From sle-security-updates at lists.suse.com  Mon Nov  4 13:12:40 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Nov 2019 21:12:40 +0100 (CET)
Subject: SUSE-SU-2019:2890-1: important: Security update for samba
Message-ID: <20191104201240.C2069F798@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2890-1
Rating:             important
References:         #1144902
Cross-References:   CVE-2019-10218
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise High Availability 12-SP4
                    SUSE Linux Enterprise High Availability 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP4
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for samba fixes the following issues:

   - CVE-2019-10218: Client code can return filenames containing path
     separators (bsc#1144902).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2890=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2890=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2890=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2890=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2890=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2890=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2890=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2019-2890=1

   - SUSE Linux Enterprise High Availability 12-SP3:

      zypper in -t patch SUSE-SLE-HA-12-SP3-2019-2890=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2890=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2019-2890=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2019-2890=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1
libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 
libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 
samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE OpenStack Cloud 8 (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - SUSE OpenStack Cloud 8 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 
libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 
libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libndr-devel-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac-devel-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt-devel-4.6.16+git.169.064abe062be-3.46.1 libndr-standard-devel-4.6.16+git.169.064abe062be-3.46.1 libsamba-util-devel-4.6.16+git.169.064abe062be-3.46.1 libsmbclient-devel-4.6.16+git.169.064abe062be-3.46.1 libwbclient-devel-4.6.16+git.169.064abe062be-3.46.1 samba-core-devel-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 
samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 
libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 
libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 
libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 
libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 
samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 
libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 
libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 
libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 
libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 
samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64): ctdb-4.6.16+git.169.064abe062be-3.46.1 ctdb-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): ctdb-4.6.16+git.169.064abe062be-3.46.1 ctdb-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Desktop 12-SP4 (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 
libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 
libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 
samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): ctdb-4.6.16+git.169.064abe062be-3.46.1 ctdb-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 
libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-ceph-4.6.16+git.169.064abe062be-3.46.1 samba-ceph-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1 - SUSE Enterprise Storage 5 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 
libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 - SUSE Enterprise Storage 5 (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - HPE Helion Openstack 8 (noarch): samba-doc-4.6.16+git.169.064abe062be-3.46.1 - HPE Helion Openstack 8 (x86_64): libdcerpc-binding0-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc-binding0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-32bit-4.6.16+git.169.064abe062be-3.46.1 
libdcerpc0-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libdcerpc0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-krb5pac0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-nbt0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr-standard0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libndr0-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libndr0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libnetapi0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-credentials0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-errors0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-4.6.16+git.169.064abe062be-3.46.1 libsamba-hostconfig0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 
libsamba-hostconfig0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-passdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamba-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsamdb0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbconf0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libsmbldap0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libtevent-util0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 libwbclient0-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-4.6.16+git.169.064abe062be-3.46.1 samba-client-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-4.6.16+git.169.064abe062be-3.46.1 
samba-client-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-client-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-debugsource-4.6.16+git.169.064abe062be-3.46.1 samba-libs-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-libs-debuginfo-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-32bit-4.6.16+git.169.064abe062be-3.46.1 samba-winbind-debuginfo-4.6.16+git.169.064abe062be-3.46.1

References:

   https://www.suse.com/security/cve/CVE-2019-10218.html
   https://bugzilla.suse.com/1144902

From sle-security-updates at lists.suse.com Mon Nov 4 13:21:21 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Nov 2019 21:21:21 +0100 (CET)
Subject: SUSE-SU-2019:2891-1: moderate: Security update for python-ecdsa
Message-ID: <20191104202121.148D5F798@maintenance.suse.de>

   SUSE Security Update: Security update for python-ecdsa
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2891-1
Rating:             moderate
References:         #1153165 #1154217
Cross-References:   CVE-2019-14853 CVE-2019-14859
Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 15
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for python-ecdsa to version 0.13.3 fixes the following issues:

   Security issues fixed:

   - CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
   - CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2019-2891=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2019-2891=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2891=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2891=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2891=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15 (noarch):

      python3-ecdsa-0.13.3-3.3.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (noarch):

      python2-ecdsa-0.13.3-3.3.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      python2-ecdsa-0.13.3-3.3.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      python2-ecdsa-0.13.3-3.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      python3-ecdsa-0.13.3-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2019-14853.html
   https://www.suse.com/security/cve/CVE-2019-14859.html
   https://bugzilla.suse.com/1153165
   https://bugzilla.suse.com/1154217

From sle-security-updates at lists.suse.com Tue Nov 5 07:11:51 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 Nov 2019 15:11:51 +0100 (CET)
Subject: SUSE-SU-2019:2893-1: important: Security update for samba
Message-ID: <20191105141151.24C8FF798@maintenance.suse.de>

   SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2893-1
Rating:             important
References:         #1144902
Cross-References:   CVE-2019-10218
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for samba fixes the following issue:

   - CVE-2019-10218: Fixed a path injection caused by filenames containing path separators (bso#14071) (bsc#1144902).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2893=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2893=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2893=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2893=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2019-2893=1

Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

libdcerpc-binding0-32bit-4.4.2-38.28.1 libdcerpc-binding0-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-4.4.2-38.28.1 libdcerpc0-32bit-4.4.2-38.28.1 libdcerpc0-4.4.2-38.28.1 libdcerpc0-debuginfo-32bit-4.4.2-38.28.1 libdcerpc0-debuginfo-4.4.2-38.28.1 libndr-krb5pac0-32bit-4.4.2-38.28.1 libndr-krb5pac0-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-4.4.2-38.28.1 libndr-nbt0-32bit-4.4.2-38.28.1 libndr-nbt0-4.4.2-38.28.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.28.1 libndr-nbt0-debuginfo-4.4.2-38.28.1 libndr-standard0-32bit-4.4.2-38.28.1 libndr-standard0-4.4.2-38.28.1 libndr-standard0-debuginfo-32bit-4.4.2-38.28.1 libndr-standard0-debuginfo-4.4.2-38.28.1 libndr0-32bit-4.4.2-38.28.1 libndr0-4.4.2-38.28.1 libndr0-debuginfo-32bit-4.4.2-38.28.1 libndr0-debuginfo-4.4.2-38.28.1 libnetapi0-32bit-4.4.2-38.28.1 libnetapi0-4.4.2-38.28.1 libnetapi0-debuginfo-32bit-4.4.2-38.28.1 libnetapi0-debuginfo-4.4.2-38.28.1 libsamba-credentials0-32bit-4.4.2-38.28.1 libsamba-credentials0-4.4.2-38.28.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.28.1 libsamba-credentials0-debuginfo-4.4.2-38.28.1 libsamba-errors0-32bit-4.4.2-38.28.1 libsamba-errors0-4.4.2-38.28.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.28.1 libsamba-errors0-debuginfo-4.4.2-38.28.1 libsamba-hostconfig0-32bit-4.4.2-38.28.1 libsamba-hostconfig0-4.4.2-38.28.1
libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.28.1 libsamba-hostconfig0-debuginfo-4.4.2-38.28.1 libsamba-passdb0-32bit-4.4.2-38.28.1 libsamba-passdb0-4.4.2-38.28.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.28.1 libsamba-passdb0-debuginfo-4.4.2-38.28.1 libsamba-util0-32bit-4.4.2-38.28.1 libsamba-util0-4.4.2-38.28.1 libsamba-util0-debuginfo-32bit-4.4.2-38.28.1 libsamba-util0-debuginfo-4.4.2-38.28.1 libsamdb0-32bit-4.4.2-38.28.1 libsamdb0-4.4.2-38.28.1 libsamdb0-debuginfo-32bit-4.4.2-38.28.1 libsamdb0-debuginfo-4.4.2-38.28.1 libsmbclient0-32bit-4.4.2-38.28.1 libsmbclient0-4.4.2-38.28.1 libsmbclient0-debuginfo-32bit-4.4.2-38.28.1 libsmbclient0-debuginfo-4.4.2-38.28.1 libsmbconf0-32bit-4.4.2-38.28.1 libsmbconf0-4.4.2-38.28.1 libsmbconf0-debuginfo-32bit-4.4.2-38.28.1 libsmbconf0-debuginfo-4.4.2-38.28.1 libsmbldap0-32bit-4.4.2-38.28.1 libsmbldap0-4.4.2-38.28.1 libsmbldap0-debuginfo-32bit-4.4.2-38.28.1 libsmbldap0-debuginfo-4.4.2-38.28.1 libtevent-util0-32bit-4.4.2-38.28.1 libtevent-util0-4.4.2-38.28.1 libtevent-util0-debuginfo-32bit-4.4.2-38.28.1 libtevent-util0-debuginfo-4.4.2-38.28.1 libwbclient0-32bit-4.4.2-38.28.1 libwbclient0-4.4.2-38.28.1 libwbclient0-debuginfo-32bit-4.4.2-38.28.1 libwbclient0-debuginfo-4.4.2-38.28.1 samba-4.4.2-38.28.1 samba-client-32bit-4.4.2-38.28.1 samba-client-4.4.2-38.28.1 samba-client-debuginfo-32bit-4.4.2-38.28.1 samba-client-debuginfo-4.4.2-38.28.1 samba-debuginfo-4.4.2-38.28.1 samba-debugsource-4.4.2-38.28.1 samba-libs-32bit-4.4.2-38.28.1 samba-libs-4.4.2-38.28.1 samba-libs-debuginfo-32bit-4.4.2-38.28.1 samba-libs-debuginfo-4.4.2-38.28.1 samba-winbind-32bit-4.4.2-38.28.1 samba-winbind-4.4.2-38.28.1 samba-winbind-debuginfo-32bit-4.4.2-38.28.1 samba-winbind-debuginfo-4.4.2-38.28.1 - SUSE OpenStack Cloud 7 (noarch): samba-doc-4.4.2-38.28.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libdcerpc-binding0-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-4.4.2-38.28.1 libdcerpc0-4.4.2-38.28.1 libdcerpc0-debuginfo-4.4.2-38.28.1 
libndr-krb5pac0-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-4.4.2-38.28.1 libndr-nbt0-4.4.2-38.28.1 libndr-nbt0-debuginfo-4.4.2-38.28.1 libndr-standard0-4.4.2-38.28.1 libndr-standard0-debuginfo-4.4.2-38.28.1 libndr0-4.4.2-38.28.1 libndr0-debuginfo-4.4.2-38.28.1 libnetapi0-4.4.2-38.28.1 libnetapi0-debuginfo-4.4.2-38.28.1 libsamba-credentials0-4.4.2-38.28.1 libsamba-credentials0-debuginfo-4.4.2-38.28.1 libsamba-errors0-4.4.2-38.28.1 libsamba-errors0-debuginfo-4.4.2-38.28.1 libsamba-hostconfig0-4.4.2-38.28.1 libsamba-hostconfig0-debuginfo-4.4.2-38.28.1 libsamba-passdb0-4.4.2-38.28.1 libsamba-passdb0-debuginfo-4.4.2-38.28.1 libsamba-util0-4.4.2-38.28.1 libsamba-util0-debuginfo-4.4.2-38.28.1 libsamdb0-4.4.2-38.28.1 libsamdb0-debuginfo-4.4.2-38.28.1 libsmbclient0-4.4.2-38.28.1 libsmbclient0-debuginfo-4.4.2-38.28.1 libsmbconf0-4.4.2-38.28.1 libsmbconf0-debuginfo-4.4.2-38.28.1 libsmbldap0-4.4.2-38.28.1 libsmbldap0-debuginfo-4.4.2-38.28.1 libtevent-util0-4.4.2-38.28.1 libtevent-util0-debuginfo-4.4.2-38.28.1 libwbclient0-4.4.2-38.28.1 libwbclient0-debuginfo-4.4.2-38.28.1 samba-4.4.2-38.28.1 samba-client-4.4.2-38.28.1 samba-client-debuginfo-4.4.2-38.28.1 samba-debuginfo-4.4.2-38.28.1 samba-debugsource-4.4.2-38.28.1 samba-libs-4.4.2-38.28.1 samba-libs-debuginfo-4.4.2-38.28.1 samba-winbind-4.4.2-38.28.1 samba-winbind-debuginfo-4.4.2-38.28.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libdcerpc-binding0-32bit-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.28.1 libdcerpc0-32bit-4.4.2-38.28.1 libdcerpc0-debuginfo-32bit-4.4.2-38.28.1 libndr-krb5pac0-32bit-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.28.1 libndr-nbt0-32bit-4.4.2-38.28.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.28.1 libndr-standard0-32bit-4.4.2-38.28.1 libndr-standard0-debuginfo-32bit-4.4.2-38.28.1 libndr0-32bit-4.4.2-38.28.1 libndr0-debuginfo-32bit-4.4.2-38.28.1 libnetapi0-32bit-4.4.2-38.28.1 libnetapi0-debuginfo-32bit-4.4.2-38.28.1 libsamba-credentials0-32bit-4.4.2-38.28.1 
libsamba-credentials0-debuginfo-32bit-4.4.2-38.28.1 libsamba-errors0-32bit-4.4.2-38.28.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.28.1 libsamba-hostconfig0-32bit-4.4.2-38.28.1 libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.28.1 libsamba-passdb0-32bit-4.4.2-38.28.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.28.1 libsamba-util0-32bit-4.4.2-38.28.1 libsamba-util0-debuginfo-32bit-4.4.2-38.28.1 libsamdb0-32bit-4.4.2-38.28.1 libsamdb0-debuginfo-32bit-4.4.2-38.28.1 libsmbclient0-32bit-4.4.2-38.28.1 libsmbclient0-debuginfo-32bit-4.4.2-38.28.1 libsmbconf0-32bit-4.4.2-38.28.1 libsmbconf0-debuginfo-32bit-4.4.2-38.28.1 libsmbldap0-32bit-4.4.2-38.28.1 libsmbldap0-debuginfo-32bit-4.4.2-38.28.1 libtevent-util0-32bit-4.4.2-38.28.1 libtevent-util0-debuginfo-32bit-4.4.2-38.28.1 libwbclient0-32bit-4.4.2-38.28.1 libwbclient0-debuginfo-32bit-4.4.2-38.28.1 samba-client-32bit-4.4.2-38.28.1 samba-client-debuginfo-32bit-4.4.2-38.28.1 samba-libs-32bit-4.4.2-38.28.1 samba-libs-debuginfo-32bit-4.4.2-38.28.1 samba-winbind-32bit-4.4.2-38.28.1 samba-winbind-debuginfo-32bit-4.4.2-38.28.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): samba-doc-4.4.2-38.28.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libdcerpc-binding0-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-4.4.2-38.28.1 libdcerpc0-4.4.2-38.28.1 libdcerpc0-debuginfo-4.4.2-38.28.1 libndr-krb5pac0-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-4.4.2-38.28.1 libndr-nbt0-4.4.2-38.28.1 libndr-nbt0-debuginfo-4.4.2-38.28.1 libndr-standard0-4.4.2-38.28.1 libndr-standard0-debuginfo-4.4.2-38.28.1 libndr0-4.4.2-38.28.1 libndr0-debuginfo-4.4.2-38.28.1 libnetapi0-4.4.2-38.28.1 libnetapi0-debuginfo-4.4.2-38.28.1 libsamba-credentials0-4.4.2-38.28.1 libsamba-credentials0-debuginfo-4.4.2-38.28.1 libsamba-errors0-4.4.2-38.28.1 libsamba-errors0-debuginfo-4.4.2-38.28.1 libsamba-hostconfig0-4.4.2-38.28.1 libsamba-hostconfig0-debuginfo-4.4.2-38.28.1 libsamba-passdb0-4.4.2-38.28.1 libsamba-passdb0-debuginfo-4.4.2-38.28.1 
libsamba-util0-4.4.2-38.28.1 libsamba-util0-debuginfo-4.4.2-38.28.1 libsamdb0-4.4.2-38.28.1 libsamdb0-debuginfo-4.4.2-38.28.1 libsmbclient0-4.4.2-38.28.1 libsmbclient0-debuginfo-4.4.2-38.28.1 libsmbconf0-4.4.2-38.28.1 libsmbconf0-debuginfo-4.4.2-38.28.1 libsmbldap0-4.4.2-38.28.1 libsmbldap0-debuginfo-4.4.2-38.28.1 libtevent-util0-4.4.2-38.28.1 libtevent-util0-debuginfo-4.4.2-38.28.1 libwbclient0-4.4.2-38.28.1 libwbclient0-debuginfo-4.4.2-38.28.1 samba-4.4.2-38.28.1 samba-client-4.4.2-38.28.1 samba-client-debuginfo-4.4.2-38.28.1 samba-debuginfo-4.4.2-38.28.1 samba-debugsource-4.4.2-38.28.1 samba-libs-4.4.2-38.28.1 samba-libs-debuginfo-4.4.2-38.28.1 samba-winbind-4.4.2-38.28.1 samba-winbind-debuginfo-4.4.2-38.28.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libdcerpc-binding0-32bit-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.28.1 libdcerpc0-32bit-4.4.2-38.28.1 libdcerpc0-debuginfo-32bit-4.4.2-38.28.1 libndr-krb5pac0-32bit-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.28.1 libndr-nbt0-32bit-4.4.2-38.28.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.28.1 libndr-standard0-32bit-4.4.2-38.28.1 libndr-standard0-debuginfo-32bit-4.4.2-38.28.1 libndr0-32bit-4.4.2-38.28.1 libndr0-debuginfo-32bit-4.4.2-38.28.1 libnetapi0-32bit-4.4.2-38.28.1 libnetapi0-debuginfo-32bit-4.4.2-38.28.1 libsamba-credentials0-32bit-4.4.2-38.28.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.28.1 libsamba-errors0-32bit-4.4.2-38.28.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.28.1 libsamba-hostconfig0-32bit-4.4.2-38.28.1 libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.28.1 libsamba-passdb0-32bit-4.4.2-38.28.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.28.1 libsamba-util0-32bit-4.4.2-38.28.1 libsamba-util0-debuginfo-32bit-4.4.2-38.28.1 libsamdb0-32bit-4.4.2-38.28.1 libsamdb0-debuginfo-32bit-4.4.2-38.28.1 libsmbclient0-32bit-4.4.2-38.28.1 libsmbclient0-debuginfo-32bit-4.4.2-38.28.1 libsmbconf0-32bit-4.4.2-38.28.1 libsmbconf0-debuginfo-32bit-4.4.2-38.28.1 
libsmbldap0-32bit-4.4.2-38.28.1 libsmbldap0-debuginfo-32bit-4.4.2-38.28.1 libtevent-util0-32bit-4.4.2-38.28.1 libtevent-util0-debuginfo-32bit-4.4.2-38.28.1 libwbclient0-32bit-4.4.2-38.28.1 libwbclient0-debuginfo-32bit-4.4.2-38.28.1 samba-client-32bit-4.4.2-38.28.1 samba-client-debuginfo-32bit-4.4.2-38.28.1 samba-libs-32bit-4.4.2-38.28.1 samba-libs-debuginfo-32bit-4.4.2-38.28.1 samba-winbind-32bit-4.4.2-38.28.1 samba-winbind-debuginfo-32bit-4.4.2-38.28.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): samba-doc-4.4.2-38.28.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libdcerpc-binding0-32bit-4.4.2-38.28.1 libdcerpc-binding0-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-32bit-4.4.2-38.28.1 libdcerpc-binding0-debuginfo-4.4.2-38.28.1 libdcerpc0-32bit-4.4.2-38.28.1 libdcerpc0-4.4.2-38.28.1 libdcerpc0-debuginfo-32bit-4.4.2-38.28.1 libdcerpc0-debuginfo-4.4.2-38.28.1 libndr-krb5pac0-32bit-4.4.2-38.28.1 libndr-krb5pac0-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-32bit-4.4.2-38.28.1 libndr-krb5pac0-debuginfo-4.4.2-38.28.1 libndr-nbt0-32bit-4.4.2-38.28.1 libndr-nbt0-4.4.2-38.28.1 libndr-nbt0-debuginfo-32bit-4.4.2-38.28.1 libndr-nbt0-debuginfo-4.4.2-38.28.1 libndr-standard0-32bit-4.4.2-38.28.1 libndr-standard0-4.4.2-38.28.1 libndr-standard0-debuginfo-32bit-4.4.2-38.28.1 libndr-standard0-debuginfo-4.4.2-38.28.1 libndr0-32bit-4.4.2-38.28.1 libndr0-4.4.2-38.28.1 libndr0-debuginfo-32bit-4.4.2-38.28.1 libndr0-debuginfo-4.4.2-38.28.1 libnetapi0-32bit-4.4.2-38.28.1 libnetapi0-4.4.2-38.28.1 libnetapi0-debuginfo-32bit-4.4.2-38.28.1 libnetapi0-debuginfo-4.4.2-38.28.1 libsamba-credentials0-32bit-4.4.2-38.28.1 libsamba-credentials0-4.4.2-38.28.1 libsamba-credentials0-debuginfo-32bit-4.4.2-38.28.1 libsamba-credentials0-debuginfo-4.4.2-38.28.1 libsamba-errors0-32bit-4.4.2-38.28.1 libsamba-errors0-4.4.2-38.28.1 libsamba-errors0-debuginfo-32bit-4.4.2-38.28.1 libsamba-errors0-debuginfo-4.4.2-38.28.1 libsamba-hostconfig0-32bit-4.4.2-38.28.1 libsamba-hostconfig0-4.4.2-38.28.1 
libsamba-hostconfig0-debuginfo-32bit-4.4.2-38.28.1 libsamba-hostconfig0-debuginfo-4.4.2-38.28.1 libsamba-passdb0-32bit-4.4.2-38.28.1 libsamba-passdb0-4.4.2-38.28.1 libsamba-passdb0-debuginfo-32bit-4.4.2-38.28.1 libsamba-passdb0-debuginfo-4.4.2-38.28.1 libsamba-util0-32bit-4.4.2-38.28.1 libsamba-util0-4.4.2-38.28.1 libsamba-util0-debuginfo-32bit-4.4.2-38.28.1 libsamba-util0-debuginfo-4.4.2-38.28.1 libsamdb0-32bit-4.4.2-38.28.1 libsamdb0-4.4.2-38.28.1 libsamdb0-debuginfo-32bit-4.4.2-38.28.1 libsamdb0-debuginfo-4.4.2-38.28.1 libsmbclient0-32bit-4.4.2-38.28.1 libsmbclient0-4.4.2-38.28.1 libsmbclient0-debuginfo-32bit-4.4.2-38.28.1 libsmbclient0-debuginfo-4.4.2-38.28.1 libsmbconf0-32bit-4.4.2-38.28.1 libsmbconf0-4.4.2-38.28.1 libsmbconf0-debuginfo-32bit-4.4.2-38.28.1 libsmbconf0-debuginfo-4.4.2-38.28.1 libsmbldap0-32bit-4.4.2-38.28.1 libsmbldap0-4.4.2-38.28.1 libsmbldap0-debuginfo-32bit-4.4.2-38.28.1 libsmbldap0-debuginfo-4.4.2-38.28.1 libtevent-util0-32bit-4.4.2-38.28.1 libtevent-util0-4.4.2-38.28.1 libtevent-util0-debuginfo-32bit-4.4.2-38.28.1 libtevent-util0-debuginfo-4.4.2-38.28.1 libwbclient0-32bit-4.4.2-38.28.1 libwbclient0-4.4.2-38.28.1 libwbclient0-debuginfo-32bit-4.4.2-38.28.1 libwbclient0-debuginfo-4.4.2-38.28.1 samba-4.4.2-38.28.1 samba-client-32bit-4.4.2-38.28.1 samba-client-4.4.2-38.28.1 samba-client-debuginfo-32bit-4.4.2-38.28.1 samba-client-debuginfo-4.4.2-38.28.1 samba-debuginfo-4.4.2-38.28.1 samba-debugsource-4.4.2-38.28.1 samba-libs-32bit-4.4.2-38.28.1 samba-libs-4.4.2-38.28.1 samba-libs-debuginfo-32bit-4.4.2-38.28.1 samba-libs-debuginfo-4.4.2-38.28.1 samba-winbind-32bit-4.4.2-38.28.1 samba-winbind-4.4.2-38.28.1 samba-winbind-debuginfo-32bit-4.4.2-38.28.1 samba-winbind-debuginfo-4.4.2-38.28.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): samba-doc-4.4.2-38.28.1 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): ctdb-4.4.2-38.28.1 ctdb-debuginfo-4.4.2-38.28.1 samba-debuginfo-4.4.2-38.28.1 samba-debugsource-4.4.2-38.28.1 
References: https://www.suse.com/security/cve/CVE-2019-10218.html https://bugzilla.suse.com/1144902 From sle-security-updates at lists.suse.com Tue Nov 5 07:14:36 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 5 Nov 2019 15:14:36 +0100 (CET) Subject: SUSE-SU-2019:2896-1: moderate: Security update for ImageMagick Message-ID: <20191105141436.351C1F798@maintenance.suse.de> SUSE Security Update: Security update for ImageMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2896-1 Rating: moderate References: #1146065 #1146068 #1146211 #1146212 #1146213 #1151781 #1151782 #1151783 #1151784 #1151785 #1151786 Cross-References: CVE-2019-14980 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 CVE-2019-15141 CVE-2019-16708 CVE-2019-16709 CVE-2019-16710 CVE-2019-16711 CVE-2019-16712 CVE-2019-16713 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for ImageMagick fixes the following issues: Security issues fixed: - CVE-2019-15139: Fixed a denial-of-service vulnerability in ReadXWDImage (bsc#1146213). - CVE-2019-15140: Fixed a use-after-free bug in the Matlab image parser (bsc#1146212). - CVE-2019-15141: Fixed a divide-by-zero vulnerability in the MeanShiftImage function (bsc#1146211). - CVE-2019-14980: Fixed an application crash resulting from a heap-based buffer over-read in WriteTIFFImage (bsc#1146068). 
- CVE-2019-14981: Fixed a use after free in the UnmapBlob function (bsc#1146065). - CVE-2019-16708: Fixed a memory leak in magick/xwindow.c (bsc#1151781). - CVE-2019-16709: Fixed a memory leak in coders/dps.c (bsc#1151782). - CVE-2019-16710: Fixed a memory leak in coders/dot.c (bsc#1151783). - CVE-2019-16711: Fixed a memory leak in Huffman2DEncodeImage in coders/ps2.c (bsc#1151784). - CVE-2019-16712: Fixed a memory leak in Huffman2DEncodeImage in coders/ps3.c (bsc#1151785). - CVE-2019-16713: Fixed a memory leak in coders/dot.c (bsc#1151786). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2896=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2896=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2896=1 - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-2896=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2896=1 - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-2896=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ImageMagick-config-7-upstream-7.0.7.34-3.72.1 ImageMagick-debuginfo-7.0.7.34-3.72.1 ImageMagick-debugsource-7.0.7.34-3.72.1 ImageMagick-extra-7.0.7.34-3.72.1 ImageMagick-extra-debuginfo-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 
(x86_64): ImageMagick-devel-32bit-7.0.7.34-3.72.1 libMagick++-7_Q16HDRI4-32bit-7.0.7.34-3.72.1 libMagick++-7_Q16HDRI4-32bit-debuginfo-7.0.7.34-3.72.1 libMagick++-devel-32bit-7.0.7.34-3.72.1 libMagickCore-7_Q16HDRI6-32bit-7.0.7.34-3.72.1 libMagickCore-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-3.72.1 libMagickWand-7_Q16HDRI6-32bit-7.0.7.34-3.72.1 libMagickWand-7_Q16HDRI6-32bit-debuginfo-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): ImageMagick-doc-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-7.0.7.34-3.72.1 ImageMagick-debugsource-7.0.7.34-3.72.1 ImageMagick-extra-7.0.7.34-3.72.1 ImageMagick-extra-debuginfo-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): ImageMagick-doc-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-7.0.7.34-3.72.1 ImageMagick-debugsource-7.0.7.34-3.72.1 perl-PerlMagick-7.0.7.34-3.72.1 perl-PerlMagick-debuginfo-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-7.0.7.34-3.72.1 ImageMagick-debugsource-7.0.7.34-3.72.1 perl-PerlMagick-7.0.7.34-3.72.1 perl-PerlMagick-debuginfo-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): ImageMagick-7.0.7.34-3.72.1 ImageMagick-config-7-SUSE-7.0.7.34-3.72.1 ImageMagick-debuginfo-7.0.7.34-3.72.1 ImageMagick-debugsource-7.0.7.34-3.72.1 ImageMagick-devel-7.0.7.34-3.72.1 libMagick++-7_Q16HDRI4-7.0.7.34-3.72.1 libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-3.72.1 libMagick++-devel-7.0.7.34-3.72.1 libMagickCore-7_Q16HDRI6-7.0.7.34-3.72.1 libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-3.72.1 libMagickWand-7_Q16HDRI6-7.0.7.34-3.72.1 libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-3.72.1 - SUSE Linux Enterprise Module for 
Desktop Applications 15 (aarch64 ppc64le s390x x86_64): ImageMagick-7.0.7.34-3.72.1 ImageMagick-config-7-SUSE-7.0.7.34-3.72.1 ImageMagick-config-7-upstream-7.0.7.34-3.72.1 ImageMagick-debuginfo-7.0.7.34-3.72.1 ImageMagick-debugsource-7.0.7.34-3.72.1 ImageMagick-devel-7.0.7.34-3.72.1 libMagick++-7_Q16HDRI4-7.0.7.34-3.72.1 libMagick++-7_Q16HDRI4-debuginfo-7.0.7.34-3.72.1 libMagick++-devel-7.0.7.34-3.72.1 libMagickCore-7_Q16HDRI6-7.0.7.34-3.72.1 libMagickCore-7_Q16HDRI6-debuginfo-7.0.7.34-3.72.1 libMagickWand-7_Q16HDRI6-7.0.7.34-3.72.1 libMagickWand-7_Q16HDRI6-debuginfo-7.0.7.34-3.72.1 References: https://www.suse.com/security/cve/CVE-2019-14980.html https://www.suse.com/security/cve/CVE-2019-14981.html https://www.suse.com/security/cve/CVE-2019-15139.html https://www.suse.com/security/cve/CVE-2019-15140.html https://www.suse.com/security/cve/CVE-2019-15141.html https://www.suse.com/security/cve/CVE-2019-16708.html https://www.suse.com/security/cve/CVE-2019-16709.html https://www.suse.com/security/cve/CVE-2019-16710.html https://www.suse.com/security/cve/CVE-2019-16711.html https://www.suse.com/security/cve/CVE-2019-16712.html https://www.suse.com/security/cve/CVE-2019-16713.html https://bugzilla.suse.com/1146065 https://bugzilla.suse.com/1146068 https://bugzilla.suse.com/1146211 https://bugzilla.suse.com/1146212 https://bugzilla.suse.com/1146213 https://bugzilla.suse.com/1151781 https://bugzilla.suse.com/1151782 https://bugzilla.suse.com/1151783 https://bugzilla.suse.com/1151784 https://bugzilla.suse.com/1151785 https://bugzilla.suse.com/1151786 From sle-security-updates at lists.suse.com Wed Nov 6 07:11:59 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 Nov 2019 15:11:59 +0100 (CET) Subject: SUSE-SU-2019:2902-1: moderate: Security update for gdb Message-ID: <20191106141159.78E9FF798@maintenance.suse.de> SUSE Security Update: Security update for gdb 
______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2902-1 Rating: moderate References: #1115034 #1142772 #1145692 Cross-References: CVE-2019-1010180 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Development Tools 15 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for gdb fixes the following issues: Update to gdb 8.3.1: (jsc#ECO-368) Security issues fixed: - CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772) Upgrade libipt from v2.0 to v2.0.1. - Enable librpm for version > librpm.so.3 [bsc#1145692]: * Allow any librpm.so.x * Add %build test to check for "zypper install " message - Copy gdbinit from fedora master @ 25caf28. Add gdbinit.without-python, and use it for --without=python. Rebase to 8.3 release (as in fedora 30 @ 1e222a3). * DWARF index cache: GDB can now automatically save indices of DWARF symbols on disk to speed up further loading of the same binaries. * Ada task switching is now supported on aarch64-elf targets when debugging a program using the Ravenscar Profile. * Terminal styling is now available for the CLI and the TUI. * Removed support for old demangling styles arm, edg, gnu, hp and lucid. * Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*). - Implemented access to more POWER8 registers. [fate#326120, fate#325178] - Handle most of new s390 arch13 instructions. [fate#327369, jsc#ECO-368] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2902=1 - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-2902=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): gdb-debuginfo-8.3.1-3.13.1 gdb-debugsource-8.3.1-3.13.1 gdb-testresults-8.3.1-3.13.1 - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): gdb-8.3.1-3.13.1 gdb-debuginfo-8.3.1-3.13.1 gdb-debugsource-8.3.1-3.13.1 gdbserver-8.3.1-3.13.1 gdbserver-debuginfo-8.3.1-3.13.1 References: https://www.suse.com/security/cve/CVE-2019-1010180.html https://bugzilla.suse.com/1115034 https://bugzilla.suse.com/1142772 https://bugzilla.suse.com/1145692 From sle-security-updates at lists.suse.com Wed Nov 6 07:13:03 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 Nov 2019 15:13:03 +0100 (CET) Subject: SUSE-SU-2019:2900-1: moderate: Security update for libssh2_org Message-ID: <20191106141303.9535FF798@maintenance.suse.de> SUSE Security Update: Security update for libssh2_org ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2900-1 Rating: moderate References: #1154862 Cross-References: CVE-2019-17498 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2900=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2900=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2900=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libssh2-1-32bit-1.8.0-4.10.1 libssh2-1-32bit-debuginfo-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libssh2-1-1.8.0-4.10.1 libssh2-1-debuginfo-1.8.0-4.10.1 libssh2-devel-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libssh2-1-1.8.0-4.10.1 libssh2-1-debuginfo-1.8.0-4.10.1 libssh2-devel-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 References: https://www.suse.com/security/cve/CVE-2019-17498.html https://bugzilla.suse.com/1154862 From sle-security-updates at lists.suse.com Wed Nov 6 07:13:49 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 Nov 2019 15:13:49 +0100 (CET) Subject: SUSE-SU-2019:14207-1: moderate: Security update for gdb Message-ID: <20191106141349.D758CF798@maintenance.suse.de> SUSE Security Update: Security update for gdb ______________________________________________________________________________ Announcement 
ID: SUSE-SU-2019:14207-1 Rating: moderate References: #1142772 Cross-References: CVE-2019-1010180 Affected Products: SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gdb fixes the following issues: - CVE-2019-1010180: Fixed a buffer overflow (bsc#1142772). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-gdb-14207=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-gdb-14207=1 Package List: - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): gdb-7.5.1-0.9.6.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): gdb-debuginfo-7.5.1-0.9.6.1 gdb-debugsource-7.5.1-0.9.6.1 References: https://www.suse.com/security/cve/CVE-2019-1010180.html https://bugzilla.suse.com/1142772 From sle-security-updates at lists.suse.com Wed Nov 6 07:16:06 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 Nov 2019 15:16:06 +0100 (CET) Subject: SUSE-SU-2019:2906-1: important: Security update for ardana-ansible, ardana-horizon, ardana-keystone, ardana-manila, ardana-neutron, crowbar-core, crowbar-openstack, grafana, openstack-cinder, openstack-dashboard, openstack-horizon-plugin-manila-ui, openstack-keystone, openstack-manila, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, pdns, python-Django1, python-keystonemiddleware, python-octaviaclient, python-os-brick, python-oslo.cache, python-oslo.messaging Message-ID: <20191106141606.7E08EF798@maintenance.suse.de> SUSE Security Update: Security update for 
ardana-ansible, ardana-horizon, ardana-keystone, ardana-manila, ardana-neutron, crowbar-core, crowbar-openstack, grafana, openstack-cinder, openstack-dashboard, openstack-horizon-plugin-manila-ui, openstack-keystone, openstack-manila, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, pdns, python-Django1, python-keystonemiddleware, python-octaviaclient, python-os-brick, python-oslo.cache, python-oslo.messaging ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2906-1 Rating: important References: #1129734 #1148383 Cross-References: CVE-2019-15043 CVE-2019-3871 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for ardana-ansible, ardana-horizon, ardana-keystone, ardana-manila, ardana-neutron, crowbar-core, crowbar-openstack, grafana, openstack-cinder, openstack-dashboard, openstack-horizon-plugin-manila-ui, openstack-keystone, openstack-manila, openstack-neutron, openstack-neutron-fwaas, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, pdns, python-Django1, python-keystonemiddleware, python-octaviaclient, python-os-brick, python-oslo.cache, python-oslo.messaging fixes the following issues: Security issues fixed: - CVE-2019-3871: Fixed an insufficient validation in the HTTP remote back end (pdns, bsc#1129734). - CVE-2019-15043: Added authentication to a few REST endpoints (Grafana, SOC-10357, bsc#1148383). 
Non-security issues fixed: - Update to version 9.0+git.1568821007.4e73730: * Include manila-pre-upgrade.yml in ardana-upgrade.yml (SOC-10609) - Update to version 9.0+git.1569869028.8edfc22: * Added command to minify the django compressed css files (SOC-10305) - Update to version 9.0+git.1570035317.78077ac: * support OpenID Connect WebSSO (SOC-10509) - Update to version 9.0+git.1569444107.add6a40: * Manila parallelised upgrade workflow enhancements (SOC-10609) - Update to version 9.0+git.1571328680.3a89cb8: * Add neutron-common role dependencies (SOC-10875) - Update to version 6.0+git.1571412352.8da4d261f: * upgrade: Reload repo config in repochecks (SOC-10718) - Update to version 6.0+git.1571210108.12bd2ffa3: * crowbar: Give more time for reboot for physical hardware reboots - Update to version 6.0+git.1570004730.b56b8983b: * Revert "Use block-migration when needed" (SOC-10133) - Update to version 6.0+git.1569911671.d44b0035c: * Designate: Don't add the admin node to the public network (SOC-10658) - Update to version 6.0+git.1572264221.3826a58b8: * Octavia: account for long ops in HA deployments (SOC-9894) * Octavia: use correct IP addresses for listening (SOC-9894) * Octavia: fix subnet creation race condition (SOC-9894) * Updated copyright notices (SOC-9894) * Octavia: Follow up patch addressing comments from last PR (SOC-9894) - Update to version 6.0+git.1571986150.c5b827b7a: * Fix the migration that tried to access Array as a Hash (SOC-10896) - Update to version 6.0+git.1571731423.957dcfecd: * mysql: fix WSREP sync race (SOC-10717) - Update to version 6.0+git.1571660392.997fee49d: * mysql: stop service for mysql_install_db (SOC-10717) - Update to version 6.0+git.1571241502.2f673d0a9: * rabbitmq: fix migration 200 (SOC-10623) * Changes to integrate with ACI 4.1 and new packages (SOC-10403) - Update to version 6.0+git.1570143515.9b1546ed3: * No rndc key if no public DNS server (SOC-10835) - Update to version 6.0+git.1570048281.815e06ff3: * create watcher barclamp 
(SOC-4183) - Update to version 6.0+git.1569942913.15b24bec5: * monasca: Fix restore condition (SOC-9772) * database: really fix migration 102 (SOC-10717) - Update to version 6.0+git.1569823669.91f267e96: * Designate: Filter out the admin node (SOC-10658) - Create plugin directory and clean up (create in %install, add to %files) handling of /var/lib/grafana/* and - Update to version cinder-13.0.8.dev8: * Extend timeout for database migration tests 13.0.7 * Add context to cloning snapshots in remotefs driver - Update to version cinder-13.0.7.dev22: * Add retry to LVM deactivation * Fix DetachedInstanceError for VolumeAttachment * Don't allow retype to encrypted+multiattach type - Update to version cinder-13.0.8.dev8: * Extend timeout for database migration tests 13.0.7 * Add context to cloning snapshots in remotefs driver - Update to version cinder-13.0.7.dev22: * Add retry to LVM deactivation * Fix DetachedInstanceError for VolumeAttachment * Don't allow retype to encrypted+multiattach type - Update to version horizon-14.0.5.dev1: * Fix aes-xts key length in Horizon Admin Guide / Manage Volumes 14.0.4 - Add python-csscompressor as a requirement * python-csscompressor will be used to minify compressed css files - Update to version horizon-14.0.4.dev17: * Remove the check which causes plugin's quotas update failure - Update to version horizon-14.0.4.dev16: * Add Allowed Address Pair/Delete buttons are only visible to admin - Update to version horizon-14.0.4.dev14: * Updated max-width to be dynamic for .member class - Update to version horizon-14.0.4.dev13: * Avoid forced logout when 403 error encountered - Update to version manila-ui-2.16.2.dev2: * Updated to get quotas data for Modify Quotas dialog Share tab * OpenDev Migration Patch 2.16.1 - Update to version keystone-14.1.1.dev26: * Make system tokens work with domain-specific drivers - Update to version keystone-14.1.1.dev24: * Add test case for expanding implied roles in system tokens - Update to version 
keystone-14.1.1.dev22: * Add retry for DBDeadlock in credential delete - Update to version keystone-14.1.1.dev20: * Import LDAP job into project * Update broken links to dogpile.cache docs - Update to version keystone-14.1.1.dev26: * Make system tokens work with domain-specific drivers - Update to version keystone-14.1.1.dev24: * Add test case for expanding implied roles in system tokens - Update to version keystone-14.1.1.dev22: * Add retry for DBDeadlock in credential delete - Update to version keystone-14.1.1.dev20: * Import LDAP job into project * Update broken links to dogpile.cache docs - Update to version manila-7.3.1.dev15: * Fix [Unity] verification and convert mgmt ipv6 - Update to version manila-7.3.1.dev14: * Adding documentation for User Messages in Manila Documentation - Update to version manila-7.3.1.dev12: * [NetApp] Allow extension/shrinking of NetApp replicated share - Update to version manila-7.3.1.dev11: * Fix pagination does not speed up queries bug - Update to version manila-7.3.1.dev9: * Remove backend spec from share type while creating replica - Update to version manila-7.3.1.dev8: * Check NetApp SnapRestore license for pools - Update to version manila-7.3.1.dev7: * Fix manila-tempest-minimal-dsvm-lvm-centos-7 job - Update to version manila-7.3.1.dev15: * Fix [Unity] verification and convert mgmt ipv6 - Update to version manila-7.3.1.dev14: * Adding documentation for User Messages in Manila Documentation - Update to version manila-7.3.1.dev12: * [NetApp] Allow extension/shrinking of NetApp replicated share - Update to version manila-7.3.1.dev11: * Fix pagination does not speed up queries bug - Update to version manila-7.3.1.dev9: * Remove backend spec from share type while creating replica - Update to version manila-7.3.1.dev8: * Check NetApp SnapRestore license for pools - Update to version manila-7.3.1.dev7: * Fix manila-tempest-minimal-dsvm-lvm-centos-7 job - Update to version neutron-13.0.6.dev3: * Add radvd_user config option * Fix 
mismatch of tags in dnsmasq options 13.0.5 - Update to version neutron-13.0.5.dev55: * Handle ports assigned to routers without routerports - Update to version neutron-13.0.5.dev54: * fixed_configured=True when Add/Remove port IPs - Update to version neutron-13.0.5.dev53: * raise priority of dead vlan drop * OVS flows for custom ethertypes must be on EGRESS - Update to version neutron-13.0.6.dev3: * Add radvd_user config option * Fix mismatch of tags in dnsmasq options 13.0.5 - Update to version neutron-13.0.5.dev55: * Handle ports assigned to routers without routerports - Update to version neutron-13.0.5.dev54: * fixed_configured=True when Add/Remove port IPs - Update to version neutron-13.0.5.dev53: * raise priority of dead vlan drop * OVS flows for custom ethertypes must be on EGRESS - Update to version neutron-fwaas-13.0.3.dev2: * Fix AttributeError with third-party L3 service plugins - Update to version neutron-fwaas-13.0.3.dev1: * FWaaS-DVR: FWaaS rules not updated in DVR routers on compute host 13.0.2 - Update to version neutron-fwaas-13.0.3.dev2: * Fix AttributeError with third-party L3 service plugins - Update to version neutron-fwaas-13.0.3.dev1: * FWaaS-DVR: FWaaS rules not updated in DVR routers on compute host 13.0.2 - Update to version neutron-lbaas-13.0.1.dev15: * Fix lb stats model - Update to version neutron-lbaas-13.0.1.dev15: * Fix lb stats model - Update to version nova-18.2.4.dev18: * Error out interrupted builds * Functional reproduce for bug 1833581 * Prevent init_host test to interfere with other tests * Add functional test for resize crash compute restart revert * cleanup evacuated instances not on hypervisor - Update to version nova-18.2.4.dev8: * Fix unit of hw_rng:rate_period * Fix exception translation when creating volume * Skip test_parallel_evacuate_with_server_group until fixed * Handle get_host_availability_zone error during reschedule * Noop CantStartEngineError in targets_cell if API DB not configured - Update to 
version nova-18.2.4.dev1: * Stop sending bad values from libosinfo to libvirt 18.2.3 - Update to version nova-18.2.3.dev25: * Add useful error log when _determine_version_cap raises DBNotAllowed - Update to version nova-18.2.3.dev23: * Reduce scope of 'path' query parameter to noVNC consoles - Update to version nova-18.2.4.dev18: * Error out interrupted builds * Functional reproduce for bug 1833581 * Prevent init_host test to interfere with other tests * Add functional test for resize crash compute restart revert * cleanup evacuated instances not on hypervisor - Update to version nova-18.2.4.dev8: * Fix unit of hw_rng:rate_period * Fix exception translation when creating volume * Skip test_parallel_evacuate_with_server_group until fixed * Handle get_host_availability_zone error during reschedule * Noop CantStartEngineError in targets_cell if API DB not configured - Update to version nova-18.2.4.dev1: * Stop sending bad values from libosinfo to libvirt 18.2.3 - Update to version nova-18.2.3.dev25: * Add useful error log when _determine_version_cap raises DBNotAllowed - Update to version nova-18.2.3.dev23: * Reduce scope of 'path' query parameter to noVNC consoles - Move tempest tests into the python-octavia package (SOC-9455) - Update to version octavia-3.2.1.dev1: 3.2.0 * loadbalancer vip-network-id IP availability check - Update to version octavia-3.1.2.dev46: * Fix urgent amphora two-way auth security bug Update image to 0.1.1 to include latest changes in openstack-octavia: - Update to include version octavia-3.2.1.dev1: * loadbalancer vip-network-id IP availability check * Fix urgent amphora two-way auth security bug * Fix member API handling of None/null updates * Validate server_certs_key_passphrase is 32 chars * Work around strptime threading issue * Fix base (VRRP) port abandoned on revert * Do not run non-voting jobs in gate * Fix l7rule API handling of None updates * Fix template that generates vrrp check script * elements: add arch 
property for ``open-vm-tools`` * Prevent UDP LBs to use different IP protocol versions in amphora driver * Fixed down server issue after reloading keepalived * Fixed pool and members status with UDP loadbalancers * Add support for monitor_{address,port} in UDP members * Fix auto setup Barbican's ACL in the legacy driver * Fix L7 repository create methods * Add warning log if auth_strategy is not keystone * Add failover logging to show the amphora details * Revert "Use the infra pypi mirror for DIB" * Use the infra pypi mirror for DIB * only rollback DB when we have a connection to the DB * Add octavia-v2-dsvm jobs to the gate queue * Fix for utils LB DM transformation function * Update amphora-agent to report UDP listener health * Update tox.ini for new upper constraints strategy * Add bindep.txt for Octavia * Fix allocate_and_associate DB deadlock * Treat null admin_state_up as False * Performance improvement for non-udp health checks * Bandit test exclusions syntax change * Fix IPv6 in Active/Standby topology on CentOS * Fix listener API handling of None/null updates * OpenDev Migration Patch * Fix a lifecycle bug with child objects * Fix the amphora base port coming up * Fix setting of VIP QoS policy * Fix VIP plugging on CentOS-based amphorae * Fix possible state machine hole in failover * Add missing import octavia/opts.py * Fix the loss of access to barbican secrets * Fix initialization of Barbican client * Replace openstack.org git:// URLs with https:// * Fix prefix for vip_ipv6 * Fix ifup failures on member interfaces with IPv6 * Adds server_certs_key_passphrase to octavia.conf * Fix LB failover when in ERROR * Resolve amphora agent read timeout issue * Fix performance of housekeeping DB clean up * Encrypt certs and keys * Enable debug for Octavia services in grenade job * Fix oslo messaging connection leakage * Simplify keepalived lvsquery parsing for UDP * Fix functional tests under Python >= 3.6 * Fix check redirect pool for creating a 
fully populated load balancer * Fix missing print format error - Remove superfluous octavia-db-manage invocation from service file - Incorporate the patch from https://review.openstack.org/#/c/541811/9. - Update to 4.1.8 * #7604: Correctly interpret an empty AXFR response to an IXFR query, * #7610: Fix replying from ANY address for non-standard port, * #7609: Fix rectify for ENT records in narrow zones, * #7607: Do not compress the root, * #7608: Fix dot stripping in `setcontent()`, * #7605: Fix invalid SOA record in MySQL which prevented the authoritative server from starting, * #7603: Prevent leak of file descriptor if running out of ports for incoming AXFR, * #7602: Fix API search failed with "Commands out of sync; you can't run this command now", * #7509: Plug `mysql_thread_init` memory leak, * #7567: EL6: fix `CXXFLAGS` to build with compiler optimizations. * Prevent more than one CNAME/SOA record in the same RRset - Update to 1.11.24: * Fixed crash of KeyTransform() for JSONField and HStoreField when using on expressions with params (#30672). 
- update to version 5.2.1 - Update .gitreview for stable/rocky - Update UPPER_CONSTRAINTS_FILE for stable/rocky - OpenDev Migration Patch - Remove tox_install.sh - import zuul job settings from project-config - Skip the services with no endpoints when parsing service catalog - update to version 1.6.1 - Update UPPER_CONSTRAINTS_FILE for stable/rocky - OpenDev Migration Patch - import zuul job settings from project-config - Update .gitreview for stable/rocky - Make sure we always requests JSON responses - update to version 2.5.8 - FC: Ignore some HBAs from map for single WWNN - OpenDev Migration Patch - Improve iSCSI device detection speed - update to version 1.30.4 - Update UPPER_CONSTRAINTS_FILE for stable/rocky - Fix memcache pool client in monkey-patched environments - OpenDev Migration Patch - Pass `flush_on_reconnect` to memcache pooled backend - update to version 8.1.4 - Replace openstack.org git:// URLs with https:// - Cap Bandit below 1.6.0 and update Sphinx requirement - Retry to declare a queue after internal error - Add release note for amqp library TLS/SSL error - Fix switch connection destination when a rabbitmq cluster node disappear - Mark telemetry tests nv and remove from gate - OpenDev Migration Patch - Issue blocking ACK for RPC requests from the consumer thread - fix typos Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-2906=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2019-2906=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): crowbar-openstack-6.0+git.1572264221.3826a58b8-3.13.3 openstack-cinder-13.0.8~dev8-3.13.5 openstack-cinder-api-13.0.8~dev8-3.13.5 openstack-cinder-backup-13.0.8~dev8-3.13.5 openstack-cinder-scheduler-13.0.8~dev8-3.13.5 openstack-cinder-volume-13.0.8~dev8-3.13.5 openstack-dashboard-14.0.5~dev1-3.9.4 openstack-horizon-plugin-manila-ui-2.16.2~dev2-3.3.3 openstack-keystone-14.1.1~dev26-3.13.4 openstack-manila-7.3.1~dev15-4.13.4 openstack-manila-api-7.3.1~dev15-4.13.4 openstack-manila-data-7.3.1~dev15-4.13.4 openstack-manila-scheduler-7.3.1~dev15-4.13.4 openstack-manila-share-7.3.1~dev15-4.13.4 openstack-neutron-13.0.6~dev3-3.13.4 openstack-neutron-dhcp-agent-13.0.6~dev3-3.13.4 openstack-neutron-fwaas-13.0.3~dev2-3.6.3 openstack-neutron-ha-tool-13.0.6~dev3-3.13.4 openstack-neutron-l3-agent-13.0.6~dev3-3.13.4 openstack-neutron-lbaas-13.0.1~dev15-3.10.3 openstack-neutron-lbaas-agent-13.0.1~dev15-3.10.3 openstack-neutron-linuxbridge-agent-13.0.6~dev3-3.13.4 openstack-neutron-macvtap-agent-13.0.6~dev3-3.13.4 openstack-neutron-metadata-agent-13.0.6~dev3-3.13.4 openstack-neutron-metering-agent-13.0.6~dev3-3.13.4 openstack-neutron-openvswitch-agent-13.0.6~dev3-3.13.4 openstack-neutron-server-13.0.6~dev3-3.13.4 openstack-nova-18.2.4~dev18-3.13.5 openstack-nova-api-18.2.4~dev18-3.13.5 openstack-nova-cells-18.2.4~dev18-3.13.5 openstack-nova-compute-18.2.4~dev18-3.13.5 openstack-nova-conductor-18.2.4~dev18-3.13.5 openstack-nova-console-18.2.4~dev18-3.13.5 openstack-nova-novncproxy-18.2.4~dev18-3.13.5 openstack-nova-placement-api-18.2.4~dev18-3.13.5 openstack-nova-scheduler-18.2.4~dev18-3.13.5 openstack-nova-serialproxy-18.2.4~dev18-3.13.5 openstack-nova-vncproxy-18.2.4~dev18-3.13.5 
openstack-octavia-3.2.1~dev1-3.13.3 openstack-octavia-amphora-agent-3.2.1~dev1-3.13.3 openstack-octavia-amphora-image-debugsource-0.1.1-7.3.4 openstack-octavia-amphora-image-x86_64-0.1.1-7.3.4 openstack-octavia-api-3.2.1~dev1-3.13.3 openstack-octavia-health-manager-3.2.1~dev1-3.13.3 openstack-octavia-housekeeping-3.2.1~dev1-3.13.3 openstack-octavia-worker-3.2.1~dev1-3.13.3 python-Django1-1.11.24-3.12.3 python-cinder-13.0.8~dev8-3.13.5 python-horizon-14.0.5~dev1-3.9.4 python-horizon-plugin-manila-ui-2.16.2~dev2-3.3.3 python-keystone-14.1.1~dev26-3.13.4 python-keystonemiddleware-5.2.1-11.4 python-manila-7.3.1~dev15-4.13.4 python-neutron-13.0.6~dev3-3.13.4 python-neutron-fwaas-13.0.3~dev2-3.6.3 python-neutron-lbaas-13.0.1~dev15-3.10.3 python-nova-18.2.4~dev18-3.13.5 python-octavia-3.2.1~dev1-3.13.3 python-octaviaclient-1.6.1-3.3.3 python-openstack_auth-14.0.5~dev1-3.9.4 python-os-brick-2.5.8-3.6.3 python-os-brick-common-2.5.8-3.6.3 python-oslo.cache-1.30.4-3.3.3 python-oslo.messaging-8.1.4-3.3.3 - SUSE OpenStack Cloud Crowbar 9 (x86_64): crowbar-core-6.0+git.1571412352.8da4d261f-3.13.3 crowbar-core-branding-upstream-6.0+git.1571412352.8da4d261f-3.13.3 grafana-6.2.5-3.9.3 grafana-debuginfo-6.2.5-3.9.3 - SUSE OpenStack Cloud 9 (noarch): ardana-ansible-9.0+git.1568821007.4e73730-3.13.3 ardana-horizon-9.0+git.1569869028.8edfc22-3.10.3 ardana-keystone-9.0+git.1570035317.78077ac-3.10.3 ardana-manila-9.0+git.1569444107.add6a40-3.9.3 ardana-neutron-9.0+git.1571328680.3a89cb8-3.13.3 openstack-cinder-13.0.8~dev8-3.13.5 openstack-cinder-api-13.0.8~dev8-3.13.5 openstack-cinder-backup-13.0.8~dev8-3.13.5 openstack-cinder-scheduler-13.0.8~dev8-3.13.5 openstack-cinder-volume-13.0.8~dev8-3.13.5 openstack-dashboard-14.0.5~dev1-3.9.4 openstack-horizon-plugin-manila-ui-2.16.2~dev2-3.3.3 openstack-keystone-14.1.1~dev26-3.13.4 openstack-manila-7.3.1~dev15-4.13.4 openstack-manila-api-7.3.1~dev15-4.13.4 openstack-manila-data-7.3.1~dev15-4.13.4 openstack-manila-scheduler-7.3.1~dev15-4.13.4 
openstack-manila-share-7.3.1~dev15-4.13.4 openstack-neutron-13.0.6~dev3-3.13.4 openstack-neutron-dhcp-agent-13.0.6~dev3-3.13.4 openstack-neutron-fwaas-13.0.3~dev2-3.6.3 openstack-neutron-ha-tool-13.0.6~dev3-3.13.4 openstack-neutron-l3-agent-13.0.6~dev3-3.13.4 openstack-neutron-lbaas-13.0.1~dev15-3.10.3 openstack-neutron-lbaas-agent-13.0.1~dev15-3.10.3 openstack-neutron-linuxbridge-agent-13.0.6~dev3-3.13.4 openstack-neutron-macvtap-agent-13.0.6~dev3-3.13.4 openstack-neutron-metadata-agent-13.0.6~dev3-3.13.4 openstack-neutron-metering-agent-13.0.6~dev3-3.13.4 openstack-neutron-openvswitch-agent-13.0.6~dev3-3.13.4 openstack-neutron-server-13.0.6~dev3-3.13.4 openstack-nova-18.2.4~dev18-3.13.5 openstack-nova-api-18.2.4~dev18-3.13.5 openstack-nova-cells-18.2.4~dev18-3.13.5 openstack-nova-compute-18.2.4~dev18-3.13.5 openstack-nova-conductor-18.2.4~dev18-3.13.5 openstack-nova-console-18.2.4~dev18-3.13.5 openstack-nova-novncproxy-18.2.4~dev18-3.13.5 openstack-nova-placement-api-18.2.4~dev18-3.13.5 openstack-nova-scheduler-18.2.4~dev18-3.13.5 openstack-nova-serialproxy-18.2.4~dev18-3.13.5 openstack-nova-vncproxy-18.2.4~dev18-3.13.5 openstack-octavia-3.2.1~dev1-3.13.3 openstack-octavia-amphora-agent-3.2.1~dev1-3.13.3 openstack-octavia-amphora-image-debugsource-0.1.1-7.3.4 openstack-octavia-amphora-image-x86_64-0.1.1-7.3.4 openstack-octavia-api-3.2.1~dev1-3.13.3 openstack-octavia-health-manager-3.2.1~dev1-3.13.3 openstack-octavia-housekeeping-3.2.1~dev1-3.13.3 openstack-octavia-worker-3.2.1~dev1-3.13.3 python-Django1-1.11.24-3.12.3 python-cinder-13.0.8~dev8-3.13.5 python-horizon-14.0.5~dev1-3.9.4 python-horizon-plugin-manila-ui-2.16.2~dev2-3.3.3 python-keystone-14.1.1~dev26-3.13.4 python-keystonemiddleware-5.2.1-11.4 python-manila-7.3.1~dev15-4.13.4 python-neutron-13.0.6~dev3-3.13.4 python-neutron-fwaas-13.0.3~dev2-3.6.3 python-neutron-lbaas-13.0.1~dev15-3.10.3 python-nova-18.2.4~dev18-3.13.5 python-octavia-3.2.1~dev1-3.13.3 python-octaviaclient-1.6.1-3.3.3 
python-openstack_auth-14.0.5~dev1-3.9.4 python-os-brick-2.5.8-3.6.3 python-os-brick-common-2.5.8-3.6.3 python-oslo.cache-1.30.4-3.3.3 python-oslo.messaging-8.1.4-3.3.3 venv-openstack-barbican-x86_64-7.0.1~dev18-3.11.3 venv-openstack-cinder-x86_64-13.0.8~dev8-3.11.3 venv-openstack-designate-x86_64-7.0.1~dev22-3.11.3 venv-openstack-glance-x86_64-17.0.1~dev30-3.11.3 venv-openstack-heat-x86_64-11.0.3~dev23-3.11.3 venv-openstack-horizon-x86_64-14.0.5~dev1-4.11.3 venv-openstack-keystone-x86_64-14.1.1~dev26-3.11.3 venv-openstack-magnum-x86_64-7.1.1~dev28-4.11.3 venv-openstack-manila-x86_64-7.3.1~dev15-3.11.3 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.11.3 venv-openstack-monasca-x86_64-2.7.1~dev10-3.11.3 venv-openstack-neutron-x86_64-13.0.6~dev3-6.11.3 venv-openstack-nova-x86_64-18.2.4~dev18-3.11.3 venv-openstack-octavia-x86_64-3.2.1~dev1-4.11.3 venv-openstack-sahara-x86_64-9.0.2~dev12-3.11.3 venv-openstack-swift-x86_64-2.19.2~dev1-2.8.3 - SUSE OpenStack Cloud 9 (x86_64): grafana-6.2.5-3.9.3 grafana-debuginfo-6.2.5-3.9.3 pdns-4.1.8-3.3.3 pdns-backend-mysql-4.1.8-3.3.3 pdns-backend-mysql-debuginfo-4.1.8-3.3.3 pdns-debuginfo-4.1.8-3.3.3 pdns-debugsource-4.1.8-3.3.3 References: https://www.suse.com/security/cve/CVE-2019-15043.html https://www.suse.com/security/cve/CVE-2019-3871.html https://bugzilla.suse.com/1129734 https://bugzilla.suse.com/1148383 From sle-security-updates at lists.suse.com Wed Nov 6 07:16:58 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 Nov 2019 15:16:58 +0100 (CET) Subject: SUSE-SU-2019:14206-1: moderate: Security update for libssh2_org Message-ID: <20191106141658.AC4C5F798@maintenance.suse.de> SUSE Security Update: Security update for libssh2_org ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14206-1 Rating: moderate References: #1154862 Cross-References: CVE-2019-17498 Affected Products: SUSE Linux Enterprise Server 
11-SP4-LTSS SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-libssh2_org-14206=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-libssh2_org-14206=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): libssh2-1-1.4.3-17.12.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): libssh2_org-debuginfo-1.4.3-17.12.1 libssh2_org-debugsource-1.4.3-17.12.1 References: https://www.suse.com/security/cve/CVE-2019-17498.html https://bugzilla.suse.com/1154862 From sle-security-updates at lists.suse.com Wed Nov 6 10:12:31 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 6 Nov 2019 18:12:31 +0100 (CET) Subject: SUSE-SU-2019:2909-1: important: Security update for php72 Message-ID: <20191106171231.E9FFFF798@maintenance.suse.de> SUSE Security Update: Security update for php72 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2909-1 Rating: important References: #1154999 Cross-References: CVE-2019-11043 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes one 
vulnerability is now available. Description: This update for php72 fixes the following issues: Security issue fixed: - CVE-2019-11043: Fixed possible remote code execution via env_path_info underflow in fpm_main.c (bsc#1154999). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2909=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2909=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2019-2909=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.29.1 php72-debugsource-7.2.5-1.29.1 php72-devel-7.2.5-1.29.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.29.1 php72-debugsource-7.2.5-1.29.1 php72-devel-7.2.5-1.29.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php72-7.2.5-1.29.1 apache2-mod_php72-debuginfo-7.2.5-1.29.1 php72-7.2.5-1.29.1 php72-bcmath-7.2.5-1.29.1 php72-bcmath-debuginfo-7.2.5-1.29.1 php72-bz2-7.2.5-1.29.1 php72-bz2-debuginfo-7.2.5-1.29.1 php72-calendar-7.2.5-1.29.1 php72-calendar-debuginfo-7.2.5-1.29.1 php72-ctype-7.2.5-1.29.1 php72-ctype-debuginfo-7.2.5-1.29.1 php72-curl-7.2.5-1.29.1 php72-curl-debuginfo-7.2.5-1.29.1 php72-dba-7.2.5-1.29.1 php72-dba-debuginfo-7.2.5-1.29.1 php72-debuginfo-7.2.5-1.29.1 php72-debugsource-7.2.5-1.29.1 php72-dom-7.2.5-1.29.1 php72-dom-debuginfo-7.2.5-1.29.1 php72-enchant-7.2.5-1.29.1 php72-enchant-debuginfo-7.2.5-1.29.1 php72-exif-7.2.5-1.29.1 php72-exif-debuginfo-7.2.5-1.29.1 php72-fastcgi-7.2.5-1.29.1 php72-fastcgi-debuginfo-7.2.5-1.29.1 php72-fileinfo-7.2.5-1.29.1 
php72-fileinfo-debuginfo-7.2.5-1.29.1 php72-fpm-7.2.5-1.29.1 php72-fpm-debuginfo-7.2.5-1.29.1 php72-ftp-7.2.5-1.29.1 php72-ftp-debuginfo-7.2.5-1.29.1 php72-gd-7.2.5-1.29.1 php72-gd-debuginfo-7.2.5-1.29.1 php72-gettext-7.2.5-1.29.1 php72-gettext-debuginfo-7.2.5-1.29.1 php72-gmp-7.2.5-1.29.1 php72-gmp-debuginfo-7.2.5-1.29.1 php72-iconv-7.2.5-1.29.1 php72-iconv-debuginfo-7.2.5-1.29.1 php72-imap-7.2.5-1.29.1 php72-imap-debuginfo-7.2.5-1.29.1 php72-intl-7.2.5-1.29.1 php72-intl-debuginfo-7.2.5-1.29.1 php72-json-7.2.5-1.29.1 php72-json-debuginfo-7.2.5-1.29.1 php72-ldap-7.2.5-1.29.1 php72-ldap-debuginfo-7.2.5-1.29.1 php72-mbstring-7.2.5-1.29.1 php72-mbstring-debuginfo-7.2.5-1.29.1 php72-mysql-7.2.5-1.29.1 php72-mysql-debuginfo-7.2.5-1.29.1 php72-odbc-7.2.5-1.29.1 php72-odbc-debuginfo-7.2.5-1.29.1 php72-opcache-7.2.5-1.29.1 php72-opcache-debuginfo-7.2.5-1.29.1 php72-openssl-7.2.5-1.29.1 php72-openssl-debuginfo-7.2.5-1.29.1 php72-pcntl-7.2.5-1.29.1 php72-pcntl-debuginfo-7.2.5-1.29.1 php72-pdo-7.2.5-1.29.1 php72-pdo-debuginfo-7.2.5-1.29.1 php72-pgsql-7.2.5-1.29.1 php72-pgsql-debuginfo-7.2.5-1.29.1 php72-phar-7.2.5-1.29.1 php72-phar-debuginfo-7.2.5-1.29.1 php72-posix-7.2.5-1.29.1 php72-posix-debuginfo-7.2.5-1.29.1 php72-pspell-7.2.5-1.29.1 php72-pspell-debuginfo-7.2.5-1.29.1 php72-readline-7.2.5-1.29.1 php72-readline-debuginfo-7.2.5-1.29.1 php72-shmop-7.2.5-1.29.1 php72-shmop-debuginfo-7.2.5-1.29.1 php72-snmp-7.2.5-1.29.1 php72-snmp-debuginfo-7.2.5-1.29.1 php72-soap-7.2.5-1.29.1 php72-soap-debuginfo-7.2.5-1.29.1 php72-sockets-7.2.5-1.29.1 php72-sockets-debuginfo-7.2.5-1.29.1 php72-sodium-7.2.5-1.29.1 php72-sodium-debuginfo-7.2.5-1.29.1 php72-sqlite-7.2.5-1.29.1 php72-sqlite-debuginfo-7.2.5-1.29.1 php72-sysvmsg-7.2.5-1.29.1 php72-sysvmsg-debuginfo-7.2.5-1.29.1 php72-sysvsem-7.2.5-1.29.1 php72-sysvsem-debuginfo-7.2.5-1.29.1 php72-sysvshm-7.2.5-1.29.1 php72-sysvshm-debuginfo-7.2.5-1.29.1 php72-tidy-7.2.5-1.29.1 php72-tidy-debuginfo-7.2.5-1.29.1 php72-tokenizer-7.2.5-1.29.1 
php72-tokenizer-debuginfo-7.2.5-1.29.1 php72-wddx-7.2.5-1.29.1 php72-wddx-debuginfo-7.2.5-1.29.1 php72-xmlreader-7.2.5-1.29.1 php72-xmlreader-debuginfo-7.2.5-1.29.1 php72-xmlrpc-7.2.5-1.29.1 php72-xmlrpc-debuginfo-7.2.5-1.29.1 php72-xmlwriter-7.2.5-1.29.1 php72-xmlwriter-debuginfo-7.2.5-1.29.1 php72-xsl-7.2.5-1.29.1 php72-xsl-debuginfo-7.2.5-1.29.1 php72-zip-7.2.5-1.29.1 php72-zip-debuginfo-7.2.5-1.29.1 php72-zlib-7.2.5-1.29.1 php72-zlib-debuginfo-7.2.5-1.29.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php72-pear-7.2.5-1.29.1 php72-pear-Archive_Tar-7.2.5-1.29.1 References: https://www.suse.com/security/cve/CVE-2019-11043.html https://bugzilla.suse.com/1154999 From sle-security-updates at lists.suse.com Thu Nov 7 07:11:05 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 7 Nov 2019 15:11:05 +0100 (CET) Subject: SUSE-SU-2019:2913-1: moderate: Security update for gdb Message-ID: <20191107141105.08943F798@maintenance.suse.de> SUSE Security Update: Security update for gdb ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2913-1 Rating: moderate References: #1115034 #1142772 #1145692 Cross-References: CVE-2019-1010180 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for gdb fixes the following issues: Update to gdb 8.3.1: (jsc#ECO-368) Security issues fixed: - CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772) Upgrade libipt from v2.0 to v2.0.1. 
- Enable librpm for version > librpm.so.3 [bsc#1145692]: * Allow any librpm.so.x * Add %build test to check for "zypper install " message - Copy gdbinit from fedora master @ 25caf28. Add gdbinit.without-python, and use it for --without=python. Rebase to 8.3 release (as in fedora 30 @ 1e222a3). * DWARF index cache: GDB can now automatically save indices of DWARF symbols on disk to speed up further loading of the same binaries. * Ada task switching is now supported on aarch64-elf targets when debugging a program using the Ravenscar Profile. * Terminal styling is now available for the CLI and the TUI. * Removed support for old demangling styles arm, edg, gnu, hp and lucid. * Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*). - Implemented access to more POWER8 registers. [fate#326120, fate#325178] - Handle most of new s390 arch13 instructions. [fate#327369, jsc#ECO-368] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2913=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2913=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): gdb-debuginfo-8.3.1-8.8.1 gdb-debugsource-8.3.1-8.8.1 gdb-testresults-8.3.1-8.8.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): gdb-8.3.1-8.8.1 gdb-debuginfo-8.3.1-8.8.1 gdb-debugsource-8.3.1-8.8.1 gdbserver-8.3.1-8.8.1 gdbserver-debuginfo-8.3.1-8.8.1 References: https://www.suse.com/security/cve/CVE-2019-1010180.html https://bugzilla.suse.com/1115034 https://bugzilla.suse.com/1142772 https://bugzilla.suse.com/1145692 From sle-security-updates at lists.suse.com Thu Nov 7 07:12:04 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 7 Nov 2019 15:12:04 +0100 (CET) Subject: SUSE-SU-2019:2914-1: moderate: Security update for gdb Message-ID: <20191107141204.29DEFF798@maintenance.suse.de> SUSE Security Update: Security update for gdb ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2914-1 Rating: moderate References: #1115034 #1142772 #1145692 Cross-References: CVE-2019-1010180 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. 
Description: This update for gdb fixes the following issues: Update to gdb 8.3.1: (jsc#ECO-368) Security issues fixed: - CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772) Upgrade libipt from v2.0 to v2.0.1. - Enable librpm for version > librpm.so.3 [bsc#1145692]: * Allow any librpm.so.x * Add %build test to check for "zypper install " message - Copy gdbinit from fedora master @ 25caf28. Add gdbinit.without-python, and use it for --without=python. Rebase to 8.3 release (as in fedora 30 @ 1e222a3). * DWARF index cache: GDB can now automatically save indices of DWARF symbols on disk to speed up further loading of the same binaries. * Ada task switching is now supported on aarch64-elf targets when debugging a program using the Ravenscar Profile. * Terminal styling is now available for the CLI and the TUI. * Removed support for old demangling styles arm, edg, gnu, hp and lucid. * Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*). - Implemented access to more POWER8 registers. [fate#326120, fate#325178] - Add gdb-s390-handle-arch13.diff to handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2914=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2914=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2914=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2914=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2914=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2914=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): gdb-8.3.1-1.12.1 gdb-debuginfo-8.3.1-1.12.1 gdb-debugsource-8.3.1-1.12.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): gdb-8.3.1-1.12.1 gdb-debuginfo-8.3.1-1.12.1 gdb-debugsource-8.3.1-1.12.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): gdb-8.3.1-1.12.1 gdb-debuginfo-8.3.1-1.12.1 gdb-debugsource-8.3.1-1.12.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): gdb-8.3.1-1.12.1 gdb-debuginfo-8.3.1-1.12.1 gdb-debugsource-8.3.1-1.12.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): gdb-8.3.1-1.12.1 gdb-debuginfo-8.3.1-1.12.1 gdb-debugsource-8.3.1-1.12.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): gdb-8.3.1-1.12.1 gdb-debuginfo-8.3.1-1.12.1 gdb-debugsource-8.3.1-1.12.1 References: https://www.suse.com/security/cve/CVE-2019-1010180.html https://bugzilla.suse.com/1115034 https://bugzilla.suse.com/1142772 https://bugzilla.suse.com/1145692 From sle-security-updates at lists.suse.com Thu Nov 7 07:13:04 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 7 Nov 2019 15:13:04 +0100 (CET) Subject: SUSE-SU-2019:2915-1: moderate: Security update for bluez Message-ID: <20191107141304.3A749F798@maintenance.suse.de> SUSE Security Update: Security update for bluez 
______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2915-1 Rating: moderate References: #1013712 Cross-References: CVE-2016-9798 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for bluez fixes the following issue: - CVE-2016-9798: Fixed a use-after-free in conf_opt (bsc#1013712). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2019-2915=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2019-2915=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2915=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2915=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2915=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2915=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2915=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): bluez-cups-5.13-5.15.3 bluez-cups-debuginfo-5.13-5.15.3 bluez-debuginfo-5.13-5.15.3 bluez-debugsource-5.13-5.15.3 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): bluez-cups-5.13-5.15.3 
bluez-cups-debuginfo-5.13-5.15.3 bluez-debuginfo-5.13-5.15.3 bluez-debugsource-5.13-5.15.3 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.13-5.15.3 bluez-debugsource-5.13-5.15.3 bluez-devel-5.13-5.15.3 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.13-5.15.3 bluez-debugsource-5.13-5.15.3 bluez-devel-5.13-5.15.3 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): bluez-5.13-5.15.3 bluez-debuginfo-5.13-5.15.3 bluez-debugsource-5.13-5.15.3 libbluetooth3-5.13-5.15.3 libbluetooth3-debuginfo-5.13-5.15.3 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): bluez-5.13-5.15.3 bluez-debuginfo-5.13-5.15.3 bluez-debugsource-5.13-5.15.3 libbluetooth3-5.13-5.15.3 libbluetooth3-debuginfo-5.13-5.15.3 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): bluez-5.13-5.15.3 bluez-cups-5.13-5.15.3 bluez-cups-debuginfo-5.13-5.15.3 bluez-debuginfo-5.13-5.15.3 bluez-debugsource-5.13-5.15.3 libbluetooth3-5.13-5.15.3 libbluetooth3-debuginfo-5.13-5.15.3 References: https://www.suse.com/security/cve/CVE-2016-9798.html https://bugzilla.suse.com/1013712 From sle-security-updates at lists.suse.com Thu Nov 7 07:13:53 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 7 Nov 2019 15:13:53 +0100 (CET) Subject: SUSE-SU-2019:2916-1: moderate: Security update for gdb Message-ID: <20191107141353.CA94AF798@maintenance.suse.de> SUSE Security Update: Security update for gdb ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2916-1 Rating: moderate References: #1115034 #1142772 #1145692 Cross-References: CVE-2019-1010180 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux 
Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for gdb fixes the following issues: Update to gdb 8.3.1: (jsc#ECO-368) Security issues fixed: - CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772) Upgrade libipt from v2.0 to v2.0.1. - Enable librpm for version > librpm.so.3 [bsc#1145692]: * Allow any librpm.so.x * Add %build test to check for "zypper install " message - Copy gdbinit from fedora master @ 25caf28. Add gdbinit.without-python, and use it for --without=python. Rebase to 8.3 release (as in fedora 30 @ 1e222a3). * DWARF index cache: GDB can now automatically save indices of DWARF symbols on disk to speed up further loading of the same binaries. * Ada task switching is now supported on aarch64-elf targets when debugging a program using the Ravenscar Profile. * Terminal styling is now available for the CLI and the TUI. * Removed support for old demangling styles arm, edg, gnu, hp and lucid. * Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*). - Implemented access to more POWER8 registers. [fate#326120, fate#325178] - Also handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2916=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2916=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2916=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2916=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2916=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2916=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2916=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2916=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2916=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2916=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-2916=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2916=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE OpenStack Cloud 8 (x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 gdbserver-8.3.1-2.14.1 gdbserver-debuginfo-8.3.1-2.14.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x): gdb-debuginfo-32bit-8.3.1-2.14.1 gdbserver-32bit-8.3.1-2.14.1 gdbserver-debuginfo-32bit-8.3.1-2.14.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 gdbserver-8.3.1-2.14.1 gdbserver-debuginfo-8.3.1-2.14.1 - SUSE 
Linux Enterprise Software Development Kit 12-SP4 (s390x): gdb-debuginfo-32bit-8.3.1-2.14.1 gdbserver-32bit-8.3.1-2.14.1 gdbserver-debuginfo-32bit-8.3.1-2.14.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 - HPE Helion Openstack 8 (x86_64): gdb-8.3.1-2.14.1 gdb-debuginfo-8.3.1-2.14.1 gdb-debugsource-8.3.1-2.14.1 References: https://www.suse.com/security/cve/CVE-2019-1010180.html https://bugzilla.suse.com/1115034 https://bugzilla.suse.com/1142772 https://bugzilla.suse.com/1145692 From sle-security-updates at lists.suse.com Thu Nov 7 07:14:48 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 7 Nov 2019 15:14:48 +0100 (CET) Subject: SUSE-SU-2019:2912-1: important: Recommended update for MozillaThunderbird Message-ID: <20191107141448.6F1B6F798@maintenance.suse.de> SUSE Security Update: Recommended update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2912-1 Rating: important References: #1149126 #1149429 #1151186 #1152778 #1153879 #1154738 Cross-References: 
CVE-2019-11757 CVE-2019-11758 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Workstation Extension 15 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for MozillaThunderbird to version 68.2.1 provides the following fixes: - Security issues fixed (bsc#1154738): * CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429). * CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738). * CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738). * CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738). * CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738). * CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738). * CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738). * CVE-2019-11763: Fixed an XSS bypass (bsc#1154738). * CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738). Other fixes (bsc#1153879): * Some attachments couldn't be opened in messages originating from MS Outlook 2016. * Address book import from CSV. * Performance problem in message body search. * Ctrl+Enter to send a message would open an attachment if the attachment pane had focus. * Calendar: Issues with "Today Pane" start-up. * Calendar: Glitches with custom repeat and reminder number input. * Calendar: Problems with WCAP provider. 
* A language for the user interface can now be chosen in the advanced settings * Fixed an issue with Google authentication (OAuth2) * Fixed an issue where selected or unread messages were not shown in the correct color in the thread pane under some circumstances * Fixed an issue where when using a language pack, names of standard folders were not localized (bsc#1149126) * Fixed an issue where the address book default startup directory in the preferences panel was not persisted * Fixed various visual glitches * Fixed issues with the chat * Fixed building with rust >= 1.38. * Fixed LTO build without PGO. * Removed kde.js since disabling instantApply breaks extensions and is now obsolete with the move to HTML views for preferences. (bsc#1151186) * Updated create-tar.sh. (bsc#1152778) * Deactivated the crashreporter for the last remaining arch. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-2912=1 - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2019-2912=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): MozillaThunderbird-68.2.1-3.58.1 MozillaThunderbird-debuginfo-68.2.1-3.58.1 MozillaThunderbird-debugsource-68.2.1-3.58.1 MozillaThunderbird-translations-common-68.2.1-3.58.1 MozillaThunderbird-translations-other-68.2.1-3.58.1 - SUSE Linux Enterprise Workstation Extension 15 (x86_64): MozillaThunderbird-68.2.1-3.58.1 MozillaThunderbird-debuginfo-68.2.1-3.58.1 MozillaThunderbird-debugsource-68.2.1-3.58.1 MozillaThunderbird-translations-common-68.2.1-3.58.1 MozillaThunderbird-translations-other-68.2.1-3.58.1 References: https://www.suse.com/security/cve/CVE-2019-11757.html https://www.suse.com/security/cve/CVE-2019-11758.html
https://www.suse.com/security/cve/CVE-2019-11759.html https://www.suse.com/security/cve/CVE-2019-11760.html https://www.suse.com/security/cve/CVE-2019-11761.html https://www.suse.com/security/cve/CVE-2019-11762.html https://www.suse.com/security/cve/CVE-2019-11763.html https://www.suse.com/security/cve/CVE-2019-11764.html https://www.suse.com/security/cve/CVE-2019-15903.html https://bugzilla.suse.com/1149126 https://bugzilla.suse.com/1149429 https://bugzilla.suse.com/1151186 https://bugzilla.suse.com/1152778 https://bugzilla.suse.com/1153879 https://bugzilla.suse.com/1154738 From sle-security-updates at lists.suse.com Thu Nov 7 23:16:40 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 8 Nov 2019 07:16:40 +0100 (CET) Subject: SUSE-SU-2019:2930-1: moderate: Security update for SUSE Manager Server 4.0 Message-ID: <20191108061640.3F174F798@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Server 4.0 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2930-1 Rating: moderate References: #1133429 #1135442 #1136959 #1138358 #1138454 #1142309 #1142764 #1142774 #1143016 #1143562 #1143789 #1144300 #1144500 #1144510 #1144515 #1144889 #1145086 #1145119 #1145551 #1145587 #1145626 #1145744 #1145750 #1145753 #1145758 #1145769 #1145873 #1146416 #1146419 #1146683 #1146869 #1148169 #1149075 #1149210 #1149353 #1149409 #1149425 #1149633 #1150113 #1150154 #1150180 #1150314 #1150729 #1151097 #1151280 #1151399 #1151467 #1151481 #1151666 #1151875 #1152170 #1152290 #1152514 #1152735 #1153277 #1153578 #1154275 #1155656 #1155794 Cross-References: CVE-2019-10088 CVE-2019-10093 CVE-2019-10094 Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.0 ______________________________________________________________________________ An update that solves three vulnerabilities and has 56 fixes is now available. 
Description: This update fixes the following issues: cobbler: - Fix for install loop caused by autoinstallation profiles (bsc#1151875) - Update module config description to match new parameters - Add config migration script and run it in post-install script - Fix for config backups in post install script (bsc#1149075) - Move apache config file cobbler.conf to conf.d directory and remove the VirtualHost container as it overwrites rules already set in conf.d - Realignment with Cobbler 3.0.0 release candidate. - Fix for typo in settings for scm_track module. - Optimization for settings loading in scm_track module. cpu-mitigations-formula: - Fix grub entry changed for sle12* so it matches sle15* (bsc#1145873) mgr-osad: - Obsolete all old python2-osa* packages to avoid conflicts (bsc#1152290) patterns-suse-manager: - Add recommends for cpu-mitigations-formula pgjdbc-ng: - Allow dots in database name (bsc#1146416) prometheus-exporters-formula: - Allow to configure arbitrary arguments when running exporters - Add support for Debian/Ubuntu and Red Hat systems (RHEL/CentOS) - Install the LICENSE together with the package py26-compat-salt: - Get tornado dependency from the system on SLE12 (bsc#1149409) python-susemanager-retail: - Update to version 0.1.1568808472.be9f236 - Parse partition type 82 as swap in SLEPOS migration (bsc#1136959) - Allow kernel command line for branches to be set as an option to retail_branch_init CLI - Automatically calculate dhcp dynamic range from branch ip if not set python-urlgrabber: - Allow non-integer values for URLGRABBER_DEBUG env variable (bsc#1152514) - Fixes usage of log level lookup for Python3 (bsc#1146683) spacecmd: - Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277) - Fix building and installing on CentOS8/RES8/RHEL8 - Check that a channel doesn't have clones before deleting it (bsc#1138454) spacewalk-admin: - Avoid a "Permission denied" salt error when publisher_acl is set (bsc#1150154)
spacewalk-backend: - Fix re-registration with re-activation key (bsc#1154275) - Change the default value of taskomatic maxmemory to 4GB - Add basic support for importing modular repositories - Import additional fields for Deb packages - Add script to update additional fields in the DB for existing Deb packages - Use active values for diskchecker mails - Parse restart_suggested flag from patches and set it as keywords (bsc#1151467) - Improve error message when deleting channel that's in a content lifecycle project (bsc#1145769) - Prevent "reposync" crash when handling metadata on RPM repos (bsc#1138358) - Do not show expected WARNING messages from "c_rehash" - Fix misspelling in spacewalk-repo-sync (bsc#1149633) - Remove credentials also from potential rhn.conf backup files in spacewalk-debug (bsc#1146419) - Do not crash 'rhn-satellite-exporter' with ModuleNotFound error (bsc#1146869) - Spacewalk-remove-channel check that channel doesn't have cloned channels before deleting it (bsc#1138454) - Fix broken spacewalk-data-fsck utility - Add '--latest' support for reposync on DEB based repositories - Do not try to download RPMs from the unresolved mirrorlist URL - Fix encoding issues with DB bytes values (bsc#1144300) - Fix import of rhnAuthPAM to avoid issues when using rhnpush. 
- Avoid traceback on mgr-inter-sync when there are problems with cache of packages (bsc#1143016) spacewalk-branding: - Improve menu scrollbar style for firefox - Add UI message when salt-formulas system folders are unreachable (bsc#1142309) spacewalk-certs-tools: - Require mgr-daemon (new name of spacewalksd) so that systems with spacewalksd always get the new package installed (bsc#1149353) spacewalk-client-tools: - Require mgr-daemon (new name of spacewalksd) so that systems with spacewalksd always get the new package installed (bsc#1149353) - Enable spacewalk-update-service on package installation (bsc#1143789) - Invalidate cache 5 minutes before actual expiration (bsc#1143562) spacewalk-config: - Change the default value of taskomatic maxmemory to 4GB - Resolve modules.yaml file for modular repositories spacewalk-java: - Change the default value of taskomatic maxmemory to 4GB - Silence cache strategy Hibernate warning - Return result in compatible type to what defined in database procedure (bsc#1150729) - Allow channels names to start with numbers - Fix: handle special deb package names (bsc#1150113) - Remove extra spaces in dependencies fields in Debian repo Packages file (bsc#1145551) - Allow monitoring for managed systems running Ubuntu 18.04 and RedHat 6/7 - Improve performance for 'Manage Software Channels' view (bsc#1151399) - Import additional fields for Deb packages - Use value from systemd unit file if not set in /etc/rhn/rhn.conf - Implement "keyword" filter for Content Lifecycle Management - Add support for Azure, Amazon EC2, and Google Compute Engine as Virtual Host Manager.
- Allow ssl connections from Tomcat to Postgres (bsc#1149210) - Use default in case taskomatic.java.maxmemory is unset - Fix parsing of /etc/rhn/rhn.conf for taskomatic.java.maxmemory (bsc#1151097) - Change form order and change project creation message (bsc#1145744) - Use 'SCC organization credentials' instead of 'SCC credentials' in error message (bsc#1149425) - Implement "regular expression" Filter for Content Lifecycle Management matching package names, patch name, patch synopsis and package names in patches - Implement provisioning for salt clients - Explicitly mention in API docs that to preserve LF/CR, user needs to encode the data (bsc#1135442) - New Single Page Application engine for the UI. It can be enabled with the config 'web.spa.enable' set to true - Check that a channel doesn't have clones before deleting it (bsc#1138454) - Fix documentation of contentmanagement handler (bsc#1145753) - Add new API endpoint to list available Filter Criteria - Improve API documentation of Filter Criteria - Implement "patch contains package" Filter for Content Lifecycle Management - Implement Filter Patch "by type" Content Lifecycle Management - Improve websocket authentication to prevent errors in logs (bsc#1138454) - Implement filtering errata by synopsis in Content Lifecycle Management - Normalize date formats for actions, notifications and clm (bsc#1142774) - Implement ALLOW filters in Content Lifecycle Management - Implement "by date" Filter for Content Lifecycle Management - UI render without error if salt-formulas system folders are unreachable (bsc#1142309) - Cloning Errata from a specific channel should not take packages from other channels (bsc#1142764) - Add susemanager as prerequired for spacewalk-java spacewalk-setup: - Fix cobbler authentication module configuration required for new cobbler package - Configure 150 Tomcat workers by default, matching httpds MaxClients spacewalk-utils: - Add FQDN resolver for spacewalk-manage-channel-lifecycle (bsc#1153578) -
Common-channels: Fix repo type assignment for type YUM spacewalk-web: - Redirect to project when canceling creating a filter (bsc#1145750) - Better visualization of the filters attached to a CLM Project. Allow/deny are now split - Fix ui issues with content lifecycle project list page (bsc#1145587) - Implement "keyword" filter for Content Lifecycle Management - Enable Azure, Amazon EC2 and Google Compute Engine as available Virtual host Managers - Trim strings when creating/updating image stores/profiles (bsc#1133429) - Show loading spin while loading salt keys data (bsc#1150180) - CLM - Disable clones by default of the shown CLM Project sources - Change form order and change project creation message (bsc#1145744) - Add UI message when salt-formulas system folders are unreachable (bsc#1142309) - Implement "regular expression" Filter for Content Lifecycle Management matching package names, patch name, patch synopsis and package names in patches - New Single Page Application engine for the UI. 
It can be enabled with the config 'web.spa.enable' set to true - Add environment label when deleting environment (bsc#1145758) - Change color of disabled build button on clp page (bsc#1145626) - Fix the 'include recommended' button on channels selection in SSM (bsc#1145086) - Implement "patch contains package" Filter for Content Lifecycle Management - Implement Filter Patch "by type" Content Lifecycle Management - Implement filtering errata by synopsis in Content Lifecycle Management - Normalize date formats for actions, notifications and clm (bsc#1142774) - Implement ALLOW filters in Content Lifecycle Management - Implement "by date" Filter for Content Lifecycle Management susemanager: - Require dmidecode only for SLE12 aarch64 and x86_64 (bsc#1152170) - Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314) - Fix test for btrfs subvolume for new btrfs version (bsc#1151666) - Ensure working directory is /root during setup (bsc#1148169) - Dmidecode does not exist on s390x (bsc#1145119) susemanager-docs_en: - Update text and images (mu-4.0.3); many changes caused by Technical and Content Reviews. 
- Added partition permissions to Install Guide (bsc#1152735) - Move Disconnected Setup from Client Config to Admin Guide - Updated references to documentation.suse.com (was: www.suse.com/documentation) - Increase default value for taskomatic to 4GB - Registering to proxy information in Install Guide - Edits to Prometheus section in Admin Guide - Update database migration section in Upgrade Guide - Update server update, upgrade, and migration chapters in Upgrade Guide - Update server installation and setup chapters - Update proxy installation and setup chapters - Add section about maintenance window in Admin Guide - Update Kubernetes chapter - Admin Guide: ISS: Adapt the CA path to correspond to SLES 15.1 - Update image management - Update channel management screenshot in Reference - Update CLM - Provide basic documentation on foreign clients - Update info on mgr-sync - New images added to Retail Guide - Minor edits in Salt Guide - Improvements to Troubleshooting section in Admin Guide - Removed reference to SLP in Install Guide - Minor edits to SSM in Client Config Guide susemanager-schema: - Fix in schema migration script when recreating the 'suseUserRoleView' (bsc#1151280) - Fix: handle special deb package names (bsc#1150113) - Refactor in suseChannelUserRoleView for retrieving the parent_channel_id (bsc#1151399) - Add tables rhnPackageExtraTag and rhnPackageExtraTagKey - Allow monitoring for Ubuntu systems - Add new types needed for Azure, Amazon EC2 and Google CE - Enable provisioning for salt clients - Allow package changelog entries with more than 3000 characters (bsc#1144889) susemanager-sls: - Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314) - Introduce dnf-susemanager-plugin for RHEL8 minions - Provide custom grain to report "instance id" when running on Public Cloud instances - Disable legacy startup events for new minions - Implement provisioning for salt clients - Dmidecode does not exist on ppc64le and s390x (bsc#1145119) - Update 
susemanager.conf to use adler32 for computing the server_id for new minions - Do not show errors when polling internal metadata API (bsc#1155794) - Add missing "public_cloud" custom grain (bsc#1155656) susemanager-sync-data: - Ubuntu repositories released tika-core: - New upstream version 1.2.2. Fixes: * OOM from a crafted Zip File in Apache Tika's RecursiveParserWrapper (CVE-2019-10088) (bsc#1144500). * Denial of Service in Apache Tika's 2003ml and 2006ml Parsers (CVE-2019-10093) (bsc#1144510). * StackOverflow from Crafted Package/Compressed Files in Apache Tika's RecursiveParserWrapper (CVE-2019-10094) (bsc#1144515). virtual-host-gatherer: - Add new modules to deal with Amazon EC2, Azure and Google Compute Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2019-2930=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64): patterns-suma_retail-4.0-9.3.8 patterns-suma_server-4.0-9.3.8 spacewalk-branding-4.0.14-3.6.8 susemanager-4.0.17-3.6.9 susemanager-tools-4.0.17-3.6.9 - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch): cobbler-3.0.0+git20190806.32c4bae0-7.3.7 cpu-mitigations-formula-0.1-4.6.7 mgr-osa-dispatcher-4.0.10-3.6.8 pgjdbc-ng-0.7.1-3.3.8 prometheus-exporters-formula-0.4-3.3.7 pxe-default-image-sle15-4.0.0-20191106084601 py26-compat-salt-2016.11.10-10.8.8 python3-mgr-osa-common-4.0.10-3.6.8 python3-mgr-osa-dispatcher-4.0.10-3.6.8 python3-spacewalk-backend-libs-4.0.27-3.13.9 python3-spacewalk-certs-tools-4.0.12-3.6.8 python3-spacewalk-client-tools-4.0.10-3.6.8 python3-susemanager-retail-1.0.1568808472.be9f236-3.6.7 python3-urlgrabber-3.10.2.1py2_3-6.22.6 spacecmd-4.0.16-3.6.7 spacewalk-admin-4.0.8-3.3.8 
spacewalk-backend-4.0.27-3.13.9 spacewalk-backend-app-4.0.27-3.13.9 spacewalk-backend-applet-4.0.27-3.13.9 spacewalk-backend-config-files-4.0.27-3.13.9 spacewalk-backend-config-files-common-4.0.27-3.13.9 spacewalk-backend-config-files-tool-4.0.27-3.13.9 spacewalk-backend-iss-4.0.27-3.13.9 spacewalk-backend-iss-export-4.0.27-3.13.9 spacewalk-backend-package-push-server-4.0.27-3.13.9 spacewalk-backend-server-4.0.27-3.13.9 spacewalk-backend-sql-4.0.27-3.13.9 spacewalk-backend-sql-postgresql-4.0.27-3.13.9 spacewalk-backend-tools-4.0.27-3.13.9 spacewalk-backend-xml-export-libs-4.0.27-3.13.9 spacewalk-backend-xmlrpc-4.0.27-3.13.9 spacewalk-base-4.0.16-3.9.8 spacewalk-base-minimal-4.0.16-3.9.8 spacewalk-base-minimal-config-4.0.16-3.9.8 spacewalk-certs-tools-4.0.12-3.6.8 spacewalk-client-tools-4.0.10-3.6.8 spacewalk-config-4.0.13-3.3.7 spacewalk-html-4.0.16-3.9.8 spacewalk-java-4.0.25-3.10.5 spacewalk-java-config-4.0.25-3.10.5 spacewalk-java-lib-4.0.25-3.10.5 spacewalk-java-postgresql-4.0.25-3.10.5 spacewalk-setup-4.0.11-3.6.7 spacewalk-taskomatic-4.0.25-3.10.5 spacewalk-utils-4.0.13-3.6.8 susemanager-doc-indexes-4.0-10.9.8 susemanager-docs_en-4.0-10.9.7 susemanager-docs_en-pdf-4.0-10.9.7 susemanager-retail-tools-1.0.1568808472.be9f236-3.6.7 susemanager-schema-4.0.16-3.8.5 susemanager-sls-4.0.22-3.10.4 susemanager-sync-data-4.0.13-3.6.7 susemanager-web-libs-4.0.16-3.9.8 tika-core-1.22-3.3.7 virtual-host-gatherer-1.0.19-3.3.8 virtual-host-gatherer-Kubernetes-1.0.19-3.3.8 virtual-host-gatherer-VMware-1.0.19-3.3.8 virtual-host-gatherer-libcloud-1.0.19-3.3.8 References: https://www.suse.com/security/cve/CVE-2019-10088.html https://www.suse.com/security/cve/CVE-2019-10093.html https://www.suse.com/security/cve/CVE-2019-10094.html https://bugzilla.suse.com/1133429 https://bugzilla.suse.com/1135442 https://bugzilla.suse.com/1136959 https://bugzilla.suse.com/1138358 https://bugzilla.suse.com/1138454 https://bugzilla.suse.com/1142309 https://bugzilla.suse.com/1142764 
https://bugzilla.suse.com/1142774 https://bugzilla.suse.com/1143016 https://bugzilla.suse.com/1143562 https://bugzilla.suse.com/1143789 https://bugzilla.suse.com/1144300 https://bugzilla.suse.com/1144500 https://bugzilla.suse.com/1144510 https://bugzilla.suse.com/1144515 https://bugzilla.suse.com/1144889 https://bugzilla.suse.com/1145086 https://bugzilla.suse.com/1145119 https://bugzilla.suse.com/1145551 https://bugzilla.suse.com/1145587 https://bugzilla.suse.com/1145626 https://bugzilla.suse.com/1145744 https://bugzilla.suse.com/1145750 https://bugzilla.suse.com/1145753 https://bugzilla.suse.com/1145758 https://bugzilla.suse.com/1145769 https://bugzilla.suse.com/1145873 https://bugzilla.suse.com/1146416 https://bugzilla.suse.com/1146419 https://bugzilla.suse.com/1146683 https://bugzilla.suse.com/1146869 https://bugzilla.suse.com/1148169 https://bugzilla.suse.com/1149075 https://bugzilla.suse.com/1149210 https://bugzilla.suse.com/1149353 https://bugzilla.suse.com/1149409 https://bugzilla.suse.com/1149425 https://bugzilla.suse.com/1149633 https://bugzilla.suse.com/1150113 https://bugzilla.suse.com/1150154 https://bugzilla.suse.com/1150180 https://bugzilla.suse.com/1150314 https://bugzilla.suse.com/1150729 https://bugzilla.suse.com/1151097 https://bugzilla.suse.com/1151280 https://bugzilla.suse.com/1151399 https://bugzilla.suse.com/1151467 https://bugzilla.suse.com/1151481 https://bugzilla.suse.com/1151666 https://bugzilla.suse.com/1151875 https://bugzilla.suse.com/1152170 https://bugzilla.suse.com/1152290 https://bugzilla.suse.com/1152514 https://bugzilla.suse.com/1152735 https://bugzilla.suse.com/1153277 https://bugzilla.suse.com/1153578 https://bugzilla.suse.com/1154275 https://bugzilla.suse.com/1155656 https://bugzilla.suse.com/1155794 From sle-security-updates at lists.suse.com Fri Nov 8 07:11:31 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 8 Nov 2019 15:11:31 +0100 (CET) Subject: SUSE-SU-2019:2932-1: 
moderate: Security update for rubygem-haml Message-ID: <20191108141131.EB6C8F798@maintenance.suse.de> SUSE Security Update: Security update for rubygem-haml ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2932-1 Rating: moderate References: #1155089 Cross-References: CVE-2017-1002201 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for rubygem-haml fixes the following issue: - CVE-2017-1002201: Fixed an insufficient character escape that could have led to arbitrary code execution (bsc#1155089). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-2932=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2932=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2932=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): ruby2.1-rubygem-haml-4.0.6-3.3.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): ruby2.1-rubygem-haml-4.0.6-3.3.1 - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): ruby2.1-rubygem-haml-4.0.6-3.3.1 References: https://www.suse.com/security/cve/CVE-2017-1002201.html https://bugzilla.suse.com/1155089 From sle-security-updates at lists.suse.com Fri Nov 8 13:11:02 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 8 Nov 2019 21:11:02 +0100 (CET) Subject: SUSE-SU-2019:2935-1: important: Security update for apache2-mod_auth_openidc Message-ID: <20191108201102.75B11F798@maintenance.suse.de> SUSE Security Update: Security update for 
apache2-mod_auth_openidc ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2935-1 Rating: important References: #1153666 Cross-References: CVE-2019-14857 Affected Products: SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2019-14857: Fixed an open redirect issue that exists in URLs with trailing slashes (bsc#1153666). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2935=1 Package List: - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): apache2-mod_auth_openidc-2.4.0-3.7.1 apache2-mod_auth_openidc-debuginfo-2.4.0-3.7.1 apache2-mod_auth_openidc-debugsource-2.4.0-3.7.1 References: https://www.suse.com/security/cve/CVE-2019-14857.html https://bugzilla.suse.com/1153666 From sle-security-updates at lists.suse.com Fri Nov 8 13:12:23 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 8 Nov 2019 21:12:23 +0100 (CET) Subject: SUSE-SU-2019:2936-1: moderate: Security update for libssh2_org Message-ID: <20191108201223.17B29F798@maintenance.suse.de> SUSE Security Update: Security update for libssh2_org ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2936-1 Rating: moderate References: #1154862 Cross-References: CVE-2019-17498 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux 
Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 SUSE CaaS Platform 3.0 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2936=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2936=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2936=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2936=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2936=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2936=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2936=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2936=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2936=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2936=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2936=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2936=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2936=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2936=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2936=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2936=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-2936=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2936=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE OpenStack Cloud 8 (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libssh2-devel-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libssh2-devel-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux 
Enterprise Server 12-SP5 (s390x x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): 
libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - SUSE Enterprise Storage 5 (x86_64): libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 - SUSE CaaS Platform 3.0 (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 - HPE Helion Openstack 8 (x86_64): libssh2-1-1.4.3-20.14.1 libssh2-1-32bit-1.4.3-20.14.1 libssh2-1-debuginfo-1.4.3-20.14.1 libssh2-1-debuginfo-32bit-1.4.3-20.14.1 libssh2_org-debugsource-1.4.3-20.14.1 References: https://www.suse.com/security/cve/CVE-2019-17498.html https://bugzilla.suse.com/1154862 From sle-security-updates at lists.suse.com Fri Nov 8 13:13:07 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 8 Nov 2019 21:13:07 +0100 (CET) Subject: SUSE-SU-2019:2934-1: important: Security update for apache2-mod_auth_openidc Message-ID: <20191108201307.E6A5DF798@maintenance.suse.de> SUSE Security Update: Security update for apache2-mod_auth_openidc ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2934-1 Rating: important References: #1153666 Cross-References: CVE-2019-14857 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2019-14857: Fixed an open redirect issue that exists in URLs with trailing slashes (bsc#1153666). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2934=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le x86_64): apache2-mod_auth_openidc-2.3.8-3.3.1 apache2-mod_auth_openidc-debuginfo-2.3.8-3.3.1 apache2-mod_auth_openidc-debugsource-2.3.8-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-14857.html https://bugzilla.suse.com/1153666 From sle-security-updates at lists.suse.com Fri Nov 8 13:13:51 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 8 Nov 2019 21:13:51 +0100 (CET) Subject: SUSE-SU-2019:2937-1: moderate: Security update for rsyslog Message-ID: <20191108201351.8BDA1F798@maintenance.suse.de> SUSE Security Update: Security update for rsyslog ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2937-1 Rating: moderate References: #1141063 #1153451 #1153459 Cross-References: CVE-2019-17041 CVE-2019-17042 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for rsyslog fixes the following issues: Security issues fixed: - CVE-2019-17041: Fixed a heap overflow in the parser for AIX log messages (bsc#1153451). - CVE-2019-17042: Fixed a heap overflow in the parser for Cisco log messages (bsc#1153459). 
Other issue addressed:

