update for rsyslog fixes the following issues:

• Fixes a crash for imfile (bsc#1176355)

This update for openssh fixes the following issues:

• CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
• Fixed an issue where oracle cluster with cluvfy using 'scp' failing/missinterpreted (bsc#1148566).

This update for xen fixes the following issues:

• CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
• CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322).
• CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
• CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324).
• CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
• CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
• CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
• Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
• Multiple other bugs (bsc#1027519)

This update for python3 fixes the following issues:

• Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP.
• Change setuptools and pip version numbers according to new wheels
• Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)
• add triplets for mips-r6 and riscv
• RISC-V needs CTYPES_PASS_BY_REF_HACK

• Ensure python3.dll is loaded from correct locations when Python is embedded
• The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
• Prevent http header injection by rejecting control characters in http.client.putrequest(…).
• Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.
• Avoid infinite loop when reading specially crafted TAR files using the tarfile module

• This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).

• Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks.
• Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094)
• CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

• key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
• This fix uses a hash table to avoid the quadratic behaviour.

This update for python3 fixes the following issues:

• A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. (bsc#1180377)

This update for SUSEConnect fixes the following issue:
Update to version 0.3.29

• Replace the Ruby path with the native one during build phase.

This update for openldap2 fixes the following issues:
Security issues fixed:

• CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
• CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

• Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

This update for libselinux fixes the following issue:
Issues addressed:

• Removed check for selinux-policy package as it is not shipped in this package(bsc#1136845).
• Added check that restorecond is installed and enabled
• adjusted licenses of packages. All packages are under Public Domain, only selinux-tools contains a GPL-2.0 tool.

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for sudo fixes the following issues:

• A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090,CVE-2021-3156]
• It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit` [bsc#1180684,CVE-2021-23239]
• A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240]
• It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]

This update for systemd fixes the following issues:

• Added a timestamp to the output of the busctl monitor command (bsc#1180225)
• Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
• Improved the caching of cgroups member mask (bsc#1175458)
• Fixed the dependency definition of sound.target (bsc#1179363)
• Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
• time-util: treat /etc/localtime missing as UTC (bsc#1141597)
• Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

This update for systemd fixes the following issues:

• Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
• Fix for an issue when container start causes interference in other containers. (bsc#1178775)

SUSE-IU-2020:117-1

This update for pciutils fixes the following issues:

• Fix lspci outputs when few of the VPD data fields are displayed as unknown. (bsc#1170554, ltc#185587)

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for vim fixes the following issues:

• CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225).

This update for chrony fixes the following issue:

• Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113)

This update for dracut fixes the following issues:

• Detect the sysfs attribute 'is_boot_target' (bsc#975267, bsc#1171388)

This update for audit fixes the following issues:

• Fix hang on startup. (bsc#1156159)
• Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

This update for gnutls fixes the following issues:

• CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506).
• Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461).

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.13 to fix:

• Fix solvable swapping messing up idarrays
• fix ruleinfo of complex dependencies returning the wrong origin

• Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only.
• remove 'using namespace std;' (bsc#1166610, fixes #218)
• Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
• Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
• RepoVariables: Add safe guard in case the caller does not own a zypp instance.
• Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
• Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
• Log patch status changes to history (jsc#SLE-5116)
• Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
• update translations
• boost: Fix deprecated auto_unit_test.hpp includes.
• Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
• Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format.
• yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it.
• Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770)
• RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
• RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro).
• Remove legacy rpmV3database conversion code.
• Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
• Remove undocumented rug legacy stuff.
• Remove 'using namespace std;' (bsc#1166610)
• patch table: Add 'Since' column if history data are available (jsc#SLE-5116)

• Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
• Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
• Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543)
• Correctly detect ambigous switch abbreviations (bsc#1165573)
• zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
• Do not allow the abbreviation of cli arguments (bsc#1164543)
• accoring to according in all translation files.
• Always show exception history if available.
• Use default package cache location for temporary repos (bsc#1130873)

This update for xen fixes the following issues:

• CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
• CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
• CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
• CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
• CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).
• Xenstored Crashed during VM install (bsc#1167152)

This update for grub2 fixes the following issues:

• Implement support searching for specific config files for netboot. (bsc#1166409)
• Skip zfcpdump kernel from the grub boot menu (bsc#1166513)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13

• CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377).

The SUSE Linux Enterprise 15 kernel was updated receive various security and bugfixes.
The following security bugs were fixed:

• CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
• CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111).
• CVE-2020-8992: Fixed an issue which could have allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069).
• CVE-2020-8834: Fixed a stack corruption which could have lead to kernel panic (bsc#1168276).
• CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931).
• CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).
• CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929).
• CVE-2020-8428: Fixed a use-after-free which could have allowed local users to cause a denial of service (bsc#1162109).
• CVE-2020-7053: Fixed a use-after-free in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bsc#1160966).
• CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).
• CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
• CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
• CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).
• CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
• CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
• CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
• CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
• CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
• CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
• CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
• CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
• CVE-2020-11609: Fixed a null pointer dereference due to improper handling of descriptors (bsc#1168854).
• CVE-2020-11608: Fixed a null pointer dereferences via a crafted USB (bsc#1168829).
• CVE-2020-11494: Fixed an issue which could have allowed attackers to read uninitialized can_frame data (bsc#1168424).
• CVE-2020-10942: Fixed a kernel stack corruption via crafted system calls (bsc#1167629).
• CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
• CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
• CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
• CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
• CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
• CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
• CVE-2019-9458: Fixed a use after free due to a race condition which could have led to privilege escalation of privilege (bsc#1168295).
• CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
• CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bsc#1120386).
• CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
• CVE-2019-20810: Fixed a memory leak in due to not calling of snd_card_free (bsc#1172458).
• CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which could have caused denial of service (bsc#1159908).
• CVE-2019-20095: Fixed an improper error-handling cases that did not free allocated hostcmd memory which was causing memory leak (bsc#1159909).
• CVE-2019-20054: Fixed a null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bsc#1159910).
• CVE-2019-19966: Fixed a use-after-free in cpia2_exit() which could have caused denial of service (bsc#1159841).
• CVE-2019-19965: Fixed a null pointer dereference, due to mishandling of port disconnection during discovery (bsc#1159911).
• CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
• CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285).
• CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).
• CVE-2019-19447: Fixed a user after free via a crafted ext4 filesystem image (bsc#1158819).
• CVE-2019-19319: Fixed a user after free when a large old_size value is used in a memset call (bsc#1158021).
• CVE-2019-19318: Fixed a use after free via a crafted btrfs image (bsc#1158026).
• CVE-2019-19054: Fixed a memory leak in the cx23888_ir_probe() which could have allowed attackers to cause a denial of service (bsc#1161518).
• CVE-2019-19045: Fixed a memory leak in which could have allowed attackers to cause a denial of service (bsc#1161522).
• CVE-2019-19036: Fixed a null pointer dereference in btrfs_root_node (bsc#1157692).
• CVE-2019-16994: Fixed a memory leak which might have caused denial of service (bsc#1161523).
• CVE-2019-14897: Fixed a stack overflow in Marvell Wifi Driver (bsc#1157155).
• CVE-2019-14896: Fixed a heap overflow in Marvell Wifi Driver (bsc#1157157).
• CVE-2019-14615: Fixed an improper control flow in certain data structures which could have led to information disclosure (bsc#1160195).
• CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