- Fixed an issue where rsyslog crashed with a SEGFAULT due to a mutex double-unlock (bsc#1141063).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2937=1
- SUSE Linux Enterprise Module for Server Applications 15:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2937=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2937=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2937=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2937=1
- SUSE Linux Enterprise Module for Basesystem 15:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2937=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
  rsyslog-debuginfo-8.33.1-3.22.4
  rsyslog-debugsource-8.33.1-3.22.4
  rsyslog-module-gssapi-8.33.1-3.22.4
  rsyslog-module-gssapi-debuginfo-8.33.1-3.22.4
  rsyslog-module-gtls-8.33.1-3.22.4
  rsyslog-module-gtls-debuginfo-8.33.1-3.22.4
  rsyslog-module-mmnormalize-8.33.1-3.22.4
  rsyslog-module-mmnormalize-debuginfo-8.33.1-3.22.4
  rsyslog-module-mysql-8.33.1-3.22.4
  rsyslog-module-mysql-debuginfo-8.33.1-3.22.4
  rsyslog-module-pgsql-8.33.1-3.22.4
  rsyslog-module-pgsql-debuginfo-8.33.1-3.22.4
  rsyslog-module-relp-8.33.1-3.22.4
  rsyslog-module-relp-debuginfo-8.33.1-3.22.4
  rsyslog-module-snmp-8.33.1-3.22.4
  rsyslog-module-snmp-debuginfo-8.33.1-3.22.4
  rsyslog-module-udpspoof-8.33.1-3.22.4
  rsyslog-module-udpspoof-debuginfo-8.33.1-3.22.4
- SUSE Linux Enterprise Module for Server
Applications 15 (aarch64 ppc64le s390x x86_64): rsyslog-debuginfo-8.33.1-3.22.4 rsyslog-debugsource-8.33.1-3.22.4 rsyslog-module-gssapi-8.33.1-3.22.4 rsyslog-module-gssapi-debuginfo-8.33.1-3.22.4 rsyslog-module-gtls-8.33.1-3.22.4 rsyslog-module-gtls-debuginfo-8.33.1-3.22.4 rsyslog-module-mmnormalize-8.33.1-3.22.4 rsyslog-module-mmnormalize-debuginfo-8.33.1-3.22.4 rsyslog-module-mysql-8.33.1-3.22.4 rsyslog-module-mysql-debuginfo-8.33.1-3.22.4 rsyslog-module-pgsql-8.33.1-3.22.4 rsyslog-module-pgsql-debuginfo-8.33.1-3.22.4 rsyslog-module-relp-8.33.1-3.22.4 rsyslog-module-relp-debuginfo-8.33.1-3.22.4 rsyslog-module-snmp-8.33.1-3.22.4 rsyslog-module-snmp-debuginfo-8.33.1-3.22.4 rsyslog-module-udpspoof-8.33.1-3.22.4 rsyslog-module-udpspoof-debuginfo-8.33.1-3.22.4 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): rsyslog-debuginfo-8.33.1-3.22.4 rsyslog-debugsource-8.33.1-3.22.4 rsyslog-diag-tools-8.33.1-3.22.4 rsyslog-diag-tools-debuginfo-8.33.1-3.22.4 rsyslog-doc-8.33.1-3.22.4 rsyslog-module-dbi-8.33.1-3.22.4 rsyslog-module-dbi-debuginfo-8.33.1-3.22.4 rsyslog-module-elasticsearch-8.33.1-3.22.4 rsyslog-module-elasticsearch-debuginfo-8.33.1-3.22.4 rsyslog-module-gcrypt-8.33.1-3.22.4 rsyslog-module-gcrypt-debuginfo-8.33.1-3.22.4 rsyslog-module-mmnormalize-8.33.1-3.22.4 rsyslog-module-mmnormalize-debuginfo-8.33.1-3.22.4 rsyslog-module-omamqp1-8.33.1-3.22.4 rsyslog-module-omamqp1-debuginfo-8.33.1-3.22.4 rsyslog-module-omhttpfs-8.33.1-3.22.4 rsyslog-module-omhttpfs-debuginfo-8.33.1-3.22.4 rsyslog-module-omtcl-8.33.1-3.22.4 rsyslog-module-omtcl-debuginfo-8.33.1-3.22.4 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): rsyslog-debuginfo-8.33.1-3.22.4 rsyslog-debugsource-8.33.1-3.22.4 rsyslog-diag-tools-8.33.1-3.22.4 rsyslog-diag-tools-debuginfo-8.33.1-3.22.4 rsyslog-doc-8.33.1-3.22.4 rsyslog-module-dbi-8.33.1-3.22.4 rsyslog-module-dbi-debuginfo-8.33.1-3.22.4 
rsyslog-module-elasticsearch-8.33.1-3.22.4 rsyslog-module-elasticsearch-debuginfo-8.33.1-3.22.4 rsyslog-module-gcrypt-8.33.1-3.22.4 rsyslog-module-gcrypt-debuginfo-8.33.1-3.22.4 rsyslog-module-gtls-8.33.1-3.22.4 rsyslog-module-gtls-debuginfo-8.33.1-3.22.4 rsyslog-module-mmnormalize-8.33.1-3.22.4 rsyslog-module-mmnormalize-debuginfo-8.33.1-3.22.4 rsyslog-module-omamqp1-8.33.1-3.22.4 rsyslog-module-omamqp1-debuginfo-8.33.1-3.22.4 rsyslog-module-omhttpfs-8.33.1-3.22.4 rsyslog-module-omhttpfs-debuginfo-8.33.1-3.22.4 rsyslog-module-omtcl-8.33.1-3.22.4 rsyslog-module-omtcl-debuginfo-8.33.1-3.22.4 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): rsyslog-8.33.1-3.22.4 rsyslog-debuginfo-8.33.1-3.22.4 rsyslog-debugsource-8.33.1-3.22.4 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): rsyslog-8.33.1-3.22.4 rsyslog-debuginfo-8.33.1-3.22.4 rsyslog-debugsource-8.33.1-3.22.4 References: https://www.suse.com/security/cve/CVE-2019-17041.html https://www.suse.com/security/cve/CVE-2019-17042.html https://bugzilla.suse.com/1141063 https://bugzilla.suse.com/1153451 https://bugzilla.suse.com/1153459 From sle-security-updates at lists.suse.com Mon Nov 11 10:11:24 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 11 Nov 2019 18:11:24 +0100 (CET) Subject: SUSE-SU-2019:2940-1: moderate: Security update for go1.12 Message-ID: <20191111171124.481B8F7BE@maintenance.suse.de> SUSE Security Update: Security update for go1.12 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2940-1 Rating: moderate References: #1141689 #1152082 #1154402 Cross-References: CVE-2019-16276 CVE-2019-17596 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for go1.12 fixes the following issues:

Security issues fixed:

- CVE-2019-16276: Fixed the handling of invalid HTTP headers, which had allowed request smuggling (bsc#1152082).
- CVE-2019-17596: Fixed a panic in dsa.Verify caused by invalid public keys (bsc#1154402).

Non-security issue fixed:

- Go was updated to version 1.12.12 (bsc#1141689).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2940=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2940=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  go1.12-1.12.12-1.20.1
  go1.12-doc-1.12.12-1.20.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
  go1.12-race-1.12.12-1.20.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
  go1.12-1.12.12-1.20.1
  go1.12-doc-1.12.12-1.20.1

References:

https://www.suse.com/security/cve/CVE-2019-16276.html
https://www.suse.com/security/cve/CVE-2019-17596.html
https://bugzilla.suse.com/1141689
https://bugzilla.suse.com/1152082
https://bugzilla.suse.com/1154402

From sle-security-updates at lists.suse.com Mon Nov 11 13:11:03 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 11 Nov 2019 21:11:03 +0100 (CET)
Subject: SUSE-SU-2019:14215-1: moderate: Security update for tar
Message-ID:
<20191111201103.0E0FAF798@maintenance.suse.de>

SUSE Security Update: Security update for tar
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:14215-1
Rating: moderate
References: #1120610 #1130496 #1152736
Cross-References: CVE-2018-20482 CVE-2019-9923
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
  SUSE Linux Enterprise Point of Sale 11-SP3
  SUSE Linux Enterprise Debuginfo 11-SP4
  SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for tar to version 1.27.1 fixes the following issues:

tar 1.27.1 brings the following changes (jsc#ECO-339):

* Sparse files with large data
* No backticks in quoting
* --owner and --group names and numbers
* Support for POSIX ACLs, extended attributes and SELinux context.
* Passing command line arguments to external commands.
* New configure option --enable-gcc-warnings, intended for debugging.
* New warning control option --warning=[no-]record-size
* New command line option --keep-directory-symlink
* Fix unquoting of file names obtained via the -T option.
* Fix GNU long link header timestamp (backward compatibility).

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-tar-14215=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-tar-14215=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-tar-14215=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-tar-14215=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): tar-1.27.1-14.8.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): tar-1.27.1-14.8.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): tar-debuginfo-1.27.1-14.8.1 tar-debugsource-1.27.1-14.8.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): tar-debuginfo-1.27.1-14.8.1 tar-debugsource-1.27.1-14.8.1 References: https://www.suse.com/security/cve/CVE-2018-20482.html https://www.suse.com/security/cve/CVE-2019-9923.html https://bugzilla.suse.com/1120610 https://bugzilla.suse.com/1130496 https://bugzilla.suse.com/1152736 From sle-security-updates at lists.suse.com Tue Nov 12 07:11:21 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 12 Nov 2019 15:11:21 +0100 (CET) Subject: SUSE-SU-2019:2941-1: moderate: Security update for libseccomp Message-ID: <20191112141121.B9821F798@maintenance.suse.de> SUSE Security Update: Security update for libseccomp ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2941-1 Rating: moderate References: #1082318 #1128828 #1142614 Cross-References: CVE-2019-9893 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux 
Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Desktop 12-SP4
  SUSE Enterprise Storage 5
  SUSE CaaS Platform 3.0
  HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for libseccomp fixes the following issues:

Update to new upstream release 2.4.1:

* Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates

Update to release 2.3.3:

* Updated the syscall table for Linux v4.15-rc7

Update to release 2.3.2:

* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the "--enable-code-coverage" configure flag and
added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true
* Several small documentation fixes

- ignore make check error for ppc64/ppc64le, bypass bsc#1142614

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2941=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2941=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2941=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2941=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2941=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2941=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2941=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2941=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2941=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2941=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2941=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2941=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2941=1
- SUSE Linux Enterprise Desktop 12-SP4:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2941=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2019-2941=1
- SUSE CaaS Platform 3.0: To install this
update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2941=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE OpenStack Cloud 8 (x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE OpenStack Cloud 7 (s390x x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp-devel-2.4.1-11.3.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp-devel-2.4.1-11.3.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): 
libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE Enterprise Storage 5 (aarch64 x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 - SUSE Enterprise Storage 5 (x86_64): libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 - SUSE CaaS Platform 3.0 (x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 
- HPE Helion Openstack 8 (x86_64): libseccomp-debugsource-2.4.1-11.3.2 libseccomp2-2.4.1-11.3.2 libseccomp2-32bit-2.4.1-11.3.2 libseccomp2-debuginfo-2.4.1-11.3.2 libseccomp2-debuginfo-32bit-2.4.1-11.3.2 References: https://www.suse.com/security/cve/CVE-2019-9893.html https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1128828 https://bugzilla.suse.com/1142614 From sle-security-updates at lists.suse.com Tue Nov 12 16:12:29 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 00:12:29 +0100 (CET) Subject: SUSE-SU-2019:2948-1: important: Security update for the Linux Kernel Message-ID: <20191112231229.DC00DF798@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2948-1 Rating: important References: #1051510 #1082635 #1083647 #1090631 #1096254 #1117665 #1119461 #1119465 #1123034 #1135966 #1135967 #1137040 #1138190 #1139073 #1140090 #1143706 #1144338 #1144903 #1146612 #1149119 #1150457 #1151225 #1152624 #1153476 #1153509 #1153969 #1154737 #1154848 #1154858 #1154905 #1154959 #1155178 #1155179 #1155184 #1155186 #1155671 Cross-References: CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-10220 CVE-2019-11135 CVE-2019-16233 Affected Products: SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has 30 fixes is now available. Description: The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. 
The Linux Kernel KVM hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 Other security fixes: - CVE-2019-0154: Fixed a local denial of service via read of unprotected i915 registers. (bsc#1135966) - CVE-2019-0155: Fixed privilege escalation in the i915 driver. Batch buffers from usermode could have escalated privileges via blitter command stream. (bsc#1135967) - CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457). - CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903). The following non-security bugs were fixed: - alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510). - alsa: hda/realtek - Add support for ALC623 (bsc#1051510). - alsa: hda/realtek - Add support for ALC711 (bsc#1051510). - alsa: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510). - alsa: hda: Add Elkhart Lake PCI ID (bsc#1051510). - alsa: hda: Add Tigerlake/Jasperlake PCI ID (bsc#1051510). - alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510). 
- asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510). - bpf: fix use after free in prog symbol exposure (bsc#1083647). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg - consolidation of duplicate code (bsc#1154737). - crypto: af_alg - fix race accessing cipher request (bsc#1154737). - crypto: af_alg - remove locking in async callback (bsc#1154737). - crypto: af_alg - update correct dst SGL entry (bsc#1051510). - crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif - return error code when no data was processed (bsc#1154737). - crypto: algif_aead - copy AAD from src to dst (bsc#1154737). - crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead - overhaul memory management (bsc#1154737). - crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher - overhaul memory management (bsc#1154737). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). 
- drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967) - drm/i915/gtt: Disable read-only support under GVT (bsc#1135967) - drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967) - drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967) - drm/i915: Remove Master tables from cmdparser - drm/i915: Rename gen7 cmdparser tables (bsc#1135967) - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967) - efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510). - efi: cper: print AER info of PCIe fatal error (bsc#1051510). - efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510). - hid: fix error message in hid_open_report() (bsc#1051510). - hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510). - hso: fix NULL-deref on tty open (bsc#1051510). - hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ieee802154: ca8210: prevent memory leak (bsc#1051510). - input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510). - integrity: prevent deadlock during digsig verification (bsc#1090631). - ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05). 
- ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05). - kABI workaround for crypto/af_alg changes (bsc#1154737). - kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967) - ksm: cleanup stable_node chain collapse case (bnc#1144338). - ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338). - ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338). - ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338). - ksm: swap the two output parameters of chain/chain_prune (bnc#1144338). - kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86: mmu: Recovery of shattered NX large pages (bsc#1117665, CVE-2018-12207). - mac80211: Reject malformed SSID elements (bsc#1051510). - mac80211: fix txq null pointer dereference (bsc#1051510). - md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090). - md/raid0: fix warning message for parameter default_layout (bsc#1140090). - net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30). - net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05). - net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848). - net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848). - net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30). - net/smc: fix SMCD link group creation with VLAN id (bsc#1154959). - net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612). - net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05). - net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes). - net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05). - net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30). - net_sched: add policy validation for action attributes (networking-stable-19_09_30). 
- net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes). - netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612). - nfsv4.1 - backchannel request should hold ref on xprt (bsc#1152624). - nl80211: fix null pointer dereference (bsc#1051510). - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30). - qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05). - r8152: Set macpassthru in reset_resume callback (bsc#1051510). - rds: Fix warning (bsc#1154848). - reiserfs: fix extended attributes on the root directory (bsc#1151225). - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476). - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05). - sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05). - sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30). - sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). - scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040). - scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034). 
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: fix a potential NULL pointer dereference (bsc#1150457 CVE-2019-16233). - scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034). - skge: fix checksum byte order (networking-stable-19_09_30). - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510). - supporte.conf: add efivarfs to kernel-default-base (bsc#1154858). - tipc: fix unlimited bundling of small messages (networking-stable-19_10_05). - usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - usb: ldusb: fix memleak on disconnect (bsc#1051510). - usb: ldusb: fix read info leaks (bsc#1051510). - usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - usb: legousbtower: fix memleak on disconnect (bsc#1051510). - usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510). - usb: usblp: fix use-after-free on disconnect (bsc#1051510). - vfs: Make filldir[64]() verify the directory entry filename is valid (bsc#1144903, CVE-2019-10220). 
- vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05). - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969). - x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969). - x86/tsx: Add config options to set tsx=on|off|auto (bsc#1139073, CVE-2019-11135). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2019-2948=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kernel-default-kgraft-4.12.14-95.40.1 kernel-default-kgraft-devel-4.12.14-95.40.1 kgraft-patch-4_12_14-95_40-default-1-6.3.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-0154.html https://www.suse.com/security/cve/CVE-2019-0155.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-16233.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1119461 https://bugzilla.suse.com/1119465 https://bugzilla.suse.com/1123034 https://bugzilla.suse.com/1135966 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137040 https://bugzilla.suse.com/1138190 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1140090 https://bugzilla.suse.com/1143706 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1149119 https://bugzilla.suse.com/1150457 
https://bugzilla.suse.com/1151225 https://bugzilla.suse.com/1152624 https://bugzilla.suse.com/1153476 https://bugzilla.suse.com/1153509 https://bugzilla.suse.com/1153969 https://bugzilla.suse.com/1154737 https://bugzilla.suse.com/1154848 https://bugzilla.suse.com/1154858 https://bugzilla.suse.com/1154905 https://bugzilla.suse.com/1154959 https://bugzilla.suse.com/1155178 https://bugzilla.suse.com/1155179 https://bugzilla.suse.com/1155184 https://bugzilla.suse.com/1155186 https://bugzilla.suse.com/1155671 From sle-security-updates at lists.suse.com Tue Nov 12 16:19:00 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 00:19:00 +0100 (CET) Subject: SUSE-SU-2019:2949-1: important: Security update for the Linux Kernel Message-ID: <20191112231900.AEB81F798@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2949-1 Rating: important References: #1051510 #1084878 #1117665 #1131107 #1133140 #1135966 #1135967 #1136261 #1137865 #1139073 #1140671 #1141013 #1141054 #1142458 #1143187 #1144123 #1144903 #1145477 #1146042 #1146163 #1146285 #1146361 #1146378 #1146391 #1146413 #1146425 #1146512 #1146514 #1146516 #1146519 #1146524 #1146526 #1146529 #1146540 #1146543 #1146547 #1146550 #1146584 #1146589 #1147022 #1147122 #1148394 #1148938 #1149083 #1149376 #1149522 #1149527 #1149555 #1149612 #1150025 #1150112 #1150452 #1150457 #1150465 #1150727 #1150942 #1151347 #1151350 #1152685 #1152782 #1152788 #1153158 #1153263 #1154103 #1154372 #1155131 #1155671 Cross-References: CVE-2016-10906 CVE-2017-18379 CVE-2017-18509 CVE-2017-18551 CVE-2017-18595 CVE-2018-12207 CVE-2018-20976 CVE-2019-0154 CVE-2019-0155 CVE-2019-10220 CVE-2019-11135 CVE-2019-13272 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-14821 CVE-2019-14835 CVE-2019-15098 CVE-2019-15211 CVE-2019-15212 CVE-2019-15214 CVE-2019-15215 
CVE-2019-15216 CVE-2019-15217 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15239 CVE-2019-15290 CVE-2019-15291 CVE-2019-15505 CVE-2019-15666 CVE-2019-15807 CVE-2019-15902 CVE-2019-15924 CVE-2019-15926 CVE-2019-15927 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16413 CVE-2019-16995 CVE-2019-17055 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666 CVE-2019-9456 CVE-2019-9506

Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise High Availability 12-SP3
  SUSE Enterprise Storage 5
  SUSE CaaS Platform 3.0
  HPE Helion Openstack 8
______________________________________________________________________________

An update that solves 49 vulnerabilities and has 18 fixes is now available.

Description:

The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly, which caused an i_size_read() infinite loop and denial of service on SMP systems (bnc#1151347).
- CVE-2019-15902: A backporting issue was discovered that re-introduced the Spectre vulnerability it had aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused by a malicious USB device (bnc#1146519).
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused to cause denial of service (bnc#1148938).
- CVE-2019-13272: Fixed the mishandled recording of the credentials of a process that wants to create a ptrace relationship, which allowed local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). (bnc#1140671).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM hypervisor. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2019-15505: An out-of-bounds issue was fixed that could be caused by crafted USB device traffic (bnc#1147122).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed (bnc#1149555).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost functionality that translates virtqueue buffers to IOVs. A privileged guest user able to pass descriptors with invalid length to the host could use this flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-15216: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146361).
- CVE-2019-15924: A NULL pointer dereference has been fixed in the drivers/net/ethernet/intel/fm10k module (bnc#1149612).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been fixed. This issue could lead to local escalation of privilege with System execution privileges needed. (bnc#1150025).
- CVE-2019-15926: An out-of-bounds access was fixed in the drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer module (bnc#1149522).
- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm module that could cause denial of service (bnc#1148394).
- CVE-2017-18379: An out-of-boundary access was fixed in the drivers/nvme/target module (bnc#1143187).
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by a malicious USB device (bnc#1146519 1146524).
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a malicious USB device (bnc#1146519 1146526).
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146519 1146529).
- CVE-2019-14814: A heap-based buffer overflow was fixed in the Marvell wifi chip driver. That issue allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed (bsc#1146512, bsc#1146514, bsc#1146516).
- CVE-2019-14816: A heap-based buffer overflow in the Marvell wifi chip driver was fixed. Local users could have abused this issue to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).
- CVE-2017-18509: An issue in net/ipv6 was fixed. By setting a specific socket option, an attacker could control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. (bnc#1145477)
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka "KNOB") that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865).
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was fixed (bnc#1146378).
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe was fixed (bsc#1146378).
- CVE-2019-15239: An incorrect patch to net/ipv4 was fixed. By adding to a write queue between disconnection and re-connection, a local attacker could trigger multiple use-after-free conditions. This could result in kernel crashes or potentially in privilege escalation. (bnc#1146589)
- CVE-2019-15212: A double-free issue was fixed in the drivers/usb driver (bnc#1146391).
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc (bnc#1146584).
- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/v4l2-core driver (bnc#1146519).
- CVE-2019-15217: A NULL pointer dereference issue caused by a malicious USB device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).
- CVE-2019-15214: A use-after-free issue in the sound subsystem was fixed (bnc#1146519).
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device was fixed in the drivers/media/usb/siano driver (bnc#1146413).
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver (bnc#1146285).
- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver (bnc#1146163).
- CVE-2019-0154: An unprotected read access to i915 registers has been fixed that could have been abused to facilitate a local denial-of-service attack. (bsc#1135966)
- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the i915 module that allowed batch buffers from user mode to gain super user privileges.
(bsc#1135967) The following non-security bugs were fixed: - array_index_nospec: Sanitize speculative array (bsc#1155671) - bonding/802.3ad: fix link_failure_count tracking (bsc#1141013). - bonding/802.3ad: fix slave link initialization transition states (bsc#1141013). - bonding: correctly update link status during mii-commit phase (bsc#1141013). - bonding: fix active-backup transition (bsc#1141013). - bonding: make speed, duplex setting consistent with link state (bsc#1141013). - bonding: ratelimit failed speed/duplex update warning (bsc#1141013). - bonding: require speed/duplex only for 802.3ad, alb and tlb (bsc#1141013). - bonding: set default miimon value for non-arp modes if not set (bsc#1141013). - bonding: speed/duplex update at NETDEV_UP event (bsc#1141013). - cifs: fix panic in smb2_reconnect (bsc#1142458). - cifs: handle netapp error codes (bsc#1136261). - cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665). - ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154103) - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ixgbe: sync the first fragment unconditionally (bsc#1133140). - kvm: Convert kvm_lock to a mutex (bsc#1117665). - kvm: lapic: cap __delay at lapic_timer_advance_ns (bsc#1149083). - kvm: mmu: drop vcpu param in gpte_access (bsc#1117665). - kvm: mmu: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665). - kvm: mmu: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665). - kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665). - kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665). - kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665). - kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665). - kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665). 
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665). - kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665). - kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665). - kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665). - kvm: x86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083). - kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665). - kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665). - kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665). - kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665). - kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665). - kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665). - kvm: x86: move nsec_to_cycles from x86.c to x86.h (bsc#1149083). - kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665). - kvm: x86: simplify ept_misconfig (bsc#1117665). - media: smsusb: better handle optional alignment (bsc#1146413). - pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263). - powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107). - powerpc/pseries: correctly track irq state in default idle (bsc#1150727 bsc#1150942 ltc#178925 ltc#181484). - powerpc/rtas: use device model APIs and serialization during LPM (bsc#1144123 ltc#178840). - powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107). - scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) During the backport of 260f4aeddb48 ("scsi: scsi_transport_fc: return -EBUSY for deleted vport") an additional list_del() was introduced. The list entry will be freed in fc_vport_terminate(). Do not free it premature in fc_remove_host(). - swiotlb: Add support for DMA_ATTR_SKIP_CPU_SYNC in Xen-swiotlb unmap path (bsc#1133140). 
- vmci: Release resource if the work is already queued (bsc#1051510). - x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2949=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2949=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2949=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2949=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2949=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2019-2949=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-2949=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2949=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): kernel-devel-4.4.180-94.107.1 kernel-macros-4.4.180-94.107.1 kernel-source-4.4.180-94.107.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): kernel-default-4.4.180-94.107.1 kernel-default-base-4.4.180-94.107.1 kernel-default-base-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 kernel-default-devel-4.4.180-94.107.1 kernel-default-kgraft-4.4.180-94.107.1 kernel-syms-4.4.180-94.107.1 - SUSE OpenStack Cloud 8 (noarch): kernel-devel-4.4.180-94.107.1 kernel-macros-4.4.180-94.107.1 kernel-source-4.4.180-94.107.1 - SUSE OpenStack Cloud 8 (x86_64): kernel-default-4.4.180-94.107.1 kernel-default-base-4.4.180-94.107.1 kernel-default-base-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 kernel-default-devel-4.4.180-94.107.1 kernel-default-kgraft-4.4.180-94.107.1 kernel-syms-4.4.180-94.107.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kernel-default-4.4.180-94.107.1 kernel-default-base-4.4.180-94.107.1 kernel-default-base-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 kernel-default-devel-4.4.180-94.107.1 kernel-default-kgraft-4.4.180-94.107.1 kernel-syms-4.4.180-94.107.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): kernel-devel-4.4.180-94.107.1 kernel-macros-4.4.180-94.107.1 kernel-source-4.4.180-94.107.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): kernel-default-4.4.180-94.107.1 kernel-default-base-4.4.180-94.107.1 kernel-default-base-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 kernel-default-devel-4.4.180-94.107.1 kernel-syms-4.4.180-94.107.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): 
kernel-default-kgraft-4.4.180-94.107.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): kernel-devel-4.4.180-94.107.1 kernel-macros-4.4.180-94.107.1 kernel-source-4.4.180-94.107.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x): kernel-default-man-4.4.180-94.107.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): kernel-default-4.4.180-94.107.1 kernel-default-base-4.4.180-94.107.1 kernel-default-base-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 kernel-default-devel-4.4.180-94.107.1 kernel-syms-4.4.180-94.107.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): kernel-devel-4.4.180-94.107.1 kernel-macros-4.4.180-94.107.1 kernel-source-4.4.180-94.107.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.180-94.107.1 cluster-md-kmp-default-debuginfo-4.4.180-94.107.1 dlm-kmp-default-4.4.180-94.107.1 dlm-kmp-default-debuginfo-4.4.180-94.107.1 gfs2-kmp-default-4.4.180-94.107.1 gfs2-kmp-default-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 ocfs2-kmp-default-4.4.180-94.107.1 ocfs2-kmp-default-debuginfo-4.4.180-94.107.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): kernel-default-4.4.180-94.107.1 kernel-default-base-4.4.180-94.107.1 kernel-default-base-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 kernel-default-devel-4.4.180-94.107.1 kernel-syms-4.4.180-94.107.1 - SUSE Enterprise Storage 5 (x86_64): kernel-default-kgraft-4.4.180-94.107.1 - SUSE Enterprise Storage 5 (noarch): kernel-devel-4.4.180-94.107.1 kernel-macros-4.4.180-94.107.1 kernel-source-4.4.180-94.107.1 - SUSE CaaS Platform 3.0 (x86_64): kernel-default-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 - HPE Helion Openstack 8 (noarch): kernel-devel-4.4.180-94.107.1 kernel-macros-4.4.180-94.107.1 
kernel-source-4.4.180-94.107.1 - HPE Helion Openstack 8 (x86_64): kernel-default-4.4.180-94.107.1 kernel-default-base-4.4.180-94.107.1 kernel-default-base-debuginfo-4.4.180-94.107.1 kernel-default-debuginfo-4.4.180-94.107.1 kernel-default-debugsource-4.4.180-94.107.1 kernel-default-devel-4.4.180-94.107.1 kernel-default-kgraft-4.4.180-94.107.1 kernel-syms-4.4.180-94.107.1 References: https://www.suse.com/security/cve/CVE-2016-10906.html https://www.suse.com/security/cve/CVE-2017-18379.html https://www.suse.com/security/cve/CVE-2017-18509.html https://www.suse.com/security/cve/CVE-2017-18551.html https://www.suse.com/security/cve/CVE-2017-18595.html https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2018-20976.html https://www.suse.com/security/cve/CVE-2019-0154.html https://www.suse.com/security/cve/CVE-2019-0155.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-13272.html https://www.suse.com/security/cve/CVE-2019-14814.html https://www.suse.com/security/cve/CVE-2019-14815.html https://www.suse.com/security/cve/CVE-2019-14816.html https://www.suse.com/security/cve/CVE-2019-14821.html https://www.suse.com/security/cve/CVE-2019-14835.html https://www.suse.com/security/cve/CVE-2019-15098.html https://www.suse.com/security/cve/CVE-2019-15211.html https://www.suse.com/security/cve/CVE-2019-15212.html https://www.suse.com/security/cve/CVE-2019-15214.html https://www.suse.com/security/cve/CVE-2019-15215.html https://www.suse.com/security/cve/CVE-2019-15216.html https://www.suse.com/security/cve/CVE-2019-15217.html https://www.suse.com/security/cve/CVE-2019-15218.html https://www.suse.com/security/cve/CVE-2019-15219.html https://www.suse.com/security/cve/CVE-2019-15220.html https://www.suse.com/security/cve/CVE-2019-15221.html https://www.suse.com/security/cve/CVE-2019-15239.html 
https://www.suse.com/security/cve/CVE-2019-15290.html https://www.suse.com/security/cve/CVE-2019-15291.html https://www.suse.com/security/cve/CVE-2019-15505.html https://www.suse.com/security/cve/CVE-2019-15666.html https://www.suse.com/security/cve/CVE-2019-15807.html https://www.suse.com/security/cve/CVE-2019-15902.html https://www.suse.com/security/cve/CVE-2019-15924.html https://www.suse.com/security/cve/CVE-2019-15926.html https://www.suse.com/security/cve/CVE-2019-15927.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16413.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17055.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://www.suse.com/security/cve/CVE-2019-9456.html https://www.suse.com/security/cve/CVE-2019-9506.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1084878 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1131107 https://bugzilla.suse.com/1133140 https://bugzilla.suse.com/1135966 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1136261 https://bugzilla.suse.com/1137865 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1140671 https://bugzilla.suse.com/1141013 https://bugzilla.suse.com/1141054 https://bugzilla.suse.com/1142458 https://bugzilla.suse.com/1143187 https://bugzilla.suse.com/1144123 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145477 https://bugzilla.suse.com/1146042 https://bugzilla.suse.com/1146163 https://bugzilla.suse.com/1146285 https://bugzilla.suse.com/1146361 https://bugzilla.suse.com/1146378 https://bugzilla.suse.com/1146391 https://bugzilla.suse.com/1146413 https://bugzilla.suse.com/1146425 https://bugzilla.suse.com/1146512 
https://bugzilla.suse.com/1146514 https://bugzilla.suse.com/1146516 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146524 https://bugzilla.suse.com/1146526 https://bugzilla.suse.com/1146529 https://bugzilla.suse.com/1146540 https://bugzilla.suse.com/1146543 https://bugzilla.suse.com/1146547 https://bugzilla.suse.com/1146550 https://bugzilla.suse.com/1146584 https://bugzilla.suse.com/1146589 https://bugzilla.suse.com/1147022 https://bugzilla.suse.com/1147122 https://bugzilla.suse.com/1148394 https://bugzilla.suse.com/1148938 https://bugzilla.suse.com/1149083 https://bugzilla.suse.com/1149376 https://bugzilla.suse.com/1149522 https://bugzilla.suse.com/1149527 https://bugzilla.suse.com/1149555 https://bugzilla.suse.com/1149612 https://bugzilla.suse.com/1150025 https://bugzilla.suse.com/1150112 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150727 https://bugzilla.suse.com/1150942 https://bugzilla.suse.com/1151347 https://bugzilla.suse.com/1151350 https://bugzilla.suse.com/1152685 https://bugzilla.suse.com/1152782 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1153263 https://bugzilla.suse.com/1154103 https://bugzilla.suse.com/1154372 https://bugzilla.suse.com/1155131 https://bugzilla.suse.com/1155671 From sle-security-updates at lists.suse.com Tue Nov 12 16:28:26 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 00:28:26 +0100 (CET) Subject: SUSE-SU-2019:2952-1: important: Security update for the Linux Kernel Message-ID: <20191112232826.A9E5AF798@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2952-1 Rating: important References: #1046299 #1046303 #1046305 #1050244 #1050536 #1050545 #1051510 #1055186 #1061840 #1064802 #1065600 
#1066129 #1073513 #1082635 #1083647 #1086323 #1087092 #1089644 #1090631 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 #1097588 #1098291 #1101674 #1109158 #1111666 #1112178 #1113994 #1114279 #1117665 #1119461 #1119465 #1123034 #1123080 #1133140 #1134303 #1135642 #1135854 #1135873 #1135967 #1137040 #1137799 #1137861 #1138190 #1140090 #1140729 #1140845 #1140883 #1141600 #1142635 #1142667 #1143706 #1144338 #1144375 #1144449 #1144903 #1145099 #1146612 #1148410 #1149119 #1149853 #1150452 #1150457 #1150465 #1150875 #1151508 #1151807 #1152033 #1152624 #1152665 #1152685 #1152696 #1152697 #1152788 #1152790 #1152791 #1153112 #1153158 #1153236 #1153263 #1153476 #1153509 #1153607 #1153646 #1153681 #1153713 #1153717 #1153718 #1153719 #1153811 #1153969 #1154108 #1154189 #1154242 #1154268 #1154354 #1154372 #1154521 #1154578 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737 #1154747 #1154848 #1154858 #1154905 #1154956 #1155061 #1155178 #1155179 #1155184 #1155186 #1155671
Cross-References: CVE-2018-12207 CVE-2019-10220 CVE-2019-11135 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16995 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666
Affected Products:
SUSE Linux Enterprise Module for Public Cloud 15-SP1
______________________________________________________________________________

An update that solves 10 vulnerabilities and has 111 fixes is now available.

Description:

The SUSE Linux Enterprise 15-SP1 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional.
  The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as
  More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack.
  The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW).
  The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).

The following non-security bugs were fixed:

- 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510).
- Add kernel module compression support (bsc#1135854)
- acpi / CPPC: do not require the _PSD method (bsc#1051510).
- acpi / processor: do not print errors for processorIDs == 0xff (bsc#1051510).
- acpi: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510).
- act_mirred: Fix mirred_init_module error handling (bsc#1051510).
- alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510).
- alsa: firewire-motu: add support for MOTU 4pre (bsc#1111666).
- alsa: hda - Add a quirk model for fixing Huawei Matebook X right speaker (bsc#1051510).
- alsa: hda - Add laptop imic fixup for ASUS M9V laptop (bsc#1051510).
- alsa: hda - Apply AMD controller workaround for Raven platform (bsc#1051510).
- alsa: hda - Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510).
- alsa: hda - Drop unsol event handler for Intel HDMI codecs (bsc#1051510).
- alsa: hda - Expand pin_match function to match upcoming new tbls (bsc#1051510).
- alsa: hda - Force runtime PM on Nvidia HDMI codecs (bsc#1051510).
- alsa: hda - Inform too slow responses (bsc#1051510).
- alsa: hda - Show the fatal CORB/RIRB error more clearly (bsc#1051510).
- alsa: hda/hdmi - Do not report spurious jack state changes (bsc#1051510).
- alsa: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510).
- alsa: hda/realtek - Add support for ALC623 (bsc#1051510).
- alsa: hda/realtek - Add support for ALC711 (bsc#1051510).
- alsa: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 (bsc#1051510).
- alsa: hda/realtek - Check beep whitelist before assigning in all codecs (bsc#1051510).
- alsa: hda/realtek - Enable headset mic on Asus MJ401TA (bsc#1051510).
- alsa: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510).
- alsa: hda/realtek - Fix alienware headset mic (bsc#1051510).
- alsa: hda/realtek - pci quirk for Medion E4254 (bsc#1051510).
- alsa: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510).
- alsa: hda/sigmatel - remove unused variable 'stac9200_core_init' (bsc#1051510).
- alsa: hda: Add Elkhart Lake pci ID (bsc#1051510).
- alsa: hda: Add Tigerlake/Jasperlake pci ID (bsc#1051510).
- alsa: hda: Add support of Zhaoxin controller (bsc#1051510).
- alsa: hda: Flush interrupts on disabling (bsc#1051510).
- alsa: hda: Set fifo_size for both playback and capture streams (bsc#1051510).
- alsa: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510).
- alsa: line6: sizeof (byte) is always 1, use that fact (bsc#1051510).
- alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510).
- alsa: usb-audio: Add DSD support for EVGA NU Audio (bsc#1051510).
- alsa: usb-audio: Add DSD support for Gustard U16/X26 USB Interface (bsc#1051510).
- alsa: usb-audio: Add Hiby device family to quirks for native DSD support (bsc#1051510).
- alsa: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510).
- alsa: usb-audio: Clean up check_input_term() (bsc#1051510).
- alsa: usb-audio: DSD auto-detection for Playback Designs (bsc#1051510).
- alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510).
- alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1111666).
- alsa: usb-audio: Fix copy&paste error in the validator (bsc#1111666).
- alsa: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk() (bsc#1051510).
- alsa: usb-audio: More validations of descriptor units (bsc#1051510).
- alsa: usb-audio: Remove superfluous bLength checks (bsc#1051510).
- alsa: usb-audio: Simplify parse_audio_unit() (bsc#1051510).
- alsa: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510).
- alsa: usb-audio: Unify audioformat release code (bsc#1051510).
- alsa: usb-audio: Unify the release of usb_mixer_elem_info objects (bsc#1051510).
- alsa: usb-audio: Update DSD support quirks for Oppo and Rotel (bsc#1051510).
- alsa: usb-audio: fix PCM device order (bsc#1051510).
- alsa: usb-audio: remove some dead code (bsc#1051510).
- appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30).
- arm64/cpufeature: Convert hook_lock to raw_spin_lock_t in cpu_enable_ssbs() (jsc#ECO-561).
- arm64: Add decoding macros for CP15_32 and CP15_64 traps (jsc#ECO-561).
- arm64: Add part number for Neoverse N1 (jsc#ECO-561).
- arm64: Add silicon-errata.txt entry for ARM erratum 1188873 (jsc#ECO-561).
- arm64: Apply ARM64_ERRATUM_1188873 to Neoverse-N1 (jsc#ECO-561).
- arm64: Fake the IminLine size on systems affected by Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671).
- arm64: Fix mismatched cache line size detection (jsc#ECO-561,jsc#SLE-10671).
- arm64: Fix silly typo in comment (jsc#ECO-561).
- arm64: Force SSBS on context switch (jsc#ECO-561).
- arm64: Introduce sysreg_clear_set() (jsc#ECO-561).
- arm64: Make ARM64_ERRATUM_1188873 depend on COMPAT (jsc#ECO-561).
- arm64: Restrict ARM64_ERRATUM_1188873 mitigation to AArch32 (jsc#ECO-561).
- arm64: arch_timer: avoid unused function warning (jsc#ECO-561).
- arm64: compat: Add CNTFRQ trap handler (jsc#ECO-561).
- arm64: compat: Add CNTVCT trap handler (jsc#ECO-561).
- arm64: compat: Add condition code checks and IT advance (jsc#ECO-561).
- arm64: compat: Add cp15_32 and cp15_64 handler arrays (jsc#ECO-561).
- arm64: compat: Add separate CP15 trapping hook (jsc#ECO-561).
- arm64: compat: Workaround Neoverse-N1 #1542419 for compat user-space (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpu: Move errata and feature enable callbacks closer to callers (jsc#ECO-561).
- arm64: cpu_errata: Remove ARM64_MISMATCHED_CACHE_LINE_SIZE (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpufeature: Fix handling of CTR_EL0.IDC field (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpufeature: Trap CTR_EL0 access only where it is necessary (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpufeature: ctr: Fix cpu capability check for late CPUs (jsc#ECO-561,jsc#SLE-10671).
- arm64: entry: Allow handling of undefined instructions from EL1 (jsc#ECO-561).
- arm64: errata: Hide CTR_EL0.DIC on systems affected by Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671).
- arm64: fix SSBS sanitization (jsc#ECO-561).
- arm64: force_signal_inject: WARN if called from kernel context (jsc#ECO-561).
- arm64: kill change_cpacr() (jsc#ECO-561).
- arm64: kill config_sctlr_el1() (jsc#ECO-561).
- arm64: kvm: Add invalidate_icache_range helper (jsc#ECO-561,jsc#SLE-10671).
- arm64: kvm: PTE/PMD S2 XN bit definition (jsc#ECO-561,jsc#SLE-10671).
- arm64: move SCTLR_EL{1,2} assertions to <asm/sysreg.h> (jsc#ECO-561).
- arm64: ssbd: Drop #ifdefs for PR_SPEC_STORE_BYPASS (jsc#ECO-561).
- arm: kvm: Add optimized PIPT icache flushing (jsc#ECO-561,jsc#SLE-10671).
- asoc: Define a set of DAPM pre/post-up events (bsc#1051510).
- asoc: Intel: Fix use of potentially uninitialized variable (bsc#1051510).
- asoc: Intel: NHLT: Fix debug print format (bsc#1051510).
- asoc: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510).
- asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510).
- asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510).
- asoc: sgtl5000: Fix charge pump source assignment (bsc#1051510).
- auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510).
- ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- blk-wbt: abstract out end IO completion handler (bsc#1135873).
- blk-wbt: fix has-sleeper queueing check (bsc#1135873).
- blk-wbt: improve waking of tasks (bsc#1135873).
- blk-wbt: move disable check into get_limit() (bsc#1135873).
- blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873).
- block: add io timeout to sysfs (bsc#1148410).
- block: add io timeout to sysfs (bsc#1148410).
- block: do not show io_timeout if driver has no timeout handler (bsc#1148410).
- block: do not show io_timeout if driver has no timeout handler (bsc#1148410).
- bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510).
- bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323).
- bnxt_en: Add pci IDs for 57500 series NPAR devices (bsc#1153607).
- boot: Sign non-x86 kernels when possible (boo#1134303)
- bpf: fix use after free in prog symbol exposure (bsc#1083647).
- brcmfmac: sdio: Disable auto-tuning around commands expected to fail (bsc#1111666).
- brcmfmac: sdio: Do not tune while the card is off (bsc#1111666).
- bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15).
- btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651).
- btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607).
- btrfs: bail out gracefully rather than BUG_ON (bsc#1153646).
- btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178).
- btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713).
- btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179).
- btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651).
- btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186).
- btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184).
- can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510).
- can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510).
- cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15).
- cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510).
- ceph: fix directories inode i_blkbits initialization (bsc#1153717).
- ceph: reconnect connection if session hang in opening state (bsc#1153718).
- ceph: update the mtime when truncating up (bsc#1153719).
- cfg80211: Purge frame registrations on iftype change (bsc#1051510).
- cfg80211: add and use strongly typed element iteration macros (bsc#1051510).
- clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510).
- clk: qoriq: Fix -Wunused-const-variable (bsc#1051510).
- clk: sirf: Do not reference clk_init_data after registration (bsc#1051510).
- clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510).
- config: arm64: enable erratum 1418040 and 1542419
- crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737).
- crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510).
- crypto: af_alg - consolidation of duplicate code (bsc#1154737).
- crypto: af_alg - fix race accessing cipher request (bsc#1154737).
- crypto: af_alg - remove locking in async callback (bsc#1154737).
- crypto: af_alg - update correct dst SGL entry (bsc#1051510).
- crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737).
- crypto: algif - return error code when no data was processed (bsc#1154737).
- crypto: algif_aead - copy AAD from src to dst (bsc#1154737).
- crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737).
- crypto: algif_aead - overhaul memory management (bsc#1154737).
- crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737).
- crypto: algif_skcipher - overhaul memory management (bsc#1154737).
- crypto: talitos - fix missing break in switch statement (bsc#1142635).
- cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584).
- cxgb4: do not dma memory off of the stack (bsc#1152790).
- cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129).
- cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129).
- cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513).
- cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129).
- cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05).
- dasd_fba: Display '00000000' for zero page when dumping sense (bsc#1123080).
- drm/amd/display: Restore backlight brightness after system resume (bsc#1112178)
- drm/amd/display: fix issue where 252-255 values are clipped (bsc#1111666).
- drm/amd/display: reprogram VM config when system resume (bsc#1111666).
- drm/amd/display: support spdif (bsc#1111666).
- drm/amd/dm: Understand why attaching path/tile properties are needed (bsc#1111666).
- drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510).
- drm/amd/pp: Fix truncated clock value when set watermark (bsc#1111666).
- drm/amdgpu/gfx9: Update gfx9 golden settings (bsc#1111666).
- drm/amdgpu/si: fix ASIC tests (git-fixes).
- drm/amdgpu: Check for valid number of registers to read (bsc#1051510).
- drm/amdgpu: Fix KFD-related kernel oops on Hawaii (bsc#1111666).
- drm/amdgpu: Update gc_9_0 golden settings (bsc#1111666).
- drm/amdkfd: Add missing Polaris10 ID (bsc#1111666).
- drm/ast: Fixed reboot test may cause system hanged (bsc#1051510).
- drm/atomic_helper: Allow DPMS On<->Off changes for unregistered connectors (bsc#1111666).
- drm/atomic_helper: Disallow new modesets on unregistered connectors (bsc#1111666).
- drm/atomic_helper: Stop modesets on unregistered connectors harder (bsc#1111666).
- drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510).
- drm/bridge: tfp410: fix memleak in get_modes() (bsc#1111666).
- drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510).
- drm/i915/cmdparser: Add support for backward jumps (bsc#1135967)
- drm/i915/cmdparser: Ignore Length operands during (bsc#1135967)
- drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967)
- drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967)
- drm/i915/gvt: update vgpu workload head pointer correctly (bsc#1112178)
- drm/i915: Add gen9 BCS cmdparsing (bsc#1135967)
- drm/i915: Add support for mandatory cmdparsing (bsc#1135967)
- drm/i915: Allow parsing of unsized batches (bsc#1135967)
- drm/i915: Cleanup gt powerstate from gem (bsc#1111666).
- drm/i915: Disable Secure Batches for gen6+ (bsc#1135967)
- drm/i915: Fix intel_dp_mst_best_encoder() (bsc#1111666).
- drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967)
- drm/i915: Remove Master tables from cmdparser (bsc#1135967)
- drm/i915: Rename gen7 cmdparser tables (bsc#1135967)
- drm/i915: Restore sane defaults for KMS on GEM error load (bsc#1111666).
- drm/i915: Support ro ppgtt mapped cmdparser shadow (bsc#1135967)
- drm/mediatek: set DMA max segment size (bsc#1111666).
- drm/msm/dsi: Fix return value check for clk_get_parent (bsc#1111666).
- drm/msm/dsi: Implement reset correctly (bsc#1051510).
- drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling (bsc#1111666).
- drm/nouveau/kms/nv50-: Do not create MSTMs for eDP connectors (bsc#1112178)
- drm/nouveau/volt: Fix for some cards having 0 maximum voltage (bsc#1111666).
- drm/omap: fix max fclk divider for omap36xx (bsc#1111666).
- drm/panel: check failure cases in the probe func (bsc#1111666).
- drm/panel: make drm_panel.h self-contained (bsc#1111666).
- drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510).
- drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed (bsc#1111666).
- drm/radeon: Fix EEH during kexec (bsc#1051510).
- drm/rockchip: Check for fast link training before enabling psr (bsc#1111666).
- drm/stm: attach gem fence to atomic state (bsc#1111666).
- drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510).
- drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510).
- drm: Flush output polling on shutdown (bsc#1051510).
- drm: add __user attribute to ptr_to_compat() (bsc#1111666).
- drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC (bsc#1111666).
- drm: rcar-du: lvds: Fix bridge_to_rcar_lvds (bsc#1111666).
- e1000e: add workaround for possible stalled packet (bsc#1051510).
- efi/arm: Show SMBIOS bank/device location in CPER and GHES error logs (bsc#1152033).
- efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510).
- efi: cper: print AER info of pcie fatal error (bsc#1051510).
- efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510).
- firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes).
- gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510).
- hid: apple: Fix stuck function keys when using FN (bsc#1051510).
- hid: fix error message in hid_open_report() (bsc#1051510).
- hid: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510).
- hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510).
- hid: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510).
- hid: prodikeys: Fix general protection fault during probe (bsc#1051510).
- hid: sony: Fix memory corruption issue on cleanup (bsc#1051510).
- hso: fix NULL-deref on tty open (bsc#1051510).
- hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510).
- hwrng: core - do not wait on add_early_randomness() (git-fixes).
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- i2c: riic: Clear NACK in tend isr (bsc#1051510).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154108)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ib/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449).
- ib/mlx5: Consolidate use_umr checks into single function (bsc#1093205).
- ib/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205).
- ib/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305).
- ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510).
- ieee802154: ca8210: prevent memory leak (bsc#1051510).
- ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- iio: adc: ad799x: fix probe error handling (bsc#1051510).
- iio: light: opt3001: fix mutex unlock race (bsc#1051510).
- ima: always return negative code for error (bsc#1051510).
- input: da9063 - fix capability and drop KEY_SLEEP (bsc#1051510).
- input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510).
- integrity: prevent deadlock during digsig verification (bsc#1090631).
- iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799).
- iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608).
- iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799).
- iommu/amd: Remove domain->updated (bsc#1154610).
- iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611).
- ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510).
- ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15).
- ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05).
- ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05).
- irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices (jsc#ECO-561).
- irqchip/gic-v3-its: Fix command queue pointer comparison bug (jsc#ECO-561).
- irqchip/gic-v3-its: Fix misuse of GENMASK macro (jsc#ECO-561).
- iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init (bsc#1111666).
- ixgbe: Fix secpath usage for IPsec TX offload (bsc#1113994 bsc#1151807).
- ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674).
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kABI workaround for crypto/af_alg changes (bsc#1154737).
- kABI workaround for drm_connector.registered type changes (bsc#1111666).
- kABI workaround for mmc_host retune_crc_disable flag addition (bsc#1111666).
- kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510).
- kabi/severities: Whitelist functions internal to radix mm.
  To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code.
- kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- kernel-binary.spec.in: Fix build of non-modular kernels (boo#1154578).
- kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875).
- ksm: cleanup stable_node chain collapse case (bnc#1144338).
- ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338).
- ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338).
- ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338).
- ksm: swap the two output parameters of chain/chain_prune (bnc#1144338).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: MMU: drop vcpu param in gpte_access (bsc#1117665).
- kvm: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840).
- kvm: arm/arm64: Clean dcache to PoC when changing PTE due to CoW (jsc#ECO-561,jsc#SLE-10671).
- kvm: arm/arm64: Detangle kvm_mmu.h from kvm_hyp.h (jsc#ECO-561,jsc#SLE-10671).
- kvm: arm/arm64: Drop vcpu parameter from guest cache maintenance operartions (jsc#ECO-561,jsc#SLE-10671).
- kvm: arm/arm64: Limit icache invalidation to prefetch aborts (jsc#ECO-561,jsc#SLE-10671).
- kvm: arm/arm64: Only clean the dcache on translation fault (jsc#ECO-561,jsc#SLE-10671).
- kvm: arm/arm64: Preserve Exec permission across R/W permission faults (jsc#ECO-561,jsc#SLE-10671).
- kvm: arm/arm64: Split dcache/icache flushing (jsc#ECO-561,jsc#SLE-10671).
- kvm: arm64: Set SCTLR_EL2.DSSBS if SSBD is forcefully disabled and !vhe (jsc#ECO-561).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510).
- libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510).
- libnvdimm/security: provide fix for secure-erase to use zero-key (bsc#1149853).
- lpfc: Add FA-WWN Async Event reporting (bsc#1154521).
- lpfc: Add FC-AL support to lpe32000 models (bsc#1154521).
- lpfc: Add additional discovery log messages (bsc#1154521).
- lpfc: Add log macros to allow print by serverity or verbocity setting (bsc#1154521).
- lpfc: Fix SLI3 hba in loop mode not discovering devices (bsc#1154521).
- lpfc: Fix bad ndlp ptr in xri aborted handling (bsc#1154521).
- lpfc: Fix hardlockup in lpfc_abort_handler (bsc#1154521).
- lpfc: Fix lockdep errors in sli_ringtx_put (bsc#1154521).
- lpfc: Fix reporting of read-only fw error errors (bsc#1154521).
- lpfc: Make FW logging dynamically configurable (bsc#1154521).
- lpfc: Remove lock contention target write path (bsc#1154521).
- lpfc: Revise interrupt coalescing for missing scenarios (bsc#1154521).
- lpfc: Slight fast-path Performance optimizations (bsc#1154521).
- lpfc: Update lpfc version to 12.6.0.0 (bsc#1154521).
- lpfc: fix coverity error of dereference after null check (bsc#1154521).
- lpfc: fix lpfc_nvmet_mrq to be bound by hdw queue count (bsc#1154521).
- mISDN: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- mac80211: Reject malformed SSID elements (bsc#1051510).
- mac80211: accept deauth frames in IBSS mode (bsc#1051510).
- mac80211: fix txq null pointer dereference (bsc#1051510).
- macsec: drop skb sk before calling gro_cells_receive (bsc#1051510).
- md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090).
- md/raid0: fix warning message for parameter default_layout (bsc#1140090).
- media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642).
- media: cpia2_usb: fix memory leaks (bsc#1051510).
- media: dvb-core: fix a memory leak bug (bsc#1051510).
- media: exynos4-is: fix leaked of_node references (bsc#1051510).
- media: gspca: zero usb_buf on error (bsc#1051510).
- media: hdpvr: Add device num check and handling (bsc#1051510).
- media: hdpvr: add terminating 0 at end of string (bsc#1051510).
- media: i2c: ov5645: Fix power sequence (bsc#1051510).
- media: iguanair: add sanity checks (bsc#1051510).
- media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510).
- media: omap3isp: Set device on omap3isp subdevs (bsc#1051510).
- media: ov9650: add a sanity check (bsc#1051510).
- media: radio/si470x: kill urb on error (bsc#1051510).
- media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510).
- media: saa7146: add cleanup in hexium_attach() (bsc#1051510).
- media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510).
- media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510).
- media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510).
- memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510).
- mfd: intel-lpss: Remove D3cold delay (bsc#1051510).
- mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05).
- mmc: core: API to temporarily disable retuning for SDIO CRC errors (bsc#1111666).
- mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() (bsc#1111666).
- mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510).
- mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510).
- mmc: sdhci: improve ADMA error reporting (bsc#1051510).
- net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/mlx4_en: fix a memory leak bug (bsc#1046299).
- net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303).
- net/mlx5: Fix error handling in mlx5_load() (bsc#1046305).
- net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30).
- net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05).
- net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848).
- net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848).
- net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30).
- net: Fix null de-reference of device refcount (networking-stable-19_09_15).
- net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612).
- net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05).
- net: fix skb use after free in netpoll (networking-stable-19_09_05).
- net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15).
- net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes).
- net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05).
- net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30).
- net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05).
- net_sched: add policy validation for action attributes (networking-stable-19_09_30).
- net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- nfc: fix attrs checks in netlink interface (bsc#1051510).
- nfc: fix memory leak in llcp_sock_bind() (bsc#1051510).
- nfc: pn533: fix use-after-free and memleaks (bsc#1051510).
- nfs: fix incorrectly backported patch (boo#1154189 bsc#1154747).
- nfsv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- nl80211: fix null pointer dereference (bsc#1051510).
- objtool: Clobber user CFLAGS variable (bsc#1153236).
- openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30).
- packaging: add support for riscv64
- pci: Correct pci=resource_alignment parameter example (bsc#1051510).
- pci: PM: Fix pci_power_up() (bsc#1051510).
- pci: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092).
- pci: hv: Use bytes 4 and 5 from instance ID as the pci domain numbers (bsc#1153263).
- pinctrl: cherryview: restore Strago DMI workaround for all versions (bsc#1111666).
- pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510).
- platform/x86: classmate-laptop: remove unused variable (bsc#1051510).
- platform/x86: i2c-multi-instantiate: Derive the device name from parent (bsc#1111666).
- platform/x86: i2c-multi-instantiate: Fail the probe if no IRQ provided (bsc#1111666).
- platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510).
- power: supply: sysfs: ratelimit property read error message (bsc#1051510).
- powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186).
- powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186).
- powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186).
- powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186). - powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186). - powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186). - powerpc/mm/radix: mark as __tlbie_pid() and friends as__always_inline (bsc#1055186). - powerpc/mm: Properly invalidate when setting process table base (bsc#1055186). - powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186). - powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778). - powerpc/pseries: Remove confusing warning message (bsc#1109158). - powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778). - powerplay: Respect units on max dcfclk watermark (bsc#1111666). - qed: iWARP - Fix default window size to be based on chip (bsc#1050536 bsc#1050545). - qed: iWARP - Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545). - qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545). - qed: iWARP - fix uninitialized callback (bsc#1050536 bsc#1050545). - qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05). - r8152: Set macpassthru in reset_resume callback (bsc#1051510). - rdma/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244). - rdma/hns: Add reset process for function-clear (bsc#1155061). - rdma/hns: Remove the some magic number (bsc#1155061). - rdma: Fix goto target to release the allocated memory (bsc#1050244). - rds: Fix warning (bsc#1154848). - rpm/constraints.in: lower disk space required for ARM With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB. - rpm/dtb.spec.in.in: do not make dtb directory inaccessible There is no reason to lock down the dtb directory for ordinary users. 
- rpm/kernel-binary.spec.in: build kernel-*-kgraft only for default SLE kernel RT and Azure variants are excluded for the moment. (bsc#1141600) - rpm/kernel-binary.spec.in: handle modules.builtin.modinfo It was added in 5.2. - rpm/kernel-binary.spec.in: support partial rt debug config. - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - rpm/macros.kernel-source: KMPs should depend on kmod-compat to build. kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE. - rpm/mkspec: Correct tarball URL for rc kernels. - rpm/mkspec: Make building DTBs optional. - rpm/modflist: Simplify compression support. - rpm: raise required disk space for binary packages Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x. - rpm: support compressed modules Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko". - rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635). - s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476). - s390/cpumsf: Check for CPU Measurement sampling (bsc#1153681 LTC#181855). - s390/crypto: fix gcm-aes-s390 selftest failures (bsc#1137861 LTC#178091). - s390/pci: add mio_enabled attribute (bsc#1152665 LTC#181729). - s390/pci: correctly handle MIO opt-out (bsc#1152665 LTC#181729). - s390/pci: deal with devices that have no support for MIO instructions (bsc#1152665 LTC#181729). - s390/pci: fix MSI message data (bsc#1152697 LTC#181730). 
- s390: add support for IBM z15 machines (bsc#1152696 LTC#181731). - s390: fix setting of mio addressing control (bsc#1152665 LTC#181729). - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05). - sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05). - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15). - sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30). - sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). - scripts/arch-symbols: add missing link. - scsi: lpfc: Check queue pointer before use (bsc#1154242). - scsi: lpfc: Complete removal of FCoE T10 PI support on SLI-4 adapters (bsc#1154521). - scsi: lpfc: Convert existing %pf users to %ps (bsc#1154521). - scsi: lpfc: Fix GPF on scsi command completion (bsc#1154521). - scsi: lpfc: Fix NVME io abort failures causing hangs (bsc#1154521). - scsi: lpfc: Fix NVMe ABTS in response to receiving an ABTS (bsc#1154521). - scsi: lpfc: Fix coverity errors on NULL pointer checks (bsc#1154521). - scsi: lpfc: Fix device recovery errors after PLOGI failures (bsc#1154521). - scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040). - scsi: lpfc: Fix discovery failures when target device connectivity bounces (bsc#1154521). - scsi: lpfc: Fix hdwq sgl locks and irq handling (bsc#1154521). - scsi: lpfc: Fix host hang at boot or slow boot (bsc#1154521). - scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq (bsc#1154521). - scsi: lpfc: Fix list corruption in lpfc_sli_get_iocbq (bsc#1154521). - scsi: lpfc: Fix locking on mailbox command completion (bsc#1154521). - scsi: lpfc: Fix miss of register read failure check (bsc#1154521). - scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845). - scsi: lpfc: Fix premature re-enabling of interrupts in lpfc_sli_host_down (bsc#1154521). 
- scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883). - scsi: lpfc: Fix pt2pt discovery on SLI3 HBAs (bsc#1154521). - scsi: lpfc: Fix rpi release when deleting vport (bsc#1154521). - scsi: lpfc: Fix spinlock_irq issues in lpfc_els_flush_cmd() (bsc#1154521). - scsi: lpfc: Make function lpfc_defer_pt2pt_acc static (bsc#1154521). - scsi: lpfc: Remove bg debugfs buffers (bsc#1144375). - scsi: lpfc: Update async event logging (bsc#1154521). - scsi: lpfc: Update lpfc version to 12.4.0.1 (bsc#1154521). - scsi: lpfc: cleanup: remove unused fcp_txcmlpq_cnt (bsc#1154521). - scsi: lpfc: remove left-over BUILD_NVME defines (bsc#1154268). - scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291). - scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291). - scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Remove WARN_ON_ONCE in qla2x00_status_cont_entry() (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729). - scsi: zfcp: fix reaction on bit error threshold notification (bsc#1154956 LTC#182054). - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15). - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15). - skge: fix checksum byte order (networking-stable-19_09_30). - sock_diag: fix autoloading of the raw_diag module (bsc#1152791). - sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791). - staging: bcm2835-audio: Fix draining behavior regression (bsc#1111666). - staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510). - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510). - supported.conf: add efivarfs to kernel-default-base (bsc#1154858). - tcp: Do not dequeue SYN/FIN-segments from write-queue (git-fixes). - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15). - tcp: inherit timestamp on mtu probe (networking-stable-19_09_05). - tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05). - thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510). - thermal_hwmon: Sanitize thermal_zone type (bsc#1051510). - tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15). - tipc: fix unlimited bundling of small messages (networking-stable-19_10_05). - tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508). - tun: fix use-after-free when register netdev failed (networking-stable-19_09_15). - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099). - usb: adutux: fix NULL-derefs on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on release (bsc#1051510).
- usb: chaoskey: fix use-after-free on release (bsc#1051510). - usb: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510). - usb: iowarrior: fix use-after-free after driver unbind (bsc#1051510). - usb: iowarrior: fix use-after-free on disconnect (bsc#1051510). - usb: iowarrior: fix use-after-free on release (bsc#1051510). - usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - usb: ldusb: fix memleak on disconnect (bsc#1051510). - usb: ldusb: fix read info leaks (bsc#1051510). - usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - usb: legousbtower: fix deadlock on disconnect (bsc#1142635). - usb: legousbtower: fix memleak on disconnect (bsc#1051510). - usb: legousbtower: fix open after failed reset request (bsc#1142635). - usb: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635). - usb: legousbtower: fix slab info leak at probe (bsc#1142635). - usb: legousbtower: fix use-after-free on release (bsc#1051510). - usb: microtek: fix info-leak at probe (bsc#1142635). - usb: serial: fix runtime PM after driver unbind (bsc#1051510). - usb: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510). - usb: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510). - usb: serial: option: add Telit FN980 compositions (bsc#1051510). - usb: serial: option: add support for Cinterion CLS8 devices (bsc#1051510). - usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510). - usb: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510). - usb: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510). - usb: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510). - usb: usblcd: fix I/O after disconnect (bsc#1142635). - usb: usblp: fix runtime PM after driver unbind (bsc#1051510). - usb: usblp: fix use-after-free on disconnect (bsc#1051510). 
- usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510). - usb: yurex: Do not retry on unexpected errors (bsc#1051510). - usb: yurex: fix NULL-derefs on disconnect (bsc#1051510). - usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510). - usbnet: sanity checking of packet sizes and device mtu (bsc#1051510). - vfio_pci: Restore original state on release (bsc#1051510). - vhost_net: conditionally enable tx polling (bsc#1145099). - video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510). - vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05). - watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510). - x86/asm: Fix MWAITX C-state hint value (bsc#1114279). - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969). - x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969). - x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279). - xen/netback: fix error path of xenvif_connect_data() (bsc#1065600). - xen/pv: Fix Xen PV guest int3 handling (bsc#1153811). - xhci: Check all endpoints for LPM timeout (bsc#1051510). - xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510). - xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510). - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Public Cloud 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2019-2952=1

Package List:

- SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch):

  kernel-devel-azure-4.12.14-8.19.1
  kernel-source-azure-4.12.14-8.19.1

- SUSE Linux Enterprise Module for Public Cloud 15-SP1 (x86_64):

  kernel-azure-4.12.14-8.19.1
  kernel-azure-base-4.12.14-8.19.1
  kernel-azure-base-debuginfo-4.12.14-8.19.1
  kernel-azure-debuginfo-4.12.14-8.19.1
  kernel-azure-devel-4.12.14-8.19.1
  kernel-syms-azure-4.12.14-8.19.1

References:

https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://bugzilla.suse.com/1046299 https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1046305 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1050536 https://bugzilla.suse.com/1050545 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1055186 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1064802 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1066129 https://bugzilla.suse.com/1073513 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1086323 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1093205 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1097583 https://bugzilla.suse.com/1097584 https://bugzilla.suse.com/1097585
https://bugzilla.suse.com/1097586 https://bugzilla.suse.com/1097587 https://bugzilla.suse.com/1097588 https://bugzilla.suse.com/1098291 https://bugzilla.suse.com/1101674 https://bugzilla.suse.com/1109158 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1113994 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1119461 https://bugzilla.suse.com/1119465 https://bugzilla.suse.com/1123034 https://bugzilla.suse.com/1123080 https://bugzilla.suse.com/1133140 https://bugzilla.suse.com/1134303 https://bugzilla.suse.com/1135642 https://bugzilla.suse.com/1135854 https://bugzilla.suse.com/1135873 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137040 https://bugzilla.suse.com/1137799 https://bugzilla.suse.com/1137861 https://bugzilla.suse.com/1138190 https://bugzilla.suse.com/1140090 https://bugzilla.suse.com/1140729 https://bugzilla.suse.com/1140845 https://bugzilla.suse.com/1140883 https://bugzilla.suse.com/1141600 https://bugzilla.suse.com/1142635 https://bugzilla.suse.com/1142667 https://bugzilla.suse.com/1143706 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144375 https://bugzilla.suse.com/1144449 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145099 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1148410 https://bugzilla.suse.com/1149119 https://bugzilla.suse.com/1149853 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150875 https://bugzilla.suse.com/1151508 https://bugzilla.suse.com/1151807 https://bugzilla.suse.com/1152033 https://bugzilla.suse.com/1152624 https://bugzilla.suse.com/1152665 https://bugzilla.suse.com/1152685 https://bugzilla.suse.com/1152696 https://bugzilla.suse.com/1152697 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1152790 https://bugzilla.suse.com/1152791 https://bugzilla.suse.com/1153112 
https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1153236 https://bugzilla.suse.com/1153263 https://bugzilla.suse.com/1153476 https://bugzilla.suse.com/1153509 https://bugzilla.suse.com/1153607 https://bugzilla.suse.com/1153646 https://bugzilla.suse.com/1153681 https://bugzilla.suse.com/1153713 https://bugzilla.suse.com/1153717 https://bugzilla.suse.com/1153718 https://bugzilla.suse.com/1153719 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1153969 https://bugzilla.suse.com/1154108 https://bugzilla.suse.com/1154189 https://bugzilla.suse.com/1154242 https://bugzilla.suse.com/1154268 https://bugzilla.suse.com/1154354 https://bugzilla.suse.com/1154372 https://bugzilla.suse.com/1154521 https://bugzilla.suse.com/1154578 https://bugzilla.suse.com/1154607 https://bugzilla.suse.com/1154608 https://bugzilla.suse.com/1154610 https://bugzilla.suse.com/1154611 https://bugzilla.suse.com/1154651 https://bugzilla.suse.com/1154737 https://bugzilla.suse.com/1154747 https://bugzilla.suse.com/1154848 https://bugzilla.suse.com/1154858 https://bugzilla.suse.com/1154905 https://bugzilla.suse.com/1154956 https://bugzilla.suse.com/1155061 https://bugzilla.suse.com/1155178 https://bugzilla.suse.com/1155179 https://bugzilla.suse.com/1155184 https://bugzilla.suse.com/1155186 https://bugzilla.suse.com/1155671

From sle-security-updates at lists.suse.com Tue Nov 12 16:44:30 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Nov 2019 00:44:30 +0100 (CET)
Subject: SUSE-SU-2019:2946-1: important: Security update for the Linux Kernel
Message-ID: <20191112234430.CBAD7F79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:2946-1
Rating: important
References: #1046299 #1046303 #1046305 #1050244 #1050536 #1050545 #1051510 #1055186 #1061840 #1064802 #1065600 #1066129 #1073513 #1082635
#1083647 #1086323 #1087092 #1089644 #1090631 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 #1097588 #1098291 #1101674 #1109158 #1114279 #1117665 #1119461 #1119465 #1123034 #1123080 #1133140 #1134303 #1135642 #1135854 #1135873 #1135966 #1135967 #1137040 #1137799 #1138190 #1139073 #1140090 #1140729 #1140845 #1140883 #1141600 #1142635 #1142667 #1143706 #1144338 #1144375 #1144449 #1144903 #1145099 #1146612 #1148410 #1149119 #1150452 #1150457 #1150465 #1150875 #1151508 #1152624 #1152685 #1152788 #1152791 #1153112 #1153158 #1153236 #1153263 #1153476 #1153509 #1153646 #1153713 #1153717 #1153718 #1153719 #1153811 #1153969 #1154108 #1154189 #1154354 #1154372 #1154578 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737 #1154747 #1154848 #1154858 #1154905 #1155178 #1155179 #1155184 #1155186 #1155671
Cross-References: CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-10220 CVE-2019-11135 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16995 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666
Affected Products: SUSE Linux Enterprise Module for Live Patching 15
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 93 fixes is now available.