• 6pack,mkiss: fix possible deadlock (bsc#1051510).
• ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
• ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
• ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
• af_packet: set defaule value for tmo (bsc#1051510).
• ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
• ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
• ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
• ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
• ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
• ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
• ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
• ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
• ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
• ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
• ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
• ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
• ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
• ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
• ALSA: sh: Fix compile warning wrt const (git-fixes).
• ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
• ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
• ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
• arm64: Revert support for execute-only user mappings (bsc#1160218).
• ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
• ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
• ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
• ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
• ASoC: wm8962: fix lambda value (git-fixes).
• ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
• ath9k: fix storage endpoint lookup (git-fixes).
• a typo in %kernel_base_conflicts macro name
• batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
• bcma: remove set but not used variable 'sizel' (git-fixes).
• blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
• blktrace: fix dereference after null check (bsc#1159285).
• blktrace: fix trace mutex deadlock (bsc#1159285).
• bonding: fix active-backup transition after link failure (git-fixes).
• bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
• bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
• brcmfmac: fix interface sanity check (git-fixes).
• brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
• brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
• btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
• btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
• btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
• btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
• btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
• btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
• btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
• btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
• btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
• btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
• btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
• btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
• btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
• btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
• btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
• btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).
• btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
• btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
• btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
• btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
• btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
• btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
• btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
• btrfs: skip log replay on orphaned roots (bsc#1161935).
• btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
• btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
• btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
• btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
• btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
• btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
• btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
• btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
• btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
• btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
• can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
• can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
• can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
• can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
• cfg80211: check for set_wiphy_params (bsc#1051510).
• cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
• cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
• cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
• CIFS: add support for flock (bsc#1144333).
• CIFS: Close cached root handle only if it had a lease (bsc#1144333).
• CIFS: Close open handle after interrupted close (bsc#1144333).
• CIFS: close the shared root handle on tree disconnect (bsc#1144333).
• CIFS: Do not miss cancelled OPEN responses (bsc#1144333).
• CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333).
• CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
• CIFS: Fix mount options set in automount (bsc#1144333).
• CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333).
• CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
• CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
• CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
• CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
• CIFS: Properly process SMB3 lease breaks (bsc#1144333).
• CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
• CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
• clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
• clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
• clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
• clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
• clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
• clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
• clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
• clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170621).
• copy/pasted 'Recommends:' instead of 'Provides:', 'Obsoletes:' and 'Conflicts:
• crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
• crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
• crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
• crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
• crypto: ccp - fix uninitialized list head (bsc#1051510).
• crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
• crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
• crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
• crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
• debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
• debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.
• dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
• dmaengine: coh901318: Remove unused variable (bsc#1051510).
• dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
• dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
• drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
• drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
• drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170617).
• drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170617).
• drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
• drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170617).
• drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
• drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
• drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
• drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
• drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
• drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
• drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
• drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
• drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
• drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
• drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
• drm/i810: Prevent underflow in ioctl (bsc#1114279)
• drm/i915: Add missing include file (bsc#1051510).
• drm/i915: Fix pid leak with banned clients (bsc#1114279)
• drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
• drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
• drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
• drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
• drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
• drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
• drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
• drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
• e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
• exit: panic before exit_mm() on global init exit (bsc#1161549).
• extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).
• firestream: fix memory leaks (bsc#1051510).
• fix autofs regression caused by follow_managed() changes (bsc#1159271).
• fix dget_parent() fastpath race (bsc#1159271).
• Fix partial checked out tree build ... so that bisection does not break.
• fjes: fix missed check in fjes_acpi_add (bsc#1051510).
• fs: cifs: Fix atime update check vs mtime (bsc#1144333).
• fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
• fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
• fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
• ftrace: Avoid potential division by zero in function profiler (bsc#1160784).
• futex: Prevent robust futex exit race (bsc#1161555).
• gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).
• HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).
• HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).
• hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).
• HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).
• hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).
• hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).
• hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).
• i2c: imx: do not print error message on probe defer (bsc#1051510).
• IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
• ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
• ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
• iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
• iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
• inet: protect against too small mtu values (networking-stable-19_12_16).
• Input: add safety guards to input_set_keycode() (bsc#1168075).
• Input: aiptek - fix endpoint sanity check (bsc#1051510).
• Input: cyttsp4_core - fix use after free bug (bsc#1051510).
• Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
• Input: gtco - fix endpoint sanity check (bsc#1051510).
• Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
• Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
• Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
• Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
• Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
• Input: sur40 - fix interface sanity checks (bsc#1051510).
• Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
• Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
• Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
• iommu: Remove device link to group on failure (bsc#1160755).
• iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
• iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
• iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
• iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
• kABI: protect struct sctp_ep_common (kabi).
• kABI: restore debugfs_remove_recursive() (bsc#1159198).
• kABI workaround for can/skb.h inclusion (bsc#1051510).
• kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
• KEYS: reaching the keys quotas correctly (bsc#1171689).
• KVM: fix spectrev1 gadgets (bsc#1164705).
• KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
• KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
• KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
• KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
• KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
• KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
• KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
• KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
• KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
• KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
• KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
• KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
• leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
• leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
• lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
• lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
• livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
• livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
• mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
• macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
• macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
• md/raid0: Fix buffer overflow at debug print (bsc#1164051).
• media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
• media: cec: report Vendor ID after initialization (bsc#1051510).
• media: iguanair: fix endpoint sanity check (bsc#1051510).
• media: ov519: add missing endpoint sanity checks (bsc#1168829).
• media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
• media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
• media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
• media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
• media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
• media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
• missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ('rpm/kernel-subpackage-spec: Unify dependency handling.') Fixes: 3fd22e219f77 ('rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)')
• mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
• mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
• mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
• mmc: sdhci-of-esdhc: Revert 'mmc: sdhci-of-esdhc: add erratum A-009204 support' (bsc#1051510).
• mmc: tegra: fix SDR50 tuning override (bsc#1051510).
• mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
• mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
• mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
• net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
• net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
• net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
• netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
• net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
• net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
• net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
• net: psample: fix skb_over_panic (networking-stable-19_12_03).
• net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
• net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
• net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
• net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
• net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
• new helper: lookup_positive_unlocked() (bsc#1159271).
• NFC: pn533: fix bulk-message timeout (bsc#1051510).
• NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
• objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
• openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
• openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
• openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
• orinoco_usb: fix interface sanity check (git-fixes).
• PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
• PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
• phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
• pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
• pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
• platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
• platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
• platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
• powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
• powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
• powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
• powerpc: Fix vDSO clock_getres() (bsc#1065729).
• powerpc/irq: fix stack overflow verification (bsc#1065729).
• powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
• powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
• powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
• powerpc/powernv: Disable native PCIe port management (bsc#1065729).
• powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
• powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
• powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
• powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
• powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
• powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
• ppp: Adjust indentation into ppp_async_input (git-fixes).
• prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
• pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
• qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ).
• r8152: add missing endpoint sanity check (bsc#1051510).
• random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
• RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
• regulator: Fix return value of _set_load() stub (bsc#1051510).
• regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
• regulator: rn5t618: fix module aliases (bsc#1051510).
• Revert 'Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers' (bsc#1051510).
• Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
• Revert 'mmc: sdhci: Fix incorrect switch to HS mode' (bsc#1051510).
• rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
• rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
• rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
• rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
• rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
• scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
• scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
• scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
• scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
• scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
• scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
• scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
• scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
• scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
• scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
• scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
• scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
• scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
• scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
• scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
• scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
• scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
• scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
• scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
• sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
• serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
• serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
• serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
• serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
• serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
• sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
• sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
• sh_eth: fix dumping ARSTR (bsc#1051510).
• sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
• sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
• sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
• sh_eth: fix TXALCR1 offsets (bsc#1051510).
• sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
• smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
• smb3: Fix persistent handles reconnect (bsc#1144333).
• smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
• smb3: remove confusing dmesg when mounting with encryption ('seal') (bsc#1144333).
• soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
• spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
• spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
• spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
• spi: tegra114: flush fifos (bsc#1051510).
• spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
• staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
• Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
• staging: rtl8188eu: fix interface sanity check (bsc#1051510).
• staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
• tcp: clear tp->packets_out when purging write queue (bsc#1160560).
• tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
• tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
• tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
• tracing: xen: Ordered comparison of function pointers (git-fixes).
• tty: n_hdlc: fix build on SPARC (bsc#1051510).
• tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
• tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
• tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
• USB: Allow USB device to be warm reset in suspended state (bsc#1051510).
• USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
• USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
• USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
• USB: core: urb: fix URB structure initialization function (bsc#1051510).
• USB: documentation: flags on usb-storage versus UAS (bsc#1051510).
• USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
• USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
• USB: dwc3: ep0: Clear started flag on completion (bsc#1051510).
• USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
• USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
• USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
• USB: gadget: pch_udc: fix use after free (bsc#1051510).
• USB: gadget: u_serial: add missing port entry locking (bsc#1051510).
• USB: gadget: Zero ffs_io_data (bsc#1051510).
• USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
• usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
• USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
• USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
• USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
• USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
• USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
• USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
• USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
• USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
• USB: serial: ir-usb: fix IrLAP framing (bsc#1051510).
• USB: serial: ir-usb: fix link-speed handling (bsc#1051510).
• USB: serial: keyspan: handle unbound ports (bsc#1051510).
• USB: serial: opticon: fix control-message timeouts (bsc#1051510).
• USB: serial: option: Add support for Quectel RM500Q (bsc#1051510).
• USB: serial: quatech2: handle unbound ports (bsc#1051510).
• USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
• USB: serial: suppress driver bind attributes (bsc#1051510).
• USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).
• USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510).
• USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510).
• USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).
• workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
• x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115).
• x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115).
• x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115).
• x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115).
• x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621).
• x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617).
• x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617).
• x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617).
• x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617).
• x86/Hyper-V: report value of misc_features (git-fixes).
• x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617).
• x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617).
• x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
• x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
• x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
• x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
• x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
• x86/mm: Split vmalloc_sync_all() (bsc#1165741).
• x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
• x86/resctrl: Fix potential memory leak (bsc#1114279).
• x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115).
• x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115).
• x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115).
• x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115).
• x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115).
• x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115).
• x86/xen: fix booting 32-bit pv guest (bsc#1071995).
• x86/xen: Make the boot CPU idle task reliable (bsc#1071995).
• x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).
• xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
• xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
• xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
• xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
• xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
• xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
• xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
• xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
• xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
• xhci: make sure interrupts are restored to correct state (bsc#1051510).
• zd1211rw: fix storage endpoint lookup (git-fixes).

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53

• CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

This update for cloud-init contains the following fixes:

• rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/.

This update for perl fixes the following issues:

• CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
• CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
• CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
• Fixed a bad warning in features.ph (bsc#1172348).

This update for systemd fixes the following issues:

• Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

This update for dracut fixes the following issue:

• Fix dracut timeout on missing root device (bsc#1161573)

This update for python3 fixes the following issues:

• CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface could have led to denial of service (bsc#1173274).

This update for zstd fixes the following issues:

• Fix for build error caused by wrong static libraries. (bsc#1133297)
• Correction in spec file marking the license as documentation. (bsc#1082318)
• Add new package for SLE-15. (jsc#ECO-1886)

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1

• CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
• Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).

This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:

• Support transforming bitmap glyphs from python. (bsc#1169444)
• Allow python-Sphinx >= 3

• Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once.

• Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
• Include the subfamily in the filename of converted fonts
• Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
• Replace some unicode values in cu-pua12.pcf.gz to fix them
• Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not.
• Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular

• Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3

This update for openldap2 fixes the following issues:

• CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
• Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

This update for permissions fixes the following issues:

• Removed conflicting entries which might expose pcp to security issues (bsc#1171883)