Description:

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed.
More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-0154: Fix a local denial of service via read of unprotected i915 registers. (bsc#1135966)
- CVE-2019-0155: Fix privilege escalation in the i915 driver. Batch buffers from usermode could have escalated privileges via blitter command stream. (bsc#1135967)
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465)
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).
The following non-security bugs were fixed: - 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510). - acpi / CPPC: do not require the _PSD method (bsc#1051510). - acpi / processor: do not print errors for processorIDs == 0xff (bsc#1051510). - acpi: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510). - act_mirred: Fix mirred_init_module error handling (bsc#1051510). - alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510). - alsa: hda - Add laptop imic fixup for ASUS M9V laptop (bsc#1051510). - alsa: hda - Apply AMD controller workaround for Raven platform (bsc#1051510). - alsa: hda - Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510). - alsa: hda - Drop unsol event handler for Intel HDMI codecs (bsc#1051510). - alsa: hda - Expand pin_match function to match upcoming new tbls (bsc#1051510). - alsa: hda - Inform too slow responses (bsc#1051510). - alsa: hda - Show the fatal CORB/RIRB error more clearly (bsc#1051510). - alsa: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510). - alsa: hda/realtek - Add support for ALC623 (bsc#1051510). - alsa: hda/realtek - Add support for ALC711 (bsc#1051510). - alsa: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 (bsc#1051510). - alsa: hda/realtek - Check beep whitelist before assigning in all codecs (bsc#1051510). - alsa: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510). - alsa: hda/realtek - Fix alienware headset mic (bsc#1051510). - alsa: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510). - alsa: hda/sigmatel - remove unused variable 'stac9200_core_init' (bsc#1051510). - alsa: hda: Add Elkhart Lake pci ID (bsc#1051510). - alsa: hda: Add Tigerlake/Jasperlake pci ID (bsc#1051510). - alsa: hda: Add support of Zhaoxin controller (bsc#1051510). - alsa: hda: Flush interrupts on disabling (bsc#1051510). 
- alsa: hda: Set fifo_size for both playback and capture streams (bsc#1051510). - alsa: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510). - alsa: line6: sizeof (byte) is always 1, use that fact (bsc#1051510). - alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510). - alsa: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510). - alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510). - alsa: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510). - appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - asoc: Define a set of DAPM pre/post-up events (bsc#1051510). - asoc: Intel: Fix use of potentially uninitialized variable (bsc#1051510). - asoc: Intel: NHLT: Fix debug print format (bsc#1051510). - asoc: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510). - asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510). - asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510). - asoc: sgtl5000: Fix charge pump source assignment (bsc#1051510). - auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510). - ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - blk-wbt: abstract out end IO completion handler (bsc#1135873). - blk-wbt: fix has-sleeper queueing check (bsc#1135873). - blk-wbt: improve waking of tasks (bsc#1135873). - blk-wbt: move disable check into get_limit() (bsc#1135873). - blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873). - block: add io timeout to sysfs (bsc#1148410). - block: do not show io_timeout if driver has no timeout handler (bsc#1148410). - bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510). - bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323 ). 
- boot: Sign non-x86 kernels when possible (boo#1134303) - bpf: fix use after free in prog symbol exposure (bsc#1083647). - bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15). - btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651). - btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607). - btrfs: bail out gracefully rather than BUG_ON (bsc#1153646). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510). - can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510). - cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15). - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510). - ceph: fix directories inode i_blkbits initialization (bsc#1153717). - ceph: reconnect connection if session hang in opening state (bsc#1153718). - ceph: update the mtime when truncating up (bsc#1153719). - cfg80211: Purge frame registrations on iftype change (bsc#1051510). - cfg80211: add and use strongly typed element iteration macros (bsc#1051510). - clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510). - clk: qoriq: Fix -Wunused-const-variable (bsc#1051510). - clk: sirf: Do not reference clk_init_data after registration (bsc#1051510). - clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510). 
- crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg - consolidation of duplicate code (bsc#1154737). - crypto: af_alg - fix race accessing cipher request (bsc#1154737). - crypto: af_alg - remove locking in async callback (bsc#1154737). - crypto: af_alg - update correct dst SGL entry (bsc#1051510). - crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif - return error code when no data was processed (bsc#1154737). - crypto: algif_aead - copy AAD from src to dst (bsc#1154737). - crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead - overhaul memory management (bsc#1154737). - crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher - overhaul memory management (bsc#1154737). - crypto: talitos - fix missing break in switch statement (bsc#1142635). - cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584). - cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129). - cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129). - cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513). - cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - dasd_fba: Display '00000000' for zero page when dumping sense (bsc#1123080). - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510). - drm/amdgpu/si: fix ASIC tests (git-fixes). - drm/amdgpu: Check for valid number of registers to read (bsc#1051510). - drm/ast: Fixed reboot test may cause system hanged (bsc#1051510). - drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). 
- drm/i915/cmdparser: Add support for backward jumps (bsc#1135967)
- drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967)
- drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967)
- drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967)
- drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967)
- drm/i915/gtt: Disable read-only support under GVT (bsc#1135967)
- drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967)
- drm/i915: Add gen9 BCS cmdparsing (bsc#1135967)
- drm/i915: Add support for mandatory cmdparsing (bsc#1135967)
- drm/i915: Allow parsing of unsized batches (bsc#1135967)
- drm/i915: Disable Secure Batches for gen6+
- drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967)
- drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967)
- drm/i915: Remove Master tables from cmdparser
- drm/i915: Rename gen7 cmdparser tables (bsc#1135967)
- drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967)
- drm/msm/dsi: Implement reset correctly (bsc#1051510).
- drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510).
- drm/radeon: Fix EEH during kexec (bsc#1051510).
- drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510).
- drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510).
- drm: Flush output polling on shutdown (bsc#1051510).
- e1000e: add workaround for possible stalled packet (bsc#1051510).
- efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510).
- efi: cper: print AER info of pcie fatal error (bsc#1051510).
- efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510).
- firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes).
- gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510).
- hid: apple: Fix stuck function keys when using FN (bsc#1051510).
- hid: fix error message in hid_open_report() (bsc#1051510).
- hid: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510).
- hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510).
- hid: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510).
- hid: prodikeys: Fix general protection fault during probe (bsc#1051510).
- hid: sony: Fix memory corruption issue on cleanup (bsc#1051510).
- hso: fix NULL-deref on tty open (bsc#1051510).
- hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510).
- hwrng: core - do not wait on add_early_randomness() (git-fixes).
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- i2c: riic: Clear NACK in tend isr (bsc#1051510).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154108)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ib/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449).
- ib/mlx5: Consolidate use_umr checks into single function (bsc#1093205).
- ib/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205).
- ib/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305).
- ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510).
- ieee802154: ca8210: prevent memory leak (bsc#1051510).
- ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- iio: adc: ad799x: fix probe error handling (bsc#1051510).
- iio: light: opt3001: fix mutex unlock race (bsc#1051510).
- ima: always return negative code for error (bsc#1051510).
- input: da9063 - fix capability and drop KEY_SLEEP (bsc#1051510).
- input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510).
- integrity: prevent deadlock during digsig verification (bsc#1090631).
- iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799).
- iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608).
- iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799).
- iommu/amd: Remove domain->updated (bsc#1154610).
- iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611).
- ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510).
- ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15).
- ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05).
- ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05).
- ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674).
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kABI workaround for crypto/af_alg changes (bsc#1154737).
- kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967)
- kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510).
- kabi/severities: Whitelist functions internal to radix mm.
  To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code.
- kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- kernel-binary: Drop .kernel-binary.spec.buildenv (boo#1154578).
- kernel-binary: check also bzImage on s390/s390x
  Starting with 4.19-rc1, uncompressed image is no longer built on s390x.
- kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354).
  It is not strictly necessary to uncompress it so maybe the ghost file can be 0 size in this case.
- kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875).
- ksm: cleanup stable_node chain collapse case (bnc#1144338).
- ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338).
- ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338).
- ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338).
- ksm: swap the two output parameters of chain/chain_prune (bnc#1144338).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: MMU: drop vcpu param in gpte_access (bsc#1117665).
- kvm: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: mmu: Recovery of shattered NX large pages (bsc#1117665, CVE-2018-12207).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510).
- libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510).
- mISDN: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- mac80211: Reject malformed SSID elements (bsc#1051510).
- mac80211: accept deauth frames in IBSS mode (bsc#1051510).
- mac80211: fix txq null pointer dereference (bsc#1051510).
- macsec: drop skb sk before calling gro_cells_receive (bsc#1051510).
- md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090).
- md/raid0: fix warning message for parameter default_layout (bsc#1140090).
- media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642).
- media: cpia2_usb: fix memory leaks (bsc#1051510).
- media: dvb-core: fix a memory leak bug (bsc#1051510).
- media: exynos4-is: fix leaked of_node references (bsc#1051510).
- media: gspca: zero usb_buf on error (bsc#1051510).
- media: hdpvr: Add device num check and handling (bsc#1051510).
- media: hdpvr: add terminating 0 at end of string (bsc#1051510).
- media: i2c: ov5645: Fix power sequence (bsc#1051510).
- media: iguanair: add sanity checks (bsc#1051510).
- media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510).
- media: omap3isp: Set device on omap3isp subdevs (bsc#1051510).
- media: ov9650: add a sanity check (bsc#1051510).
- media: radio/si470x: kill urb on error (bsc#1051510).
- media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510).
- media: saa7146: add cleanup in hexium_attach() (bsc#1051510).
- media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510).
- media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510).
- media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510).
- mem: /dev/mem: Bail out upon SIGKILL (git-fixes).
- memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510).
- mfd: intel-lpss: Remove D3cold delay (bsc#1051510).
- mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05).
- mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510).
- mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510).
- mmc: sdhci: improve ADMA error reporting (bsc#1051510).
- net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/mlx4_en: fix a memory leak bug (bsc#1046299).
- net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303).
- net/mlx5: Fix error handling in mlx5_load() (bsc#1046305).
- net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30).
- net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05).
- net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848).
- net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848).
- net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30).
- net: Fix null de-reference of device refcount (networking-stable-19_09_15).
- net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612).
- net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05).
- net: fix skb use after free in netpoll (networking-stable-19_09_05).
- net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15).
- net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes).
- net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05).
- net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30).
- net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05).
- net_sched: add policy validation for action attributes (networking-stable-19_09_30).
- net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- nfc: enforce CAP_NET_RAW for raw sockets (bsc#1152788 CVE-2019-17056).
- nfc: fix attrs checks in netlink interface (bsc#1051510).
- nfc: fix memory leak in llcp_sock_bind() (bsc#1051510).
- nfc: pn533: fix use-after-free and memleaks (bsc#1051510).
- nfs: NFSv4 Check the return value of update_open_stateid (boo#1154189 bsc#1154747).
- nfsv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- nl80211: fix null pointer dereference (bsc#1051510).
- objtool: Clobber user CFLAGS variable (bsc#1153236).
- openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30).
- packaging: add support for riscv64
- pci: Correct pci=resource_alignment parameter example (bsc#1051510).
- pci: PM: Fix pci_power_up() (bsc#1051510).
- pci: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092).
- pci: hv: Use bytes 4 and 5 from instance ID as the pci domain numbers (bsc#1153263).
- pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510).
- platform/x86: classmate-laptop: remove unused variable (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510).
- power: supply: sysfs: ratelimit property read error message (bsc#1051510).
- powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186).
- powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186).
- powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186).
- powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186).
- powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186).
- powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186).
- powerpc/mm/radix: mark as __tlbie_pid() and friends as __always_inline (bsc#1055186).
- powerpc/mm: Properly invalidate when setting process table base (bsc#1055186).
- powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186).
- powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778).
- powerpc/pseries: Remove confusing warning message (bsc#1109158).
- powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778).
- qed: iWARP - Fix default window size to be based on chip (bsc#1050536 bsc#1050545).
- qed: iWARP - Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545).
- qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545).
- qed: iWARP - fix uninitialized callback (bsc#1050536 bsc#1050545).
- qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05).
- r8152: Set macpassthru in reset_resume callback (bsc#1051510).
- rdma/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244).
- rdma: Fix goto target to release the allocated memory (bsc#1050244).
- rds: Fix warning (bsc#1154848).
- rpm/config.sh: Enable livepatch.
- rpm/constraints.in: lower disk space required for ARM
  With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB.
- rpm/dtb.spec.in.in: do not make dtb directory inaccessible
  There is no reason to lock down the dtb directory for ordinary users.
- rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo.
- rpm/kernel-binary.spec.in: build kernel-*-kgraft only for default SLE kernel
  RT and Azure variants are excluded for the moment. (bsc#1141600)
- rpm/kernel-binary.spec.in: handle modules.builtin.modinfo
  It was added in 5.2.
- rpm/kernel-binary.spec.in: support partial rt debug config.
- rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119).
- rpm/macros.kernel-source: KMPs should depend on kmod-compat to build.
  kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE.
- rpm/mkspec: Correct tarball URL for rc kernels.
- rpm/mkspec: Make building DTBs optional.
- rpm/modflist: Simplify compression support.
- rpm: raise required disk space for binary packages
  Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x.
- rpm: support compressed modules
  Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko".
- rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635).
- s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476).
- sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05).
- sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05).
- sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15).
- sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scripts/arch-symbols: add missing link.
- scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040).
- scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845).
- scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883).
- scsi: lpfc: Remove bg debugfs buffers (bsc#1144375).
- scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291).
- scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: fix a potential NULL pointer dereference (bsc#1150457 CVE-2019-16233).
- scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729).
- sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15).
- sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15).
- skge: fix checksum byte order (networking-stable-19_09_30).
- sock_diag: fix autoloading of the raw_diag module (bsc#1152791).
- sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791).
- staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510).
- staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510).
- supported.conf: add efivarfs to kernel-default-base (bsc#1154858).
- tcp: Do not dequeue SYN/FIN-segments from write-queue (git-fixes).
- tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15).
- tcp: inherit timestamp on mtu probe (networking-stable-19_09_05).
- tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05).
- thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510).
- thermal_hwmon: Sanitize thermal_zone type (bsc#1051510).
- tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15).
- tipc: fix unlimited bundling of small messages (networking-stable-19_10_05).
- tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508).
- tun: fix use-after-free when register netdev failed (networking-stable-19_09_15).
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099).
- usb: adutux: fix NULL-derefs on disconnect (bsc#1142635).
- usb: adutux: fix use-after-free on disconnect (bsc#1142635).
- usb: adutux: fix use-after-free on release (bsc#1051510).
- usb: chaoskey: fix use-after-free on release (bsc#1051510).
- usb: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510).
- usb: iowarrior: fix use-after-free after driver unbind (bsc#1051510).
- usb: iowarrior: fix use-after-free on disconnect (bsc#1051510).
- usb: iowarrior: fix use-after-free on release (bsc#1051510).
- usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510).
- usb: ldusb: fix memleak on disconnect (bsc#1051510).
- usb: ldusb: fix read info leaks (bsc#1051510).
- usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510).
- usb: legousbtower: fix deadlock on disconnect (bsc#1142635).
- usb: legousbtower: fix memleak on disconnect (bsc#1051510).
- usb: legousbtower: fix open after failed reset request (bsc#1142635).
- usb: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635).
- usb: legousbtower: fix slab info leak at probe (bsc#1142635).
- usb: legousbtower: fix use-after-free on release (bsc#1051510).
- usb: microtek: fix info-leak at probe (bsc#1142635).
- usb: serial: fix runtime PM after driver unbind (bsc#1051510).
- usb: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510).
- usb: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510).
- usb: serial: option: add Telit FN980 compositions (bsc#1051510).
- usb: serial: option: add support for Cinterion CLS8 devices (bsc#1051510).
- usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510).
- usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510).
- usb: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510).
- usb: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510).
- usb: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510).
- usb: usblcd: fix I/O after disconnect (bsc#1142635).
- usb: usblp: fix runtime PM after driver unbind (bsc#1051510).
- usb: usblp: fix use-after-free on disconnect (bsc#1051510).
- usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510).
- usb: yurex: Do not retry on unexpected errors (bsc#1051510).
- usb: yurex: fix NULL-derefs on disconnect (bsc#1051510).
- usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510).
- usbnet: sanity checking of packet sizes and device mtu (bsc#1051510).
- vfio_pci: Restore original state on release (bsc#1051510).
- vfs: Make filldir[64]() verify the directory entry filename is valid (bsc#1144903).
- vhost_net: conditionally enable tx polling (bsc#1145099).
- video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510).
- vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05).
- watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510).
- x86/asm: Fix MWAITX C-state hint value (bsc#1114279).
- x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969).
- x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969).
- x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279).
- x86/tsx: Add config options to set tsx=on|off|auto (bsc#1139073, CVE-2019-11135).
- xen/netback: fix error path of xenvif_connect_data() (bsc#1065600).
- xen/pv: Fix Xen PV guest int3 handling (bsc#1153811).
- xhci: Check all endpoints for LPM timeout (bsc#1051510).
- xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510).
- xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510).
- xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2019-2946=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

      kernel-default-debuginfo-4.12.14-150.41.1
      kernel-default-debugsource-4.12.14-150.41.1
      kernel-default-livepatch-4.12.14-150.41.1
      kernel-livepatch-4_12_14-150_41-default-1-1.3.1
      kernel-livepatch-4_12_14-150_41-default-debuginfo-1-1.3.1

References:

   https://www.suse.com/security/cve/CVE-2018-12207.html
   https://www.suse.com/security/cve/CVE-2019-0154.html
   https://www.suse.com/security/cve/CVE-2019-0155.html
   https://www.suse.com/security/cve/CVE-2019-10220.html
   https://www.suse.com/security/cve/CVE-2019-11135.html
   https://www.suse.com/security/cve/CVE-2019-16232.html
   https://www.suse.com/security/cve/CVE-2019-16233.html
   https://www.suse.com/security/cve/CVE-2019-16234.html
   https://www.suse.com/security/cve/CVE-2019-16995.html
   https://www.suse.com/security/cve/CVE-2019-17056.html
   https://www.suse.com/security/cve/CVE-2019-17133.html
   https://www.suse.com/security/cve/CVE-2019-17666.html
   https://bugzilla.suse.com/1046299
   https://bugzilla.suse.com/1046303
   https://bugzilla.suse.com/1046305
   https://bugzilla.suse.com/1050244
   https://bugzilla.suse.com/1050536
   https://bugzilla.suse.com/1050545
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1055186
   https://bugzilla.suse.com/1061840
   https://bugzilla.suse.com/1064802
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1066129
   https://bugzilla.suse.com/1073513
   https://bugzilla.suse.com/1082635
   https://bugzilla.suse.com/1083647
   https://bugzilla.suse.com/1086323
   https://bugzilla.suse.com/1087092
   https://bugzilla.suse.com/1089644
   https://bugzilla.suse.com/1090631
   https://bugzilla.suse.com/1093205
   https://bugzilla.suse.com/1096254
   https://bugzilla.suse.com/1097583
   https://bugzilla.suse.com/1097584
   https://bugzilla.suse.com/1097585
   https://bugzilla.suse.com/1097586
   https://bugzilla.suse.com/1097587
   https://bugzilla.suse.com/1097588
   https://bugzilla.suse.com/1098291
   https://bugzilla.suse.com/1101674
   https://bugzilla.suse.com/1109158
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1117665
   https://bugzilla.suse.com/1119461
   https://bugzilla.suse.com/1119465
   https://bugzilla.suse.com/1123034
   https://bugzilla.suse.com/1123080
   https://bugzilla.suse.com/1133140
   https://bugzilla.suse.com/1134303
   https://bugzilla.suse.com/1135642
   https://bugzilla.suse.com/1135854
   https://bugzilla.suse.com/1135873
   https://bugzilla.suse.com/1135966
   https://bugzilla.suse.com/1135967
   https://bugzilla.suse.com/1137040
   https://bugzilla.suse.com/1137799
   https://bugzilla.suse.com/1138190
   https://bugzilla.suse.com/1139073
   https://bugzilla.suse.com/1140090
   https://bugzilla.suse.com/1140729
   https://bugzilla.suse.com/1140845
   https://bugzilla.suse.com/1140883
   https://bugzilla.suse.com/1141600
   https://bugzilla.suse.com/1142635
   https://bugzilla.suse.com/1142667
   https://bugzilla.suse.com/1143706
   https://bugzilla.suse.com/1144338
   https://bugzilla.suse.com/1144375
   https://bugzilla.suse.com/1144449
   https://bugzilla.suse.com/1144903
   https://bugzilla.suse.com/1145099
   https://bugzilla.suse.com/1146612
   https://bugzilla.suse.com/1148410
   https://bugzilla.suse.com/1149119
   https://bugzilla.suse.com/1150452
   https://bugzilla.suse.com/1150457
   https://bugzilla.suse.com/1150465
   https://bugzilla.suse.com/1150875
   https://bugzilla.suse.com/1151508
   https://bugzilla.suse.com/1152624
   https://bugzilla.suse.com/1152685
   https://bugzilla.suse.com/1152788
   https://bugzilla.suse.com/1152791
   https://bugzilla.suse.com/1153112
   https://bugzilla.suse.com/1153158
   https://bugzilla.suse.com/1153236
   https://bugzilla.suse.com/1153263
   https://bugzilla.suse.com/1153476
   https://bugzilla.suse.com/1153509
   https://bugzilla.suse.com/1153646
   https://bugzilla.suse.com/1153713
   https://bugzilla.suse.com/1153717
   https://bugzilla.suse.com/1153718
   https://bugzilla.suse.com/1153719
   https://bugzilla.suse.com/1153811
   https://bugzilla.suse.com/1153969
   https://bugzilla.suse.com/1154108
   https://bugzilla.suse.com/1154189
   https://bugzilla.suse.com/1154354
   https://bugzilla.suse.com/1154372
   https://bugzilla.suse.com/1154578
   https://bugzilla.suse.com/1154607
   https://bugzilla.suse.com/1154608
   https://bugzilla.suse.com/1154610
   https://bugzilla.suse.com/1154611
   https://bugzilla.suse.com/1154651
   https://bugzilla.suse.com/1154737
   https://bugzilla.suse.com/1154747
   https://bugzilla.suse.com/1154848
   https://bugzilla.suse.com/1154858
   https://bugzilla.suse.com/1154905
   https://bugzilla.suse.com/1155178
   https://bugzilla.suse.com/1155179
   https://bugzilla.suse.com/1155184
   https://bugzilla.suse.com/1155186
   https://bugzilla.suse.com/1155671

From sle-security-updates at lists.suse.com Tue Nov 12 16:59:46 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Nov 2019 00:59:46 +0100 (CET)
Subject: SUSE-SU-2019:2955-1: important: Security update for qemu
Message-ID: <20191112235946.CA03DF79E@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2955-1
Rating:             important
References:         #1079730 #1098403 #1111025 #1117665 #1119991 #1143794
                    #1144087 #1145379 #1145427 #1145436 #1145774 #1146873
                    #1149811 #1152506
Cross-References:   CVE-2018-12207 CVE-2018-20126 CVE-2019-11135
                    CVE-2019-12068 CVE-2019-14378 CVE-2019-15890
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 8 fixes is now available.

Description:

   This update for qemu fixes the following issues:

   qemu was updated to v3.1.1.1, a stable, bug-fix-only release, which
   includes 2 fixes we already carry, as well as one additional
   use-after-free fix in slirp. (CVE-2018-20126 bsc#1119991, CVE-2019-14378
   bsc#1143794, and CVE-2019-15890 bsc#1149811 respectively)

   Security issues fixed:

   - CVE-2019-12068: Fixed potential DoS in lsi scsi controller emulation (bsc#1146873)
   - CVE-2019-11135: Expose taa-no "feature", indicating CPU does not have the TSX Async Abort vulnerability. (bsc#1152506)
   - CVE-2018-12207: Expose pschange-mc-no "feature", indicating CPU does not have the page size change machine check vulnerability (bsc#1117665)

   Other issues fixed:

   - Change how this bug gets fixed (bsc#1144087)
   - Disable file locking in the Xen PV disk backend to avoid locking issues with PV domUs during migration. The issues triggered by the locking cannot be properly handled in libxl. The locking introduced in qemu-2.10 was removed again in qemu-4.0. (bsc#1079730, bsc#1098403, bsc#1111025, bsc#1145427, bsc#1145774)
   - Feature support for vfio-ccw dasd ipl (bsc#1145379 jira-SLE-6132)
   - Additional hardware instruction support for s390, also update qemu linux headers to 5.2-rc1 (bsc#1145436 jira-SLE-6237)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2955=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2955=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2955=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): qemu-3.1.1.1-9.6.2 qemu-block-curl-3.1.1.1-9.6.2 qemu-block-curl-debuginfo-3.1.1.1-9.6.2 qemu-block-iscsi-3.1.1.1-9.6.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.6.2 qemu-block-rbd-3.1.1.1-9.6.2 qemu-block-rbd-debuginfo-3.1.1.1-9.6.2 qemu-block-ssh-3.1.1.1-9.6.2 qemu-block-ssh-debuginfo-3.1.1.1-9.6.2 qemu-debuginfo-3.1.1.1-9.6.2 qemu-debugsource-3.1.1.1-9.6.2 qemu-guest-agent-3.1.1.1-9.6.2 qemu-guest-agent-debuginfo-3.1.1.1-9.6.2 qemu-lang-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (s390x x86_64): qemu-kvm-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64): qemu-arm-3.1.1.1-9.6.2 qemu-arm-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (ppc64le): qemu-ppc-3.1.1.1-9.6.2 qemu-ppc-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): qemu-ipxe-1.0.0+-9.6.2 qemu-seabios-1.12.0-9.6.2 qemu-sgabios-8-9.6.2 qemu-vgabios-1.12.0-9.6.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64): qemu-audio-alsa-3.1.1.1-9.6.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.6.2 qemu-audio-oss-3.1.1.1-9.6.2 qemu-audio-oss-debuginfo-3.1.1.1-9.6.2 qemu-audio-pa-3.1.1.1-9.6.2 qemu-audio-pa-debuginfo-3.1.1.1-9.6.2 qemu-ui-curses-3.1.1.1-9.6.2 qemu-ui-curses-debuginfo-3.1.1.1-9.6.2 qemu-ui-gtk-3.1.1.1-9.6.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.6.2 qemu-x86-3.1.1.1-9.6.2 
qemu-x86-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (s390x): qemu-s390-3.1.1.1-9.6.2 qemu-s390-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): qemu-block-dmg-3.1.1.1-9.6.2 qemu-block-dmg-debuginfo-3.1.1.1-9.6.2 qemu-debuginfo-3.1.1.1-9.6.2 qemu-debugsource-3.1.1.1-9.6.2 qemu-extra-3.1.1.1-9.6.2 qemu-extra-debuginfo-3.1.1.1-9.6.2 qemu-linux-user-3.1.1.1-9.6.2 qemu-linux-user-debuginfo-3.1.1.1-9.6.2 qemu-linux-user-debugsource-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le x86_64): qemu-s390-3.1.1.1-9.6.2 qemu-s390-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x): qemu-audio-alsa-3.1.1.1-9.6.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.6.2 qemu-audio-oss-3.1.1.1-9.6.2 qemu-audio-oss-debuginfo-3.1.1.1-9.6.2 qemu-audio-pa-3.1.1.1-9.6.2 qemu-audio-pa-debuginfo-3.1.1.1-9.6.2 qemu-ui-curses-3.1.1.1-9.6.2 qemu-ui-curses-debuginfo-3.1.1.1-9.6.2 qemu-ui-gtk-3.1.1.1-9.6.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.6.2 qemu-x86-3.1.1.1-9.6.2 qemu-x86-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x x86_64): qemu-arm-3.1.1.1-9.6.2 qemu-arm-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x x86_64): qemu-ppc-3.1.1.1-9.6.2 qemu-ppc-debuginfo-3.1.1.1-9.6.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): qemu-seabios-1.12.0-9.6.2 qemu-sgabios-8-9.6.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): qemu-debuginfo-3.1.1.1-9.6.2 qemu-debugsource-3.1.1.1-9.6.2 qemu-tools-3.1.1.1-9.6.2 qemu-tools-debuginfo-3.1.1.1-9.6.2 References: https://www.suse.com/security/cve/CVE-2018-12207.html 
https://www.suse.com/security/cve/CVE-2018-20126.html
https://www.suse.com/security/cve/CVE-2019-11135.html
https://www.suse.com/security/cve/CVE-2019-12068.html
https://www.suse.com/security/cve/CVE-2019-14378.html
https://www.suse.com/security/cve/CVE-2019-15890.html
https://bugzilla.suse.com/1079730
https://bugzilla.suse.com/1098403
https://bugzilla.suse.com/1111025
https://bugzilla.suse.com/1117665
https://bugzilla.suse.com/1119991
https://bugzilla.suse.com/1143794
https://bugzilla.suse.com/1144087
https://bugzilla.suse.com/1145379
https://bugzilla.suse.com/1145427
https://bugzilla.suse.com/1145436
https://bugzilla.suse.com/1145774
https://bugzilla.suse.com/1146873
https://bugzilla.suse.com/1149811
https://bugzilla.suse.com/1152506

From sle-security-updates at lists.suse.com Tue Nov 12 17:02:19 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Nov 2019 01:02:19 +0100 (CET)
Subject: SUSE-SU-2019:2961-1: important: Security update for xen
Message-ID: <20191113000219.0C22EF798@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:2961-1
Rating: important
References: #1027519 #1152497 #1154448 #1154456 #1154458 #1154460 #1154461 #1154464 #1155945
Cross-References: CVE-2018-12207 CVE-2019-11135 CVE-2019-18420 CVE-2019-18421 CVE-2019-18422 CVE-2019-18423 CVE-2019-18424 CVE-2019-18425
Affected Products:
    SUSE Linux Enterprise Module for Server Applications 15-SP1
    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that solves 8 vulnerabilities and has one errata is now available.
Description:

This update for xen fixes the following issues:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. (bsc#1155945)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. (bsc#1152497).
- CVE-2019-18423: A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). (bsc#1154460).
- CVE-2019-18422: A malicious ARM guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified. (bsc#1154464)
- CVE-2019-18424: An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. (bsc#1154461).
- CVE-2019-18421: A malicious PV guest administrator may have been able to escalate their privilege to that of the host. (bsc#1154458).
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that of the guest kernel. (bsc#1154456).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash, resulting in a Denial of Service (DoS). (bsc#1154448)
- Upstream bug fixes (bsc#1027519)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2961=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2961=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2961=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64): xen-4.12.1_04-3.6.1 xen-debugsource-4.12.1_04-3.6.1 xen-devel-4.12.1_04-3.6.1 xen-tools-4.12.1_04-3.6.1 xen-tools-debuginfo-4.12.1_04-3.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 x86_64): xen-debugsource-4.12.1_04-3.6.1 xen-doc-html-4.12.1_04-3.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64): xen-4.12.1_04-3.6.1 xen-devel-4.12.1_04-3.6.1 xen-libs-4.12.1_04-3.6.1 xen-libs-debuginfo-4.12.1_04-3.6.1 xen-tools-4.12.1_04-3.6.1 xen-tools-debuginfo-4.12.1_04-3.6.1 xen-tools-domU-4.12.1_04-3.6.1 xen-tools-domU-debuginfo-4.12.1_04-3.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): xen-libs-32bit-4.12.1_04-3.6.1 xen-libs-32bit-debuginfo-4.12.1_04-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): xen-debugsource-4.12.1_04-3.6.1 xen-libs-4.12.1_04-3.6.1 xen-libs-debuginfo-4.12.1_04-3.6.1 xen-tools-domU-4.12.1_04-3.6.1 xen-tools-domU-debuginfo-4.12.1_04-3.6.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-18420.html https://www.suse.com/security/cve/CVE-2019-18421.html https://www.suse.com/security/cve/CVE-2019-18422.html https://www.suse.com/security/cve/CVE-2019-18423.html https://www.suse.com/security/cve/CVE-2019-18424.html 
https://www.suse.com/security/cve/CVE-2019-18425.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1152497
https://bugzilla.suse.com/1154448
https://bugzilla.suse.com/1154456
https://bugzilla.suse.com/1154458
https://bugzilla.suse.com/1154460
https://bugzilla.suse.com/1154461
https://bugzilla.suse.com/1154464
https://bugzilla.suse.com/1155945

From sle-security-updates at lists.suse.com Tue Nov 12 17:04:08 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Nov 2019 01:04:08 +0100 (CET)
Subject: SUSE-SU-2019:2959-1: important: Security update for ucode-intel
Message-ID: <20191113000408.2FF7AF798@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:2959-1
Rating: important
References: #1139073 #1141035 #1154043 #1155988
Cross-References: CVE-2019-11135 CVE-2019-11139
Affected Products:
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 8
    SUSE OpenStack Cloud 7
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server for SAP 12-SP1
    SUSE Linux Enterprise Server 12-SP5
    SUSE Linux Enterprise Server 12-SP4
    SUSE Linux Enterprise Server 12-SP3-LTSS
    SUSE Linux Enterprise Server 12-SP3-BCL
    SUSE Linux Enterprise Server 12-SP2-LTSS
    SUSE Linux Enterprise Server 12-SP2-BCL
    SUSE Linux Enterprise Server 12-SP1-LTSS
    SUSE Linux Enterprise Desktop 12-SP4
    SUSE Enterprise Storage 5
    SUSE CaaS Platform 3.0
    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves two vulnerabilities and has two fixes is now available.
Description:

This update for ucode-intel fixes the following issues:

- Updated to 20191112 security release (bsc#1155988)
  - Processor              Identifier  Version             Products
  - Model       Stepping   F-MO-S/PI   Old->New
  - ---- new platforms ----------------------------------------
  - CML-U62     A0         6-a6-0/80   000000c6            Core Gen10 Mobile
  - CNL-U       D0         6-66-3/80   0000002a            Core Gen8 Mobile
  - SKX-SP      B1         6-55-3/97   01000150            Xeon Scalable
  - ICL U/Y     D1         6-7e-5/80   00000046            Core Gen10 Mobile
  - ---- updated platforms ------------------------------------
  - SKL U/Y     D0         6-4e-3/c0   000000cc->000000d4  Core Gen6 Mobile
  - SKL H/S/E3  R0/N0      6-5e-3/36   000000cc->000000d4  Core Gen6
  - AML-Y22     H0         6-8e-9/10   000000b4->000000c6  Core Gen8 Mobile
  - KBL-U/Y     H0         6-8e-9/c0   000000b4->000000c6  Core Gen7 Mobile
  - CFL-U43e    D0         6-8e-a/c0   000000b4->000000c6  Core Gen8 Mobile
  - WHL-U       W0         6-8e-b/d0   000000b8->000000c6  Core Gen8 Mobile
  - AML-Y       V0         6-8e-c/94   000000b8->000000c6  Core Gen10 Mobile
  - CML-U42     V0         6-8e-c/94   000000b8->000000c6  Core Gen10 Mobile
  - WHL-U       V0         6-8e-c/94   000000b8->000000c6  Core Gen8 Mobile
  - KBL-G/X     H0         6-9e-9/2a   000000b4->000000c6  Core Gen7/Gen8
  - KBL-H/S/E3  B0         6-9e-9/2a   000000b4->000000c6  Core Gen7; Xeon E3 v6
  - CFL-H/S/E3  U0         6-9e-a/22   000000b4->000000c6  Core Gen8 Desktop, Mobile, Xeon E
  - CFL-S       B0         6-9e-b/02   000000b4->000000c6  Core Gen8
  - CFL-H       R0         6-9e-d/22   000000b8->000000c6  Core Gen9 Mobile
- Includes security fixes for:
  - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
  - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
- requires coreutils for the %post script (bsc#1154043)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2959=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2959=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2959=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2959=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2959=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2959=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2959=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2959=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2959=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2959=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2959=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2959=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2959=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2959=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-2959=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2959=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE OpenStack Cloud 8 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE OpenStack Cloud 7 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE 
Linux Enterprise Server 12-SP1-LTSS (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE Enterprise Storage 5 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - SUSE CaaS Platform 3.0 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 - HPE Helion Openstack 8 (x86_64): ucode-intel-20191112-13.53.1 ucode-intel-debuginfo-20191112-13.53.1 ucode-intel-debugsource-20191112-13.53.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1154043 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Tue Nov 12 17:05:13 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 01:05:13 +0100 (CET) Subject: SUSE-SU-2019:2953-1: important: Security update for the Linux Kernel Message-ID: <20191113000513.8B6ADF798@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2953-1 Rating: important References: #1046299 #1046303 #1046305 #1050244 #1050536 #1050545 #1051510 #1055186 #1061840 #1064802 #1065600 #1066129 #1073513 #1082635 #1083647 #1086323 #1087092 #1089644 #1090631 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 #1097588 #1098291 #1101674 #1109158 #1114279 #1117665 #1119461 #1119465 #1122363 #1123034 #1123080 #1127155 #1133140 #1134303 #1135642 #1135854 #1135873 #1135967 #1137040 #1137799 #1137861 #1138190 #1139073 #1140090 
#1140729 #1140845 #1140883 #1141600 #1142635 #1142667 #1143706 #1144338
#1144375 #1144449 #1144903 #1145099 #1146612 #1148410 #1149119 #1150452
#1150457 #1150465 #1150875 #1151225 #1151508 #1151680 #1152497 #1152505
#1152506 #1152624 #1152685 #1152782 #1152788 #1152791 #1153108 #1153112
#1153158 #1153236 #1153263 #1153476 #1153509 #1153646 #1153681 #1153713
#1153717 #1153718 #1153719 #1153811 #1153969 #1154108 #1154189 #1154354
#1154372 #1154578 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737
#1154747 #1154848 #1154858 #1154905 #1154956 #1154959 #1155178 #1155179
#1155184 #1155186 #1155671 #1155692 #1155812 #1155817 #1155836 #1155945
#1155982 #1156187 #919448 #987367 #998153
Cross-References: CVE-2018-12207 CVE-2019-10220 CVE-2019-11135 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16995 CVE-2019-17055 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666 CVE-2019-18805
Affected Products:
    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 115 fixes is now available.

Description:

The SUSE Linux Enterprise 15-SP1 Azure Kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional.
  The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as
  More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 (bnc#1117665 1152505 1155812 1155817 1155945)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack.
  The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW).
  The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 (bnc#1139073 1152497 1152505 1152506).
- CVE-2019-18805: There was a signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6 (bnc#1156187).
- CVE-2019-17055: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782).
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452). - CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158). - CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788). The following non-security bugs were fixed: - /dev/mem: Bail out upon SIGKILL (git-fixes). - 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510). - ACPI / CPPC: do not require the _PSD method (bsc#1051510). - ACPI / processor: do not print errors for processorIDs == 0xff (bsc#1051510). - ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510). - act_mirred: Fix mirred_init_module error handling (bsc#1051510). - Add kernel module compression support (bsc#1135854) For enabling the kernel module compress, add the item COMPRESS_MODULES="xz" in config.sh, then mkspec will pass it to the spec file. - alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP (bsc#1151680). - ALSA: bebob: Fix prototype of helper function to return negative value (bsc#1051510). - ALSA: hda - Add laptop imic fixup for ASUS M9V laptop (bsc#1051510). - ALSA: hda - Apply AMD controller workaround for Raven platform (bsc#1051510). - ALSA: hda - Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510). - ALSA: hda - Drop unsol event handler for Intel HDMI codecs (bsc#1051510). - ALSA: hda - Expand pin_match function to match upcoming new tbls (bsc#1051510). - ALSA: hda - Inform too slow responses (bsc#1051510). - ALSA: hda - Show the fatal CORB/RIRB error more clearly (bsc#1051510). - ALSA: hda/ca0132 - Fix possible workqueue stall (bsc#1155836). - ALSA: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510). - ALSA: hda/realtek - Add support for ALC623 (bsc#1051510). - ALSA: hda/realtek - Add support for ALC711 (bsc#1051510). 
- ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 (bsc#1051510). - ALSA: hda/realtek - Check beep whitelist before assigning in all codecs (bsc#1051510). - ALSA: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510). - ALSA: hda/realtek - Fix alienware headset mic (bsc#1051510). - ALSA: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510). - ALSA: hda/sigmatel - remove unused variable 'stac9200_core_init' (bsc#1051510). - ALSA: hda: Add Elkhart Lake PCI ID (bsc#1051510). - ALSA: hda: Add support of Zhaoxin controller (bsc#1051510). - ALSA: hda: Add Tigerlake/Jasperlake PCI ID (bsc#1051510). - ALSA: hda: Flush interrupts on disabling (bsc#1051510). - ALSA: hda: Set fifo_size for both playback and capture streams (bsc#1051510). - ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510). - ALSA: line6: sizeof (byte) is always 1, use that fact (bsc#1051510). - ALSA: timer: Fix mutex deadlock at releasing card (bsc#1051510). - ALSA: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510). - ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510). - ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510). - appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - ASoC: Define a set of DAPM pre/post-up events (bsc#1051510). - ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510). - ASoC: Intel: Fix use of potentially uninitialized variable (bsc#1051510). - ASoC: Intel: NHLT: Fix debug print format (bsc#1051510). - ASoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510). - ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510). - ASoC: sgtl5000: Fix charge pump source assignment (bsc#1051510). 
- auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510). - ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - Blacklist "signal: Correct namespace fixups of si_pid and si_uid" (bsc#1142667) - blk-wbt: abstract out end IO completion handler (bsc#1135873). - blk-wbt: fix has-sleeper queueing check (bsc#1135873). - blk-wbt: improve waking of tasks (bsc#1135873). - blk-wbt: move disable check into get_limit() (bsc#1135873). - blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873). - block: add io timeout to sysfs (bsc#1148410). - block: do not show io_timeout if driver has no timeout handler (bsc#1148410). - Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510). - bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323 ). - bpf: fix use after free in prog symbol exposure (bsc#1083647). - bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15). - Btrfs: bail out gracefully rather than BUG_ON (bsc#1153646). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - Btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713). - btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651). - btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - can: dev: call netif_carrier_off() in register_candev() (bsc#1051510). - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510). - can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510). 
- cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15). - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510). - ceph: fix directories inode i_blkbits initialization (bsc#1153717). - ceph: reconnect connection if session hang in opening state (bsc#1153718). - ceph: update the mtime when truncating up (bsc#1153719). - cfg80211: add and use strongly typed element iteration macros (bsc#1051510). - cfg80211: Purge frame registrations on iftype change (bsc#1051510). - clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510). - clk: qoriq: Fix -Wunused-const-variable (bsc#1051510). - clk: sirf: Do not reference clk_init_data after registration (bsc#1051510). - clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510). - crypto: af_alg - consolidation of duplicate code (bsc#1154737). - crypto: af_alg - fix race accessing cipher request (bsc#1154737). - crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg - remove locking in async callback (bsc#1154737). - crypto: af_alg - update correct dst SGL entry (bsc#1051510). - crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif - return error code when no data was processed (bsc#1154737). - crypto: algif_aead - copy AAD from src to dst (bsc#1154737). - crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead - overhaul memory management (bsc#1154737). - crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher - overhaul memory management (bsc#1154737). - crypto: talitos - fix missing break in switch statement (bsc#1142635). - cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129). - cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129). 
- cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513). - cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584). - cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - dmaengine: bcm2835: Print error in case setting DMA mask fails (bsc#1051510). - dmaengine: imx-sdma: fix size check for sdma script_number (bsc#1051510). - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510). - drm/amdgpu/si: fix ASIC tests (git-fixes). - drm/amdgpu: Check for valid number of registers to read (bsc#1051510). - drm/ast: Fixed reboot test may cause system hanged (bsc#1051510). - drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). - drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967) - drm/i915/gtt: Disable read-only support under GVT (bsc#1135967) - drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967) - drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967) - drm/i915: Remove Master tables from cmdparser - drm/i915: Rename gen7 cmdparser tables (bsc#1135967) - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967) - drm/msm/dsi: Implement reset correctly (bsc#1051510). 
- drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510). - drm/radeon: Fix EEH during kexec (bsc#1051510). - drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510). - drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510). - drm: Flush output polling on shutdown (bsc#1051510). - e1000e: add workaround for possible stalled packet (bsc#1051510). - efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510). - efi: cper: print AER info of PCIe fatal error (bsc#1051510). - efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510). - firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes). - gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510). - HID: apple: Fix stuck function keys when using FN (bsc#1051510). - HID: fix error message in hid_open_report() (bsc#1051510). - HID: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510). - HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510). - HID: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510). - HID: prodikeys: Fix general protection fault during probe (bsc#1051510). - HID: sony: Fix memory corruption issue on cleanup (bsc#1051510). - hso: fix NULL-deref on tty open (bsc#1051510). - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510). - hwrng: core - do not wait on add_early_randomness() (git-fixes). - hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). - i2c: riic: Clear NACK in tend isr (bsc#1051510). - IB/core, ipoib: Do not overreact to SM LID change event (bsc#1154108) - IB/core: Add mitigation for Spectre V1 (bsc#1155671) - IB/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449). - IB/mlx5: Consolidate use_umr checks into single function (bsc#1093205). 
- IB/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205). - IB/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305). - ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510). - ieee802154: ca8210: prevent memory leak (bsc#1051510). - ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - iio: adc: ad799x: fix probe error handling (bsc#1051510). - iio: light: opt3001: fix mutex unlock race (bsc#1051510). - ima: always return negative code for error (bsc#1051510). - Input: da9063 - fix capability and drop KEY_SLEEP (bsc#1051510). - Input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510). - integrity: prevent deadlock during digsig verification (bsc#1090631). - iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799). - iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608). - iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799). - iommu/amd: Remove domain->updated (bsc#1154610). - iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611). - ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510). - ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05). - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15). - ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05). - iwlwifi: do not panic in error path on non-msix systems (bsc#1155692). - ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674). - ixgbe: sync the first fragment unconditionally (bsc#1133140). - kABI workaround for crypto/af_alg changes (bsc#1154737). - kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967) - kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510). - kabi/severities: Whitelist functions internal to radix mm. 
To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code. - kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - kernel-binary.spec.in: Fix build of non-modular kernels (boo#1154578). - kernel-binary.spec.in: Obsolete kgraft packages only when not building them. - kernel-binary: check also bzImage on s390/s390x Starting with 4.19-rc1, uncompressed image is no longer built on s390x. If file "image" is not found in arch/s390/boot after the build, try bzImage instead. For now, install bzImage under the name image-* until we know grub2 and our grub2 scripts can handle correct name. - kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354). It is not strictly necessary to uncompress it so maybe the ghost file can be 0 size in this case. - kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875). - ksm: cleanup stable_node chain collapse case (bnc#1144338). - ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338). - ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338). - ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338). - ksm: swap the two output parameters of chain/chain_prune (bnc#1144338). - kvm: Convert kvm_lock to a mutex (bsc#1117665). - KVM: MMU: drop vcpu param in gpte_access (bsc#1117665). - KVM: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840). - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665). - KVM: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665). - KVM: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665). - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665). 
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665). - KVM: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665). - KVM: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665). - lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510). - libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510). - mac80211: accept deauth frames in IBSS mode (bsc#1051510). - mac80211: fix txq null pointer dereference (bsc#1051510). - mac80211: Reject malformed SSID elements (bsc#1051510). - macsec: drop skb sk before calling gro_cells_receive (bsc#1051510). - md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090). - md/raid0: fix warning message for parameter default_layout (bsc#1140090). - media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642). - media: cpia2_usb: fix memory leaks (bsc#1051510). - media: dvb-core: fix a memory leak bug (bsc#1051510). - media: exynos4-is: fix leaked of_node references (bsc#1051510). - media: gspca: zero usb_buf on error (bsc#1051510). - media: hdpvr: Add device num check and handling (bsc#1051510). - media: hdpvr: add terminating 0 at end of string (bsc#1051510). - media: i2c: ov5645: Fix power sequence (bsc#1051510). - media: iguanair: add sanity checks (bsc#1051510). - media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510). - media: omap3isp: Set device on omap3isp subdevs (bsc#1051510). - media: ov9650: add a sanity check (bsc#1051510). - media: radio/si470x: kill urb on error (bsc#1051510). - media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510). - media: saa7146: add cleanup in hexium_attach() (bsc#1051510). - media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510). - media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510). - media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510). 
- memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510). - mfd: intel-lpss: Remove D3cold delay (bsc#1051510). - mISDN: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05). - mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510). - mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510). - mmc: sdhci: improve ADMA error reporting (bsc#1051510). - Move the upstreamed ath6kl fix into the sorted section - Move the upstreamed cfg80211 fix into the sorted section - net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes). - net/mlx4_en: fix a memory leak bug (bsc#1046299). - net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303 ). - net/mlx5: Fix error handling in mlx5_load() (bsc#1046305 ). - net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30). - net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05). - net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848). - net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848). - net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30). - net/smc: fix SMCD link group creation with VLAN id (bsc#1154959). - net: Fix null de-reference of device refcount (networking-stable-19_09_15). - net: fix skb use after free in netpoll (networking-stable-19_09_05). - net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15). - net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes). - net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05). - net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30). - net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612). 
- net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05). - net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05). - netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612). - net_sched: add policy validation for action attributes (networking-stable-19_09_30). - net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes). - NFC: fix attrs checks in netlink interface (bsc#1051510). - nfc: fix memory leak in llcp_sock_bind() (bsc#1051510). - NFC: pn533: fix use-after-free and memleaks (bsc#1051510). - NFSv4.1 - backchannel request should hold ref on xprt (bsc#1152624). - nl80211: fix null pointer dereference (bsc#1051510). - objtool: Clobber user CFLAGS variable (bsc#1153236). - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30). - packaging: add support for riscv64 - Parametrize kgraft vs livepatch. - PCI: Correct pci=resource_alignment parameter example (bsc#1051510). - PCI: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092). - PCI: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263). - PCI: PM: Fix pci_power_up() (bsc#1051510). - pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510). - platform/x86: classmate-laptop: remove unused variable (bsc#1051510). - platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510). - power: supply: sysfs: ratelimit property read error message (bsc#1051510). - powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186). - powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186). - powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186). - powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186). 
- powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186). - powerpc/mm/radix: mark as __tlbie_pid() and friends as__always_inline (bsc#1055186). - powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186). - powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186). - powerpc/mm: Properly invalidate when setting process table base (bsc#1055186). - powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778). - powerpc/pseries: Export maximum memory value (bsc#1122363). - powerpc/pseries: Export raw per-CPU VPA data via debugfs (). - powerpc/pseries: Remove confusing warning message (bsc#1109158). - powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778). - Pull packaging cleanup from mkubecek. - qed: iWARP - Fix default window size to be based on chip (bsc#1050536 bsc#1050545). - qed: iWARP - Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545). - qed: iWARP - fix uninitialized callback (bsc#1050536 bsc#1050545). - qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545). - qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05). - r8152: Set macpassthru in reset_resume callback (bsc#1051510). - RDMA/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244). - RDMA: Fix goto target to release the allocated memory (bsc#1050244). - rds: Fix warning (bsc#1154848). - README.BRANCH: Add Denis as branch maintainer - reiserfs: fix extended attributes on the root directory (bsc#1151225). - Revert "ALSA: hda: Flush interrupts on disabling" (bsc#1051510). - Revert "drm/radeon: Fix EEH during kexec" (bsc#1051510). - Revert "Revert "rpm/kernel-binary.spec.in: rename kGraft to KLP ()"" This reverts commit 468af43c8fd8509820798b6d8ed363fc417ca939 Should get this rename again with next SLE15 merge. 
- Revert synaptics-rmi4 patch due to regression (bsc#1155982) Also blacklisting it - rpm/constraints.in: lower disk space required for ARM With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB. - rpm/dtb.spec.in.in: do not make dtb directory inaccessible There is no reason to lock down the dtb directory for ordinary users. - rpm/kernel-binary.spec.in: build kernel-*-kgraft only for default SLE kernel RT and Azure variants are excluded for the moment. (bsc#1141600) - rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo. - rpm/kernel-binary.spec.in: handle modules.builtin.modinfo It was added in 5.2. - rpm/kernel-binary.spec.in: support partial rt debug config. - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - rpm/macros.kernel-source: KMPs should depend on kmod-compat to build. kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE. - rpm/mkspec: Correct tarball URL for rc kernels. - rpm/mkspec: Make building DTBs optional. - rpm/modflist: Simplify compression support. - rpm: raise required disk space for binary packages Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x. - rpm: support compressed modules Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko". - rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635). 
- s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476). - s390/cpumsf: Check for CPU Measurement sampling (bsc#1153681 LTC#181855). - s390/crypto: fix gcm-aes-s390 selftest failures (bsc#1137861 LTC#178091). - sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05). - sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05). - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15). - sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30). - scripts/arch-symbols: add missing link. - scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040). - scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845). - scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883). - scsi: lpfc: Remove bg debugfs buffers (bsc#1144375). - scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291). - scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291). - scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034). 
- scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729). - scsi: zfcp: fix reaction on bit error threshold notification (bsc#1154956 LTC#182054). - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15). - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15). - Sign non-x86 kernels when possible (boo#1134303) - skge: fix checksum byte order (networking-stable-19_09_30). - sock_diag: fix autoloading of the raw_diag module (bsc#1152791). - sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791). - staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510). - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510). - supporte.conf: add efivarfs to kernel-default-base (bsc#1154858). - tcp: Do not dequeue SYN/FIN-segments from write-queue (git-fixes). - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15). - tcp: inherit timestamp on mtu probe (networking-stable-19_09_05).
- tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05). - thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510). - thermal_hwmon: Sanitize thermal_zone type (bsc#1051510). - tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15). - tipc: fix unlimited bundling of small messages (networking-stable-19_10_05). - tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508). - tun: fix use-after-free when register netdev failed (networking-stable-19_09_15). - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099). - USB: adutux: fix NULL-derefs on disconnect (bsc#1142635). - USB: adutux: fix use-after-free on disconnect (bsc#1142635). - USB: adutux: fix use-after-free on release (bsc#1051510). - USB: chaoskey: fix use-after-free on release (bsc#1051510). - USB: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510). - usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode (bsc#1051510). - USB: iowarrior: fix use-after-free after driver unbind (bsc#1051510). - USB: iowarrior: fix use-after-free on disconnect (bsc#1051510). - USB: iowarrior: fix use-after-free on release (bsc#1051510). - USB: ldusb: fix control-message timeout (bsc#1051510). - USB: ldusb: fix memleak on disconnect (bsc#1051510). - USB: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - USB: ldusb: fix read info leaks (bsc#1051510). - USB: ldusb: fix ring-buffer locking (bsc#1051510). - USB: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - USB: legousbtower: fix deadlock on disconnect (bsc#1142635). - USB: legousbtower: fix memleak on disconnect (bsc#1051510). - USB: legousbtower: fix open after failed reset request (bsc#1142635). - USB: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635). - USB: legousbtower: fix slab info leak at probe (bsc#1142635).
- USB: legousbtower: fix use-after-free on release (bsc#1051510). - USB: microtek: fix info-leak at probe (bsc#1142635). - USB: serial: fix runtime PM after driver unbind (bsc#1051510). - USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510). - USB: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510). - USB: serial: option: add support for Cinterion CLS8 devices (bsc#1051510). - USB: serial: option: add Telit FN980 compositions (bsc#1051510). - USB: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - USB: serial: whiteheat: fix potential slab corruption (bsc#1051510). - usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510). - USB: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510). - USB: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510). - USB: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510). - USB: usblcd: fix I/O after disconnect (bsc#1142635). - USB: usblp: fix runtime PM after driver unbind (bsc#1051510). - USB: usblp: fix use-after-free on disconnect (bsc#1051510). - usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510). - USB: yurex: Do not retry on unexpected errors (bsc#1051510). - USB: yurex: fix NULL-derefs on disconnect (bsc#1051510). - usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510). - usbnet: sanity checking of packet sizes and device mtu (bsc#1051510). - vfio_pci: Restore original state on release (bsc#1051510). - vhost_net: conditionally enable tx polling (bsc#1145099). - video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510). - vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05). - watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510). - x86/asm: Fix MWAITX C-state hint value (bsc#1114279).
- x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969). - x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969). - x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279). - xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (bsc#1065600). - xen/netback: fix error path of xenvif_connect_data() (bsc#1065600). - xen/pv: Fix Xen PV guest int3 handling (bsc#1153811). - xen/xenbus: fix self-deadlock after killing user process (bsc#1065600). - xhci: Check all endpoints for LPM timeout (bsc#1051510). - xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510). - xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510). - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2953=1 Package List: - SUSE Linux Enterprise Server 12-SP4 (noarch): kernel-devel-azure-4.12.14-6.29.1 kernel-source-azure-4.12.14-6.29.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): kernel-azure-4.12.14-6.29.1 kernel-azure-base-4.12.14-6.29.1 kernel-azure-base-debuginfo-4.12.14-6.29.1 kernel-azure-debuginfo-4.12.14-6.29.1 kernel-azure-debugsource-4.12.14-6.29.1 kernel-azure-devel-4.12.14-6.29.1 kernel-syms-azure-4.12.14-6.29.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17055.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://www.suse.com/security/cve/CVE-2019-18805.html https://bugzilla.suse.com/1046299 https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1046305 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1050536 https://bugzilla.suse.com/1050545 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1055186 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1064802 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1066129 https://bugzilla.suse.com/1073513 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1086323 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1093205 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1097583 
https://bugzilla.suse.com/1097584 https://bugzilla.suse.com/1097585 https://bugzilla.suse.com/1097586 https://bugzilla.suse.com/1097587 https://bugzilla.suse.com/1097588 https://bugzilla.suse.com/1098291 https://bugzilla.suse.com/1101674 https://bugzilla.suse.com/1109158 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1119461 https://bugzilla.suse.com/1119465 https://bugzilla.suse.com/1122363 https://bugzilla.suse.com/1123034 https://bugzilla.suse.com/1123080 https://bugzilla.suse.com/1127155 https://bugzilla.suse.com/1133140 https://bugzilla.suse.com/1134303 https://bugzilla.suse.com/1135642 https://bugzilla.suse.com/1135854 https://bugzilla.suse.com/1135873 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137040 https://bugzilla.suse.com/1137799 https://bugzilla.suse.com/1137861 https://bugzilla.suse.com/1138190 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1140090 https://bugzilla.suse.com/1140729 https://bugzilla.suse.com/1140845 https://bugzilla.suse.com/1140883 https://bugzilla.suse.com/1141600 https://bugzilla.suse.com/1142635 https://bugzilla.suse.com/1142667 https://bugzilla.suse.com/1143706 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144375 https://bugzilla.suse.com/1144449 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145099 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1148410 https://bugzilla.suse.com/1149119 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150875 https://bugzilla.suse.com/1151225 https://bugzilla.suse.com/1151508 https://bugzilla.suse.com/1151680 https://bugzilla.suse.com/1152497 https://bugzilla.suse.com/1152505 https://bugzilla.suse.com/1152506 https://bugzilla.suse.com/1152624 https://bugzilla.suse.com/1152685 https://bugzilla.suse.com/1152782 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1152791 
https://bugzilla.suse.com/1153108 https://bugzilla.suse.com/1153112 https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1153236 https://bugzilla.suse.com/1153263 https://bugzilla.suse.com/1153476 https://bugzilla.suse.com/1153509 https://bugzilla.suse.com/1153646 https://bugzilla.suse.com/1153681 https://bugzilla.suse.com/1153713 https://bugzilla.suse.com/1153717 https://bugzilla.suse.com/1153718 https://bugzilla.suse.com/1153719 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1153969 https://bugzilla.suse.com/1154108 https://bugzilla.suse.com/1154189 https://bugzilla.suse.com/1154354 https://bugzilla.suse.com/1154372 https://bugzilla.suse.com/1154578 https://bugzilla.suse.com/1154607 https://bugzilla.suse.com/1154608 https://bugzilla.suse.com/1154610 https://bugzilla.suse.com/1154611 https://bugzilla.suse.com/1154651 https://bugzilla.suse.com/1154737 https://bugzilla.suse.com/1154747 https://bugzilla.suse.com/1154848 https://bugzilla.suse.com/1154858 https://bugzilla.suse.com/1154905 https://bugzilla.suse.com/1154956 https://bugzilla.suse.com/1154959 https://bugzilla.suse.com/1155178 https://bugzilla.suse.com/1155179 https://bugzilla.suse.com/1155184 https://bugzilla.suse.com/1155186 https://bugzilla.suse.com/1155671 https://bugzilla.suse.com/1155692 https://bugzilla.suse.com/1155812 https://bugzilla.suse.com/1155817 https://bugzilla.suse.com/1155836 https://bugzilla.suse.com/1155945 https://bugzilla.suse.com/1155982 https://bugzilla.suse.com/1156187 https://bugzilla.suse.com/919448 https://bugzilla.suse.com/987367 https://bugzilla.suse.com/998153 From sle-security-updates at lists.suse.com Tue Nov 12 17:21:19 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 01:21:19 +0100 (CET) Subject: SUSE-SU-2019:2958-1: important: Security update for ucode-intel Message-ID: <20191113002119.5C651F798@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel 
______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2958-1 Rating: important References: #1139073 #1141035 #1155988 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for ucode-intel fixes the following issues: - Updated to 20191112 security release (bsc#1155988) - Processor Identifier Version Products - Model Stepping F-MO-S/PI Old->New - ---- new platforms ---------------------------------------- - CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile - CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile - SKX-SP B1 6-55-3/97 01000150 Xeon Scalable - ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile - ---- updated platforms ------------------------------------ - SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile - SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6 - AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile - KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile - CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile - WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile - AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile - KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8 - KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6 - CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E - CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8 - CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile - Includes security fixes for: - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Patch 
Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2958=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): ucode-intel-20191112-3.9.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Tue Nov 12 17:23:10 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 01:23:10 +0100 (CET) Subject: SUSE-SU-2019:2947-1: important: Security update for the Linux Kernel Message-ID: <20191113002310.127A0F798@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2947-1 Rating: important References: #1046299 #1046303 #1046305 #1050244 #1050536 #1050545 #1051510 #1055186 #1061840 #1064802 #1065600 #1066129 #1073513 #1082635 #1083647 #1086323 #1087092 #1089644 #1090631 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 #1097588 #1098291 #1101674 #1109158 #1111666 #1112178 #1113994 #1114279 #1117665 #1119461 #1119465 #1123034 #1123080 #1133140 #1134303 #1135642 #1135854 #1135873 #1135967 #1137040 #1137799 #1137861 #1138190 #1139073 #1140090 #1140729 #1140845 #1140883 #1141600 #1142635 #1142667 #1143706 #1144338 #1144375 #1144449 #1144903 #1145099 #1146612 #1148410 #1149119 #1149853 #1150452 #1150457 #1150465 #1150875 #1151508 #1151807 #1152033 #1152624 #1152665 #1152685 #1152696 #1152697 #1152788 #1152790 #1152791 #1153112 #1153158 #1153236 #1153263 #1153476 #1153509 #1153607 #1153646 
#1153681 #1153713 #1153717 #1153718 #1153719 #1153811 #1153969 #1154108 #1154189 #1154242 #1154268 #1154354 #1154372 #1154521 #1154578 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737 #1154747 #1154848 #1154858 #1154905 #1154956 #1155061 #1155178 #1155179 #1155184 #1155186 #1155671 #802154 #814594 #919448 #987367 #998153 Cross-References: CVE-2018-12207 CVE-2019-10220 CVE-2019-11135 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16995 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 ______________________________________________________________________________ An update that solves 10 vulnerabilities and has 117 fixes is now available. Description: The SUSE Linux Enterprise 15-SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 - CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). 
The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 - CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). - CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457). - CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903). - CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372). - CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465). - CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452). - CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158). - CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788). The following non-security bugs were fixed: - 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510). - acpi: cppc: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510). - acpi: cppc: do not require the _PSD method (bsc#1051510). - acpi: processor: do not print errors for processorIDs == 0xff (bsc#1051510). - act_mirred: Fix mirred_init_module error handling (bsc#1051510). - alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510). - alsa: firewire-motu: add support for MOTU 4pre (bsc#1111666). - alsa: hda/hdmi: Do not report spurious jack state changes (bsc#1051510). - alsa: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510). - alsa: hda/realtek: Add support for ALC623 (bsc#1051510). - alsa: hda/realtek: Add support for ALC711 (bsc#1051510). 
- alsa: hda/realtek: Check beep whitelist before assigning in all codecs (bsc#1051510). - alsa: hda/realtek: Enable headset mic on Asus MJ401TA (bsc#1051510). - alsa: hda/realtek: Fix 2 front mics of codec 0x623 (bsc#1051510). - alsa: hda/realtek: Fix alienware headset mic (bsc#1051510). - alsa: hda/realtek: PCI quirk for Medion E4254 (bsc#1051510). - alsa: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510). - alsa: hda/sigmatel: remove unused variable 'stac9200_core_init' (bsc#1051510). - alsa: hda: Add Elkhart Lake PCI ID (bsc#1051510). - alsa: hda: Add Tigerlake/Jasperlake PCI ID (bsc#1051510). - alsa: hda: Add a quirk model for fixing Huawei Matebook X right speaker (bsc#1051510). - alsa: hda: Add laptop imic fixup for ASUS M9V laptop (bsc#1051510). - alsa: hda: Add support of Zhaoxin controller (bsc#1051510). - alsa: hda: Apply AMD controller workaround for Raven platform (bsc#1051510). - alsa: hda: Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510). - alsa: hda: Drop unsol event handler for Intel HDMI codecs (bsc#1051510). - alsa: hda: Expand pin_match function to match upcoming new tbls (bsc#1051510). - alsa: hda: Flush interrupts on disabling (bsc#1051510). - alsa: hda: Force runtime PM on Nvidia HDMI codecs (bsc#1051510). - alsa: hda: Inform too slow responses (bsc#1051510). - alsa: hda: Set fifo_size for both playback and capture streams (bsc#1051510). - alsa: hda: Show the fatal CORB/RIRB error more clearly (bsc#1051510). - alsa: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510). - alsa: line6: sizeof (byte) is always 1, use that fact (bsc#1051510). - alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510). - alsa: usb-audio: Add DSD support for EVGA NU Audio (bsc#1051510). - alsa: usb-audio: Add DSD support for Gustard U16/X26 USB Interface (bsc#1051510). - alsa: usb-audio: Add Hiby device family to quirks for native DSD support (bsc#1051510). 
- alsa: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510). - alsa: usb-audio: Clean up check_input_term() (bsc#1051510). - alsa: usb-audio: DSD auto-detection for Playback Designs (bsc#1051510). - alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510). - alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1111666). - alsa: usb-audio: Fix copy&paste error in the validator (bsc#1111666). - alsa: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk() (bsc#1051510). - alsa: usb-audio: More validations of descriptor units (bsc#1051510). - alsa: usb-audio: Remove superfluous bLength checks (bsc#1051510). - alsa: usb-audio: Simplify parse_audio_unit() (bsc#1051510). - alsa: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510). - alsa: usb-audio: Unify audioformat release code (bsc#1051510). - alsa: usb-audio: Unify the release of usb_mixer_elem_info objects (bsc#1051510). - alsa: usb-audio: Update DSD support quirks for Oppo and Rotel (bsc#1051510). - alsa: usb-audio: fix PCM device order (bsc#1051510). - alsa: usb-audio: remove some dead code (bsc#1051510). - appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - asoc: Define a set of DAPM pre/post-up events (bsc#1051510). - asoc: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510). - asoc: intel: Fix use of potentially uninitialized variable (bsc#1051510). - asoc: intel: nhlt: Fix debug print format (bsc#1051510). - asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510). - asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510). - asoc: sgtl5000: Fix charge pump source assignment (bsc#1051510). - auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510). - ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510). 
- blk-wbt: abstract out end IO completion handler (bsc#1135873). - blk-wbt: fix has-sleeper queueing check (bsc#1135873). - blk-wbt: improve waking of tasks (bsc#1135873). - blk-wbt: move disable check into get_limit() (bsc#1135873). - blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873). - block: add io timeout to sysfs (bsc#1148410). - block: do not show io_timeout if driver has no timeout handler (bsc#1148410). - bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510). - bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323). - bnxt_en: Add PCI IDs for 57500 series NPAR devices (bsc#1153607). - bpf: fix use after free in prog symbol exposure (bsc#1083647). - brcmfmac: sdio: Disable auto-tuning around commands expected to fail (bsc#1111666). - brcmfmac: sdio: Do not tune while the card is off (bsc#1111666). - bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15). - btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651). - btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607). - btrfs: bail out gracefully rather than BUG_ON (bsc#1153646). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510). - can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510). 
- cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15). - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510). - ceph: fix directories inode i_blkbits initialization (bsc#1153717). - ceph: reconnect connection if session hang in opening state (bsc#1153718). - ceph: update the mtime when truncating up (bsc#1153719). - cfg80211: Purge frame registrations on iftype change (bsc#1051510). - cfg80211: add and use strongly typed element iteration macros (bsc#1051510). - clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510). - clk: qoriq: Fix -Wunused-const-variable (bsc#1051510). - clk: sirf: Do not reference clk_init_data after registration (bsc#1051510). - clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510). - crypto: af_alg: Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg: Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg: consolidation of duplicate code (bsc#1154737). - crypto: af_alg: fix race accessing cipher request (bsc#1154737). - crypto: af_alg: remove locking in async callback (bsc#1154737). - crypto: af_alg: update correct dst SGL entry (bsc#1051510). - crypto: af_alg: wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif: return error code when no data was processed (bsc#1154737). - crypto: algif_aead: copy AAD from src to dst (bsc#1154737). - crypto: algif_aead: fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead: overhaul memory management (bsc#1154737). - crypto: algif_aead: skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher: overhaul memory management (bsc#1154737). - crypto: talitos: fix missing break in switch statement (bsc#1142635). - cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584). - cxgb4: do not dma memory off of the stack (bsc#1152790). 
- cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129). - cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129). - cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513). - cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - drm/amd/display: Restore backlight brightness after system resume (bsc#1112178) - drm/amd/display: fix issue where 252-255 values are clipped (bsc#1111666). - drm/amd/display: reprogram VM config when system resume (bsc#1111666). - drm/amd/display: support spdif (bsc#1111666). - drm/amd/dm: Understand why attaching path/tile properties are needed (bsc#1111666). - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510). - drm/amd/pp: Fix truncated clock value when set watermark (bsc#1111666). - drm/amdgpu/gfx9: Update gfx9 golden settings (bsc#1111666). - drm/amdgpu/si: fix ASIC tests (git-fixes). - drm/amdgpu: Check for valid number of registers to read (bsc#1051510). - drm/amdgpu: Fix KFD-related kernel oops on Hawaii (bsc#1111666). - drm/amdgpu: Update gc_9_0 golden settings (bsc#1111666). - drm/amdkfd: Add missing Polaris10 ID (bsc#1111666). - drm/ast: Fixed reboot test may cause system hanged (bsc#1051510). - drm/atomic_helper: Allow DPMS On<->Off changes for unregistered connectors (bsc#1111666). - drm/atomic_helper: Disallow new modesets on unregistered connectors (bsc#1111666). - drm/atomic_helper: Stop modesets on unregistered connectors harder (bsc#1111666). - drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510). - drm/bridge: tfp410: fix memleak in get_modes() (bsc#1111666). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). 
- drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gvt: update vgpu workload head pointer correctly (bsc#1112178) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Cleanup gt powerstate from gem (bsc#1111666). - drm/i915: Disable Secure Batches for gen6+ (bsc#1135967) - drm/i915: Fix intel_dp_mst_best_encoder() (bsc#1111666). - drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967) - drm/i915: Remove Master tables from cmdparser (bsc#1135967) - drm/i915: Rename gen7 cmdparser tables (bsc#1135967) - drm/i915: Restore sane defaults for KMS on GEM error load (bsc#1111666). - drm/i915: Support ro ppgtt mapped cmdparser shadow (bsc#1135967) - drm/mediatek: set DMA max segment size (bsc#1111666). - drm/msm/dsi: Fix return value check for clk_get_parent (bsc#1111666). - drm/msm/dsi: Implement reset correctly (bsc#1051510). - drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling (bsc#1111666). - drm/nouveau/kms/nv50-: Do not create MSTMs for eDP connectors (bsc#1112178) - drm/nouveau/volt: Fix for some cards having 0 maximum voltage (bsc#1111666). - drm/omap: fix max fclk divider for omap36xx (bsc#1111666). - drm/panel: check failure cases in the probe func (bsc#1111666). - drm/panel: make drm_panel.h self-contained (bsc#1111666). - drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510). - drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed (bsc#1111666). - drm/radeon: Fix EEH during kexec (bsc#1051510). - drm/rockchip: Check for fast link training before enabling psr (bsc#1111666). - drm/stm: attach gem fence to atomic state (bsc#1111666). 
- drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510). - drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510). - drm: Flush output polling on shutdown (bsc#1051510). - drm: add __user attribute to ptr_to_compat() (bsc#1111666). - drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC (bsc#1111666). - drm: rcar-du: lvds: Fix bridge_to_rcar_lvds (bsc#1111666). - e1000e: add workaround for possible stalled packet (bsc#1051510). - efi/arm: Show SMBIOS bank/device location in CPER and GHES error logs (bsc#1152033). - efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510). - efi: cper: print AER info of PCIe fatal error (bsc#1051510). - efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510). - firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes). - gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510). - hid: apple: Fix stuck function keys when using FN (bsc#1051510). - hid: fix error message in hid_open_report() (bsc#1051510). - hid: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510). - hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510). - hid: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510). - hid: prodikeys: Fix general protection fault during probe (bsc#1051510). - hid: sony: Fix memory corruption issue on cleanup (bsc#1051510). - hso: fix NULL-deref on tty open (bsc#1051510). - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510). - hwrng: core: do not wait on add_early_randomness() (git-fixes). - hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). - i2c: riic: Clear NACK in tend isr (bsc#1051510). 
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154108) - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ib/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449). - ib/mlx5: Consolidate use_umr checks into single function (bsc#1093205). - ib/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205). - ib/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305). - ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510). - ieee802154: ca8210: prevent memory leak (bsc#1051510). - ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - iio: adc: ad799x: fix probe error handling (bsc#1051510). - iio: light: opt3001: fix mutex unlock race (bsc#1051510). - ima: always return negative code for error (bsc#1051510). - input: da9063: fix capability and drop KEY_SLEEP (bsc#1051510). - input: synaptics-rmi4: avoid processing unknown IRQs (bsc#1051510). - integrity: prevent deadlock during digsig verification (bsc#1090631). - iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799). - iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608). - iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799). - iommu/amd: Remove domain->updated (bsc#1154610). - iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611). - ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510). - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15). - ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05). - ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05). - iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init (bsc#1111666). - ixgbe: Fix secpath usage for IPsec TX offload (bsc#1113994 bsc#1151807). - ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674). 
- ixgbe: sync the first fragment unconditionally (bsc#1133140). - kABI workaround for crypto/af_alg changes (bsc#1154737). - kABI workaround for drm_connector.registered type changes (bsc#1111666). - kABI workaround for mmc_host retune_crc_disable flag addition (bsc#1111666). - kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510). - kabi/severities: Whitelist functions internal to radix mm. To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code. - kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - kernel-binary.spec.in: Fix build of non-modular kernels (boo#1154578). - kernel-binary.spec.in: Obsolete kgraft packages only when not building them. - kernel-binary: Drop .kernel-binary.spec.buildenv (boo#1154578). Without this patch, /usr/src/linux-@VERSION@-@RELEASE_SHORT@-obj/x86_64/vanilla/.kernel-binary.spec.buildenv contained rpm %_smp_mflags in a line like export MAKE_ARGS=" --output-sync -j4" This made it hard to produce bit-identical builds. - kernel-binary: check also bzImage on s390/s390x Starting with 4.19-rc1, uncompressed image is no longer built on s390x. If file "image" is not found in arch/s390/boot after the build, try bzImage instead. For now, install bzImage under the name image-* until we know grub2 and our grub2 scripts can handle correct name. - kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354). It is not strictly necessary to uncompress it so maybe the ghost file can be 0 size in this case. - kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875). - ksm: cleanup stable_node chain collapse case (bnc#1144338). - ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338). - ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338). - ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338). 
- ksm: swap the two output parameters of chain/chain_prune (bnc#1144338). - kvm: Convert kvm_lock to a mutex (bsc#1117665). - kvm: mmu: drop vcpu param in gpte_access (bsc#1117665). - kvm: ppc: book3s hv: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840). - kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665). - kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665). - kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665). - kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665). - kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665). - kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665). - kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665). - lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510). - libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510). - libnvdimm/security: provide fix for secure-erase to use zero-key (bsc#1149853). - lpfc: Add FA-WWN Async Event reporting (bsc#1154521). - lpfc: Add FC-AL support to lpe32000 models (bsc#1154521). - lpfc: Add additional discovery log messages (bsc#1154521). - lpfc: Add log macros to allow print by serverity or verbocity setting (bsc#1154521). - lpfc: Fix SLI3 hba in loop mode not discovering devices (bsc#1154521). - lpfc: Fix bad ndlp ptr in xri aborted handling (bsc#1154521). - lpfc: Fix hardlockup in lpfc_abort_handler (bsc#1154521). - lpfc: Fix lockdep errors in sli_ringtx_put (bsc#1154521). - lpfc: Fix reporting of read-only fw error errors (bsc#1154521). - lpfc: Make FW logging dynamically configurable (bsc#1154521). - lpfc: Remove lock contention target write path (bsc#1154521). - lpfc: Revise interrupt coalescing for missing scenarios (bsc#1154521). - lpfc: Slight fast-path Performance optimizations (bsc#1154521). 
- lpfc: Update lpfc version to 12.6.0.0 (bsc#1154521). - lpfc: fix coverity error of dereference after null check (bsc#1154521). - lpfc: fix lpfc_nvmet_mrq to be bound by hdw queue count (bsc#1154521). - mac80211: Reject malformed SSID elements (bsc#1051510). - mac80211: accept deauth frames in IBSS mode (bsc#1051510). - mac80211: fix txq null pointer dereference (bsc#1051510). - macsec: drop skb sk before calling gro_cells_receive (bsc#1051510). - md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090). - md/raid0: fix warning message for parameter default_layout (bsc#1140090). - media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642). - media: cpia2_usb: fix memory leaks (bsc#1051510). - media: dvb-core: fix a memory leak bug (bsc#1051510). - media: exynos4-is: fix leaked of_node references (bsc#1051510). - media: gspca: zero usb_buf on error (bsc#1051510). - media: hdpvr: Add device num check and handling (bsc#1051510). - media: hdpvr: add terminating 0 at end of string (bsc#1051510). - media: i2c: ov5645: Fix power sequence (bsc#1051510). - media: iguanair: add sanity checks (bsc#1051510). - media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510). - media: omap3isp: Set device on omap3isp subdevs (bsc#1051510). - media: ov9650: add a sanity check (bsc#1051510). - media: radio/si470x: kill urb on error (bsc#1051510). - media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510). - media: saa7146: add cleanup in hexium_attach() (bsc#1051510). - media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510). - media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510). - media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510). - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510). - mfd: intel-lpss: Remove D3cold delay (bsc#1051510). - misdn: enforce CAP_NET_RAW for raw sockets (bsc#1051510). 
- mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05). - mmc: core: API to temporarily disable retuning for SDIO CRC errors (bsc#1111666). - mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() (bsc#1111666). - mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510). - mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510). - mmc: sdhci: improve ADMA error reporting (bsc#1051510). - net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes). - net/mlx4_en: fix a memory leak bug (bsc#1046299). - net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303). - net/mlx5: Fix error handling in mlx5_load() (bsc#1046305). - net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30). - net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05). - net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848). - net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848). - net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30). - net: Fix null de-reference of device refcount (networking-stable-19_09_15). - net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612). - net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05). - net: fix skb use after free in netpoll (networking-stable-19_09_05). - net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15). - net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes). - net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05). - net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30). - net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05). 
- net_sched: add policy validation for action attributes (networking-stable-19_09_30). - net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes). - netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612). - nfc: fix attrs checks in netlink interface (bsc#1051510). - nfc: fix memory leak in llcp_sock_bind() (bsc#1051510). - nfc: pn533: fix use-after-free and memleaks (bsc#1051510). - nfsv4.1: backchannel request should hold ref on xprt (bsc#1152624). - nl80211: fix null pointer dereference (bsc#1051510). - objtool: Clobber user CFLAGS variable (bsc#1153236). - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30). - packaging: add support for riscv64 - pci: Correct pci=resource_alignment parameter example (bsc#1051510). - pci: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092). - pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263). - pci: pm: Fix pci_power_up() (bsc#1051510). - pinctrl: cherryview: restore Strago DMI workaround for all versions (bsc#1111666). - pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510). - platform/x86: classmate-laptop: remove unused variable (bsc#1051510). - platform/x86: i2c-multi-instantiate: Derive the device name from parent (bsc#1111666). - platform/x86: i2c-multi-instantiate: Fail the probe if no IRQ provided (bsc#1111666). - platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510). - power: supply: sysfs: ratelimit property read error message (bsc#1051510). - powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186). - powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186). - powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186). - powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186). - powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186). 
- powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186). - powerpc/mm/radix: mark as __tlbie_pid() and friends as__always_inline (bsc#1055186). - powerpc/mm: Properly invalidate when setting process table base (bsc#1055186). - powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186). - powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778). - powerpc/pseries: Remove confusing warning message (bsc#1109158). - powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778). - powerplay: Respect units on max dcfclk watermark (bsc#1111666). - qed: iwarp: Fix default window size to be based on chip (bsc#1050536 bsc#1050545). - qed: iwarp: Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545). - qed: iwarp: Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545). - qed: iwarp: fix uninitialized callback (bsc#1050536 bsc#1050545). - qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05). - r8152: Set macpassthru in reset_resume callback (bsc#1051510). - rdma/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244). - rdma/hns: Add reset process for function-clear (bsc#1155061). - rdma/hns: Remove the some magic number (bsc#1155061). - rdma: Fix goto target to release the allocated memory (bsc#1050244). - rds: Fix warning (bsc#1154848). - rpm/config.sh: Enable livepatch. - rpm/constraints.in: lower disk space required for ARM With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB. - rpm/dtb.spec.in.in: do not make dtb directory inaccessible There is no reason to lock down the dtb directory for ordinary users. - rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo. 
- rpm/kernel-binary.spec.in: build kernel-*-kgraft only for default SLE kernel RT and Azure variants are excluded for the moment. (bsc#1141600) - rpm/kernel-binary.spec.in: handle modules.builtin.modinfo It was added in 5.2. - rpm/kernel-binary.spec.in: support partial rt debug config. - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - rpm/macros.kernel-source: KMPs should depend on kmod-compat to build. kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE. - rpm/mkspec: Correct tarball URL for rc kernels. - rpm/mkspec: Make building DTBs optional. - rpm/modflist: Simplify compression support. - rpm: raise required disk space for binary packages Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x. - rpm: support compressed modules Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko". - rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635). - s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476). - s390/cpumsf: Check for CPU Measurement sampling (bsc#1153681 LTC#181855). - s390/crypto: fix gcm-aes-s390 selftest failures (bsc#1137861 LTC#178091). - s390/pci: add mio_enabled attribute (bsc#1152665 LTC#181729). - s390/pci: correctly handle MIO opt-out (bsc#1152665 LTC#181729). - s390/pci: deal with devices that have no support for MIO instructions (bsc#1152665 LTC#181729). - s390/pci: fix MSI message data (bsc#1152697 LTC#181730). 
- s390: add support for IBM z15 machines (bsc#1152696 LTC#181731). - s390: fix setting of mio addressing control (bsc#1152665 LTC#181729). - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05). - sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05). - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15). - sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30). - sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). - scripts/arch-symbols: add missing link. - scsi: lpfc: Check queue pointer before use (bsc#1154242). - scsi: lpfc: Complete removal of FCoE T10 PI support on SLI-4 adapters (bsc#1154521). - scsi: lpfc: Convert existing %pf users to %ps (bsc#1154521). - scsi: lpfc: Fix GPF on scsi command completion (bsc#1154521). - scsi: lpfc: Fix NVME io abort failures causing hangs (bsc#1154521). - scsi: lpfc: Fix NVMe ABTS in response to receiving an ABTS (bsc#1154521). - scsi: lpfc: Fix coverity errors on NULL pointer checks (bsc#1154521). - scsi: lpfc: Fix device recovery errors after PLOGI failures (bsc#1154521). - scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040). - scsi: lpfc: Fix discovery failures when target device connectivity bounces (bsc#1154521). - scsi: lpfc: Fix hdwq sgl locks and irq handling (bsc#1154521). - scsi: lpfc: Fix host hang at boot or slow boot (bsc#1154521). - scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq (bsc#1154521). - scsi: lpfc: Fix list corruption in lpfc_sli_get_iocbq (bsc#1154521). - scsi: lpfc: Fix locking on mailbox command completion (bsc#1154521). - scsi: lpfc: Fix miss of register read failure check (bsc#1154521). - scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845). - scsi: lpfc: Fix premature re-enabling of interrupts in lpfc_sli_host_down (bsc#1154521). 
- scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883). - scsi: lpfc: Fix pt2pt discovery on SLI3 HBAs (bsc#1154521). - scsi: lpfc: Fix rpi release when deleting vport (bsc#1154521). - scsi: lpfc: Fix spinlock_irq issues in lpfc_els_flush_cmd() (bsc#1154521). - scsi: lpfc: Make function lpfc_defer_pt2pt_acc static (bsc#1154521). - scsi: lpfc: Remove bg debugfs buffers (bsc#1144375). - scsi: lpfc: Update async event logging (bsc#1154521). - scsi: lpfc: Update lpfc version to 12.4.0.1 (bsc#1154521). - scsi: lpfc: cleanup: remove unused fcp_txcmlpq_cnt (bsc#1154521). - scsi: lpfc: remove left-over BUILD_NVME defines (bsc#1154268). - scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291). - scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291). - scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Remove WARN_ON_ONCE in qla2x00_status_cont_entry() (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729). - scsi: zfcp: fix reaction on bit error threshold notification (bsc#1154956 LTC#182054). - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15). - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15). - skge: fix checksum byte order (networking-stable-19_09_30). - sock_diag: fix autoloading of the raw_diag module (bsc#1152791). - sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791). - staging: bcm2835-audio: Fix draining behavior regression (bsc#1111666). - staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510). - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510). - supported.conf: add efivarfs to kernel-default-base (bsc#1154858). - tcp: Do not dequeue SYN/FIN-segments from write-queue (git-fixes). - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15). - tcp: inherit timestamp on mtu probe (networking-stable-19_09_05). - tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05). - thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510). - thermal_hwmon: Sanitize thermal_zone type (bsc#1051510). - tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15). - tipc: fix unlimited bundling of small messages (networking-stable-19_10_05). - tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508). - tun: fix use-after-free when register netdev failed (networking-stable-19_09_15). - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099). - usb: adutux: fix NULL-derefs on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on release (bsc#1051510).
- usb: chaoskey: fix use-after-free on release (bsc#1051510). - usb: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510). - usb: iowarrior: fix use-after-free after driver unbind (bsc#1051510). - usb: iowarrior: fix use-after-free on disconnect (bsc#1051510). - usb: iowarrior: fix use-after-free on release (bsc#1051510). - usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - usb: ldusb: fix memleak on disconnect (bsc#1051510). - usb: ldusb: fix read info leaks (bsc#1051510). - usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - usb: legousbtower: fix deadlock on disconnect (bsc#1142635). - usb: legousbtower: fix memleak on disconnect (bsc#1051510). - usb: legousbtower: fix open after failed reset request (bsc#1142635). - usb: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635). - usb: legousbtower: fix slab info leak at probe (bsc#1142635). - usb: legousbtower: fix use-after-free on release (bsc#1051510). - usb: microtek: fix info-leak at probe (bsc#1142635). - usb: serial: fix runtime PM after driver unbind (bsc#1051510). - usb: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510). - usb: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510). - usb: serial: option: add Telit FN980 compositions (bsc#1051510). - usb: serial: option: add support for Cinterion CLS8 devices (bsc#1051510). - usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510). - usb: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510). - usb: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510). - usb: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510). - usb: usblcd: fix I/O after disconnect (bsc#1142635). - usb: usblp: fix runtime PM after driver unbind (bsc#1051510). - usb: usblp: fix use-after-free on disconnect (bsc#1051510). 
- usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510). - usb: yurex: Do not retry on unexpected errors (bsc#1051510). - usb: yurex: fix NULL-derefs on disconnect (bsc#1051510). - usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510). - usbnet: sanity checking of packet sizes and device mtu (bsc#1051510). - vfio_pci: Restore original state on release (bsc#1051510). - vhost_net: conditionally enable tx polling (bsc#1145099). - video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510). - vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05). - watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510). - x86/asm: Fix MWAITX C-state hint value (bsc#1114279). - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969). - x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969). - x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279). - xen/netback: fix error path of xenvif_connect_data() (bsc#1065600). - xen/pv: Fix Xen PV guest int3 handling (bsc#1153811). - xhci: Check all endpoints for LPM timeout (bsc#1051510). - xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510). - xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510). - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2019-2947=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-default-debuginfo-4.12.14-197.26.1 kernel-default-debugsource-4.12.14-197.26.1 kernel-default-livepatch-4.12.14-197.26.1 kernel-default-livepatch-devel-4.12.14-197.26.1 kernel-livepatch-4_12_14-197_26-default-1-3.5.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://bugzilla.suse.com/1046299 https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1046305 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1050536 https://bugzilla.suse.com/1050545 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1055186 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1064802 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1066129 https://bugzilla.suse.com/1073513 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1086323 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1093205 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1097583 https://bugzilla.suse.com/1097584 https://bugzilla.suse.com/1097585 https://bugzilla.suse.com/1097586 https://bugzilla.suse.com/1097587 https://bugzilla.suse.com/1097588 
https://bugzilla.suse.com/1098291 https://bugzilla.suse.com/1101674 https://bugzilla.suse.com/1109158 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1113994 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1119461 https://bugzilla.suse.com/1119465 https://bugzilla.suse.com/1123034 https://bugzilla.suse.com/1123080 https://bugzilla.suse.com/1133140 https://bugzilla.suse.com/1134303 https://bugzilla.suse.com/1135642 https://bugzilla.suse.com/1135854 https://bugzilla.suse.com/1135873 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137040 https://bugzilla.suse.com/1137799 https://bugzilla.suse.com/1137861 https://bugzilla.suse.com/1138190 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1140090 https://bugzilla.suse.com/1140729 https://bugzilla.suse.com/1140845 https://bugzilla.suse.com/1140883 https://bugzilla.suse.com/1141600 https://bugzilla.suse.com/1142635 https://bugzilla.suse.com/1142667 https://bugzilla.suse.com/1143706 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144375 https://bugzilla.suse.com/1144449 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145099 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1148410 https://bugzilla.suse.com/1149119 https://bugzilla.suse.com/1149853 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150875 https://bugzilla.suse.com/1151508 https://bugzilla.suse.com/1151807 https://bugzilla.suse.com/1152033 https://bugzilla.suse.com/1152624 https://bugzilla.suse.com/1152665 https://bugzilla.suse.com/1152685 https://bugzilla.suse.com/1152696 https://bugzilla.suse.com/1152697 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1152790 https://bugzilla.suse.com/1152791 https://bugzilla.suse.com/1153112 https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1153236 
https://bugzilla.suse.com/1153263 https://bugzilla.suse.com/1153476 https://bugzilla.suse.com/1153509 https://bugzilla.suse.com/1153607 https://bugzilla.suse.com/1153646 https://bugzilla.suse.com/1153681 https://bugzilla.suse.com/1153713 https://bugzilla.suse.com/1153717 https://bugzilla.suse.com/1153718 https://bugzilla.suse.com/1153719 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1153969 https://bugzilla.suse.com/1154108 https://bugzilla.suse.com/1154189 https://bugzilla.suse.com/1154242 https://bugzilla.suse.com/1154268 https://bugzilla.suse.com/1154354 https://bugzilla.suse.com/1154372 https://bugzilla.suse.com/1154521 https://bugzilla.suse.com/1154578 https://bugzilla.suse.com/1154607 https://bugzilla.suse.com/1154608 https://bugzilla.suse.com/1154610 https://bugzilla.suse.com/1154611 https://bugzilla.suse.com/1154651 https://bugzilla.suse.com/1154737 https://bugzilla.suse.com/1154747 https://bugzilla.suse.com/1154848 https://bugzilla.suse.com/1154858 https://bugzilla.suse.com/1154905 https://bugzilla.suse.com/1154956 https://bugzilla.suse.com/1155061 https://bugzilla.suse.com/1155178 https://bugzilla.suse.com/1155179 https://bugzilla.suse.com/1155184 https://bugzilla.suse.com/1155186 https://bugzilla.suse.com/1155671 https://bugzilla.suse.com/802154 https://bugzilla.suse.com/814594 https://bugzilla.suse.com/919448 https://bugzilla.suse.com/987367 https://bugzilla.suse.com/998153 From sle-security-updates at lists.suse.com Tue Nov 12 17:41:28 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 01:41:28 +0100 (CET) Subject: SUSE-SU-2019:2948-1: important: Security update for the Linux Kernel Message-ID: <20191113004128.568DCF798@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2948-1 Rating: important References: #1051510 #1082635 #1083647 #1090631 
#1096254 #1117665 #1119461 #1119465 #1123034 #1135966 #1135967 #1137040 #1138190 #1139073 #1140090 #1143706 #1144338 #1144903 #1146612 #1149119 #1150457 #1151225 #1152624 #1153476 #1153509 #1153969 #1154737 #1154848 #1154858 #1154905 #1154959 #1155178 #1155179 #1155184 #1155186 #1155671 Cross-References: CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-10220 CVE-2019-11135 CVE-2019-16233 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Live Patching 12-SP4 SUSE Linux Enterprise High Availability 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has 30 fixes is now available. Description: The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel KVM hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). 
The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 Other security fixes: - CVE-2019-0154: Fixed a local denial of service via read of unprotected i915 registers. (bsc#1135966) - CVE-2019-0155: Fixed privilege escalation in the i915 driver. Batch buffers from usermode could have escalated privileges via blitter command stream. (bsc#1135967) - CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457). - CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903). The following non-security bugs were fixed: - alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510). - alsa: hda/realtek - Add support for ALC623 (bsc#1051510). - alsa: hda/realtek - Add support for ALC711 (bsc#1051510). - alsa: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510). - alsa: hda: Add Elkhart Lake PCI ID (bsc#1051510). - alsa: hda: Add Tigerlake/Jasperlake PCI ID (bsc#1051510). - alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510). - asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510). - bpf: fix use after free in prog symbol exposure (bsc#1083647). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510). 
- crypto: af_alg - consolidation of duplicate code (bsc#1154737). - crypto: af_alg - fix race accessing cipher request (bsc#1154737). - crypto: af_alg - remove locking in async callback (bsc#1154737). - crypto: af_alg - update correct dst SGL entry (bsc#1051510). - crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif - return error code when no data was processed (bsc#1154737). - crypto: algif_aead - copy AAD from src to dst (bsc#1154737). - crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead - overhaul memory management (bsc#1154737). - crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher - overhaul memory management (bsc#1154737). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). - drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967) - drm/i915/gtt: Disable read-only support under GVT (bsc#1135967) - drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967) - drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967) - drm/i915: Remove Master tables from cmdparser - drm/i915: Rename gen7 cmdparser tables (bsc#1135967) - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967) - efi/memattr: Do not bail on zero VA if it equals the 
region's PA (bsc#1051510). - efi: cper: print AER info of PCIe fatal error (bsc#1051510). - efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510). - hid: fix error message in hid_open_report() (bsc#1051510). - hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510). - hso: fix NULL-deref on tty open (bsc#1051510). - hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ieee802154: ca8210: prevent memory leak (bsc#1051510). - input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510). - integrity: prevent deadlock during digsig verification (bsc#1090631). - ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05). - ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05). - kABI workaround for crypto/af_alg changes (bsc#1154737). - kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967) - ksm: cleanup stable_node chain collapse case (bnc#1144338). - ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338). - ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338). - ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338). - ksm: swap the two output parameters of chain/chain_prune (bnc#1144338). - kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86: mmu: Recovery of shattered NX large pages (bsc#1117665, CVE-2018-12207). - mac80211: Reject malformed SSID elements (bsc#1051510). - mac80211: fix txq null pointer dereference (bsc#1051510). - md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090). - md/raid0: fix warning message for parameter default_layout (bsc#1140090). - net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30). 
- net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05). - net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848). - net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848). - net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30). - net/smc: fix SMCD link group creation with VLAN id (bsc#1154959). - net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612). - net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05). - net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes). - net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05). - net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30). - net_sched: add policy validation for action attributes (networking-stable-19_09_30). - net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes). - netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612). - nfsv4.1 - backchannel request should hold ref on xprt (bsc#1152624). - nl80211: fix null pointer dereference (bsc#1051510). - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30). - qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05). - r8152: Set macpassthru in reset_resume callback (bsc#1051510). - rds: Fix warning (bsc#1154848). - reiserfs: fix extended attributes on the root directory (bsc#1151225). - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476). - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05). - sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05). - sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30). - sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). 
- scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040). - scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: fix a potential NULL pointer dereference (bsc#1150457 CVE-2019-16233). - scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034). - skge: fix checksum byte order (networking-stable-19_09_30). 
- staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510). - supported.conf: add efivarfs to kernel-default-base (bsc#1154858). - tipc: fix unlimited bundling of small messages (networking-stable-19_10_05). - usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - usb: ldusb: fix memleak on disconnect (bsc#1051510). - usb: ldusb: fix read info leaks (bsc#1051510). - usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - usb: legousbtower: fix memleak on disconnect (bsc#1051510). - usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510). - usb: usblp: fix use-after-free on disconnect (bsc#1051510). - vfs: Make filldir[64]() verify the directory entry filename is valid (bsc#1144903, CVE-2019-10220). - vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05). - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969). - x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969). - x86/tsx: Add config options to set tsx=on|off|auto (bsc#1139073, CVE-2019-11135). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2019-2948=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2948=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2948=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2019-2948=1 - SUSE Linux Enterprise High Availability 12-SP4: zypper in -t patch SUSE-SLE-HA-12-SP4-2019-2948=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2948=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): kernel-default-debuginfo-4.12.14-95.40.1 kernel-default-debugsource-4.12.14-95.40.1 kernel-default-extra-4.12.14-95.40.1 kernel-default-extra-debuginfo-4.12.14-95.40.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-95.40.2 kernel-obs-build-debugsource-4.12.14-95.40.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): kernel-docs-4.12.14-95.40.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-95.40.1 kernel-default-base-4.12.14-95.40.1 kernel-default-base-debuginfo-4.12.14-95.40.1 kernel-default-debuginfo-4.12.14-95.40.1 kernel-default-debugsource-4.12.14-95.40.1 kernel-default-devel-4.12.14-95.40.1 kernel-syms-4.12.14-95.40.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): kernel-devel-4.12.14-95.40.1 kernel-macros-4.12.14-95.40.1 kernel-source-4.12.14-95.40.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): kernel-default-devel-debuginfo-4.12.14-95.40.1 - SUSE Linux Enterprise Server 12-SP4 (s390x): kernel-default-man-4.12.14-95.40.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kernel-default-kgraft-4.12.14-95.40.1 kernel-default-kgraft-devel-4.12.14-95.40.1 
kgraft-patch-4_12_14-95_40-default-1-6.3.1 - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-95.40.1 cluster-md-kmp-default-debuginfo-4.12.14-95.40.1 dlm-kmp-default-4.12.14-95.40.1 dlm-kmp-default-debuginfo-4.12.14-95.40.1 gfs2-kmp-default-4.12.14-95.40.1 gfs2-kmp-default-debuginfo-4.12.14-95.40.1 kernel-default-debuginfo-4.12.14-95.40.1 kernel-default-debugsource-4.12.14-95.40.1 ocfs2-kmp-default-4.12.14-95.40.1 ocfs2-kmp-default-debuginfo-4.12.14-95.40.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): kernel-default-4.12.14-95.40.1 kernel-default-debuginfo-4.12.14-95.40.1 kernel-default-debugsource-4.12.14-95.40.1 kernel-default-devel-4.12.14-95.40.1 kernel-default-devel-debuginfo-4.12.14-95.40.1 kernel-default-extra-4.12.14-95.40.1 kernel-default-extra-debuginfo-4.12.14-95.40.1 kernel-syms-4.12.14-95.40.1 - SUSE Linux Enterprise Desktop 12-SP4 (noarch): kernel-devel-4.12.14-95.40.1 kernel-macros-4.12.14-95.40.1 kernel-source-4.12.14-95.40.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-0154.html https://www.suse.com/security/cve/CVE-2019-0155.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-16233.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1119461 https://bugzilla.suse.com/1119465 https://bugzilla.suse.com/1123034 https://bugzilla.suse.com/1135966 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137040 https://bugzilla.suse.com/1138190 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1140090 https://bugzilla.suse.com/1143706 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1146612 
https://bugzilla.suse.com/1149119 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1151225 https://bugzilla.suse.com/1152624 https://bugzilla.suse.com/1153476 https://bugzilla.suse.com/1153509 https://bugzilla.suse.com/1153969 https://bugzilla.suse.com/1154737 https://bugzilla.suse.com/1154848 https://bugzilla.suse.com/1154858 https://bugzilla.suse.com/1154905 https://bugzilla.suse.com/1154959 https://bugzilla.suse.com/1155178 https://bugzilla.suse.com/1155179 https://bugzilla.suse.com/1155184 https://bugzilla.suse.com/1155186 https://bugzilla.suse.com/1155671

From sle-security-updates at lists.suse.com Tue Nov 12 17:46:27 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Nov 2019 01:46:27 +0100 (CET)
Subject: SUSE-SU-2019:2745-2: moderate: Security update for libcaca
Message-ID: <20191113004627.4211FF79E@maintenance.suse.de>

SUSE Security Update: Security update for libcaca
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:2745-2
Rating: moderate
References: #1120470 #1120502 #1120503 #1120504 #1120584 #1120589
Cross-References: CVE-2018-20544 CVE-2018-20545 CVE-2018-20546 CVE-2018-20547 CVE-2018-20548 CVE-2018-20549
Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for libcaca fixes the following issues:

Security issues fixed:

- CVE-2018-20544: Fixed a floating point exception at caca/dither.c (bsc#1120502)
- CVE-2018-20545: Fixed a WRITE memory access in the load_image function at common-image.c for 4bpp (bsc#1120584)
- CVE-2018-20546: Fixed a READ memory access in the get_rgba_default function at caca/dither.c for bpp (bsc#1120503)
- CVE-2018-20547: Fixed a READ memory access in the get_rgba_default function at caca/dither.c for 24bpp (bsc#1120504)
- CVE-2018-20548: Fixed a WRITE memory access in the load_image function at common-image.c for 1bpp (bsc#1120589)
- CVE-2018-20549: Fixed a WRITE memory access in the caca_file_read function at caca/file.c (bsc#1120470)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2745=1
- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2745=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
    libcaca-debugsource-0.99.beta18-14.3.27
    libcaca-devel-0.99.beta18-14.3.27
    libcaca0-plugins-0.99.beta18-14.3.27
    libcaca0-plugins-debuginfo-0.99.beta18-14.3.27
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    libcaca-debugsource-0.99.beta18-14.3.27
    libcaca0-0.99.beta18-14.3.27
    libcaca0-debuginfo-0.99.beta18-14.3.27

References:

https://www.suse.com/security/cve/CVE-2018-20544.html
https://www.suse.com/security/cve/CVE-2018-20545.html
https://www.suse.com/security/cve/CVE-2018-20546.html
https://www.suse.com/security/cve/CVE-2018-20547.html
https://www.suse.com/security/cve/CVE-2018-20548.html
https://www.suse.com/security/cve/CVE-2018-20549.html
https://bugzilla.suse.com/1120470
https://bugzilla.suse.com/1120502
https://bugzilla.suse.com/1120503
https://bugzilla.suse.com/1120504
https://bugzilla.suse.com/1120584
https://bugzilla.suse.com/1120589

From sle-security-updates at lists.suse.com Tue Nov 12 17:47:50 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Nov 2019 01:47:50 +0100 (CET)
Subject: SUSE-SU-2019:2946-1: important: Security update for the Linux Kernel
Message-ID: <20191113004750.18134F79E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:2946-1
Rating: important
References: #1046299 #1046303 #1046305 #1050244 #1050536 #1050545 #1051510 #1055186 #1061840 #1064802 #1065600 #1066129 #1073513 #1082635 #1083647 #1086323 #1087092 #1089644 #1090631 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 #1097588 #1098291 #1101674 #1109158 #1114279 #1117665 #1119461 #1119465 #1123034 #1123080 #1133140 #1134303 #1135642 #1135854 #1135873 #1135966 #1135967 #1137040 #1137799 #1138190 #1139073 #1140090 #1140729 #1140845 #1140883 #1141600 #1142635 #1142667 #1143706 #1144338 #1144375 #1144449 #1144903 #1145099 #1146612 #1148410 #1149119 #1150452 #1150457 #1150465 #1150875 #1151508 #1152624 #1152685 #1152788 #1152791 #1153112 #1153158 #1153236 #1153263 #1153476 #1153509 #1153646 #1153713 #1153717 #1153718 #1153719 #1153811 #1153969 #1154108 #1154189 #1154354 #1154372 #1154578 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737 #1154747 #1154848 #1154858 #1154905 #1155178 #1155179 #1155184 #1155186 #1155671
Cross-References: CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-10220 CVE-2019-11135 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16995 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666
Affected Products:
    SUSE Linux Enterprise Workstation Extension 15
    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
    SUSE Linux Enterprise Module for Live Patching 15
    SUSE Linux Enterprise Module for Legacy Software 15
    SUSE Linux Enterprise Module for Development Tools 15
    SUSE Linux Enterprise Module for Basesystem 15
    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 93 fixes is now available.

Description:

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-0154: Fix a local denial of service via read of unprotected i915 registers. (bsc#1135966)
- CVE-2019-0155: Fix privilege escalation in the i915 driver. Batch buffers from usermode could have escalated privileges via blitter command stream. (bsc#1135967)
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465)
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).

The following non-security bugs were fixed:

- 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510). - acpi / CPPC: do not require the _PSD method (bsc#1051510). - acpi / processor: do not print errors for processorIDs == 0xff (bsc#1051510). - acpi: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510). - act_mirred: Fix mirred_init_module error handling (bsc#1051510). - alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510). - alsa: hda - Add laptop imic fixup for ASUS M9V laptop (bsc#1051510). - alsa: hda - Apply AMD controller workaround for Raven platform (bsc#1051510). - alsa: hda - Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510). - alsa: hda - Drop unsol event handler for Intel HDMI codecs (bsc#1051510). - alsa: hda - Expand pin_match function to match upcoming new tbls (bsc#1051510). - alsa: hda - Inform too slow responses (bsc#1051510). - alsa: hda - Show the fatal CORB/RIRB error more clearly (bsc#1051510). - alsa: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510).
- alsa: hda/realtek - Add support for ALC623 (bsc#1051510). - alsa: hda/realtek - Add support for ALC711 (bsc#1051510). - alsa: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 (bsc#1051510). - alsa: hda/realtek - Check beep whitelist before assigning in all codecs (bsc#1051510). - alsa: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510). - alsa: hda/realtek - Fix alienware headset mic (bsc#1051510). - alsa: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510). - alsa: hda/sigmatel - remove unused variable 'stac9200_core_init' (bsc#1051510). - alsa: hda: Add Elkhart Lake pci ID (bsc#1051510). - alsa: hda: Add Tigerlake/Jasperlake pci ID (bsc#1051510). - alsa: hda: Add support of Zhaoxin controller (bsc#1051510). - alsa: hda: Flush interrupts on disabling (bsc#1051510). - alsa: hda: Set fifo_size for both playback and capture streams (bsc#1051510). - alsa: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510). - alsa: line6: sizeof (byte) is always 1, use that fact (bsc#1051510). - alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510). - alsa: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510). - alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510). - alsa: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510). - appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - asoc: Define a set of DAPM pre/post-up events (bsc#1051510). - asoc: Intel: Fix use of potentially uninitialized variable (bsc#1051510). - asoc: Intel: NHLT: Fix debug print format (bsc#1051510). - asoc: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510). - asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510). - asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510). 
- asoc: sgtl5000: Fix charge pump source assignment (bsc#1051510). - auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510). - ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - blk-wbt: abstract out end IO completion handler (bsc#1135873). - blk-wbt: fix has-sleeper queueing check (bsc#1135873). - blk-wbt: improve waking of tasks (bsc#1135873). - blk-wbt: move disable check into get_limit() (bsc#1135873). - blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873). - block: add io timeout to sysfs (bsc#1148410). - block: do not show io_timeout if driver has no timeout handler (bsc#1148410). - bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510). - bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323 ). - boot: Sign non-x86 kernels when possible (boo#1134303) - bpf: fix use after free in prog symbol exposure (bsc#1083647). - bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15). - btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651). - btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607). - btrfs: bail out gracefully rather than BUG_ON (bsc#1153646). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510). - can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510). 
- cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15). - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510). - ceph: fix directories inode i_blkbits initialization (bsc#1153717). - ceph: reconnect connection if session hang in opening state (bsc#1153718). - ceph: update the mtime when truncating up (bsc#1153719). - cfg80211: Purge frame registrations on iftype change (bsc#1051510). - cfg80211: add and use strongly typed element iteration macros (bsc#1051510). - clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510). - clk: qoriq: Fix -Wunused-const-variable (bsc#1051510). - clk: sirf: Do not reference clk_init_data after registration (bsc#1051510). - clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510). - crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg - consolidation of duplicate code (bsc#1154737). - crypto: af_alg - fix race accessing cipher request (bsc#1154737). - crypto: af_alg - remove locking in async callback (bsc#1154737). - crypto: af_alg - update correct dst SGL entry (bsc#1051510). - crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif - return error code when no data was processed (bsc#1154737). - crypto: algif_aead - copy AAD from src to dst (bsc#1154737). - crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead - overhaul memory management (bsc#1154737). - crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher - overhaul memory management (bsc#1154737). - crypto: talitos - fix missing break in switch statement (bsc#1142635). - cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584). 
- cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129). - cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129). - cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513). - cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - dasd_fba: Display '00000000' for zero page when dumping sense (bsc#1123080). - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510). - drm/amdgpu/si: fix ASIC tests (git-fixes). - drm/amdgpu: Check for valid number of registers to read (bsc#1051510). - drm/ast: Fixed reboot test may cause system hanged (bsc#1051510). - drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). - drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967) - drm/i915/gtt: Disable read-only support under GVT (bsc#1135967) - drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967) - drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967) - drm/i915: Remove Master tables from cmdparser - drm/i915: Rename gen7 cmdparser tables (bsc#1135967) - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967) - drm/msm/dsi: Implement reset correctly (bsc#1051510). 
- drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510). - drm/radeon: Fix EEH during kexec (bsc#1051510). - drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510). - drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510). - drm: Flush output polling on shutdown (bsc#1051510). - e1000e: add workaround for possible stalled packet (bsc#1051510). - efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510). - efi: cper: print AER info of pcie fatal error (bsc#1051510). - efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510). - firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes). - gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510). - hid: apple: Fix stuck function keys when using FN (bsc#1051510). - hid: fix error message in hid_open_report() (bsc#1051510). - hid: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510). - hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510). - hid: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510). - hid: prodikeys: Fix general protection fault during probe (bsc#1051510). - hid: sony: Fix memory corruption issue on cleanup (bsc#1051510). - hso: fix NULL-deref on tty open (bsc#1051510). - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510). - hwrng: core - do not wait on add_early_randomness() (git-fixes). - hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). - i2c: riic: Clear NACK in tend isr (bsc#1051510). - ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154108) - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ib/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449). - ib/mlx5: Consolidate use_umr checks into single function (bsc#1093205). 
- ib/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205). - ib/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305). - ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510). - ieee802154: ca8210: prevent memory leak (bsc#1051510). - ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - iio: adc: ad799x: fix probe error handling (bsc#1051510). - iio: light: opt3001: fix mutex unlock race (bsc#1051510). - ima: always return negative code for error (bsc#1051510). - input: da9063 - fix capability and drop KEY_SLEEP (bsc#1051510). - input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510). - integrity: prevent deadlock during digsig verification (bsc#1090631). - iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799). - iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608). - iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799). - iommu/amd: Remove domain->updated (bsc#1154610). - iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611). - ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510). - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15). - ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05). - ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05). - ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674). - ixgbe: sync the first fragment unconditionally (bsc#1133140). - kABI workaround for crypto/af_alg changes (bsc#1154737). - kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967) - kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510). - kabi/severities: Whitelist functions internal to radix mm. 
To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code. - kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - kernel-binary: Drop .kernel-binary.spec.buildenv (boo#1154578). - kernel-binary: check also bzImage on s390/s390x Starting with 4.19-rc1, uncompressed image is no longer built on s390x. - kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354). It is not strictly necessary to uncompress it so maybe the ghost file can be 0 size in this case. - kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875). - ksm: cleanup stable_node chain collapse case (bnc#1144338). - ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338). - ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338). - ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338). - ksm: swap the two output parameters of chain/chain_prune (bnc#1144338). - kvm: Convert kvm_lock to a mutex (bsc#1117665). - kvm: MMU: drop vcpu param in gpte_access (bsc#1117665). - kvm: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840). - kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665). - kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665). - kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665). - kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665). - kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665). - kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665). - kvm: x86: mmu: Recovery of shattered NX large pages (bsc#1117665, CVE-2018-12207). - kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665). 
- lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510). - libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510). - mISDN: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - mac80211: Reject malformed SSID elements (bsc#1051510). - mac80211: accept deauth frames in ibSS mode (bsc#1051510). - mac80211: fix txq null pointer dereference (bsc#1051510). - macsec: drop skb sk before calling gro_cells_receive (bsc#1051510). - md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090). - md/raid0: fix warning message for parameter default_layout (bsc#1140090). - media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642). - media: cpia2_usb: fix memory leaks (bsc#1051510). - media: dvb-core: fix a memory leak bug (bsc#1051510). - media: exynos4-is: fix leaked of_node references (bsc#1051510). - media: gspca: zero usb_buf on error (bsc#1051510). - media: hdpvr: Add device num check and handling (bsc#1051510). - media: hdpvr: add terminating 0 at end of string (bsc#1051510). - media: i2c: ov5645: Fix power sequence (bsc#1051510). - media: iguanair: add sanity checks (bsc#1051510). - media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510). - media: omap3isp: Set device on omap3isp subdevs (bsc#1051510). - media: ov9650: add a sanity check (bsc#1051510). - media: radio/si470x: kill urb on error (bsc#1051510). - media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510). - media: saa7146: add cleanup in hexium_attach() (bsc#1051510). - media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510). - media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510). - media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510). - mem: /dev/mem: Bail out upon SIGKILL (git-fixes). - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510). - mfd: intel-lpss: Remove D3cold delay (bsc#1051510). 
- mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05). - mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510). - mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510). - mmc: sdhci: improve ADMA error reporting (bsc#1051510). - net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes). - net/mlx4_en: fix a memory leak bug (bsc#1046299). - net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303 ). - net/mlx5: Fix error handling in mlx5_load() (bsc#1046305 ). - net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30). - net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05). - net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848). - net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848). - net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30). - net: Fix null de-reference of device refcount (networking-stable-19_09_15). - net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612). - net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05). - net: fix skb use after free in netpoll (networking-stable-19_09_05). - net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15). - net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes). - net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05). - net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30). - net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05). - net_sched: add policy validation for action attributes (networking-stable-19_09_30). - net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes). 
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612). - nfc: enforce CAP_NET_RAW for raw sockets (bsc#1152788 CVE-2019-17056). - nfc: fix attrs checks in netlink interface (bsc#1051510). - nfc: fix memory leak in llcp_sock_bind() (bsc#1051510). - nfc: pn533: fix use-after-free and memleaks (bsc#1051510). - nfs: NFSv4 Check the return value of update_open_stateid (boo#1154189 bsc#1154747). - nfsv4.1 - backchannel request should hold ref on xprt (bsc#1152624). - nl80211: fix null pointer dereference (bsc#1051510). - objtool: Clobber user CFLAGS variable (bsc#1153236). - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30). - packaging: add support for riscv64 - pci: Correct pci=resource_alignment parameter example (bsc#1051510). - pci: PM: Fix pci_power_up() (bsc#1051510). - pci: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092). - pci: hv: Use bytes 4 and 5 from instance ID as the pci domain numbers (bsc#1153263). - pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510). - platform/x86: classmate-laptop: remove unused variable (bsc#1051510). - platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510). - power: supply: sysfs: ratelimit property read error message (bsc#1051510). - powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186). - powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186). - powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186). - powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186). - powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186). - powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186). - powerpc/mm/radix: mark as __tlbie_pid() and friends as__always_inline (bsc#1055186). - powerpc/mm: Properly invalidate when setting process table base (bsc#1055186). 
- powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186). - powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778). - powerpc/pseries: Remove confusing warning message (bsc#1109158). - powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778). - qed: iWARP - Fix default window size to be based on chip (bsc#1050536 bsc#1050545). - qed: iWARP - Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545). - qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545). - qed: iWARP - fix uninitialized callback (bsc#1050536 bsc#1050545). - qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05). - r8152: Set macpassthru in reset_resume callback (bsc#1051510). - rdma/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244). - rdma: Fix goto target to release the allocated memory (bsc#1050244). - rds: Fix warning (bsc#1154848). - rpm/config.sh: Enable livepatch. - rpm/constraints.in: lower disk space required for ARM With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB. - rpm/dtb.spec.in.in: do not make dtb directory inaccessible There is no reason to lock down the dtb directory for ordinary users. - rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo. - rpm/kernel-binary.spec.in: build kernel-*-kgraft only for default SLE kernel RT and Azure variants are excluded for the moment. (bsc#1141600) - rpm/kernel-binary.spec.in: handle modules.builtin.modinfo It was added in 5.2. - rpm/kernel-binary.spec.in: support partial rt debug config. - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - rpm/macros.kernel-source: KMPs should depend on kmod-compat to build. 
kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE. - rpm/mkspec: Correct tarball URL for rc kernels. - rpm/mkspec: Make building DTBs optional. - rpm/modflist: Simplify compression support. - rpm: raise required disk space for binary packages Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x. - rpm: support compressed modules Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko". - rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635). - s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476). - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05). - sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05). - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15). - sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30). - sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). - scripts/arch-symbols: add missing link. - scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040). - scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845). - scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883). - scsi: lpfc: Remove bg debugfs buffers (bsc#1144375). - scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291). - scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291). 
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: fix a potential NULL pointer dereference (bsc#1150457 CVE-2019-16233). - scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729). 
- sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15). - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15). - skge: fix checksum byte order (networking-stable-19_09_30). - sock_diag: fix autoloading of the raw_diag module (bsc#1152791). - sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791). - staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510). - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510). - supporte.conf: add efivarfs to kernel-default-base (bsc#1154858). - tcp: Do not dequeue SYN/FIN-segments from write-queue (git-gixes). - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15). - tcp: inherit timestamp on mtu probe (networking-stable-19_09_05). - tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05). - thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510). - thermal_hwmon: Sanitize thermal_zone type (bsc#1051510). - tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15). - tipc: fix unlimited bundling of small messages (networking-stable-19_10_05). - tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508). - tun: fix use-after-free when register netdev failed (networking-stable-19_09_15). - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099). - usb: adutux: fix NULL-derefs on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on release (bsc#1051510). - usb: chaoskey: fix use-after-free on release (bsc#1051510). - usb: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510). - usb: iowarrior: fix use-after-free after driver unbind (bsc#1051510). - usb: iowarrior: fix use-after-free on disconnect (bsc#1051510). - usb: iowarrior: fix use-after-free on release (bsc#1051510). 
- usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - usb: ldusb: fix memleak on disconnect (bsc#1051510). - usb: ldusb: fix read info leaks (bsc#1051510). - usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - usb: legousbtower: fix deadlock on disconnect (bsc#1142635). - usb: legousbtower: fix memleak on disconnect (bsc#1051510). - usb: legousbtower: fix open after failed reset request (bsc#1142635). - usb: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635). - usb: legousbtower: fix slab info leak at probe (bsc#1142635). - usb: legousbtower: fix use-after-free on release (bsc#1051510). - usb: microtek: fix info-leak at probe (bsc#1142635). - usb: serial: fix runtime PM after driver unbind (bsc#1051510). - usb: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510). - usb: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510). - usb: serial: option: add Telit FN980 compositions (bsc#1051510). - usb: serial: option: add support for Cinterion CLS8 devices (bsc#1051510). - usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510). - usb: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510). - usb: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510). - usb: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510). - usb: usblcd: fix I/O after disconnect (bsc#1142635). - usb: usblp: fix runtime PM after driver unbind (bsc#1051510). - usb: usblp: fix use-after-free on disconnect (bsc#1051510). - usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510). - usb: yurex: Do not retry on unexpected errors (bsc#1051510). - usb: yurex: fix NULL-derefs on disconnect (bsc#1051510). - usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510). - usbnet: sanity checking of packet sizes and device mtu (bsc#1051510). - vfio_pci: Restore original state on release (bsc#1051510). 
- vfs: Make filldir[64]() verify the directory entry filename is valid (bsc#1144903). - vhost_net: conditionally enable tx polling (bsc#1145099). - video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510). - vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05). - watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510). - x86/asm: Fix MWAITX C-state hint value (bsc#1114279). - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969). - x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969). - x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279). - x86/tsx: Add config options to set tsx=on|off|auto (bsc#1139073, CVE-2019-11135). - xen/netback: fix error path of xenvif_connect_data() (bsc#1065600). - xen/pv: Fix Xen PV guest int3 handling (bsc#1153811). - xhci: Check all endpoints for LPM timeout (bsc#1051510). - xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510). - xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510). - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2019-2946=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2946=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2019-2946=1 - SUSE Linux Enterprise Module for Legacy Software 15: zypper in -t patch SUSE-SLE-Module-Legacy-15-2019-2946=1 - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-2946=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2946=1 - SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2019-2946=1 Package List: - SUSE Linux Enterprise Workstation Extension 15 (x86_64): kernel-default-debuginfo-4.12.14-150.41.1 kernel-default-debugsource-4.12.14-150.41.1 kernel-default-extra-4.12.14-150.41.1 kernel-default-extra-debuginfo-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): kernel-default-base-4.12.14-150.41.1 kernel-default-base-debuginfo-4.12.14-150.41.1 kernel-default-debuginfo-4.12.14-150.41.1 kernel-default-debugsource-4.12.14-150.41.1 kernel-obs-qa-4.12.14-150.41.1 kselftests-kmp-default-4.12.14-150.41.1 kselftests-kmp-default-debuginfo-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): kernel-docs-html-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-default-debuginfo-4.12.14-150.41.1 kernel-default-debugsource-4.12.14-150.41.1 kernel-default-livepatch-4.12.14-150.41.1 kernel-livepatch-4_12_14-150_41-default-1-1.3.1 kernel-livepatch-4_12_14-150_41-default-debuginfo-1-1.3.1 - SUSE Linux Enterprise Module for Legacy Software 15 
(aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-150.41.1 kernel-default-debugsource-4.12.14-150.41.1 reiserfs-kmp-default-4.12.14-150.41.1 reiserfs-kmp-default-debuginfo-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-150.41.1 kernel-obs-build-debugsource-4.12.14-150.41.1 kernel-syms-4.12.14-150.41.1 kernel-vanilla-base-4.12.14-150.41.1 kernel-vanilla-base-debuginfo-4.12.14-150.41.1 kernel-vanilla-debuginfo-4.12.14-150.41.1 kernel-vanilla-debugsource-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Development Tools 15 (noarch): kernel-docs-4.12.14-150.41.1 kernel-source-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-150.41.1 kernel-default-base-4.12.14-150.41.1 kernel-default-debuginfo-4.12.14-150.41.1 kernel-default-debugsource-4.12.14-150.41.1 kernel-default-devel-4.12.14-150.41.1 kernel-default-devel-debuginfo-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): kernel-devel-4.12.14-150.41.1 kernel-macros-4.12.14-150.41.1 - SUSE Linux Enterprise Module for Basesystem 15 (s390x): kernel-default-man-4.12.14-150.41.1 kernel-zfcpdump-4.12.14-150.41.1 kernel-zfcpdump-debuginfo-4.12.14-150.41.1 kernel-zfcpdump-debugsource-4.12.14-150.41.1 - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-150.41.1 cluster-md-kmp-default-debuginfo-4.12.14-150.41.1 dlm-kmp-default-4.12.14-150.41.1 dlm-kmp-default-debuginfo-4.12.14-150.41.1 gfs2-kmp-default-4.12.14-150.41.1 gfs2-kmp-default-debuginfo-4.12.14-150.41.1 kernel-default-debuginfo-4.12.14-150.41.1 kernel-default-debugsource-4.12.14-150.41.1 ocfs2-kmp-default-4.12.14-150.41.1 ocfs2-kmp-default-debuginfo-4.12.14-150.41.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-0154.html 
https://www.suse.com/security/cve/CVE-2019-0155.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://bugzilla.suse.com/1046299 https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1046305 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1050536 https://bugzilla.suse.com/1050545 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1055186 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1064802 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1066129 https://bugzilla.suse.com/1073513 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1086323 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1093205 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1097583 https://bugzilla.suse.com/1097584 https://bugzilla.suse.com/1097585 https://bugzilla.suse.com/1097586 https://bugzilla.suse.com/1097587 https://bugzilla.suse.com/1097588 https://bugzilla.suse.com/1098291 https://bugzilla.suse.com/1101674 https://bugzilla.suse.com/1109158 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1119461 https://bugzilla.suse.com/1119465 https://bugzilla.suse.com/1123034 https://bugzilla.suse.com/1123080 https://bugzilla.suse.com/1133140 https://bugzilla.suse.com/1134303 https://bugzilla.suse.com/1135642 https://bugzilla.suse.com/1135854 https://bugzilla.suse.com/1135873 https://bugzilla.suse.com/1135966 
https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137040 https://bugzilla.suse.com/1137799 https://bugzilla.suse.com/1138190 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1140090 https://bugzilla.suse.com/1140729 https://bugzilla.suse.com/1140845 https://bugzilla.suse.com/1140883 https://bugzilla.suse.com/1141600 https://bugzilla.suse.com/1142635 https://bugzilla.suse.com/1142667 https://bugzilla.suse.com/1143706 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144375 https://bugzilla.suse.com/1144449 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145099 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1148410 https://bugzilla.suse.com/1149119 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150875 https://bugzilla.suse.com/1151508 https://bugzilla.suse.com/1152624 https://bugzilla.suse.com/1152685 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1152791 https://bugzilla.suse.com/1153112 https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1153236 https://bugzilla.suse.com/1153263 https://bugzilla.suse.com/1153476 https://bugzilla.suse.com/1153509 https://bugzilla.suse.com/1153646 https://bugzilla.suse.com/1153713 https://bugzilla.suse.com/1153717 https://bugzilla.suse.com/1153718 https://bugzilla.suse.com/1153719 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1153969 https://bugzilla.suse.com/1154108 https://bugzilla.suse.com/1154189 https://bugzilla.suse.com/1154354 https://bugzilla.suse.com/1154372 https://bugzilla.suse.com/1154578 https://bugzilla.suse.com/1154607 https://bugzilla.suse.com/1154608 https://bugzilla.suse.com/1154610 https://bugzilla.suse.com/1154611 https://bugzilla.suse.com/1154651 https://bugzilla.suse.com/1154737 https://bugzilla.suse.com/1154747 https://bugzilla.suse.com/1154848 https://bugzilla.suse.com/1154858 https://bugzilla.suse.com/1154905 
https://bugzilla.suse.com/1155178 https://bugzilla.suse.com/1155179 https://bugzilla.suse.com/1155184 https://bugzilla.suse.com/1155186 https://bugzilla.suse.com/1155671 From sle-security-updates at lists.suse.com Tue Nov 12 18:02:05 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:02:05 +0100 (CET) Subject: SUSE-SU-2019:2957-1: important: Security update for ucode-intel Message-ID: <20191113010205.B3FBCF79E@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2957-1 Rating: important References: #1139073 #1141035 #1155988 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for ucode-intel fixes the following issues:

- Updated to 20191112 security release (bsc#1155988)

  Processor model   Stepping  F-MO-S/PI   Version (Old->New)   Products
  ---- new platforms ----
  CML-U62           A0        6-a6-0/80   000000c6             Core Gen10 Mobile
  CNL-U             D0        6-66-3/80   0000002a             Core Gen8 Mobile
  SKX-SP            B1        6-55-3/97   01000150             Xeon Scalable
  ICL U/Y           D1        6-7e-5/80   00000046             Core Gen10 Mobile
  ---- updated platforms ----
  SKL U/Y           D0        6-4e-3/c0   000000cc->000000d4   Core Gen6 Mobile
  SKL H/S/E3        R0/N0     6-5e-3/36   000000cc->000000d4   Core Gen6
  AML-Y22           H0        6-8e-9/10   000000b4->000000c6   Core Gen8 Mobile
  KBL-U/Y           H0        6-8e-9/c0   000000b4->000000c6   Core Gen7 Mobile
  CFL-U43e          D0        6-8e-a/c0   000000b4->000000c6   Core Gen8 Mobile
  WHL-U             W0        6-8e-b/d0   000000b8->000000c6   Core Gen8 Mobile
  AML-Y             V0        6-8e-c/94   000000b8->000000c6   Core Gen10 Mobile
  CML-U42           V0        6-8e-c/94   000000b8->000000c6   Core Gen10 Mobile
  WHL-U             V0        6-8e-c/94   000000b8->000000c6   Core Gen8 Mobile
  KBL-G/X           H0        6-9e-9/2a   000000b4->000000c6   Core Gen7/Gen8
  KBL-H/S/E3        B0        6-9e-9/2a   000000b4->000000c6   Core Gen7; Xeon E3 v6
  CFL-H/S/E3        U0        6-9e-a/22   000000b4->000000c6   Core Gen8 Desktop, Mobile, Xeon E
  CFL-S             B0        6-9e-b/02   000000b4->000000c6   Core Gen8
  CFL-H             R0        6-9e-d/22   000000b8->000000c6   Core Gen9 Mobile

- Includes security fixes for:
  - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
  - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)

Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2957=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): ucode-intel-20191112-3.28.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Tue Nov 12 18:03:07 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:03:07 +0100 (CET) Subject: SUSE-SU-2019:2719-2: moderate: Security update for python-xdg Message-ID: <20191113010307.66FF1F79E@maintenance.suse.de> SUSE Security Update: Security update for python-xdg ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2719-2 Rating: moderate References: #859835 Cross-References: CVE-2014-1624 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for python-xdg fixes the following issues: Security issue fixed: - CVE-2014-1624: Fixed a TOCTOU race condition in get_runtime_dir(). (bsc#859835) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2719=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (noarch): python-xdg-0.25-9.3.1 References: https://www.suse.com/security/cve/CVE-2014-1624.html https://bugzilla.suse.com/859835 From sle-security-updates at lists.suse.com Tue Nov 12 18:05:21 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:05:21 +0100 (CET) Subject: SUSE-SU-2019:2752-2: moderate: Security update for sysstat Message-ID: <20191113010521.3173FF79E@maintenance.suse.de> SUSE Security Update: Security update for sysstat ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2752-2 Rating: moderate References: #1150114 Cross-References: CVE-2019-16167 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sysstat fixes the following issue: - CVE-2019-16167: Fixed a memory corruption due to an integer overflow. (bsc#1150114) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2752=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): sysstat-12.0.2-10.27.1 sysstat-debuginfo-12.0.2-10.27.1 sysstat-debugsource-12.0.2-10.27.1 sysstat-isag-12.0.2-10.27.1 References: https://www.suse.com/security/cve/CVE-2019-16167.html https://bugzilla.suse.com/1150114 From sle-security-updates at lists.suse.com Tue Nov 12 18:06:01 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:06:01 +0100 (CET) Subject: SUSE-SU-2019:2748-2: moderate: Security update for python Message-ID: <20191113010601.A6BFFF79E@maintenance.suse.de> SUSE Security Update: Security update for python ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2748-2 Rating: moderate References: #1149955 #1153238 Cross-References: CVE-2019-16056 CVE-2019-16935 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for python fixes the following issues: Security issue fixed: - CVE-2019-16056: Fixed a parser issue in the email module (bsc#1149955). - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2019-2748=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2748=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): python-base-debuginfo-2.7.13-28.36.1 python-base-debugsource-2.7.13-28.36.1 python-devel-2.7.13-28.36.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpython2_7-1_0-2.7.13-28.36.1 libpython2_7-1_0-debuginfo-2.7.13-28.36.1 python-2.7.13-28.36.1 python-base-2.7.13-28.36.1 python-base-debuginfo-2.7.13-28.36.1 python-base-debugsource-2.7.13-28.36.1 python-curses-2.7.13-28.36.1 python-curses-debuginfo-2.7.13-28.36.1 python-debuginfo-2.7.13-28.36.1 python-debugsource-2.7.13-28.36.1 python-demo-2.7.13-28.36.1 python-devel-2.7.13-28.36.1 python-gdbm-2.7.13-28.36.1 python-gdbm-debuginfo-2.7.13-28.36.1 python-idle-2.7.13-28.36.1 python-tk-2.7.13-28.36.1 python-tk-debuginfo-2.7.13-28.36.1 python-xml-2.7.13-28.36.1 python-xml-debuginfo-2.7.13-28.36.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libpython2_7-1_0-32bit-2.7.13-28.36.1 libpython2_7-1_0-debuginfo-32bit-2.7.13-28.36.1 python-32bit-2.7.13-28.36.1 python-base-32bit-2.7.13-28.36.1 python-base-debuginfo-32bit-2.7.13-28.36.1 python-debuginfo-32bit-2.7.13-28.36.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): python-doc-2.7.13-28.36.1 python-doc-pdf-2.7.13-28.36.1 References: https://www.suse.com/security/cve/CVE-2019-16056.html https://www.suse.com/security/cve/CVE-2019-16935.html https://bugzilla.suse.com/1149955 https://bugzilla.suse.com/1153238 From sle-security-updates at lists.suse.com Tue Nov 12 18:06:48 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:06:48 +0100 (CET) Subject: SUSE-SU-2019:1391-2: moderate: Security update for evolution Message-ID: 
<20191113010648.EBFC2F79E@maintenance.suse.de> SUSE Security Update: Security update for evolution ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:1391-2 Rating: moderate References: #1125230 Cross-References: CVE-2018-15587 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for evolution fixes the following issue: Security issue fixed: - CVE-2018-15587: Fixed OpenPGP signatures spoofing via specially crafted email that contains a valid signature (bsc#1125230). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2019-1391=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-1391=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): evolution-3.22.6-19.9.1 evolution-debuginfo-3.22.6-19.9.1 evolution-debugsource-3.22.6-19.9.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): evolution-lang-3.22.6-19.9.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): evolution-debuginfo-3.22.6-19.9.1 evolution-debugsource-3.22.6-19.9.1 evolution-devel-3.22.6-19.9.1 References: https://www.suse.com/security/cve/CVE-2018-15587.html https://bugzilla.suse.com/1125230 From sle-security-updates at lists.suse.com Tue Nov 12 18:07:28 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:07:28 +0100 (CET) Subject: SUSE-SU-2019:2962-1: important: Security update for xen 
Message-ID: <20191113010728.EBB71F79E@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2962-1 Rating: important References: #1152497 #1154448 #1154456 #1154458 #1154461 #1155945 Cross-References: CVE-2018-12207 CVE-2019-11135 CVE-2019-18420 CVE-2019-18421 CVE-2019-18424 CVE-2019-18425 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for xen fixes the following issues: - CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. (bsc#1155945) - CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. (bsc#1152497). - CVE-2019-18424: An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. (bsc#1154461). - CVE-2019-18421: A malicious PV guest administrator may have been able to escalate their privilege to that of the host. (bsc#1154458). - CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that of the guest kernel. (bsc#1154456). - CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash, resulting in a Denial of Service (DoS). (bsc#1154448) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2962=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2962=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2962=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 x86_64): xen-debugsource-4.11.2_04-2.17.1 xen-devel-4.11.2_04-2.17.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): xen-4.11.2_04-2.17.1 xen-debugsource-4.11.2_04-2.17.1 xen-doc-html-4.11.2_04-2.17.1 xen-libs-32bit-4.11.2_04-2.17.1 xen-libs-4.11.2_04-2.17.1 xen-libs-debuginfo-32bit-4.11.2_04-2.17.1 xen-libs-debuginfo-4.11.2_04-2.17.1 xen-tools-4.11.2_04-2.17.1 xen-tools-debuginfo-4.11.2_04-2.17.1 xen-tools-domU-4.11.2_04-2.17.1 xen-tools-domU-debuginfo-4.11.2_04-2.17.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): xen-4.11.2_04-2.17.1 xen-debugsource-4.11.2_04-2.17.1 xen-libs-32bit-4.11.2_04-2.17.1 xen-libs-4.11.2_04-2.17.1 xen-libs-debuginfo-32bit-4.11.2_04-2.17.1 xen-libs-debuginfo-4.11.2_04-2.17.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-18420.html https://www.suse.com/security/cve/CVE-2019-18421.html https://www.suse.com/security/cve/CVE-2019-18424.html https://www.suse.com/security/cve/CVE-2019-18425.html https://bugzilla.suse.com/1152497 https://bugzilla.suse.com/1154448 https://bugzilla.suse.com/1154456 https://bugzilla.suse.com/1154458 https://bugzilla.suse.com/1154461 https://bugzilla.suse.com/1155945 From sle-security-updates at lists.suse.com Tue Nov 12 18:08:49 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:08:49 +0100 (CET) Subject: SUSE-SU-2019:2727-2: moderate: Security update for dhcp Message-ID: 
<20191113010849.3D372F79E@maintenance.suse.de> SUSE Security Update: Security update for dhcp ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2727-2 Rating: moderate References: #1089524 #1134078 #1136572 Cross-References: CVE-2019-6470 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for dhcp fixes the following issues: Security issue fixed: - CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078). Bug fixes: - Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524). - Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2727=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2727=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): dhcp-debuginfo-4.3.3-10.19.1 dhcp-debugsource-4.3.3-10.19.1 dhcp-devel-4.3.3-10.19.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): dhcp-4.3.3-10.19.1 dhcp-client-4.3.3-10.19.1 dhcp-client-debuginfo-4.3.3-10.19.1 dhcp-debuginfo-4.3.3-10.19.1 dhcp-debugsource-4.3.3-10.19.1 dhcp-relay-4.3.3-10.19.1 dhcp-relay-debuginfo-4.3.3-10.19.1 dhcp-server-4.3.3-10.19.1 dhcp-server-debuginfo-4.3.3-10.19.1 References: https://www.suse.com/security/cve/CVE-2019-6470.html https://bugzilla.suse.com/1089524 https://bugzilla.suse.com/1134078 https://bugzilla.suse.com/1136572 From sle-security-updates at lists.suse.com Tue Nov 12 18:09:47 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:09:47 +0100 (CET) Subject: SUSE-SU-2019:2956-1: important: Security update for qemu Message-ID: <20191113010947.0EFA7F79E@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2956-1 Rating: important References: #1119991 #1146873 #1152506 #1153358 #1155812 Cross-References: CVE-2018-12207 CVE-2018-20126 CVE-2019-11135 CVE-2019-12068 Affected Products: SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. 
Description:

This update for qemu fixes the following issues:

- Remove a backslash "\" escape character from 80-qemu-ga.rules (bsc#1153358)
  Unlike sles 15 or newer guests, the udev rule file of the qemu guest agent in sles 12 sp4 or newer guests only needs one escape character.
- Fix use-after-free in slirp (CVE-2018-20126 bsc#1119991)
- Fix potential DOS in lsi scsi controller emulation (CVE-2019-12068 bsc#1146873)
- Expose taa-no "feature", indicating CPU does not have the TSX Async Abort vulnerability. (CVE-2019-11135 bsc#1152506)
- Expose pschange-mc-no "feature", indicating CPU does not have the page size change machine check vulnerability (CVE-2018-12207 bsc#1155812)
- Patch queue updated from https://gitlab.suse.de/virtualization/qemu.git SLE12-SP4

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2956=1
- SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2956=1

Package List:

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  qemu-2.11.2-5.23.2
  qemu-block-curl-2.11.2-5.23.2
  qemu-block-curl-debuginfo-2.11.2-5.23.2
  qemu-block-iscsi-2.11.2-5.23.2
  qemu-block-iscsi-debuginfo-2.11.2-5.23.2
  qemu-block-ssh-2.11.2-5.23.2
  qemu-block-ssh-debuginfo-2.11.2-5.23.2
  qemu-debugsource-2.11.2-5.23.2
  qemu-guest-agent-2.11.2-5.23.2
  qemu-guest-agent-debuginfo-2.11.2-5.23.2
  qemu-lang-2.11.2-5.23.2
  qemu-tools-2.11.2-5.23.2
  qemu-tools-debuginfo-2.11.2-5.23.2
- SUSE Linux Enterprise Server 12-SP4 (aarch64 x86_64):
  qemu-block-rbd-2.11.2-5.23.2
  qemu-block-rbd-debuginfo-2.11.2-5.23.2
- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
  qemu-kvm-2.11.2-5.23.2
- SUSE Linux Enterprise Server 12-SP4 (aarch64):
  qemu-arm-2.11.2-5.23.2
  qemu-arm-debuginfo-2.11.2-5.23.2
- SUSE Linux Enterprise Server
12-SP4 (ppc64le): qemu-ppc-2.11.2-5.23.2 qemu-ppc-debuginfo-2.11.2-5.23.2 - SUSE Linux Enterprise Server 12-SP4 (noarch): qemu-ipxe-1.0.0+-5.23.2 qemu-seabios-1.11.0-5.23.2 qemu-sgabios-8-5.23.2 qemu-vgabios-1.11.0-5.23.2 - SUSE Linux Enterprise Server 12-SP4 (x86_64): qemu-x86-2.11.2-5.23.2 - SUSE Linux Enterprise Server 12-SP4 (s390x): qemu-s390-2.11.2-5.23.2 qemu-s390-debuginfo-2.11.2-5.23.2 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): qemu-2.11.2-5.23.2 qemu-block-curl-2.11.2-5.23.2 qemu-block-curl-debuginfo-2.11.2-5.23.2 qemu-debugsource-2.11.2-5.23.2 qemu-kvm-2.11.2-5.23.2 qemu-tools-2.11.2-5.23.2 qemu-tools-debuginfo-2.11.2-5.23.2 qemu-x86-2.11.2-5.23.2 - SUSE Linux Enterprise Desktop 12-SP4 (noarch): qemu-ipxe-1.0.0+-5.23.2 qemu-seabios-1.11.0-5.23.2 qemu-sgabios-8-5.23.2 qemu-vgabios-1.11.0-5.23.2 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2018-20126.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-12068.html https://bugzilla.suse.com/1119991 https://bugzilla.suse.com/1146873 https://bugzilla.suse.com/1152506 https://bugzilla.suse.com/1153358 https://bugzilla.suse.com/1155812 From sle-security-updates at lists.suse.com Tue Nov 12 18:11:13 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:11:13 +0100 (CET) Subject: SUSE-SU-2019:2947-1: important: Security update for the Linux Kernel Message-ID: <20191113011113.85418F79E@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2947-1 Rating: important References: #1046299 #1046303 #1046305 #1050244 #1050536 #1050545 #1051510 #1055186 #1061840 #1064802 #1065600 #1066129 #1073513 #1082635 #1083647 #1086323 #1087092 #1089644 #1090631 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 
#1097588 #1098291 #1101674 #1109158 #1111666 #1112178 #1113994 #1114279 #1117665 #1119461 #1119465 #1123034 #1123080 #1133140 #1134303 #1135642 #1135854 #1135873 #1135967 #1137040 #1137799 #1137861 #1138190 #1139073 #1140090 #1140729 #1140845 #1140883 #1141600 #1142635 #1142667 #1143706 #1144338 #1144375 #1144449 #1144903 #1145099 #1146612 #1148410 #1149119 #1149853 #1150452 #1150457 #1150465 #1150875 #1151508 #1151807 #1152033 #1152624 #1152665 #1152685 #1152696 #1152697 #1152788 #1152790 #1152791 #1153112 #1153158 #1153236 #1153263 #1153476 #1153509 #1153607 #1153646 #1153681 #1153713 #1153717 #1153718 #1153719 #1153811 #1153969 #1154108 #1154189 #1154242 #1154268 #1154354 #1154372 #1154521 #1154578 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737 #1154747 #1154848 #1154858 #1154905 #1154956 #1155061 #1155178 #1155179 #1155184 #1155186 #1155671 #802154 #814594 #919448 #987367 #998153 Cross-References: CVE-2018-12207 CVE-2019-10220 CVE-2019-11135 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16995 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Legacy Software 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that solves 10 vulnerabilities and has 117 fixes is now available. Description: The SUSE Linux Enterprise 15-SP1 kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788). The following non-security bugs were fixed: - 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510). - acpi: cppc: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510). - acpi: cppc: do not require the _PSD method (bsc#1051510). - acpi: processor: do not print errors for processorIDs == 0xff (bsc#1051510). - act_mirred: Fix mirred_init_module error handling (bsc#1051510). - alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510). - alsa: firewire-motu: add support for MOTU 4pre (bsc#1111666). - alsa: hda/hdmi: Do not report spurious jack state changes (bsc#1051510). - alsa: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510). - alsa: hda/realtek: Add support for ALC623 (bsc#1051510). - alsa: hda/realtek: Add support for ALC711 (bsc#1051510). - alsa: hda/realtek: Check beep whitelist before assigning in all codecs (bsc#1051510). - alsa: hda/realtek: Enable headset mic on Asus MJ401TA (bsc#1051510). - alsa: hda/realtek: Fix 2 front mics of codec 0x623 (bsc#1051510). - alsa: hda/realtek: Fix alienware headset mic (bsc#1051510). - alsa: hda/realtek: PCI quirk for Medion E4254 (bsc#1051510). - alsa: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510). - alsa: hda/sigmatel: remove unused variable 'stac9200_core_init' (bsc#1051510). - alsa: hda: Add Elkhart Lake PCI ID (bsc#1051510). - alsa: hda: Add Tigerlake/Jasperlake PCI ID (bsc#1051510). - alsa: hda: Add a quirk model for fixing Huawei Matebook X right speaker (bsc#1051510). - alsa: hda: Add laptop imic fixup for ASUS M9V laptop (bsc#1051510). - alsa: hda: Add support of Zhaoxin controller (bsc#1051510). - alsa: hda: Apply AMD controller workaround for Raven platform (bsc#1051510). 
- alsa: hda: Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510). - alsa: hda: Drop unsol event handler for Intel HDMI codecs (bsc#1051510). - alsa: hda: Expand pin_match function to match upcoming new tbls (bsc#1051510). - alsa: hda: Flush interrupts on disabling (bsc#1051510). - alsa: hda: Force runtime PM on Nvidia HDMI codecs (bsc#1051510). - alsa: hda: Inform too slow responses (bsc#1051510). - alsa: hda: Set fifo_size for both playback and capture streams (bsc#1051510). - alsa: hda: Show the fatal CORB/RIRB error more clearly (bsc#1051510). - alsa: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510). - alsa: line6: sizeof (byte) is always 1, use that fact (bsc#1051510). - alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510). - alsa: usb-audio: Add DSD support for EVGA NU Audio (bsc#1051510). - alsa: usb-audio: Add DSD support for Gustard U16/X26 USB Interface (bsc#1051510). - alsa: usb-audio: Add Hiby device family to quirks for native DSD support (bsc#1051510). - alsa: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510). - alsa: usb-audio: Clean up check_input_term() (bsc#1051510). - alsa: usb-audio: DSD auto-detection for Playback Designs (bsc#1051510). - alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510). - alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1111666). - alsa: usb-audio: Fix copy&paste error in the validator (bsc#1111666). - alsa: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk() (bsc#1051510). - alsa: usb-audio: More validations of descriptor units (bsc#1051510). - alsa: usb-audio: Remove superfluous bLength checks (bsc#1051510). - alsa: usb-audio: Simplify parse_audio_unit() (bsc#1051510). - alsa: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510). - alsa: usb-audio: Unify audioformat release code (bsc#1051510). 
- alsa: usb-audio: Unify the release of usb_mixer_elem_info objects (bsc#1051510).
- alsa: usb-audio: Update DSD support quirks for Oppo and Rotel (bsc#1051510).
- alsa: usb-audio: fix PCM device order (bsc#1051510).
- alsa: usb-audio: remove some dead code (bsc#1051510).
- appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30).
- asoc: Define a set of DAPM pre/post-up events (bsc#1051510).
- asoc: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510).
- asoc: intel: Fix use of potentially uninitialized variable (bsc#1051510).
- asoc: intel: nhlt: Fix debug print format (bsc#1051510).
- asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510).
- asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510).
- asoc: sgtl5000: Fix charge pump source assignment (bsc#1051510).
- auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510).
- ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- blk-wbt: abstract out end IO completion handler (bsc#1135873).
- blk-wbt: fix has-sleeper queueing check (bsc#1135873).
- blk-wbt: improve waking of tasks (bsc#1135873).
- blk-wbt: move disable check into get_limit() (bsc#1135873).
- blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873).
- block: add io timeout to sysfs (bsc#1148410).
- block: do not show io_timeout if driver has no timeout handler (bsc#1148410).
- bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510).
- bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323).
- bnxt_en: Add PCI IDs for 57500 series NPAR devices (bsc#1153607).
- bpf: fix use after free in prog symbol exposure (bsc#1083647).
- brcmfmac: sdio: Disable auto-tuning around commands expected to fail (bsc#1111666). - brcmfmac: sdio: Do not tune while the card is off (bsc#1111666). - bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15). - btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651). - btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607). - btrfs: bail out gracefully rather than BUG_ON (bsc#1153646). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510). - can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510). - cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15). - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510). - ceph: fix directories inode i_blkbits initialization (bsc#1153717). - ceph: reconnect connection if session hang in opening state (bsc#1153718). - ceph: update the mtime when truncating up (bsc#1153719). - cfg80211: Purge frame registrations on iftype change (bsc#1051510). - cfg80211: add and use strongly typed element iteration macros (bsc#1051510). - clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510). - clk: qoriq: Fix -Wunused-const-variable (bsc#1051510). - clk: sirf: Do not reference clk_init_data after registration (bsc#1051510). - clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510). 
- crypto: af_alg: Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg: Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg: consolidation of duplicate code (bsc#1154737). - crypto: af_alg: fix race accessing cipher request (bsc#1154737). - crypto: af_alg: remove locking in async callback (bsc#1154737). - crypto: af_alg: update correct dst SGL entry (bsc#1051510). - crypto: af_alg: wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif: return error code when no data was processed (bsc#1154737). - crypto: algif_aead: copy AAD from src to dst (bsc#1154737). - crypto: algif_aead: fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead: overhaul memory management (bsc#1154737). - crypto: algif_aead: skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher: overhaul memory management (bsc#1154737). - crypto: talitos: fix missing break in switch statement (bsc#1142635). - cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584). - cxgb4: do not dma memory off of the stack (bsc#1152790). - cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129). - cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129). - cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513). - cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - drm/amd/display: Restore backlight brightness after system resume (bsc#1112178) - drm/amd/display: fix issue where 252-255 values are clipped (bsc#1111666). - drm/amd/display: reprogram VM config when system resume (bsc#1111666). - drm/amd/display: support spdif (bsc#1111666). - drm/amd/dm: Understand why attaching path/tile properties are needed (bsc#1111666). - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510). 
- drm/amd/pp: Fix truncated clock value when set watermark (bsc#1111666). - drm/amdgpu/gfx9: Update gfx9 golden settings (bsc#1111666). - drm/amdgpu/si: fix ASIC tests (git-fixes). - drm/amdgpu: Check for valid number of registers to read (bsc#1051510). - drm/amdgpu: Fix KFD-related kernel oops on Hawaii (bsc#1111666). - drm/amdgpu: Update gc_9_0 golden settings (bsc#1111666). - drm/amdkfd: Add missing Polaris10 ID (bsc#1111666). - drm/ast: Fixed reboot test may cause system hanged (bsc#1051510). - drm/atomic_helper: Allow DPMS On<->Off changes for unregistered connectors (bsc#1111666). - drm/atomic_helper: Disallow new modesets on unregistered connectors (bsc#1111666). - drm/atomic_helper: Stop modesets on unregistered connectors harder (bsc#1111666). - drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510). - drm/bridge: tfp410: fix memleak in get_modes() (bsc#1111666). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). - drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gvt: update vgpu workload head pointer correctly (bsc#1112178) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Cleanup gt powerstate from gem (bsc#1111666). - drm/i915: Disable Secure Batches for gen6+ (bsc#1135967) - drm/i915: Fix intel_dp_mst_best_encoder() (bsc#1111666). - drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967) - drm/i915: Remove Master tables from cmdparser (bsc#1135967) - drm/i915: Rename gen7 cmdparser tables (bsc#1135967) - drm/i915: Restore sane defaults for KMS on GEM error load (bsc#1111666). 
- drm/i915: Support ro ppgtt mapped cmdparser shadow (bsc#1135967) - drm/mediatek: set DMA max segment size (bsc#1111666). - drm/msm/dsi: Fix return value check for clk_get_parent (bsc#1111666). - drm/msm/dsi: Implement reset correctly (bsc#1051510). - drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling (bsc#1111666). - drm/nouveau/kms/nv50-: Do not create MSTMs for eDP connectors (bsc#1112178) - drm/nouveau/volt: Fix for some cards having 0 maximum voltage (bsc#1111666). - drm/omap: fix max fclk divider for omap36xx (bsc#1111666). - drm/panel: check failure cases in the probe func (bsc#1111666). - drm/panel: make drm_panel.h self-contained (bsc#1111666). - drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510). - drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed (bsc#1111666). - drm/radeon: Fix EEH during kexec (bsc#1051510). - drm/rockchip: Check for fast link training before enabling psr (bsc#1111666). - drm/stm: attach gem fence to atomic state (bsc#1111666). - drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510). - drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510). - drm: Flush output polling on shutdown (bsc#1051510). - drm: add __user attribute to ptr_to_compat() (bsc#1111666). - drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC (bsc#1111666). - drm: rcar-du: lvds: Fix bridge_to_rcar_lvds (bsc#1111666). - e1000e: add workaround for possible stalled packet (bsc#1051510). - efi/arm: Show SMBIOS bank/device location in CPER and GHES error logs (bsc#1152033). - efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510). - efi: cper: print AER info of PCIe fatal error (bsc#1051510). - efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510). - firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes). 
- gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510). - hid: apple: Fix stuck function keys when using FN (bsc#1051510). - hid: fix error message in hid_open_report() (bsc#1051510). - hid: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510). - hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510). - hid: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510). - hid: prodikeys: Fix general protection fault during probe (bsc#1051510). - hid: sony: Fix memory corruption issue on cleanup (bsc#1051510). - hso: fix NULL-deref on tty open (bsc#1051510). - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510). - hwrng: core: do not wait on add_early_randomness() (git-fixes). - hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). - i2c: riic: Clear NACK in tend isr (bsc#1051510). - ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154108) - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ib/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449). - ib/mlx5: Consolidate use_umr checks into single function (bsc#1093205). - ib/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205). - ib/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305). - ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510). - ieee802154: ca8210: prevent memory leak (bsc#1051510). - ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - iio: adc: ad799x: fix probe error handling (bsc#1051510). - iio: light: opt3001: fix mutex unlock race (bsc#1051510). - ima: always return negative code for error (bsc#1051510). - input: da9063: fix capability and drop KEY_SLEEP (bsc#1051510). - input: synaptics-rmi4: avoid processing unknown IRQs (bsc#1051510). 
- integrity: prevent deadlock during digsig verification (bsc#1090631). - iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799). - iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608). - iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799). - iommu/amd: Remove domain->updated (bsc#1154610). - iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611). - ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510). - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15). - ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05). - ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05). - iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init (bsc#1111666). - ixgbe: Fix secpath usage for IPsec TX offload (bsc#1113994 bsc#1151807). - ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674). - ixgbe: sync the first fragment unconditionally (bsc#1133140). - kABI workaround for crypto/af_alg changes (bsc#1154737). - kABI workaround for drm_connector.registered type changes (bsc#1111666). - kABI workaround for mmc_host retune_crc_disable flag addition (bsc#1111666). - kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510). - kabi/severities: Whitelist functions internal to radix mm. To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code. - kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - kernel-binary.spec.in: Fix build of non-modular kernels (boo#1154578). - kernel-binary.spec.in: Obsolete kgraft packages only when not building them. - kernel-binary: Drop .kernel-binary.spec.buildenv (boo#1154578). 
  Without this patch, /usr/src/linux-@VERSION@-@RELEASE_SHORT@-obj/x86_64/vanilla/.kernel-binary.spec.buildenv contained rpm %_smp_mflags in a line like
  export MAKE_ARGS=" --output-sync -j4"
  This made it hard to produce bit-identical builds.
- kernel-binary: check also bzImage on s390/s390x
  Starting with 4.19-rc1, uncompressed image is no longer built on s390x. If file "image" is not found in arch/s390/boot after the build, try bzImage instead. For now, install bzImage under the name image-* until we know grub2 and our grub2 scripts can handle correct name.
- kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354).
  It is not strictly necessary to uncompress it so maybe the ghost file can be 0 size in this case.
- kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875).
- ksm: cleanup stable_node chain collapse case (bnc#1144338).
- ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338).
- ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338).
- ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338).
- ksm: swap the two output parameters of chain/chain_prune (bnc#1144338).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: mmu: drop vcpu param in gpte_access (bsc#1117665).
- kvm: ppc: book3s hv: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665). - lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510). - libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510). - libnvdimm/security: provide fix for secure-erase to use zero-key (bsc#1149853). - lpfc: Add FA-WWN Async Event reporting (bsc#1154521). - lpfc: Add FC-AL support to lpe32000 models (bsc#1154521). - lpfc: Add additional discovery log messages (bsc#1154521). - lpfc: Add log macros to allow print by serverity or verbocity setting (bsc#1154521). - lpfc: Fix SLI3 hba in loop mode not discovering devices (bsc#1154521). - lpfc: Fix bad ndlp ptr in xri aborted handling (bsc#1154521). - lpfc: Fix hardlockup in lpfc_abort_handler (bsc#1154521). - lpfc: Fix lockdep errors in sli_ringtx_put (bsc#1154521). - lpfc: Fix reporting of read-only fw error errors (bsc#1154521). - lpfc: Make FW logging dynamically configurable (bsc#1154521). - lpfc: Remove lock contention target write path (bsc#1154521). - lpfc: Revise interrupt coalescing for missing scenarios (bsc#1154521). - lpfc: Slight fast-path Performance optimizations (bsc#1154521). - lpfc: Update lpfc version to 12.6.0.0 (bsc#1154521). - lpfc: fix coverity error of dereference after null check (bsc#1154521). - lpfc: fix lpfc_nvmet_mrq to be bound by hdw queue count (bsc#1154521). - mac80211: Reject malformed SSID elements (bsc#1051510). - mac80211: accept deauth frames in IBSS mode (bsc#1051510). - mac80211: fix txq null pointer dereference (bsc#1051510). - macsec: drop skb sk before calling gro_cells_receive (bsc#1051510). - md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090). - md/raid0: fix warning message for parameter default_layout (bsc#1140090). - media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642). - media: cpia2_usb: fix memory leaks (bsc#1051510). - media: dvb-core: fix a memory leak bug (bsc#1051510). - media: exynos4-is: fix leaked of_node references (bsc#1051510). 
- media: gspca: zero usb_buf on error (bsc#1051510). - media: hdpvr: Add device num check and handling (bsc#1051510). - media: hdpvr: add terminating 0 at end of string (bsc#1051510). - media: i2c: ov5645: Fix power sequence (bsc#1051510). - media: iguanair: add sanity checks (bsc#1051510). - media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510). - media: omap3isp: Set device on omap3isp subdevs (bsc#1051510). - media: ov9650: add a sanity check (bsc#1051510). - media: radio/si470x: kill urb on error (bsc#1051510). - media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510). - media: saa7146: add cleanup in hexium_attach() (bsc#1051510). - media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510). - media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510). - media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510). - memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510). - mfd: intel-lpss: Remove D3cold delay (bsc#1051510). - misdn: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05). - mmc: core: API to temporarily disable retuning for SDIO CRC errors (bsc#1111666). - mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() (bsc#1111666). - mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510). - mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510). - mmc: sdhci: improve ADMA error reporting (bsc#1051510). - net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes). - net/mlx4_en: fix a memory leak bug (bsc#1046299). - net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303 ). - net/mlx5: Fix error handling in mlx5_load() (bsc#1046305 ). - net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30). 
- net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05). - net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848). - net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848). - net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30). - net: Fix null de-reference of device refcount (networking-stable-19_09_15). - net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612). - net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05). - net: fix skb use after free in netpoll (networking-stable-19_09_05). - net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15). - net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes). - net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05). - net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30). - net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05). - net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05). - net_sched: add policy validation for action attributes (networking-stable-19_09_30). - net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes). - netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612). - nfc: fix attrs checks in netlink interface (bsc#1051510). - nfc: fix memory leak in llcp_sock_bind() (bsc#1051510). - nfc: pn533: fix use-after-free and memleaks (bsc#1051510). - nfsv4.1: backchannel request should hold ref on xprt (bsc#1152624). - nl80211: fix null pointer dereference (bsc#1051510). - objtool: Clobber user CFLAGS variable (bsc#1153236). - openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30). - packaging: add support for riscv64 - pci: Correct pci=resource_alignment parameter example (bsc#1051510). 
- pci: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092). - pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263). - pci: pm: Fix pci_power_up() (bsc#1051510). - pinctrl: cherryview: restore Strago DMI workaround for all versions (bsc#1111666). - pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510). - platform/x86: classmate-laptop: remove unused variable (bsc#1051510). - platform/x86: i2c-multi-instantiate: Derive the device name from parent (bsc#1111666). - platform/x86: i2c-multi-instantiate: Fail the probe if no IRQ provided (bsc#1111666). - platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510). - power: supply: sysfs: ratelimit property read error message (bsc#1051510). - powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186). - powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186). - powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186). - powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186). - powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186). - powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186). - powerpc/mm/radix: mark as __tlbie_pid() and friends as__always_inline (bsc#1055186). - powerpc/mm: Properly invalidate when setting process table base (bsc#1055186). - powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186). - powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778). - powerpc/pseries: Remove confusing warning message (bsc#1109158). - powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778). - powerplay: Respect units on max dcfclk watermark (bsc#1111666). - qed: iwarp: Fix default window size to be based on chip (bsc#1050536 bsc#1050545). - qed: iwarp: Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545). 
- qed: iwarp: Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545). - qed: iwarp: fix uninitialized callback (bsc#1050536 bsc#1050545). - qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05). - r8152: Set macpassthru in reset_resume callback (bsc#1051510). - rdma/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244). - rdma/hns: Add reset process for function-clear (bsc#1155061). - rdma/hns: Remove the some magic number (bsc#1155061). - rdma: Fix goto target to release the allocated memory (bsc#1050244). - rds: Fix warning (bsc#1154848). - rpm/config.sh: Enable livepatch. - rpm/constraints.in: lower disk space required for ARM With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB. - rpm/dtb.spec.in.in: do not make dtb directory inaccessible There is no reason to lock down the dtb directory for ordinary users. - rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo. - rpm/kernel-binary.spec.in: build kernel-*-kgraft only for default SLE kernel RT and Azure variants are excluded for the moment. (bsc#1141600) - rpm/kernel-binary.spec.in: handle modules.builtin.modinfo It was added in 5.2. - rpm/kernel-binary.spec.in: support partial rt debug config. - rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119). - rpm/macros.kernel-source: KMPs should depend on kmod-compat to build. kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE. - rpm/mkspec: Correct tarball URL for rc kernels. - rpm/mkspec: Make building DTBs optional. - rpm/modflist: Simplify compression support. - rpm: raise required disk space for binary packages Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. 
The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x. - rpm: support compressed modules Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko". - rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635). - s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476). - s390/cpumsf: Check for CPU Measurement sampling (bsc#1153681 LTC#181855). - s390/crypto: fix gcm-aes-s390 selftest failures (bsc#1137861 LTC#178091). - s390/pci: add mio_enabled attribute (bsc#1152665 LTC#181729). - s390/pci: correctly handle MIO opt-out (bsc#1152665 LTC#181729). - s390/pci: deal with devices that have no support for MIO instructions (bsc#1152665 LTC#181729). - s390/pci: fix MSI message data (bsc#1152697 LTC#181730). - s390: add support for IBM z15 machines (bsc#1152696 LTC#181731). - s390: fix setting of mio addressing control (bsc#1152665 LTC#181729). - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05). - sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05). - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15). - sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30). - sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254). - scripts/arch-symbols: add missing link. - scsi: lpfc: Check queue pointer before use (bsc#1154242). - scsi: lpfc: Complete removal of FCoE T10 PI support on SLI-4 adapters (bsc#1154521). - scsi: lpfc: Convert existing %pf users to %ps (bsc#1154521). - scsi: lpfc: Fix GPF on scsi command completion (bsc#1154521). - scsi: lpfc: Fix NVME io abort failures causing hangs (bsc#1154521). 
- scsi: lpfc: Fix NVMe ABTS in response to receiving an ABTS (bsc#1154521). - scsi: lpfc: Fix coverity errors on NULL pointer checks (bsc#1154521). - scsi: lpfc: Fix device recovery errors after PLOGI failures (bsc#1154521). - scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040). - scsi: lpfc: Fix discovery failures when target device connectivity bounces (bsc#1154521). - scsi: lpfc: Fix hdwq sgl locks and irq handling (bsc#1154521). - scsi: lpfc: Fix host hang at boot or slow boot (bsc#1154521). - scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq (bsc#1154521). - scsi: lpfc: Fix list corruption in lpfc_sli_get_iocbq (bsc#1154521). - scsi: lpfc: Fix locking on mailbox command completion (bsc#1154521). - scsi: lpfc: Fix miss of register read failure check (bsc#1154521). - scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845). - scsi: lpfc: Fix premature re-enabling of interrupts in lpfc_sli_host_down (bsc#1154521). - scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883). - scsi: lpfc: Fix pt2pt discovery on SLI3 HBAs (bsc#1154521). - scsi: lpfc: Fix rpi release when deleting vport (bsc#1154521). - scsi: lpfc: Fix spinlock_irq issues in lpfc_els_flush_cmd() (bsc#1154521). - scsi: lpfc: Make function lpfc_defer_pt2pt_acc static (bsc#1154521). - scsi: lpfc: Remove bg debugfs buffers (bsc#1144375). - scsi: lpfc: Update async event logging (bsc#1154521). - scsi: lpfc: Update lpfc version to 12.4.0.1 (bsc#1154521). - scsi: lpfc: cleanup: remove unused fcp_txcmlpq_cnt (bsc#1154521). - scsi: lpfc: remove left-over BUILD_NVME defines (bsc#1154268). - scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291). - scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291). - scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034). 
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Remove WARN_ON_ONCE in qla2x00_status_cont_entry() (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034). - scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729). - scsi: zfcp: fix reaction on bit error threshold notification (bsc#1154956 LTC#182054). - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15). - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15). - skge: fix checksum byte order (networking-stable-19_09_30). - sock_diag: fix autoloading of the raw_diag module (bsc#1152791). - sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791). - staging: bcm2835-audio: Fix draining behavior regression (bsc#1111666). - staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510). - staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510). - supporte.conf: add efivarfs to kernel-default-base (bsc#1154858).
- tcp: Do not dequeue SYN/FIN-segments from write-queue (git-gixes). - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15). - tcp: inherit timestamp on mtu probe (networking-stable-19_09_05). - tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05). - thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510). - thermal_hwmon: Sanitize thermal_zone type (bsc#1051510). - tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15). - tipc: fix unlimited bundling of small messages (networking-stable-19_10_05). - tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508). - tun: fix use-after-free when register netdev failed (networking-stable-19_09_15). - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099). - usb: adutux: fix NULL-derefs on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on disconnect (bsc#1142635). - usb: adutux: fix use-after-free on release (bsc#1051510). - usb: chaoskey: fix use-after-free on release (bsc#1051510). - usb: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510). - usb: iowarrior: fix use-after-free after driver unbind (bsc#1051510). - usb: iowarrior: fix use-after-free on disconnect (bsc#1051510). - usb: iowarrior: fix use-after-free on release (bsc#1051510). - usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510). - usb: ldusb: fix memleak on disconnect (bsc#1051510). - usb: ldusb: fix read info leaks (bsc#1051510). - usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510). - usb: legousbtower: fix deadlock on disconnect (bsc#1142635). - usb: legousbtower: fix memleak on disconnect (bsc#1051510). - usb: legousbtower: fix open after failed reset request (bsc#1142635). - usb: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635). - usb: legousbtower: fix slab info leak at probe (bsc#1142635). 
- usb: legousbtower: fix use-after-free on release (bsc#1051510). - usb: microtek: fix info-leak at probe (bsc#1142635). - usb: serial: fix runtime PM after driver unbind (bsc#1051510). - usb: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510). - usb: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510). - usb: serial: option: add Telit FN980 compositions (bsc#1051510). - usb: serial: option: add support for Cinterion CLS8 devices (bsc#1051510). - usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510). - usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510). - usb: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510). - usb: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510). - usb: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510). - usb: usblcd: fix I/O after disconnect (bsc#1142635). - usb: usblp: fix runtime PM after driver unbind (bsc#1051510). - usb: usblp: fix use-after-free on disconnect (bsc#1051510). - usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510). - usb: yurex: Do not retry on unexpected errors (bsc#1051510). - usb: yurex: fix NULL-derefs on disconnect (bsc#1051510). - usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510). - usbnet: sanity checking of packet sizes and device mtu (bsc#1051510). - vfio_pci: Restore original state on release (bsc#1051510). - vhost_net: conditionally enable tx polling (bsc#1145099). - video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510). - vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05). - watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510). - x86/asm: Fix MWAITX C-state hint value (bsc#1114279). - x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969). - x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969). 
- x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279). - xen/netback: fix error path of xenvif_connect_data() (bsc#1065600). - xen/pv: Fix Xen PV guest int3 handling (bsc#1153811). - xhci: Check all endpoints for LPM timeout (bsc#1051510). - xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510). - xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510). - xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-2947=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2947=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2019-2947=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2019-2947=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2947=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2947=1 - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2019-2947=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): kernel-default-debuginfo-4.12.14-197.26.1 kernel-default-debugsource-4.12.14-197.26.1 kernel-default-extra-4.12.14-197.26.1 kernel-default-extra-debuginfo-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 
ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-197.26.1 kernel-default-debugsource-4.12.14-197.26.1 kernel-obs-qa-4.12.14-197.26.1 kernel-vanilla-4.12.14-197.26.1 kernel-vanilla-base-4.12.14-197.26.1 kernel-vanilla-base-debuginfo-4.12.14-197.26.1 kernel-vanilla-debuginfo-4.12.14-197.26.1 kernel-vanilla-debugsource-4.12.14-197.26.1 kernel-vanilla-devel-4.12.14-197.26.1 kernel-vanilla-devel-debuginfo-4.12.14-197.26.1 kernel-vanilla-livepatch-devel-4.12.14-197.26.1 kselftests-kmp-default-4.12.14-197.26.1 kselftests-kmp-default-debuginfo-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le x86_64): kernel-debug-4.12.14-197.26.1 kernel-debug-base-4.12.14-197.26.1 kernel-debug-base-debuginfo-4.12.14-197.26.1 kernel-debug-debuginfo-4.12.14-197.26.1 kernel-debug-debugsource-4.12.14-197.26.1 kernel-debug-devel-4.12.14-197.26.1 kernel-debug-devel-debuginfo-4.12.14-197.26.1 kernel-debug-livepatch-devel-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x): kernel-default-livepatch-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): kernel-docs-html-4.12.14-197.26.1 kernel-source-vanilla-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): kernel-kvmsmall-4.12.14-197.26.1 kernel-kvmsmall-base-4.12.14-197.26.1 kernel-kvmsmall-base-debuginfo-4.12.14-197.26.1 kernel-kvmsmall-debuginfo-4.12.14-197.26.1 kernel-kvmsmall-debugsource-4.12.14-197.26.1 kernel-kvmsmall-devel-4.12.14-197.26.1 kernel-kvmsmall-devel-debuginfo-4.12.14-197.26.1 kernel-kvmsmall-livepatch-devel-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x): kernel-zfcpdump-debuginfo-4.12.14-197.26.1 kernel-zfcpdump-debugsource-4.12.14-197.26.1 kernel-zfcpdump-man-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): 
kernel-default-debuginfo-4.12.14-197.26.1 kernel-default-debugsource-4.12.14-197.26.1 kernel-default-livepatch-4.12.14-197.26.1 kernel-default-livepatch-devel-4.12.14-197.26.1 kernel-livepatch-4_12_14-197_26-default-1-3.5.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-197.26.1 kernel-default-debugsource-4.12.14-197.26.1 reiserfs-kmp-default-4.12.14-197.26.1 reiserfs-kmp-default-debuginfo-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-197.26.1 kernel-obs-build-debugsource-4.12.14-197.26.1 kernel-syms-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): kernel-docs-4.12.14-197.26.1 kernel-source-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-197.26.1 kernel-default-base-4.12.14-197.26.1 kernel-default-base-debuginfo-4.12.14-197.26.1 kernel-default-debuginfo-4.12.14-197.26.1 kernel-default-debugsource-4.12.14-197.26.1 kernel-default-devel-4.12.14-197.26.1 kernel-default-devel-debuginfo-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): kernel-devel-4.12.14-197.26.1 kernel-macros-4.12.14-197.26.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x): kernel-default-man-4.12.14-197.26.1 kernel-zfcpdump-4.12.14-197.26.1 kernel-zfcpdump-debuginfo-4.12.14-197.26.1 kernel-zfcpdump-debugsource-4.12.14-197.26.1 - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-197.26.1 cluster-md-kmp-default-debuginfo-4.12.14-197.26.1 dlm-kmp-default-4.12.14-197.26.1 dlm-kmp-default-debuginfo-4.12.14-197.26.1 gfs2-kmp-default-4.12.14-197.26.1 gfs2-kmp-default-debuginfo-4.12.14-197.26.1 kernel-default-debuginfo-4.12.14-197.26.1 kernel-default-debugsource-4.12.14-197.26.1 ocfs2-kmp-default-4.12.14-197.26.1 
ocfs2-kmp-default-debuginfo-4.12.14-197.26.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://bugzilla.suse.com/1046299 https://bugzilla.suse.com/1046303 https://bugzilla.suse.com/1046305 https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1050536 https://bugzilla.suse.com/1050545 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1055186 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1064802 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1066129 https://bugzilla.suse.com/1073513 https://bugzilla.suse.com/1082635 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1086323 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089644 https://bugzilla.suse.com/1090631 https://bugzilla.suse.com/1093205 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1097583 https://bugzilla.suse.com/1097584 https://bugzilla.suse.com/1097585 https://bugzilla.suse.com/1097586 https://bugzilla.suse.com/1097587 https://bugzilla.suse.com/1097588 https://bugzilla.suse.com/1098291 https://bugzilla.suse.com/1101674 https://bugzilla.suse.com/1109158 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1113994 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1119461 https://bugzilla.suse.com/1119465 https://bugzilla.suse.com/1123034 https://bugzilla.suse.com/1123080 https://bugzilla.suse.com/1133140 https://bugzilla.suse.com/1134303 
https://bugzilla.suse.com/1135642 https://bugzilla.suse.com/1135854 https://bugzilla.suse.com/1135873 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137040 https://bugzilla.suse.com/1137799 https://bugzilla.suse.com/1137861 https://bugzilla.suse.com/1138190 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1140090 https://bugzilla.suse.com/1140729 https://bugzilla.suse.com/1140845 https://bugzilla.suse.com/1140883 https://bugzilla.suse.com/1141600 https://bugzilla.suse.com/1142635 https://bugzilla.suse.com/1142667 https://bugzilla.suse.com/1143706 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144375 https://bugzilla.suse.com/1144449 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145099 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1148410 https://bugzilla.suse.com/1149119 https://bugzilla.suse.com/1149853 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150875 https://bugzilla.suse.com/1151508 https://bugzilla.suse.com/1151807 https://bugzilla.suse.com/1152033 https://bugzilla.suse.com/1152624 https://bugzilla.suse.com/1152665 https://bugzilla.suse.com/1152685 https://bugzilla.suse.com/1152696 https://bugzilla.suse.com/1152697 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1152790 https://bugzilla.suse.com/1152791 https://bugzilla.suse.com/1153112 https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1153236 https://bugzilla.suse.com/1153263 https://bugzilla.suse.com/1153476 https://bugzilla.suse.com/1153509 https://bugzilla.suse.com/1153607 https://bugzilla.suse.com/1153646 https://bugzilla.suse.com/1153681 https://bugzilla.suse.com/1153713 https://bugzilla.suse.com/1153717 https://bugzilla.suse.com/1153718 https://bugzilla.suse.com/1153719 https://bugzilla.suse.com/1153811 https://bugzilla.suse.com/1153969 https://bugzilla.suse.com/1154108 https://bugzilla.suse.com/1154189 
https://bugzilla.suse.com/1154242 https://bugzilla.suse.com/1154268 https://bugzilla.suse.com/1154354 https://bugzilla.suse.com/1154372 https://bugzilla.suse.com/1154521 https://bugzilla.suse.com/1154578 https://bugzilla.suse.com/1154607 https://bugzilla.suse.com/1154608 https://bugzilla.suse.com/1154610 https://bugzilla.suse.com/1154611 https://bugzilla.suse.com/1154651 https://bugzilla.suse.com/1154737 https://bugzilla.suse.com/1154747 https://bugzilla.suse.com/1154848 https://bugzilla.suse.com/1154858 https://bugzilla.suse.com/1154905 https://bugzilla.suse.com/1154956 https://bugzilla.suse.com/1155061 https://bugzilla.suse.com/1155178 https://bugzilla.suse.com/1155179 https://bugzilla.suse.com/1155184 https://bugzilla.suse.com/1155186 https://bugzilla.suse.com/1155671 https://bugzilla.suse.com/802154 https://bugzilla.suse.com/814594 https://bugzilla.suse.com/919448 https://bugzilla.suse.com/987367 https://bugzilla.suse.com/998153 From sle-security-updates at lists.suse.com Tue Nov 12 18:34:05 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:34:05 +0100 (CET) Subject: SUSE-SU-2019:2950-1: important: Security update for the Linux Kernel Message-ID: <20191113013405.C51C7F79E@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2950-1 Rating: important References: #1117665 #1123959 #1137586 #1137865 #1137944 #1139073 #1139751 #1142857 #1144903 #1145477 #1145922 #1146042 #1146163 #1146285 #1146361 #1146378 #1146391 #1146413 #1146425 #1146512 #1146514 #1146516 #1146519 #1146524 #1146526 #1146529 #1146540 #1146543 #1146547 #1146584 #1146612 #1147122 #1148938 #1149376 #1149522 #1149527 #1149555 #1150025 #1150112 #1150452 #1150457 #1150465 #1151347 #1151350 #1152782 #1152788 #1153119 #1155671 #999278 Cross-References: CVE-2016-10906 CVE-2017-18509 CVE-2017-18551 
CVE-2017-18595 CVE-2018-12207 CVE-2018-20976 CVE-2019-10207 CVE-2019-10220 CVE-2019-11135 CVE-2019-11477 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-14821 CVE-2019-14835 CVE-2019-15098 CVE-2019-15118 CVE-2019-15212 CVE-2019-15215 CVE-2019-15216 CVE-2019-15217 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15290 CVE-2019-15291 CVE-2019-15505 CVE-2019-15807 CVE-2019-15902 CVE-2019-15926 CVE-2019-15927 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16413 CVE-2019-17055 CVE-2019-17056 CVE-2019-9456 CVE-2019-9506
Affected Products:
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP1-LTSS
  SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________
An update that solves 40 vulnerabilities and has 9 fixes is now available.
Description:
The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel KVM hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW).
  The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly, which caused an i_size_read() infinite loop and denial of service on SMP systems (bnc#1151347).
- CVE-2019-15902: A backporting issue was discovered that re-introduced the Spectre vulnerability it had aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused by a malicious USB device (bnc#11465).
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused to cause denial of service (bnc#1148938).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM hypervisor. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2019-15505: An out-of-bounds issue was fixed that could be caused by crafted USB device traffic (bnc#1147122).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed (bnc#1149555).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost functionality that translates virtqueue buffers to IOVs. A privileged guest user able to pass descriptors with invalid length to the host could use this flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-15216: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146361).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been fixed. This issue could lead to local escalation of privilege with System execution privileges needed. (bnc#1150025).
- CVE-2019-15926: An out-of-bounds access was fixed in the drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer module (bnc#1149522).
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by a malicious USB device (bnc#1146524).
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a malicious USB device (bnc#1146526).
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146529).
- CVE-2019-14814: A heap-based buffer overflow was fixed in the Marvell wifi chip driver. That issue allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed (bsc#1146512, bsc#1146514, bsc#1146516).
- CVE-2019-14816: A heap-based buffer overflow in the Marvell wifi chip driver was fixed. Local users could have abused this issue to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).
- CVE-2017-18509: An issue in net/ipv6 was fixed.
By setting a specific socket option, an attacker could control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. (bnc#1145477)
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka "KNOB") that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865).
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was fixed (bnc#1146378).
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe was fixed (bsc#1146378).
- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver (bnc#1146391).
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc (bnc#1146584).
- CVE-2019-15217: A NULL pointer dereference issue caused by a malicious USB device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device was fixed in the drivers/media/usb/siano driver (bnc#1146413).
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver (bnc#1146285).
- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver (bnc#1146163).
- CVE-2019-10207: Add checks for missing tty operations to prevent an unprivileged user from executing the 0x0 address (bsc#1142857 bsc#1123959)
- CVE-2019-15118: ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term leading to kernel stack exhaustion (bsc#1145922).
The following non-security bugs were fixed:

- array_index_nospec: Sanitize speculative array (bsc#1155671)
- hpsa: move lockup_detected attribute to host attr (bsc#999278, bsc#1153119).
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: MMU: drop read-only large sptes when creating lower level sptes (bsc#1117665).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- media: smsusb: better handle optional alignment (bsc#1146413).
- mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() (bsc#1137944).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- tcp: Be more careful in tcp_fragment() (bsc#1137586 bsc#1139751).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2950=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2950=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2019-2950=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): kernel-default-3.12.74-60.64.124.1 kernel-default-base-3.12.74-60.64.124.1 kernel-default-base-debuginfo-3.12.74-60.64.124.1 kernel-default-debuginfo-3.12.74-60.64.124.1 kernel-default-debugsource-3.12.74-60.64.124.1 kernel-default-devel-3.12.74-60.64.124.1 kernel-syms-3.12.74-60.64.124.1 kernel-xen-3.12.74-60.64.124.1 kernel-xen-base-3.12.74-60.64.124.1 kernel-xen-base-debuginfo-3.12.74-60.64.124.1 kernel-xen-debuginfo-3.12.74-60.64.124.1 kernel-xen-debugsource-3.12.74-60.64.124.1 kernel-xen-devel-3.12.74-60.64.124.1 kgraft-patch-3_12_74-60_64_124-default-1-2.3.1 kgraft-patch-3_12_74-60_64_124-xen-1-2.3.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): kernel-devel-3.12.74-60.64.124.1 kernel-macros-3.12.74-60.64.124.1 kernel-source-3.12.74-60.64.124.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): kernel-default-3.12.74-60.64.124.1 kernel-default-base-3.12.74-60.64.124.1 kernel-default-base-debuginfo-3.12.74-60.64.124.1 kernel-default-debuginfo-3.12.74-60.64.124.1 kernel-default-debugsource-3.12.74-60.64.124.1 kernel-default-devel-3.12.74-60.64.124.1 kernel-syms-3.12.74-60.64.124.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): kernel-devel-3.12.74-60.64.124.1 kernel-macros-3.12.74-60.64.124.1 kernel-source-3.12.74-60.64.124.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): kernel-xen-3.12.74-60.64.124.1 kernel-xen-base-3.12.74-60.64.124.1 kernel-xen-base-debuginfo-3.12.74-60.64.124.1 kernel-xen-debuginfo-3.12.74-60.64.124.1 kernel-xen-debugsource-3.12.74-60.64.124.1 
kernel-xen-devel-3.12.74-60.64.124.1 kgraft-patch-3_12_74-60_64_124-default-1-2.3.1 kgraft-patch-3_12_74-60_64_124-xen-1-2.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x): kernel-default-man-3.12.74-60.64.124.1 - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64): kernel-ec2-3.12.74-60.64.124.1 kernel-ec2-debuginfo-3.12.74-60.64.124.1 kernel-ec2-debugsource-3.12.74-60.64.124.1 kernel-ec2-devel-3.12.74-60.64.124.1 kernel-ec2-extra-3.12.74-60.64.124.1 kernel-ec2-extra-debuginfo-3.12.74-60.64.124.1 References: https://www.suse.com/security/cve/CVE-2016-10906.html https://www.suse.com/security/cve/CVE-2017-18509.html https://www.suse.com/security/cve/CVE-2017-18551.html https://www.suse.com/security/cve/CVE-2017-18595.html https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2018-20976.html https://www.suse.com/security/cve/CVE-2019-10207.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11477.html https://www.suse.com/security/cve/CVE-2019-14814.html https://www.suse.com/security/cve/CVE-2019-14815.html https://www.suse.com/security/cve/CVE-2019-14816.html https://www.suse.com/security/cve/CVE-2019-14821.html https://www.suse.com/security/cve/CVE-2019-14835.html https://www.suse.com/security/cve/CVE-2019-15098.html https://www.suse.com/security/cve/CVE-2019-15118.html https://www.suse.com/security/cve/CVE-2019-15212.html https://www.suse.com/security/cve/CVE-2019-15215.html https://www.suse.com/security/cve/CVE-2019-15216.html https://www.suse.com/security/cve/CVE-2019-15217.html https://www.suse.com/security/cve/CVE-2019-15218.html https://www.suse.com/security/cve/CVE-2019-15219.html https://www.suse.com/security/cve/CVE-2019-15220.html https://www.suse.com/security/cve/CVE-2019-15221.html https://www.suse.com/security/cve/CVE-2019-15290.html https://www.suse.com/security/cve/CVE-2019-15291.html 
https://www.suse.com/security/cve/CVE-2019-15505.html https://www.suse.com/security/cve/CVE-2019-15807.html https://www.suse.com/security/cve/CVE-2019-15902.html https://www.suse.com/security/cve/CVE-2019-15926.html https://www.suse.com/security/cve/CVE-2019-15927.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16413.html https://www.suse.com/security/cve/CVE-2019-17055.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-9456.html https://www.suse.com/security/cve/CVE-2019-9506.html https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1123959 https://bugzilla.suse.com/1137586 https://bugzilla.suse.com/1137865 https://bugzilla.suse.com/1137944 https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1139751 https://bugzilla.suse.com/1142857 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145477 https://bugzilla.suse.com/1145922 https://bugzilla.suse.com/1146042 https://bugzilla.suse.com/1146163 https://bugzilla.suse.com/1146285 https://bugzilla.suse.com/1146361 https://bugzilla.suse.com/1146378 https://bugzilla.suse.com/1146391 https://bugzilla.suse.com/1146413 https://bugzilla.suse.com/1146425 https://bugzilla.suse.com/1146512 https://bugzilla.suse.com/1146514 https://bugzilla.suse.com/1146516 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146524 https://bugzilla.suse.com/1146526 https://bugzilla.suse.com/1146529 https://bugzilla.suse.com/1146540 https://bugzilla.suse.com/1146543 https://bugzilla.suse.com/1146547 https://bugzilla.suse.com/1146584 https://bugzilla.suse.com/1146612 https://bugzilla.suse.com/1147122 https://bugzilla.suse.com/1148938 https://bugzilla.suse.com/1149376 https://bugzilla.suse.com/1149522 https://bugzilla.suse.com/1149527 https://bugzilla.suse.com/1149555 https://bugzilla.suse.com/1150025 
https://bugzilla.suse.com/1150112 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1151347 https://bugzilla.suse.com/1151350 https://bugzilla.suse.com/1152782 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1153119 https://bugzilla.suse.com/1155671 https://bugzilla.suse.com/999278 From sle-security-updates at lists.suse.com Tue Nov 12 18:40:42 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:40:42 +0100 (CET) Subject: SUSE-SU-2019:2954-1: important: Security update for qemu Message-ID: <20191113014042.4ED2CF79E@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2954-1 Rating: important References: #1119991 #1146873 #1152506 #1155812 Cross-References: CVE-2018-12207 CVE-2018-20126 CVE-2019-11135 CVE-2019-12068 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for qemu fixes the following issues: - Patch queue updated from https://gitlab.suse.de/virtualization/qemu.git SLE15 - Fix use-after-free in slirp (CVE-2018-20126 bsc#1119991) - Fix potential DOS in lsi scsi controller emulation (CVE-2019-12068 bsc#1146873) - Expose taa-no "feature", indicating CPU does not have the TSX Async Abort vulnerability. 
(CVE-2019-11135 bsc#1152506) - Expose pschange-mc-no "feature", indicating CPU does not have the page size change machine check vulnerability (CVE-2018-12207 bsc#1155812) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2954=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2954=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2954=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): qemu-2.11.2-9.33.1 qemu-block-curl-2.11.2-9.33.1 qemu-block-curl-debuginfo-2.11.2-9.33.1 qemu-block-iscsi-2.11.2-9.33.1 qemu-block-iscsi-debuginfo-2.11.2-9.33.1 qemu-block-rbd-2.11.2-9.33.1 qemu-block-rbd-debuginfo-2.11.2-9.33.1 qemu-block-ssh-2.11.2-9.33.1 qemu-block-ssh-debuginfo-2.11.2-9.33.1 qemu-debuginfo-2.11.2-9.33.1 qemu-debugsource-2.11.2-9.33.1 qemu-guest-agent-2.11.2-9.33.1 qemu-guest-agent-debuginfo-2.11.2-9.33.1 qemu-lang-2.11.2-9.33.1 - SUSE Linux Enterprise Module for Server Applications 15 (s390x x86_64): qemu-kvm-2.11.2-9.33.1 - SUSE Linux Enterprise Module for Server Applications 15 (aarch64): qemu-arm-2.11.2-9.33.1 qemu-arm-debuginfo-2.11.2-9.33.1 - SUSE Linux Enterprise Module for Server Applications 15 (ppc64le): qemu-ppc-2.11.2-9.33.1 qemu-ppc-debuginfo-2.11.2-9.33.1 - SUSE Linux Enterprise Module for Server Applications 15 (x86_64): qemu-x86-2.11.2-9.33.1 qemu-x86-debuginfo-2.11.2-9.33.1 - SUSE Linux Enterprise Module for Server Applications 15 (noarch): qemu-ipxe-1.0.0+-9.33.1 qemu-seabios-1.11.0-9.33.1 qemu-sgabios-8-9.33.1 qemu-vgabios-1.11.0-9.33.1 - SUSE Linux Enterprise Module for 
Server Applications 15 (s390x): qemu-s390-2.11.2-9.33.1 qemu-s390-debuginfo-2.11.2-9.33.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): qemu-block-dmg-2.11.2-9.33.1 qemu-block-dmg-debuginfo-2.11.2-9.33.1 qemu-debuginfo-2.11.2-9.33.1 qemu-debugsource-2.11.2-9.33.1 qemu-extra-2.11.2-9.33.1 qemu-extra-debuginfo-2.11.2-9.33.1 qemu-linux-user-2.11.2-9.33.1 qemu-linux-user-debuginfo-2.11.2-9.33.1 qemu-linux-user-debugsource-2.11.2-9.33.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): qemu-debuginfo-2.11.2-9.33.1 qemu-debugsource-2.11.2-9.33.1 qemu-tools-2.11.2-9.33.1 qemu-tools-debuginfo-2.11.2-9.33.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2018-20126.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-12068.html https://bugzilla.suse.com/1119991 https://bugzilla.suse.com/1146873 https://bugzilla.suse.com/1152506 https://bugzilla.suse.com/1155812 From sle-security-updates at lists.suse.com Tue Nov 12 18:41:52 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:41:52 +0100 (CET) Subject: SUSE-SU-2019:2960-1: important: Security update for xen Message-ID: <20191113014152.308CDF79E@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2960-1 Rating: important References: #1152497 #1154448 #1154456 #1154458 #1154461 #1155945 Cross-References: CVE-2018-12207 CVE-2019-11135 CVE-2019-18420 CVE-2019-18421 CVE-2019-18424 CVE-2019-18425 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. 
Description:

This update for xen fixes the following issues:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. (bsc#1155945)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. (bsc#1152497).
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that of the guest kernel. (bsc#1154456).
- CVE-2019-18421: A malicious PV guest administrator may have been able to escalate their privilege to that of the host. (bsc#1154458).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash, resulting in a Denial of Service (DoS). (bsc#1154448)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2960=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2960=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (x86_64): xen-4.10.4_06-3.25.1 xen-debugsource-4.10.4_06-3.25.1 xen-devel-4.10.4_06-3.25.1 xen-tools-4.10.4_06-3.25.1 xen-tools-debuginfo-4.10.4_06-3.25.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): xen-debugsource-4.10.4_06-3.25.1 xen-libs-4.10.4_06-3.25.1 xen-libs-debuginfo-4.10.4_06-3.25.1 xen-tools-domU-4.10.4_06-3.25.1 xen-tools-domU-debuginfo-4.10.4_06-3.25.1 References: https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-18420.html https://www.suse.com/security/cve/CVE-2019-18421.html https://www.suse.com/security/cve/CVE-2019-18424.html https://www.suse.com/security/cve/CVE-2019-18425.html https://bugzilla.suse.com/1152497 https://bugzilla.suse.com/1154448 https://bugzilla.suse.com/1154456 https://bugzilla.suse.com/1154458 https://bugzilla.suse.com/1154461 https://bugzilla.suse.com/1155945 From sle-security-updates at lists.suse.com Tue Nov 12 18:43:14 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 02:43:14 +0100 (CET) Subject: SUSE-SU-2019:2951-1: important: Security update for the Linux Kernel Message-ID: <20191113014314.7AEECF79E@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2951-1 Rating: important References: #1046299 #1046303 #1046305 #1050244 #1050536 #1050545 #1051510 #1055186 #1061840 #1064802 #1065600 #1066129 #1073513 #1082635 #1083647 #1086323 #1087092 
#1089644 #1090631 #1093205 #1096254 #1097583 #1097584 #1097585 #1097586 #1097587 #1097588 #1098291 #1101674 #1109158 #1114279 #1117665 #1119461 #1119465 #1123034 #1123080 #1133140 #1134303 #1135642 #1135854 #1135873 #1135967 #1137040 #1137799 #1138190 #1140090 #1140729 #1140845 #1140883 #1141600 #1142635 #1142667 #1143706 #1144338 #1144375 #1144449 #1144903 #1145099 #1146612 #1148410 #1149119 #1150452 #1150457 #1150465 #1150875 #1151508 #1152624 #1152685 #1152782 #1152788 #1152791 #1153112 #1153158 #1153236 #1153263 #1153476 #1153509 #1153646 #1153681 #1153713 #1153717 #1153718 #1153719 #1153811 #1153969 #1154108 #1154189 #1154354 #1154372 #1154578 #1154607 #1154608 #1154610 #1154611 #1154651 #1154737 #1154747 #1154848 #1154858 #1154905 #1154956 #1155178 #1155179 #1155184 #1155186 #1155671 #1155692 #1155836 #1155982 #1156187 Cross-References: CVE-2018-12207 CVE-2019-10220 CVE-2019-11135 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16995 CVE-2019-17055 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666 CVE-2019-18805 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that solves 12 vulnerabilities and has 98 fixes is now available. Description: The SUSE Linux Enterprise 15 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. 
More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-18805: Fix signed integer overflow in tcp_ack_update_rtt() that could have led to a denial of service or possibly unspecified other impact (bsc#1156187)
- CVE-2019-17055: The AF_ISDN network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782)

The following non-security bugs were fixed:

- 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510).
- Add kernel module compression support (bsc#1135854) For enabling the kernel module compress, add the item COMPRESS_MODULES="xz" in config.sh, then mkspec will pass it to the spec file.
- acpi / CPPC: do not require the _PSD method (bsc#1051510).
- acpi / processor: do not print errors for processorIDs == 0xff (bsc#1051510).
- acpi: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510).
- act_mirred: Fix mirred_init_module error handling (bsc#1051510).
- alsa: bebob: Fix prototype of helper function to return negative value (bsc#1051510).
- alsa: hda - Add laptop imic fixup for ASUS M9V laptop (bsc#1051510).
- alsa: hda - Apply AMD controller workaround for Raven platform (bsc#1051510).
- alsa: hda - Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510).
- alsa: hda - Drop unsol event handler for Intel HDMI codecs (bsc#1051510).
- alsa: hda - Expand pin_match function to match upcoming new tbls (bsc#1051510).
- alsa: hda - Inform too slow responses (bsc#1051510).
- alsa: hda - Show the fatal CORB/RIRB error more clearly (bsc#1051510).
- alsa: hda/ca0132 - Fix possible workqueue stall (bsc#1155836).
- alsa: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510).
- alsa: hda/realtek - Add support for ALC623 (bsc#1051510).
- alsa: hda/realtek - Add support for ALC711 (bsc#1051510).
- alsa: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 (bsc#1051510).
- alsa: hda/realtek - Check beep whitelist before assigning in all codecs (bsc#1051510).
- alsa: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510). - alsa: hda/realtek - Fix alienware headset mic (bsc#1051510). - alsa: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510). - alsa: hda/sigmatel - remove unused variable 'stac9200_core_init' (bsc#1051510). - alsa: hda: Add Elkhart Lake pci ID (bsc#1051510). - alsa: hda: Add Tigerlake/Jasperlake pci ID (bsc#1051510). - alsa: hda: Add support of Zhaoxin controller (bsc#1051510). - alsa: hda: Flush interrupts on disabling (bsc#1051510). - alsa: hda: Set fifo_size for both playback and capture streams (bsc#1051510). - alsa: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510). - alsa: line6: sizeof (byte) is always 1, use that fact (bsc#1051510). - alsa: timer: Fix mutex deadlock at releasing card (bsc#1051510). - alsa: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510). - alsa: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510). - alsa: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510). - appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30). - asoc: Define a set of DAPM pre/post-up events (bsc#1051510). - asoc: Intel: Fix use of potentially uninitialized variable (bsc#1051510). - asoc: Intel: NHLT: Fix debug print format (bsc#1051510). - asoc: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510). - asoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510). - asoc: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510). - asoc: sgtl5000: Fix charge pump source assignment (bsc#1051510). - auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510). - ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510). - blk-wbt: abstract out end IO completion handler (bsc#1135873). 
- blk-wbt: fix has-sleeper queueing check (bsc#1135873). - blk-wbt: improve waking of tasks (bsc#1135873). - blk-wbt: move disable check into get_limit() (bsc#1135873). - blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873). - block: add io timeout to sysfs (bsc#1148410). - block: do not show io_timeout if driver has no timeout handler (bsc#1148410). - bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510). - bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323 ). - boot: Sign non-x86 kernels when possible (boo#1134303) - bpf: fix use after free in prog symbol exposure (bsc#1083647). - bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15). - btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651). - btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607). - btrfs: bail out gracefully rather than BUG_ON (bsc#1153646). - btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178). - btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713). - btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179). - btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651). - btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186). - btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184). - can: dev: call netif_carrier_off() in register_candev() (bsc#1051510). - can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510). - can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510). - cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15). - cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510). - ceph: fix directories inode i_blkbits initialization (bsc#1153717). 
- ceph: reconnect connection if session hang in opening state (bsc#1153718). - ceph: update the mtime when truncating up (bsc#1153719). - cfg80211: Purge frame registrations on iftype change (bsc#1051510). - cfg80211: add and use strongly typed element iteration macros (bsc#1051510). - clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510). - clk: qoriq: Fix -Wunused-const-variable (bsc#1051510). - clk: sirf: Do not reference clk_init_data after registration (bsc#1051510). - clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510). - crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737). - crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510). - crypto: af_alg - consolidation of duplicate code (bsc#1154737). - crypto: af_alg - fix race accessing cipher request (bsc#1154737). - crypto: af_alg - remove locking in async callback (bsc#1154737). - crypto: af_alg - update correct dst SGL entry (bsc#1051510). - crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737). - crypto: algif - return error code when no data was processed (bsc#1154737). - crypto: algif_aead - copy AAD from src to dst (bsc#1154737). - crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737). - crypto: algif_aead - overhaul memory management (bsc#1154737). - crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737). - crypto: algif_skcipher - overhaul memory management (bsc#1154737). - crypto: talitos - fix missing break in switch statement (bsc#1142635). - cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584). - cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129). - cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129). - cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513). 
- cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129). - cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05). - dasd_fba: Display '00000000' for zero page when dumping sense (bsc#1123080). - dmaengine: bcm2835: Print error in case setting DMA mask fails (bsc#1051510). - dmaengine: imx-sdma: fix size check for sdma script_number (bsc#1051510). - drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510). - drm/amdgpu/si: fix ASIC tests (git-fixes). - drm/amdgpu: Check for valid number of registers to read (bsc#1051510). - drm/ast: Fixed reboot test may cause system hanged (bsc#1051510). - drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510). - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510). - drm/i915/cmdparser: Add support for backward jumps (bsc#1135967) - drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967) - drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967) - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967) - drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967) - drm/i915/gtt: Disable read-only support under GVT (bsc#1135967) - drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967) - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967) - drm/i915: Add support for mandatory cmdparsing (bsc#1135967) - drm/i915: Allow parsing of unsized batches (bsc#1135967) - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967) - drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967) - drm/i915: Remove Master tables from cmdparser - drm/i915: Rename gen7 cmdparser tables (bsc#1135967) - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967) - drm/msm/dsi: Implement reset correctly (bsc#1051510). - drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510). 
- drm/radeon: Fix EEH during kexec (bsc#1051510). - drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510). - drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510). - drm: Flush output polling on shutdown (bsc#1051510). - e1000e: add workaround for possible stalled packet (bsc#1051510). - efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510). - efi: cper: print AER info of pcie fatal error (bsc#1051510). - efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510). - firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes). - gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510). - hid: apple: Fix stuck function keys when using FN (bsc#1051510). - hid: fix error message in hid_open_report() (bsc#1051510). - hid: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510). - hid: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510). - hid: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510). - hid: prodikeys: Fix general protection fault during probe (bsc#1051510). - hid: sony: Fix memory corruption issue on cleanup (bsc#1051510). - hso: fix NULL-deref on tty open (bsc#1051510). - hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510). - hwrng: core - do not wait on add_early_randomness() (git-fixes). - hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). - i2c: riic: Clear NACK in tend isr (bsc#1051510). - ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154108) - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ib/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449). - ib/mlx5: Consolidate use_umr checks into single function (bsc#1093205). - ib/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205). 
- ib/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305).
- ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510).
- ieee802154: ca8210: prevent memory leak (bsc#1051510).
- ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- iio: adc: ad799x: fix probe error handling (bsc#1051510).
- iio: light: opt3001: fix mutex unlock race (bsc#1051510).
- ima: always return negative code for error (bsc#1051510).
- input: Revert synaptics-rmi4 patch due to regression (bsc#1155982)
- input: da9063 - fix capability and drop KEY_SLEEP (bsc#1051510).
- input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510).
- integrity: prevent deadlock during digsig verification (bsc#1090631).
- iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799).
- iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608).
- iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799).
- iommu/amd: Remove domain->updated (bsc#1154610).
- iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611).
- ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510).
- ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15).
- ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05).
- ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05).
- iwlwifi: do not panic in error path on non-msix systems (bsc#1155692).
- ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674).
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kABI workaround for crypto/af_alg changes (bsc#1154737).
- kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967)
- kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510).
- kabi/severities: Whitelist functions internal to radix mm.
  To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code.
- kabi: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- kernel-binary.spec.in: Fix build of non-modular kernels (boo#1154578).
- kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354).
  It is not strictly necessary to uncompress it so maybe the ghost file can be 0 size in this case.
- kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875).
- ksm: cleanup stable_node chain collapse case (bnc#1144338).
- ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338).
- ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338).
- ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338).
- ksm: swap the two output parameters of chain/chain_prune (bnc#1144338).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: MMU: drop vcpu param in gpte_access (bsc#1117665).
- kvm: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510).
- libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510).
- mISDN: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- mac80211: Reject malformed SSID elements (bsc#1051510).
- mac80211: accept deauth frames in IBSS mode (bsc#1051510).
- mac80211: fix txq null pointer dereference (bsc#1051510).
- macsec: drop skb sk before calling gro_cells_receive (bsc#1051510).
- md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090).
- md/raid0: fix warning message for parameter default_layout (bsc#1140090).
- media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642).
- media: cpia2_usb: fix memory leaks (bsc#1051510).
- media: dvb-core: fix a memory leak bug (bsc#1051510).
- media: exynos4-is: fix leaked of_node references (bsc#1051510).
- media: gspca: zero usb_buf on error (bsc#1051510).
- media: hdpvr: Add device num check and handling (bsc#1051510).
- media: hdpvr: add terminating 0 at end of string (bsc#1051510).
- media: i2c: ov5645: Fix power sequence (bsc#1051510).
- media: iguanair: add sanity checks (bsc#1051510).
- media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510).
- media: omap3isp: Set device on omap3isp subdevs (bsc#1051510).
- media: ov9650: add a sanity check (bsc#1051510).
- media: radio/si470x: kill urb on error (bsc#1051510).
- media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510).
- media: saa7146: add cleanup in hexium_attach() (bsc#1051510).
- media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510).
- media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510).
- media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510).
- memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510).
- mfd: intel-lpss: Remove D3cold delay (bsc#1051510).
- mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05).
- mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510).
- mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510).
- mmc: sdhci: improve ADMA error reporting (bsc#1051510).
- net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/mlx4_en: fix a memory leak bug (bsc#1046299).
- net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303).
- net/mlx5: Fix error handling in mlx5_load() (bsc#1046305).
- net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30).
- net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05).
- net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848).
- net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848).
- net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30).
- net: Fix null de-reference of device refcount (networking-stable-19_09_15).
- net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612).
- net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05).
- net: fix skb use after free in netpoll (networking-stable-19_09_05).
- net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15).
- net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes).
- net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05).
- net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30).
- net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05).
- net_sched: add policy validation for action attributes (networking-stable-19_09_30).
- net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- nfc: fix attrs checks in netlink interface (bsc#1051510).
- nfc: fix memory leak in llcp_sock_bind() (bsc#1051510).
- nfc: pn533: fix use-after-free and memleaks (bsc#1051510).
- nfs: fix regression (boo#1154189 bsc#1154747).
- nfsv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- nl80211: fix null pointer dereference (bsc#1051510).
- objtool: Clobber user CFLAGS variable (bsc#1153236).
- openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30).
- packaging: add support for riscv64
- pci: Correct pci=resource_alignment parameter example (bsc#1051510).
- pci: PM: Fix pci_power_up() (bsc#1051510).
- pci: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092).
- pci: hv: Use bytes 4 and 5 from instance ID as the pci domain numbers (bsc#1153263).
- pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510).
- platform/x86: classmate-laptop: remove unused variable (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510).
- power: supply: sysfs: ratelimit property read error message (bsc#1051510).
- powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186).
- powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186).
- powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186).
- powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186).
- powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186).
- powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186).
- powerpc/mm/radix: mark as __tlbie_pid() and friends as__always_inline (bsc#1055186).
- powerpc/mm: Properly invalidate when setting process table base (bsc#1055186).
- powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186).
- powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778).
- powerpc/pseries: Remove confusing warning message (bsc#1109158).
- powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778).
- qed: iWARP - Fix default window size to be based on chip (bsc#1050536 bsc#1050545).
- qed: iWARP - Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545).
- qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545).
- qed: iWARP - fix uninitialized callback (bsc#1050536 bsc#1050545).
- qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05).
- r8152: Set macpassthru in reset_resume callback (bsc#1051510).
- rdma/bnxt_re: Fix spelling mistake "missin_resp" -> "missing_resp" (bsc#1050244).
- rdma: Fix goto target to release the allocated memory (bsc#1050244).
- rds: Fix warning (bsc#1154848).
- rpm/config.sh: Enable livepatch.
- rpm/constraints.in: lower disk space required for ARM
  With a requirement of 35GB, only 2 slow workers are usable for ARM. Current aarch64 build requires 27G and armv6/7 requires 14G. Set requirements respectively to 30GB and 20GB.
- rpm/dtb.spec.in.in: do not make dtb directory inaccessible
  There is no reason to lock down the dtb directory for ordinary users.
- rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo.
- rpm/kernel-binary.spec.in: build kernel-*-kgraft only for default SLE kernel
  RT and Azure variants are excluded for the moment. (bsc#1141600)
- rpm/kernel-binary.spec.in: handle modules.builtin.modinfo
  It was added in 5.2.
- rpm/kernel-binary.spec.in: support partial rt debug config.
- rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119).
- rpm/macros.kernel-source: KMPs should depend on kmod-compat to build.
  kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE.
- rpm/mkspec: Correct tarball URL for rc kernels.
- rpm/mkspec: Make building DTBs optional.
- rpm/modflist: Simplify compression support.
- rpm: raise required disk space for binary packages
  Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds.
  The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x.
- rpm: support compressed modules
  Some of our scripts and scriptlets in rpm/ do not expect module files not ending with ".ko" which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize ".ko.xz" in addition to ".ko".
- rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635).
- s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476).
- s390/cpumsf: Check for CPU Measurement sampling (bsc#1153681 LTC#181855).
- sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05).
- sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05).
- sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15).
- sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scripts/arch-symbols: add missing link.
- scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040).
- scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845).
- scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883).
- scsi: lpfc: Remove bg debugfs buffers (bsc#1144375).
- scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291).
- scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729).
- scsi: zfcp: fix reaction on bit error threshold notification (bsc#1154956 LTC#182054).
- sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15).
- sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15).
- skge: fix checksum byte order (networking-stable-19_09_30).
- sock_diag: fix autoloading of the raw_diag module (bsc#1152791).
- sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791).
- staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510).
- staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510).
- supporte.conf: add efivarfs to kernel-default-base (bsc#1154858).
- tcp: Do not dequeue SYN/FIN-segments from write-queue (git-fixes).
- tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15).
- tcp: inherit timestamp on mtu probe (networking-stable-19_09_05).
- tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05).
- thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510).
- thermal_hwmon: Sanitize thermal_zone type (bsc#1051510).
- tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15).
- tipc: fix unlimited bundling of small messages (networking-stable-19_10_05).
- tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508).
- tun: fix use-after-free when register netdev failed (networking-stable-19_09_15).
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099).
- usb: adutux: fix NULL-derefs on disconnect (bsc#1142635).
- usb: adutux: fix use-after-free on disconnect (bsc#1142635).
- usb: adutux: fix use-after-free on release (bsc#1051510).
- usb: chaoskey: fix use-after-free on release (bsc#1051510).
- usb: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510).
- usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode (bsc#1051510).
- usb: iowarrior: fix use-after-free after driver unbind (bsc#1051510).
- usb: iowarrior: fix use-after-free on disconnect (bsc#1051510).
- usb: iowarrior: fix use-after-free on release (bsc#1051510).
- usb: ldusb: fix NULL-derefs on driver unbind (bsc#1051510).
- usb: ldusb: fix control-message timeout (bsc#1051510).
- usb: ldusb: fix memleak on disconnect (bsc#1051510).
- usb: ldusb: fix read info leaks (bsc#1051510).
- usb: ldusb: fix ring-buffer locking (bsc#1051510).
- usb: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510).
- usb: legousbtower: fix deadlock on disconnect (bsc#1142635).
- usb: legousbtower: fix memleak on disconnect (bsc#1051510).
- usb: legousbtower: fix open after failed reset request (bsc#1142635).
- usb: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635).
- usb: legousbtower: fix slab info leak at probe (bsc#1142635).
- usb: legousbtower: fix use-after-free on release (bsc#1051510).
- usb: microtek: fix info-leak at probe (bsc#1142635).
- usb: serial: fix runtime PM after driver unbind (bsc#1051510).
- usb: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510).
- usb: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510).
- usb: serial: option: add Telit FN980 compositions (bsc#1051510).
- usb: serial: option: add support for Cinterion CLS8 devices (bsc#1051510).
- usb: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510).
- usb: serial: whiteheat: fix potential slab corruption (bsc#1051510).
- usb: udc: lpc32xx: fix bad bit shift operation (bsc#1051510).
- usb: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510).
- usb: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510).
- usb: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510).
- usb: usblcd: fix I/O after disconnect (bsc#1142635).
- usb: usblp: fix runtime PM after driver unbind (bsc#1051510).
- usb: usblp: fix use-after-free on disconnect (bsc#1051510).
- usb: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510).
- usb: yurex: Do not retry on unexpected errors (bsc#1051510).
- usb: yurex: fix NULL-derefs on disconnect (bsc#1051510).
- usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510).
- usbnet: sanity checking of packet sizes and device mtu (bsc#1051510).
- vfio_pci: Restore original state on release (bsc#1051510).
- vhost_net: conditionally enable tx polling (bsc#1145099).
- video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510).
- vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05).
- watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510).
- x86/asm: Fix MWAITX C-state hint value (bsc#1114279).
- x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969).
- x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969).
- x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279).
- xen/netback: fix error path of xenvif_connect_data() (bsc#1065600).
- xen/pv: Fix Xen PV guest int3 handling (bsc#1153811).
- xhci: Check all endpoints for LPM timeout (bsc#1051510).
- xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510).
- xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510).
- xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Public Cloud 15:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2019-2951=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2951=1

Package List:

- SUSE Linux Enterprise Module for Public Cloud 15 (x86_64):
  kernel-azure-4.12.14-5.44.1
  kernel-azure-base-4.12.14-5.44.1
  kernel-azure-base-debuginfo-4.12.14-5.44.1
  kernel-azure-debuginfo-4.12.14-5.44.1
  kernel-azure-devel-4.12.14-5.44.1
  kernel-syms-azure-4.12.14-5.44.1
- SUSE Linux Enterprise Module for Public Cloud 15 (noarch):
  kernel-devel-azure-4.12.14-5.44.1
  kernel-source-azure-4.12.14-5.44.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
  kernel-devel-azure-4.12.14-5.44.1
  kernel-source-azure-4.12.14-5.44.1

References:

https://www.suse.com/security/cve/CVE-2018-12207.html
https://www.suse.com/security/cve/CVE-2019-10220.html
https://www.suse.com/security/cve/CVE-2019-11135.html
https://www.suse.com/security/cve/CVE-2019-16232.html
https://www.suse.com/security/cve/CVE-2019-16233.html
https://www.suse.com/security/cve/CVE-2019-16234.html
https://www.suse.com/security/cve/CVE-2019-16995.html
https://www.suse.com/security/cve/CVE-2019-17055.html
https://www.suse.com/security/cve/CVE-2019-17056.html
https://www.suse.com/security/cve/CVE-2019-17133.html
https://www.suse.com/security/cve/CVE-2019-17666.html
https://www.suse.com/security/cve/CVE-2019-18805.html
https://bugzilla.suse.com/1046299
https://bugzilla.suse.com/1046303
https://bugzilla.suse.com/1046305
https://bugzilla.suse.com/1050244
https://bugzilla.suse.com/1050536
https://bugzilla.suse.com/1050545
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1055186
https://bugzilla.suse.com/1061840
https://bugzilla.suse.com/1064802
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1066129
https://bugzilla.suse.com/1073513
https://bugzilla.suse.com/1082635
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1086323
https://bugzilla.suse.com/1087092
https://bugzilla.suse.com/1089644
https://bugzilla.suse.com/1090631
https://bugzilla.suse.com/1093205
https://bugzilla.suse.com/1096254
https://bugzilla.suse.com/1097583
https://bugzilla.suse.com/1097584
https://bugzilla.suse.com/1097585
https://bugzilla.suse.com/1097586
https://bugzilla.suse.com/1097587
https://bugzilla.suse.com/1097588
https://bugzilla.suse.com/1098291
https://bugzilla.suse.com/1101674
https://bugzilla.suse.com/1109158
https://bugzilla.suse.com/1114279
https://bugzilla.suse.com/1117665
https://bugzilla.suse.com/1119461
https://bugzilla.suse.com/1119465
https://bugzilla.suse.com/1123034
https://bugzilla.suse.com/1123080
https://bugzilla.suse.com/1133140
https://bugzilla.suse.com/1134303
https://bugzilla.suse.com/1135642
https://bugzilla.suse.com/1135854
https://bugzilla.suse.com/1135873
https://bugzilla.suse.com/1135967
https://bugzilla.suse.com/1137040
https://bugzilla.suse.com/1137799
https://bugzilla.suse.com/1138190
https://bugzilla.suse.com/1140090
https://bugzilla.suse.com/1140729
https://bugzilla.suse.com/1140845
https://bugzilla.suse.com/1140883
https://bugzilla.suse.com/1141600
https://bugzilla.suse.com/1142635
https://bugzilla.suse.com/1142667
https://bugzilla.suse.com/1143706
https://bugzilla.suse.com/1144338
https://bugzilla.suse.com/1144375
https://bugzilla.suse.com/1144449
https://bugzilla.suse.com/1144903
https://bugzilla.suse.com/1145099
https://bugzilla.suse.com/1146612
https://bugzilla.suse.com/1148410
https://bugzilla.suse.com/1149119
https://bugzilla.suse.com/1150452
https://bugzilla.suse.com/1150457
https://bugzilla.suse.com/1150465
https://bugzilla.suse.com/1150875
https://bugzilla.suse.com/1151508
https://bugzilla.suse.com/1152624
https://bugzilla.suse.com/1152685
https://bugzilla.suse.com/1152782
https://bugzilla.suse.com/1152788
https://bugzilla.suse.com/1152791
https://bugzilla.suse.com/1153112
https://bugzilla.suse.com/1153158
https://bugzilla.suse.com/1153236
https://bugzilla.suse.com/1153263
https://bugzilla.suse.com/1153476
https://bugzilla.suse.com/1153509
https://bugzilla.suse.com/1153646
https://bugzilla.suse.com/1153681
https://bugzilla.suse.com/1153713
https://bugzilla.suse.com/1153717
https://bugzilla.suse.com/1153718
https://bugzilla.suse.com/1153719
https://bugzilla.suse.com/1153811
https://bugzilla.suse.com/1153969
https://bugzilla.suse.com/1154108
https://bugzilla.suse.com/1154189
https://bugzilla.suse.com/1154354
https://bugzilla.suse.com/1154372
https://bugzilla.suse.com/1154578
https://bugzilla.suse.com/1154607
https://bugzilla.suse.com/1154608
https://bugzilla.suse.com/1154610
https://bugzilla.suse.com/1154611
https://bugzilla.suse.com/1154651
https://bugzilla.suse.com/1154737
https://bugzilla.suse.com/1154747
https://bugzilla.suse.com/1154848
https://bugzilla.suse.com/1154858
https://bugzilla.suse.com/1154905
https://bugzilla.suse.com/1154956
https://bugzilla.suse.com/1155178
https://bugzilla.suse.com/1155179
https://bugzilla.suse.com/1155184
https://bugzilla.suse.com/1155186
https://bugzilla.suse.com/1155671
https://bugzilla.suse.com/1155692
https://bugzilla.suse.com/1155836
https://bugzilla.suse.com/1155982
https://bugzilla.suse.com/1156187

From sle-security-updates at lists.suse.com Wed Nov 13 13:11:49 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Nov 2019 21:11:49 +0100 (CET)
Subject: SUSE-SU-2019:14218-1: important: Security update for the Linux Kernel
Message-ID: <20191113201149.901CCF798@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:14218-1
Rating: important
References: #1101061 #1113201 #1117665 #1131107 #1143327 #1144903 #1145477 #1145922 #1146163 #1146285
  #1146361 #1146391 #1146524 #1146540 #1146547 #1146678 #1147122 #1148938 #1149376 #1149522 #1150025 #1150112 #1150452 #1150457 #1150465 #1150599 #1151347 #1151350 #1152779 #1152782 #1152786 #1152789 #1153158 #1155671 #802154 #936875
Cross-References: CVE-2017-18509 CVE-2017-18551 CVE-2018-12207 CVE-2018-20976 CVE-2019-10220 CVE-2019-11135 CVE-2019-14821 CVE-2019-14835 CVE-2019-15118 CVE-2019-15212 CVE-2019-15216 CVE-2019-15217 CVE-2019-15219 CVE-2019-15291 CVE-2019-15292 CVE-2019-15505 CVE-2019-15807 CVE-2019-15902 CVE-2019-15927 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16413 CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17133 CVE-2019-9456
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
  SUSE Linux Enterprise Server 11-EXTRA
  SUSE Linux Enterprise High Availability Extension 11-SP4
  SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 29 vulnerabilities and has 7 fixes is now available.

Description:

The SUSE Linux Enterprise 11-SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional.
  The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465).
- CVE-2019-17052: ax25_create in the AF_AX25 network module in the Linux kernel did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket, aka CID-0614e2b73768. (bnc#1152779)
- CVE-2019-17055: base_sock_create in the AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (bnc#1152782)
- CVE-2019-17054: atalk_create in the AF_APPLETALK network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c. (bnc#1152786)
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-17053: ieee802154_create in the AF_IEEE802154 network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users could create a raw socket, aka CID-e69dbd4619e7. (bnc#1152789)
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly, which caused an i_size_read() infinite loop and denial of service on SMP systems. (bnc#1151347)
- CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function.
  (bnc#1146540)
- CVE-2019-15807: There was a memory leak in the SAS expander driver when SAS expander discovery fails. This could cause a denial of service. (bnc#1148938)
- CVE-2019-14821: An out-of-bounds access issue was found in the way the Linux kernel's KVM hypervisor implemented the Coalesced MMIO write operation. It operated on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system. (bnc#1151350)
- CVE-2019-15505: The Linux kernel had an out-of-bounds read via crafted USB device traffic (which may have been remote via usbip or usbredir). (bnc#1147122)
- CVE-2019-14835: A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway could have used this flaw to increase their privileges on the host. (bnc#1150112)
- CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (bnc#1146361)
- CVE-2019-9456: In the Android kernel in Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction was not needed for exploitation. (bnc#1150025)
- CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit in the file sound/usb/mixer.c. (bnc#1149522)
- CVE-2019-15902: Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate.
This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered)\ code lines were swapped. (bnc#1149376) - CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (bnc#1146524) - CVE-2017-18509: An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel By setting a specific socket option, an attacker could control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue could be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurred because sk_type and protocol were not checked in the appropriate part of the ip6_mroute_* functions. (bnc#1145477) - CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (bnc#1146391) - CVE-2019-15292: There was a use-after-free in atalk_proc_exit. (bnc#1146678) - CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (bnc#1146547) - CVE-2018-20976: A use after free was discovered in fs/xfs/xfs_super.c, related to xfs_fs_fill_super failure. (bnc#1146285) - CVE-2017-18551: There was an out of bounds write in the function i2c_smbus_xfer_emulated. (bnc#1146163) - CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion. (bnc#1145922) The following non-security bugs were fixed: - add a missing lfence in kernel error entry and remove a superfluous lfence in userspace interrupt exit paths - Documentation: Add ITLB_MULTIHIT documentation (bnc#1117665). - array_index_nospec: Sanitize speculative array (bsc#1155671) - cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665). 
- IB/core: Add mitigation for Spectre V1 (bsc#1155671) - inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state (bsc#1101061). - kABI Fix for IFU Patches (bsc#1117665). - kthread: Implement park/unpark facility (bsc#1117665). - kvm: Convert kvm_lock to a mutex (bsc#1117665). - kvm: MMU: drop read-only large sptes when creating lower level sptes (bsc#1117665). - kvm: MMU: fast invalidate all pages (bsc1117665). - kvm: VMX: export PFEC.P bit on ept (bsc#1117665). - kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665). - kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665). - mm/readahead.c: fix readahead failure for memoryless NUMA nodes and limit readahead pages (bsc#1143327). - mm: use only per-device readahead limit (bsc#1143327). - powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107). - powerpc/fsl: Add nospectre_v2 command line argument (bsc#1131107). - powerpc/fsl: Update Spectre v2 reporting (bsc#1131107). - powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107). - xfs: xfs_remove deadlocks due to inverted AGF vs AGI lock ordering (bsc#1150599). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-kernel-source-14218=1 - SUSE Linux Enterprise Server 11-EXTRA: zypper in -t patch slexsp3-kernel-source-14218=1 - SUSE Linux Enterprise High Availability Extension 11-SP4: zypper in -t patch slehasp4-kernel-source-14218=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-kernel-source-14218=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): kernel-default-3.0.101-108.108.1 kernel-default-base-3.0.101-108.108.1 kernel-default-devel-3.0.101-108.108.1 kernel-source-3.0.101-108.108.1 kernel-syms-3.0.101-108.108.1 kernel-trace-3.0.101-108.108.1 kernel-trace-base-3.0.101-108.108.1 kernel-trace-devel-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): kernel-ec2-3.0.101-108.108.1 kernel-ec2-base-3.0.101-108.108.1 kernel-ec2-devel-3.0.101-108.108.1 kernel-xen-3.0.101-108.108.1 kernel-xen-base-3.0.101-108.108.1 kernel-xen-devel-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64): kernel-bigmem-3.0.101-108.108.1 kernel-bigmem-base-3.0.101-108.108.1 kernel-bigmem-devel-3.0.101-108.108.1 kernel-ppc64-3.0.101-108.108.1 kernel-ppc64-base-3.0.101-108.108.1 kernel-ppc64-devel-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (s390x): kernel-default-man-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (i586): kernel-pae-3.0.101-108.108.1 kernel-pae-base-3.0.101-108.108.1 kernel-pae-devel-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64): kernel-default-extra-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64): kernel-xen-extra-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-EXTRA (x86_64): kernel-trace-extra-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-EXTRA (ppc64): kernel-ppc64-extra-3.0.101-108.108.1 - SUSE Linux Enterprise Server 11-EXTRA (i586): 
kernel-pae-extra-3.0.101-108.108.1 - SUSE Linux Enterprise High Availability Extension 11-SP4 (i586 ppc64 s390x x86_64): ocfs2-kmp-default-1.6_3.0.101_108.108-0.28.11.2 ocfs2-kmp-trace-1.6_3.0.101_108.108-0.28.11.2 - SUSE Linux Enterprise High Availability Extension 11-SP4 (i586 x86_64): ocfs2-kmp-xen-1.6_3.0.101_108.108-0.28.11.2 - SUSE Linux Enterprise High Availability Extension 11-SP4 (ppc64): ocfs2-kmp-bigmem-1.6_3.0.101_108.108-0.28.11.2 ocfs2-kmp-ppc64-1.6_3.0.101_108.108-0.28.11.2 - SUSE Linux Enterprise High Availability Extension 11-SP4 (i586): ocfs2-kmp-pae-1.6_3.0.101_108.108-0.28.11.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): kernel-default-debuginfo-3.0.101-108.108.1 kernel-default-debugsource-3.0.101-108.108.1 kernel-trace-debuginfo-3.0.101-108.108.1 kernel-trace-debugsource-3.0.101-108.108.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 s390x x86_64): kernel-default-devel-debuginfo-3.0.101-108.108.1 kernel-trace-devel-debuginfo-3.0.101-108.108.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64): kernel-ec2-debuginfo-3.0.101-108.108.1 kernel-ec2-debugsource-3.0.101-108.108.1 kernel-xen-debuginfo-3.0.101-108.108.1 kernel-xen-debugsource-3.0.101-108.108.1 kernel-xen-devel-debuginfo-3.0.101-108.108.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64): kernel-bigmem-debuginfo-3.0.101-108.108.1 kernel-bigmem-debugsource-3.0.101-108.108.1 kernel-ppc64-debuginfo-3.0.101-108.108.1 kernel-ppc64-debugsource-3.0.101-108.108.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586): kernel-pae-debuginfo-3.0.101-108.108.1 kernel-pae-debugsource-3.0.101-108.108.1 kernel-pae-devel-debuginfo-3.0.101-108.108.1 References: https://www.suse.com/security/cve/CVE-2017-18509.html https://www.suse.com/security/cve/CVE-2017-18551.html https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2018-20976.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html 
https://www.suse.com/security/cve/CVE-2019-14821.html https://www.suse.com/security/cve/CVE-2019-14835.html https://www.suse.com/security/cve/CVE-2019-15118.html https://www.suse.com/security/cve/CVE-2019-15212.html https://www.suse.com/security/cve/CVE-2019-15216.html https://www.suse.com/security/cve/CVE-2019-15217.html https://www.suse.com/security/cve/CVE-2019-15219.html https://www.suse.com/security/cve/CVE-2019-15291.html https://www.suse.com/security/cve/CVE-2019-15292.html https://www.suse.com/security/cve/CVE-2019-15505.html https://www.suse.com/security/cve/CVE-2019-15807.html https://www.suse.com/security/cve/CVE-2019-15902.html https://www.suse.com/security/cve/CVE-2019-15927.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16413.html https://www.suse.com/security/cve/CVE-2019-17052.html https://www.suse.com/security/cve/CVE-2019-17053.html https://www.suse.com/security/cve/CVE-2019-17054.html https://www.suse.com/security/cve/CVE-2019-17055.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-9456.html https://bugzilla.suse.com/1101061 https://bugzilla.suse.com/1113201 https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1131107 https://bugzilla.suse.com/1143327 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145477 https://bugzilla.suse.com/1145922 https://bugzilla.suse.com/1146163 https://bugzilla.suse.com/1146285 https://bugzilla.suse.com/1146361 https://bugzilla.suse.com/1146391 https://bugzilla.suse.com/1146524 https://bugzilla.suse.com/1146540 https://bugzilla.suse.com/1146547 https://bugzilla.suse.com/1146678 https://bugzilla.suse.com/1147122 https://bugzilla.suse.com/1148938 https://bugzilla.suse.com/1149376 https://bugzilla.suse.com/1149522 https://bugzilla.suse.com/1150025 https://bugzilla.suse.com/1150112 
https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150599 https://bugzilla.suse.com/1151347 https://bugzilla.suse.com/1151350 https://bugzilla.suse.com/1152779 https://bugzilla.suse.com/1152782 https://bugzilla.suse.com/1152786 https://bugzilla.suse.com/1152789 https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1155671 https://bugzilla.suse.com/802154 https://bugzilla.suse.com/936875 From sle-security-updates at lists.suse.com Wed Nov 13 13:16:54 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 13 Nov 2019 21:16:54 +0100 (CET) Subject: SUSE-SU-2019:14217-1: important: Security update for microcode_ctl Message-ID: <20191113201654.A8570F798@maintenance.suse.de> SUSE Security Update: Security update for microcode_ctl ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14217-1 Rating: important References: #1139073 #1141035 #1155988 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. 
Description:

This update for microcode_ctl fixes the following issues:

- Updated to 20191112 security release (bsc#1155988)

  Processor               Identifier  Version             Products
  Model        Stepping   F-MO-S/PI   Old->New
  ---- new platforms ----------------------------------------
  CML-U62      A0         6-a6-0/80   000000c6            Core Gen10 Mobile
  CNL-U        D0         6-66-3/80   0000002a            Core Gen8 Mobile
  SKX-SP       B1         6-55-3/97   01000150            Xeon Scalable
  ICL U/Y      D1         6-7e-5/80   00000046            Core Gen10 Mobile
  ---- updated platforms ------------------------------------
  SKL U/Y      D0         6-4e-3/c0   000000cc->000000d4  Core Gen6 Mobile
  SKL H/S/E3   R0/N0      6-5e-3/36   000000cc->000000d4  Core Gen6
  AML-Y22      H0         6-8e-9/10   000000b4->000000c6  Core Gen8 Mobile
  KBL-U/Y      H0         6-8e-9/c0   000000b4->000000c6  Core Gen7 Mobile
  CFL-U43e     D0         6-8e-a/c0   000000b4->000000c6  Core Gen8 Mobile
  WHL-U        W0         6-8e-b/d0   000000b8->000000c6  Core Gen8 Mobile
  AML-Y        V0         6-8e-c/94   000000b8->000000c6  Core Gen10 Mobile
  CML-U42      V0         6-8e-c/94   000000b8->000000c6  Core Gen10 Mobile
  WHL-U        V0         6-8e-c/94   000000b8->000000c6  Core Gen8 Mobile
  KBL-G/X      H0         6-9e-9/2a   000000b4->000000c6  Core Gen7/Gen8
  KBL-H/S/E3   B0         6-9e-9/2a   000000b4->000000c6  Core Gen7; Xeon E3 v6
  CFL-H/S/E3   U0         6-9e-a/22   000000b4->000000c6  Core Gen8 Desktop, Mobile, Xeon E
  CFL-S        B0         6-9e-b/02   000000b4->000000c6  Core Gen8
  CFL-H        R0         6-9e-d/22   000000b8->000000c6  Core Gen9 Mobile

- Includes security fixes for:
  - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
  - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-microcode_ctl-14217=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-microcode_ctl-14217=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): microcode_ctl-1.17-102.83.47.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): microcode_ctl-1.17-102.83.47.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Thu Nov 14 07:14:31 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Nov 2019 15:14:31 +0100 (CET) Subject: SUSE-SU-2019:2972-1: important: Security update for libjpeg-turbo Message-ID: <20191114141431.79E22F798@maintenance.suse.de> SUSE Security Update: Security update for libjpeg-turbo ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2972-1 Rating: important References: #1156402 Cross-References: CVE-2019-2201 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 HPE Helion Openstack 8 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libjpeg-turbo fixes the following issues: - CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo, when attempting to compress or decompress gigapixel images. [bsc#1156402] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2972=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2972=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2972=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2972=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2972=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2972=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2972=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2972=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2972=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2972=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2972=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2972=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2972=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2972=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t 
patch SUSE-SLE-SERVER-12-SP1-2019-2972=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2972=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-2972=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2972=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE OpenStack Cloud 8 (x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le 
s390x x86_64): libjpeg62-devel-62.2.0-31.19.1 libjpeg8-devel-8.1.2-31.19.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libjpeg62-devel-62.2.0-31.19.1 libjpeg8-devel-8.1.2-31.19.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 
libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libjpeg-turbo-1.5.3-31.19.1 
libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 
libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 - SUSE Enterprise Storage 5 (x86_64): libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 - HPE Helion Openstack 8 (x86_64): libjpeg-turbo-1.5.3-31.19.1 libjpeg-turbo-debuginfo-1.5.3-31.19.1 libjpeg-turbo-debugsource-1.5.3-31.19.1 libjpeg62-32bit-62.2.0-31.19.1 libjpeg62-62.2.0-31.19.1 libjpeg62-debuginfo-32bit-62.2.0-31.19.1 libjpeg62-debuginfo-62.2.0-31.19.1 libjpeg62-turbo-1.5.3-31.19.1 libjpeg62-turbo-debugsource-1.5.3-31.19.1 libjpeg8-32bit-8.1.2-31.19.1 libjpeg8-8.1.2-31.19.1 libjpeg8-debuginfo-32bit-8.1.2-31.19.1 libjpeg8-debuginfo-8.1.2-31.19.1 libturbojpeg0-8.1.2-31.19.1 libturbojpeg0-debuginfo-8.1.2-31.19.1 References: 
https://www.suse.com/security/cve/CVE-2019-2201.html https://bugzilla.suse.com/1156402 From sle-security-updates at lists.suse.com Thu Nov 14 07:16:16 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Nov 2019 15:16:16 +0100 (CET) Subject: SUSE-SU-2019:2971-1: important: Security update for libjpeg-turbo Message-ID: <20191114141616.E2B1AF798@maintenance.suse.de> SUSE Security Update: Security update for libjpeg-turbo ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2971-1 Rating: important References: #1156402 Cross-References: CVE-2019-2201 Affected Products: SUSE Linux Enterprise Module for Packagehub Subpackages 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libjpeg-turbo fixes the following issues: - CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo, when attempting to compress or decompress gigapixel images. [bsc#1156402] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Packagehub Subpackages 15: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2019-2971=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2971=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2971=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2971=1 - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-2971=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2971=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2971=1 Package List: - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-5.12.1 libjpeg-turbo-debuginfo-1.5.3-5.12.1 libjpeg-turbo-debugsource-1.5.3-5.12.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-5.12.1 libjpeg-turbo-debuginfo-1.5.3-5.12.1 libjpeg-turbo-debugsource-1.5.3-5.12.1 libjpeg62-turbo-1.5.3-5.12.1 libjpeg62-turbo-debugsource-1.5.3-5.12.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libjpeg62-32bit-62.2.0-5.12.1 libjpeg62-32bit-debuginfo-62.2.0-5.12.1 libjpeg62-devel-32bit-62.2.0-5.12.1 libjpeg8-devel-32bit-8.1.2-5.12.1 libturbojpeg0-32bit-8.1.2-5.12.1 libturbojpeg0-32bit-debuginfo-8.1.2-5.12.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-5.12.1 libjpeg-turbo-debuginfo-1.5.3-5.12.1 
libjpeg-turbo-debugsource-1.5.3-5.12.1 libjpeg62-turbo-1.5.3-5.12.1 libjpeg62-turbo-debugsource-1.5.3-5.12.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (x86_64): libjpeg8-32bit-8.1.2-5.12.1 libjpeg8-32bit-debuginfo-8.1.2-5.12.1 - SUSE Linux Enterprise Module for Desktop Applications 15 (x86_64): libjpeg8-32bit-8.1.2-5.12.1 libjpeg8-32bit-debuginfo-8.1.2-5.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libjpeg62-62.2.0-5.12.1 libjpeg62-debuginfo-62.2.0-5.12.1 libjpeg62-devel-62.2.0-5.12.1 libjpeg8-8.1.2-5.12.1 libjpeg8-debuginfo-8.1.2-5.12.1 libjpeg8-devel-8.1.2-5.12.1 libturbojpeg0-8.1.2-5.12.1 libturbojpeg0-debuginfo-8.1.2-5.12.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libjpeg62-62.2.0-5.12.1 libjpeg62-debuginfo-62.2.0-5.12.1 libjpeg62-devel-62.2.0-5.12.1 libjpeg8-8.1.2-5.12.1 libjpeg8-debuginfo-8.1.2-5.12.1 libjpeg8-devel-8.1.2-5.12.1 libturbojpeg0-8.1.2-5.12.1 libturbojpeg0-debuginfo-8.1.2-5.12.1 References: https://www.suse.com/security/cve/CVE-2019-2201.html https://bugzilla.suse.com/1156402 From sle-security-updates at lists.suse.com Thu Nov 14 13:11:51 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Nov 2019 21:11:51 +0100 (CET) Subject: SUSE-SU-2019:2785-2: moderate: Security update for ImageMagick Message-ID: <20191114201151.15FC8F798@maintenance.suse.de> SUSE Security Update: Security update for ImageMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2785-2 Rating: moderate References: #1146068 #1146211 #1146212 #1146213 #1151781 #1151782 #1151783 #1151784 #1151785 #1151786 Cross-References: CVE-2019-14980 CVE-2019-15139 CVE-2019-15140 CVE-2019-15141 CVE-2019-16708 CVE-2019-16709 CVE-2019-16710 CVE-2019-16711 CVE-2019-16712 CVE-2019-16713 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise 
Software Development Kit 12-SP5
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes 10 vulnerabilities is now available.

Description:

This update for ImageMagick fixes the following issues:

Security issues fixed:

- CVE-2019-15139: Fixed a denial-of-service vulnerability in ReadXWDImage. (bsc#1146213)
- CVE-2019-15140: Fixed a use-after-free bug in the Matlab image parser. (bsc#1146212)
- CVE-2019-15141: Fixed a divide-by-zero vulnerability in the MeanShiftImage function. (bsc#1146211)
- CVE-2019-14980: Fixed an application crash resulting from a heap-based buffer over-read in WriteTIFFImage. (bsc#1146068)
- CVE-2019-16708: Fixed a memory leak in magick/xwindow.c (bsc#1151781).
- CVE-2019-16709: Fixed a memory leak in coders/dps.c (bsc#1151782).
- CVE-2019-16710: Fixed a memory leak in coders/dot.c (bsc#1151783).
- CVE-2019-16711: Fixed a memory leak in Huffman2DEncodeImage in coders/ps2.c (bsc#1151784).
- CVE-2019-16712: Fixed a memory leak in Huffman2DEncodeImage in coders/ps3.c (bsc#1151785).
- CVE-2019-16713: Fixed a memory leak in coders/dot.c (bsc#1151786).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2019-2785=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2785=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2785=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): ImageMagick-6.8.8.1-71.131.1 ImageMagick-debuginfo-6.8.8.1-71.131.1 ImageMagick-debugsource-6.8.8.1-71.131.1 libMagick++-6_Q16-3-6.8.8.1-71.131.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.131.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.131.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.131.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ImageMagick-6.8.8.1-71.131.1 ImageMagick-config-6-SUSE-6.8.8.1-71.131.1 ImageMagick-config-6-upstream-6.8.8.1-71.131.1 ImageMagick-debuginfo-6.8.8.1-71.131.1 ImageMagick-debugsource-6.8.8.1-71.131.1 ImageMagick-devel-6.8.8.1-71.131.1 libMagick++-6_Q16-3-6.8.8.1-71.131.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.131.1 libMagick++-devel-6.8.8.1-71.131.1 perl-PerlMagick-6.8.8.1-71.131.1 perl-PerlMagick-debuginfo-6.8.8.1-71.131.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): ImageMagick-config-6-SUSE-6.8.8.1-71.131.1 ImageMagick-config-6-upstream-6.8.8.1-71.131.1 ImageMagick-debuginfo-6.8.8.1-71.131.1 ImageMagick-debugsource-6.8.8.1-71.131.1 libMagickCore-6_Q16-1-6.8.8.1-71.131.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.131.1 libMagickWand-6_Q16-1-6.8.8.1-71.131.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.131.1 References: https://www.suse.com/security/cve/CVE-2019-14980.html https://www.suse.com/security/cve/CVE-2019-15139.html https://www.suse.com/security/cve/CVE-2019-15140.html https://www.suse.com/security/cve/CVE-2019-15141.html https://www.suse.com/security/cve/CVE-2019-16708.html 
https://www.suse.com/security/cve/CVE-2019-16709.html https://www.suse.com/security/cve/CVE-2019-16710.html https://www.suse.com/security/cve/CVE-2019-16711.html https://www.suse.com/security/cve/CVE-2019-16712.html https://www.suse.com/security/cve/CVE-2019-16713.html https://bugzilla.suse.com/1146068 https://bugzilla.suse.com/1146211 https://bugzilla.suse.com/1146212 https://bugzilla.suse.com/1146213 https://bugzilla.suse.com/1151781 https://bugzilla.suse.com/1151782 https://bugzilla.suse.com/1151783 https://bugzilla.suse.com/1151784 https://bugzilla.suse.com/1151785 https://bugzilla.suse.com/1151786 From sle-security-updates at lists.suse.com Thu Nov 14 13:13:30 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Nov 2019 21:13:30 +0100 (CET) Subject: SUSE-SU-2019:2744-2: moderate: Security update for openconnect Message-ID: <20191114201330.F1B2DF798@maintenance.suse.de> SUSE Security Update: Security update for openconnect ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2744-2 Rating: moderate References: #1151178 Cross-References: CVE-2019-16239 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for openconnect fixes the following issues: - CVE-2019-16239: Fixed a buffer overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes. (bsc#1151178) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2019-2744=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): openconnect-7.08-3.4.1 openconnect-debuginfo-7.08-3.4.1 openconnect-debugsource-7.08-3.4.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): openconnect-lang-7.08-3.4.1 References: https://www.suse.com/security/cve/CVE-2019-16239.html https://bugzilla.suse.com/1151178 From sle-security-updates at lists.suse.com Thu Nov 14 13:14:11 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Nov 2019 21:14:11 +0100 (CET) Subject: SUSE-SU-2019:2975-1: important: Security update for squid Message-ID: <20191114201411.A1681F798@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2975-1 Rating: important References: #1133089 #1140738 #1141329 #1141330 #1141332 #1141442 #1156323 #1156324 #1156326 #1156328 #1156329 Cross-References: CVE-2019-12523 CVE-2019-12525 CVE-2019-12526 CVE-2019-12527 CVE-2019-12529 CVE-2019-12854 CVE-2019-13345 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2019-3688 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Server Applications 15 ______________________________________________________________________________ An update that fixes 12 vulnerabilities is now available. Description: This update for squid to version 4.9 fixes the following issues: Security issues fixed: - CVE-2019-13345: Fixed multiple cross-site scripting vulnerabilities in cachemgr.cgi (bsc#1140738). - CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326). 
- CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329). - CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328). - CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323). - CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324). Other issues addressed: * Fixed DNS failures when peer name was configured with any upper case characters * Fixed several rock cache_dir corruption issues Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2975=1 - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2975=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): squid-4.9-5.11.1 squid-debuginfo-4.9-5.11.1 squid-debugsource-4.9-5.11.1 - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): squid-4.9-5.11.1 squid-debuginfo-4.9-5.11.1 squid-debugsource-4.9-5.11.1 References: https://www.suse.com/security/cve/CVE-2019-12523.html https://www.suse.com/security/cve/CVE-2019-12525.html https://www.suse.com/security/cve/CVE-2019-12526.html https://www.suse.com/security/cve/CVE-2019-12527.html https://www.suse.com/security/cve/CVE-2019-12529.html https://www.suse.com/security/cve/CVE-2019-12854.html https://www.suse.com/security/cve/CVE-2019-13345.html https://www.suse.com/security/cve/CVE-2019-18676.html https://www.suse.com/security/cve/CVE-2019-18677.html https://www.suse.com/security/cve/CVE-2019-18678.html https://www.suse.com/security/cve/CVE-2019-18679.html 
https://www.suse.com/security/cve/CVE-2019-3688.html https://bugzilla.suse.com/1133089 https://bugzilla.suse.com/1140738 https://bugzilla.suse.com/1141329 https://bugzilla.suse.com/1141330 https://bugzilla.suse.com/1141332 https://bugzilla.suse.com/1141442 https://bugzilla.suse.com/1156323 https://bugzilla.suse.com/1156324 https://bugzilla.suse.com/1156326 https://bugzilla.suse.com/1156328 https://bugzilla.suse.com/1156329 From sle-security-updates at lists.suse.com Thu Nov 14 16:11:44 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 00:11:44 +0100 (CET) Subject: SUSE-SU-2019:2976-1: important: Security update for bash Message-ID: <20191114231144.99181F798@maintenance.suse.de> SUSE Security Update: Security update for bash ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2976-1 Rating: important References: #1138676 Cross-References: CVE-2012-6711 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for bash fixes the following issues: - CVE-2012-6711: Fixed a heap-based buffer overflow during echo of unsupported characters (bsc#1138676). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2976=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2976=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): bash-4.2-83.6.1 bash-debuginfo-4.2-83.6.1 bash-debugsource-4.2-83.6.1 libreadline6-32bit-6.2-83.6.1 libreadline6-6.2-83.6.1 libreadline6-debuginfo-32bit-6.2-83.6.1 libreadline6-debuginfo-6.2-83.6.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): bash-doc-4.2-83.6.1 readline-doc-6.2-83.6.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): bash-4.2-83.6.1 bash-debuginfo-4.2-83.6.1 bash-debugsource-4.2-83.6.1 libreadline6-6.2-83.6.1 libreadline6-debuginfo-6.2-83.6.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libreadline6-32bit-6.2-83.6.1 libreadline6-debuginfo-32bit-6.2-83.6.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): bash-doc-4.2-83.6.1 readline-doc-6.2-83.6.1 References: https://www.suse.com/security/cve/CVE-2012-6711.html https://bugzilla.suse.com/1138676 From sle-security-updates at lists.suse.com Fri Nov 15 07:12:50 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 15:12:50 +0100 (CET) Subject: SUSE-SU-2019:2984-1: important: Security update for the Linux Kernel Message-ID: <20191115141250.76E77F798@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2984-1 Rating: important References: #1068032 #1084878 #1092497 #1106913 #1117665 #1135966 #1135967 #1137865 #1139550 #1140671 #1141054 #1144338 #1144903 #1145477 #1146285 #1146361 #1146378 #1146391 #1146413 #1146425 #1146512 #1146514 #1146516 #1146519 #1146584 #1147122 #1148394 #1148938 #1149376 #1149522 #1149527 #1149555 #1149612 #1149849 
#1150025 #1150112 #1150223 #1150452 #1150457 #1150465 #1150466 #1151347 #1151350 #1152685 #1152782 #1152788 #1153158 #1154372 #1155671 #1155898 #1156187 Cross-References: CVE-2016-10906 CVE-2017-18509 CVE-2017-18595 CVE-2018-12207 CVE-2018-20976 CVE-2019-0154 CVE-2019-0155 CVE-2019-10220 CVE-2019-11135 CVE-2019-13272 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-14821 CVE-2019-14835 CVE-2019-15098 CVE-2019-15211 CVE-2019-15212 CVE-2019-15214 CVE-2019-15215 CVE-2019-15216 CVE-2019-15217 CVE-2019-15218 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15290 CVE-2019-15291 CVE-2019-15505 CVE-2019-15666 CVE-2019-15807 CVE-2019-15902 CVE-2019-15924 CVE-2019-15926 CVE-2019-15927 CVE-2019-16231 CVE-2019-16232 CVE-2019-16233 CVE-2019-16234 CVE-2019-16413 CVE-2019-16995 CVE-2019-17055 CVE-2019-17056 CVE-2019-17133 CVE-2019-17666 CVE-2019-18680 CVE-2019-18805 CVE-2019-9456 CVE-2019-9506 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise High Availability 12-SP2 ______________________________________________________________________________ An update that solves 49 vulnerabilities and has two fixes is now available. Description: The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. 
More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 - CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). - CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 - CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457). - CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903). - CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372). - CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158). - CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver (bsc#1150465). - CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452). - CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782). - CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788). - CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly, which caused an i_size_read() infinite loop and denial of service on SMP systems (bnc#1151347). 
- CVE-2019-15902: A backporting issue was discovered that re-introduced the Spectre vulnerability it had aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376). - CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused by a malicious USB device (bnc#1146519). - CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused to cause denial of service (bnc#1148938). - CVE-2019-13272: Fixed the mishandled recording of the credentials of a process that wants to create a ptrace relationship, which allowed local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). (bnc#1140671). - CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's kvm hypervisor. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350). - CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by crafted USB device traffic (bnc#1147122). - CVE-2017-18595: A double free in allocate_trace_buffer was fixed (bnc#1149555). - CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost functionality that translates virtqueue buffers to IOVs. A privileged guest user able to pass descriptors with invalid length to the host could use this flaw to increase their privileges on the host (bnc#1150112). - CVE-2019-15216: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146361). - CVE-2019-15924: A NULL pointer dereference has been fixed in the drivers/net/ethernet/intel/fm10k module (bnc#1149612). - CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been fixed. 
This issue could lead to local escalation of privilege with System execution privileges needed. (bnc#1150025). - CVE-2019-15926: An out-of-bounds access was fixed in the drivers/net/wireless/ath/ath6kl module. (bnc#1149527). - CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer module (bnc#1149522). - CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm module that could cause denial of service (bnc#1148394). - CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by a malicious USB device (bnc#1146519 1146524). - CVE-2019-15220: A use-after-free issue was fixed that could be caused by a malicious USB device (bnc#1146519 1146526). - CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146519 1146529). - CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi chip driver. That issue allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512). - CVE-2019-14815: A missing length check while parsing WMM IEs was fixed (bsc#1146512, bsc#1146514, bsc#1146516). - CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver was fixed. Local users would have abused this issue to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516). - CVE-2017-18509: An issue in net/ipv6 was fixed. By setting a specific socket option, an attacker could control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. (bnc#1145477) - CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. 
This allowed practical brute-force attacks (aka "KNOB") that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865). - CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was fixed (bnc#1146378). - CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe was fixed (bsc#1146378). - CVE-2019-15212: A double-free issue was fixed in drivers/usb driver (bnc#1146391). - CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc (bnc#1146584). - CVE-2019-15211: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/v4l2-core driver (bnc#1146519). - CVE-2019-15217: A NULL pointer dereference issue caused by a malicious USB device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519). - CVE-2019-15214: A use-after-free issue in the sound subsystem was fixed (bnc#1146519). - CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device was fixed in the drivers/media/usb/siano driver (bnc#1146413). - CVE-2019-15215: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/usb/cpia2 driver (bnc#1146425). - CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver (bnc#1146285). - CVE-2019-0154: An unprotected read access to i915 registers has been fixed that could have been abused to facilitate a local denial-of-service attack. (bsc#1135966) - CVE-2019-0155: A privilege escalation vulnerability has been fixed in the i915 module that allowed batch buffers from user mode to gain super user privileges. (bsc#1135967) - CVE-2019-16231: The fjes driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. 
(bnc#1150466) - CVE-2019-18805: Fix signed integer overflow in tcp_ack_update_rtt() that could have led to a denial of service or possibly unspecified other impact (bsc#1156187) - CVE-2019-18680: A NULL pointer dereference in rds_tcp_kill_sock() could cause denial of service (bnc#1155898) The following non-security bugs were fixed: - cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665). - documentation: Add ITLB_MULTIHIT documentation (bnc#1117665). - ib/core: Add mitigation for Spectre V1 (bsc#1155671) - ib/core: array_index_nospec: Sanitize speculative array (bsc#1155671) - ipv6: Update ipv6 defrag code (add bsc#1141054). - ksm: cleanup stable_node chain collapse case (bnc#1144338). - ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338). - ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338). - ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338). - ksm: swap the two output parameters of chain/chain_prune (bnc#1144338). - kvm kABI Fix for NX patches (bsc#1117665). - kvm: Convert kvm_lock to a mutex (bsc#1117665). - kvm: MMU: drop vcpu param in gpte_access (bsc#1117665). - kvm: MMU: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665). - kvm: MMU: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665). - kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665). - kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665). - kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665). - kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665). - kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665). - kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665). - kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665). 
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665). - kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665). - kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665). - kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665). - kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665). - kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665). - kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665). - kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665). - kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665). - kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665). - kvm: x86: simplify ept_misconfig (bsc#1117665). - media: smsusb: better handle optional alignment (bsc#1146413). - mm: use upstream patch for bsc#1106913 - scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) - x86/bugs: correctly force-disable IBRS on !SKL systems (bsc#1068032, bsc#1092497). - x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665). - x86/headers: Do not include asm/processor.h in asm/atomic.h (bsc#1150223). - x86/mitigations: Backport the STIBP pile See bsc#1139550 - xen-blkfront: avoid ENOMEM in blkif_recover after migration (bsc#1149849). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2984=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2984=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2984=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2984=1 - SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2019-2984=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): kernel-default-4.4.121-92.125.1 kernel-default-base-4.4.121-92.125.1 kernel-default-base-debuginfo-4.4.121-92.125.1 kernel-default-debuginfo-4.4.121-92.125.1 kernel-default-debugsource-4.4.121-92.125.1 kernel-default-devel-4.4.121-92.125.1 kernel-syms-4.4.121-92.125.1 - SUSE OpenStack Cloud 7 (noarch): kernel-devel-4.4.121-92.125.1 kernel-macros-4.4.121-92.125.1 kernel-source-4.4.121-92.125.1 - SUSE OpenStack Cloud 7 (s390x): kernel-default-man-4.4.121-92.125.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kernel-default-4.4.121-92.125.1 kernel-default-base-4.4.121-92.125.1 kernel-default-base-debuginfo-4.4.121-92.125.1 kernel-default-debuginfo-4.4.121-92.125.1 kernel-default-debugsource-4.4.121-92.125.1 kernel-default-devel-4.4.121-92.125.1 kernel-syms-4.4.121-92.125.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): kernel-devel-4.4.121-92.125.1 kernel-macros-4.4.121-92.125.1 kernel-source-4.4.121-92.125.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): kernel-default-4.4.121-92.125.1 kernel-default-base-4.4.121-92.125.1 kernel-default-base-debuginfo-4.4.121-92.125.1 kernel-default-debuginfo-4.4.121-92.125.1 kernel-default-debugsource-4.4.121-92.125.1 kernel-default-devel-4.4.121-92.125.1 kernel-syms-4.4.121-92.125.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): kernel-devel-4.4.121-92.125.1 kernel-macros-4.4.121-92.125.1 
kernel-source-4.4.121-92.125.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x): kernel-default-man-4.4.121-92.125.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): kernel-default-4.4.121-92.125.1 kernel-default-base-4.4.121-92.125.1 kernel-default-base-debuginfo-4.4.121-92.125.1 kernel-default-debuginfo-4.4.121-92.125.1 kernel-default-debugsource-4.4.121-92.125.1 kernel-default-devel-4.4.121-92.125.1 kernel-syms-4.4.121-92.125.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): kernel-devel-4.4.121-92.125.1 kernel-macros-4.4.121-92.125.1 kernel-source-4.4.121-92.125.1 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.121-92.125.1 cluster-md-kmp-default-debuginfo-4.4.121-92.125.1 cluster-network-kmp-default-4.4.121-92.125.1 cluster-network-kmp-default-debuginfo-4.4.121-92.125.1 dlm-kmp-default-4.4.121-92.125.1 dlm-kmp-default-debuginfo-4.4.121-92.125.1 gfs2-kmp-default-4.4.121-92.125.1 gfs2-kmp-default-debuginfo-4.4.121-92.125.1 kernel-default-debuginfo-4.4.121-92.125.1 kernel-default-debugsource-4.4.121-92.125.1 ocfs2-kmp-default-4.4.121-92.125.1 ocfs2-kmp-default-debuginfo-4.4.121-92.125.1 References: https://www.suse.com/security/cve/CVE-2016-10906.html https://www.suse.com/security/cve/CVE-2017-18509.html https://www.suse.com/security/cve/CVE-2017-18595.html https://www.suse.com/security/cve/CVE-2018-12207.html https://www.suse.com/security/cve/CVE-2018-20976.html https://www.suse.com/security/cve/CVE-2019-0154.html https://www.suse.com/security/cve/CVE-2019-0155.html https://www.suse.com/security/cve/CVE-2019-10220.html https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-13272.html https://www.suse.com/security/cve/CVE-2019-14814.html https://www.suse.com/security/cve/CVE-2019-14815.html https://www.suse.com/security/cve/CVE-2019-14816.html https://www.suse.com/security/cve/CVE-2019-14821.html https://www.suse.com/security/cve/CVE-2019-14835.html 
https://www.suse.com/security/cve/CVE-2019-15098.html https://www.suse.com/security/cve/CVE-2019-15211.html https://www.suse.com/security/cve/CVE-2019-15212.html https://www.suse.com/security/cve/CVE-2019-15214.html https://www.suse.com/security/cve/CVE-2019-15215.html https://www.suse.com/security/cve/CVE-2019-15216.html https://www.suse.com/security/cve/CVE-2019-15217.html https://www.suse.com/security/cve/CVE-2019-15218.html https://www.suse.com/security/cve/CVE-2019-15219.html https://www.suse.com/security/cve/CVE-2019-15220.html https://www.suse.com/security/cve/CVE-2019-15221.html https://www.suse.com/security/cve/CVE-2019-15290.html https://www.suse.com/security/cve/CVE-2019-15291.html https://www.suse.com/security/cve/CVE-2019-15505.html https://www.suse.com/security/cve/CVE-2019-15666.html https://www.suse.com/security/cve/CVE-2019-15807.html https://www.suse.com/security/cve/CVE-2019-15902.html https://www.suse.com/security/cve/CVE-2019-15924.html https://www.suse.com/security/cve/CVE-2019-15926.html https://www.suse.com/security/cve/CVE-2019-15927.html https://www.suse.com/security/cve/CVE-2019-16231.html https://www.suse.com/security/cve/CVE-2019-16232.html https://www.suse.com/security/cve/CVE-2019-16233.html https://www.suse.com/security/cve/CVE-2019-16234.html https://www.suse.com/security/cve/CVE-2019-16413.html https://www.suse.com/security/cve/CVE-2019-16995.html https://www.suse.com/security/cve/CVE-2019-17055.html https://www.suse.com/security/cve/CVE-2019-17056.html https://www.suse.com/security/cve/CVE-2019-17133.html https://www.suse.com/security/cve/CVE-2019-17666.html https://www.suse.com/security/cve/CVE-2019-18680.html https://www.suse.com/security/cve/CVE-2019-18805.html https://www.suse.com/security/cve/CVE-2019-9456.html https://www.suse.com/security/cve/CVE-2019-9506.html https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1084878 https://bugzilla.suse.com/1092497 https://bugzilla.suse.com/1106913 
https://bugzilla.suse.com/1117665 https://bugzilla.suse.com/1135966 https://bugzilla.suse.com/1135967 https://bugzilla.suse.com/1137865 https://bugzilla.suse.com/1139550 https://bugzilla.suse.com/1140671 https://bugzilla.suse.com/1141054 https://bugzilla.suse.com/1144338 https://bugzilla.suse.com/1144903 https://bugzilla.suse.com/1145477 https://bugzilla.suse.com/1146285 https://bugzilla.suse.com/1146361 https://bugzilla.suse.com/1146378 https://bugzilla.suse.com/1146391 https://bugzilla.suse.com/1146413 https://bugzilla.suse.com/1146425 https://bugzilla.suse.com/1146512 https://bugzilla.suse.com/1146514 https://bugzilla.suse.com/1146516 https://bugzilla.suse.com/1146519 https://bugzilla.suse.com/1146584 https://bugzilla.suse.com/1147122 https://bugzilla.suse.com/1148394 https://bugzilla.suse.com/1148938 https://bugzilla.suse.com/1149376 https://bugzilla.suse.com/1149522 https://bugzilla.suse.com/1149527 https://bugzilla.suse.com/1149555 https://bugzilla.suse.com/1149612 https://bugzilla.suse.com/1149849 https://bugzilla.suse.com/1150025 https://bugzilla.suse.com/1150112 https://bugzilla.suse.com/1150223 https://bugzilla.suse.com/1150452 https://bugzilla.suse.com/1150457 https://bugzilla.suse.com/1150465 https://bugzilla.suse.com/1150466 https://bugzilla.suse.com/1151347 https://bugzilla.suse.com/1151350 https://bugzilla.suse.com/1152685 https://bugzilla.suse.com/1152782 https://bugzilla.suse.com/1152788 https://bugzilla.suse.com/1153158 https://bugzilla.suse.com/1154372 https://bugzilla.suse.com/1155671 https://bugzilla.suse.com/1155898 https://bugzilla.suse.com/1156187 From sle-security-updates at lists.suse.com Fri Nov 15 07:19:49 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 15:19:49 +0100 (CET) Subject: SUSE-SU-2019:2981-1: important: Security update for ghostscript Message-ID: <20191115141949.EE060F798@maintenance.suse.de> SUSE Security Update: Security update for ghostscript 
______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2981-1 Rating: important References: #1156275 Cross-References: CVE-2019-14869 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ghostscript fixes the following issues: - CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed an attacker to gain high privileges by a specially crafted Postscript code (bsc#1156275). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2981=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2981=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2981=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2981=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ghostscript-mini-9.27-3.24.1 ghostscript-mini-debuginfo-9.27-3.24.1 ghostscript-mini-debugsource-9.27-3.24.1 ghostscript-mini-devel-9.27-3.24.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): ghostscript-mini-9.27-3.24.1 
ghostscript-mini-debuginfo-9.27-3.24.1 ghostscript-mini-debugsource-9.27-3.24.1 ghostscript-mini-devel-9.27-3.24.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): ghostscript-9.27-3.24.1 ghostscript-debuginfo-9.27-3.24.1 ghostscript-debugsource-9.27-3.24.1 ghostscript-devel-9.27-3.24.1 ghostscript-x11-9.27-3.24.1 ghostscript-x11-debuginfo-9.27-3.24.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): ghostscript-9.27-3.24.1 ghostscript-debuginfo-9.27-3.24.1 ghostscript-debugsource-9.27-3.24.1 ghostscript-devel-9.27-3.24.1 ghostscript-x11-9.27-3.24.1 ghostscript-x11-debuginfo-9.27-3.24.1 References: https://www.suse.com/security/cve/CVE-2019-14869.html https://bugzilla.suse.com/1156275 From sle-security-updates at lists.suse.com Fri Nov 15 07:20:40 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 15:20:40 +0100 (CET) Subject: SUSE-SU-2019:2983-1: important: Security update for ghostscript Message-ID: <20191115142040.16952F798@maintenance.suse.de> SUSE Security Update: Security update for ghostscript ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2983-1 Rating: important References: #1156275 Cross-References: CVE-2019-14869 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise 
Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ghostscript fixes the following issue: - CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed an attacker to gain high privileges by a specially crafted Postscript code (bsc#1156275). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2983=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2983=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2983=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2983=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2983=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2983=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2983=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2983=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2983=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2983=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2983=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2983=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2983=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2983=1 - SUSE Linux Enterprise Server 
12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2983=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2983=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-2983=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2983=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE OpenStack Cloud 8 (x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE OpenStack Cloud 7 (s390x x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-devel-9.27-23.31.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-devel-9.27-23.31.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 
ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 
ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 - HPE Helion Openstack 8 (x86_64): ghostscript-9.27-23.31.1 ghostscript-debuginfo-9.27-23.31.1 ghostscript-debugsource-9.27-23.31.1 ghostscript-x11-9.27-23.31.1 ghostscript-x11-debuginfo-9.27-23.31.1 References: https://www.suse.com/security/cve/CVE-2019-14869.html https://bugzilla.suse.com/1156275 From sle-security-updates at lists.suse.com Fri Nov 15 07:21:33 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 15:21:33 +0100 (CET) Subject: SUSE-SU-2019:2982-1: moderate: Security update for enigmail Message-ID: <20191115142133.4F3E2F798@maintenance.suse.de> SUSE Security Update: Security update for enigmail ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2982-1 Rating: moderate References: #1141025 #1151317 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Workstation Extension 15 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for enigmail fixes the following issues: - SeaMonkey is no longer supported. Update description and no longer put in SeaMonkey addons path (bsc#1151317) enigmail was updated to 2.1.2: * compatibility with Mozilla Thunderbird 68 * New simplified setup wizard * Full support for keys.openpgp.org * Default to ECC keys on GnuPG 2.1 or later * Autocrypt: implemented key-gossip and updates to known keys enigmail was updated to 2.0.12: * set the default keyserver to keys.openpgp.org in order to mitigate the SKS Keyserver Network Attack (bsc#1141025) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-2982=1 - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2019-2982=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): enigmail-2.1.2-3.19.1 - SUSE Linux Enterprise Workstation Extension 15 (x86_64): enigmail-2.1.2-3.19.1 References: https://bugzilla.suse.com/1141025 https://bugzilla.suse.com/1151317 From sle-security-updates at lists.suse.com Fri Nov 15 10:13:22 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 18:13:22 +0100 (CET) Subject: SUSE-SU-2019:2986-1: important: Security update for ucode-intel Message-ID: <20191115171322.74269F798@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2986-1 Rating: important References: #1139073 #1141035 #1155988 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for ucode-intel fixes the following issues: - Updated to 20191112 official security release (bsc#1155988) - Includes security fixes for: - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2986=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): ucode-intel-20191112a-3.31.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Fri Nov 15 10:12:19 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 18:12:19 +0100 (CET) Subject: SUSE-SU-2019:2988-1: important: Security update for ucode-intel Message-ID: <20191115171219.58F6DF798@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2988-1 Rating: important References: #1139073 #1141035 #1155988 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 SUSE CaaS Platform 3.0 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. 
Description: This update for ucode-intel fixes the following issues: - Updated to 20191112 official security release (bsc#1155988) - Includes security fixes for: - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2988=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2988=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2988=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2988=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2988=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2988=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2988=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2988=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2988=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2988=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2988=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2988=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2988=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-2988=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. 
It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-2988=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE OpenStack Cloud 8 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE OpenStack Cloud 7 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE 
Linux Enterprise Server 12-SP1-LTSS (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE Enterprise Storage 5 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - SUSE CaaS Platform 3.0 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 - HPE Helion Openstack 8 (x86_64): ucode-intel-20191112a-13.56.1 ucode-intel-debuginfo-20191112a-13.56.1 ucode-intel-debugsource-20191112a-13.56.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Fri Nov 15 10:16:11 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 18:16:11 +0100 (CET) Subject: SUSE-SU-2019:2989-1: moderate: Security update for slurm Message-ID: <20191115171611.88F36F798@maintenance.suse.de> SUSE Security Update: Security update for slurm ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2989-1 Rating: moderate References: #1140709 #1153095 #1153245 Cross-References: CVE-2019-12838 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for HPC 15-SP1 SUSE Linux Enterprise Module for HPC 15 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. 
Description: This update for slurm fixes the following issues: Security issue fixed: - CVE-2019-12838: Fixed an SQL injection (bsc#1140709). Non-security issue fixed: - Added X11-forwarding (bsc#1153245). - Moved srun from 'slurm' to 'slurm-node': srun is required on the nodes as well so sbatch will work. 'slurm-node' is a requirement when 'slurm' is installed (bsc#1153095). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2989=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2989=1 - SUSE Linux Enterprise Module for HPC 15-SP1: zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2019-2989=1 - SUSE Linux Enterprise Module for HPC 15: zypper in -t patch SUSE-SLE-Module-HPC-15-2019-2989=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le s390x): libslurm32-17.11.13-6.18.1 libslurm32-debuginfo-17.11.13-6.18.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): slurm-debuginfo-17.11.13-6.18.1 slurm-debugsource-17.11.13-6.18.1 slurm-openlava-17.11.13-6.18.1 slurm-seff-17.11.13-6.18.1 slurm-sjstat-17.11.13-6.18.1 slurm-sview-17.11.13-6.18.1 slurm-sview-debuginfo-17.11.13-6.18.1 - SUSE Linux Enterprise Module for HPC 15-SP1 (aarch64 x86_64): libslurm32-17.11.13-6.18.1 libslurm32-debuginfo-17.11.13-6.18.1 - SUSE Linux Enterprise Module for HPC 15 (aarch64 x86_64): libpmi0-17.11.13-6.18.1 libpmi0-debuginfo-17.11.13-6.18.1 libslurm32-17.11.13-6.18.1 libslurm32-debuginfo-17.11.13-6.18.1 perl-slurm-17.11.13-6.18.1 perl-slurm-debuginfo-17.11.13-6.18.1 slurm-17.11.13-6.18.1 
slurm-auth-none-17.11.13-6.18.1 slurm-auth-none-debuginfo-17.11.13-6.18.1 slurm-config-17.11.13-6.18.1 slurm-debuginfo-17.11.13-6.18.1 slurm-debugsource-17.11.13-6.18.1 slurm-devel-17.11.13-6.18.1 slurm-doc-17.11.13-6.18.1 slurm-lua-17.11.13-6.18.1 slurm-lua-debuginfo-17.11.13-6.18.1 slurm-munge-17.11.13-6.18.1 slurm-munge-debuginfo-17.11.13-6.18.1 slurm-node-17.11.13-6.18.1 slurm-node-debuginfo-17.11.13-6.18.1 slurm-pam_slurm-17.11.13-6.18.1 slurm-pam_slurm-debuginfo-17.11.13-6.18.1 slurm-plugins-17.11.13-6.18.1 slurm-plugins-debuginfo-17.11.13-6.18.1 slurm-slurmdbd-17.11.13-6.18.1 slurm-slurmdbd-debuginfo-17.11.13-6.18.1 slurm-sql-17.11.13-6.18.1 slurm-sql-debuginfo-17.11.13-6.18.1 slurm-torque-17.11.13-6.18.1 slurm-torque-debuginfo-17.11.13-6.18.1 References: https://www.suse.com/security/cve/CVE-2019-12838.html https://bugzilla.suse.com/1140709 https://bugzilla.suse.com/1153095 https://bugzilla.suse.com/1153245 From sle-security-updates at lists.suse.com Fri Nov 15 10:14:17 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 18:14:17 +0100 (CET) Subject: SUSE-SU-2019:2987-1: important: Security update for ucode-intel Message-ID: <20191115171417.05481F798@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2987-1 Rating: important References: #1139073 #1141035 #1155988 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. 
Description: This update for ucode-intel fixes the following issues: - Updated to 20191112 official security release (bsc#1155988) - Includes security fixes for: - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2987=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): ucode-intel-20191112a-3.13.2 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Fri Nov 15 10:15:12 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Nov 2019 18:15:12 +0100 (CET) Subject: SUSE-SU-2019:14220-1: important: Security update for microcode_ctl Message-ID: <20191115171512.E5393F798@maintenance.suse.de> SUSE Security Update: Security update for microcode_ctl ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14220-1 Rating: important References: #1139073 #1141035 #1155988 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. 
Description: This update for microcode_ctl fixes the following issues: - Updated to 20191112 official security release (bsc#1155988) - Includes security fixes for: - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-microcode_ctl-14220=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-microcode_ctl-14220=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): microcode_ctl-1.17-102.83.50.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): microcode_ctl-1.17-102.83.50.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 From sle-security-updates at lists.suse.com Mon Nov 18 10:12:21 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 Nov 2019 18:12:21 +0100 (CET) Subject: SUSE-SU-2019:2994-1: important: Security update for ceph Message-ID: <20191118171221.0554AF79E@maintenance.suse.de> SUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2994-1 Rating: important References: #1132767 #1134444 #1135584 #1137503 #1140491 #1141174 #1145093 #1145617 #1145618 #1145759 #1146656 #1147132 #1149093 #1150406 #1151439 #1151990 #1151991 #1151992 #1151993 #1151994 #1151995 #1152002 #1156282 Cross-References: CVE-2019-10222 Affected Products: SUSE Enterprise Storage 6 
______________________________________________________________________________ An update that solves one vulnerability and has 22 fixes is now available. Description: This update for ceph fixes the following issues: - A previous update introduced a regression with the potential to cause RocksDB data corruption in Nautilus (bsc#1156282). - Support for iSCSI target-level CHAP authentication was added (bsc#1145617). - Implemented validation and rendering of iSCSI controls based on "type" (bsc#1140491). - Fixed an error while editing iSCSI image advanced settings (bsc#1146656). - Fixed a ceph-volume regression. SES customers were never exposed to this regression (bsc#1132767). - Fixed a denial of service vulnerability where an unauthenticated client of Ceph Object Gateway could trigger a crash from an uncaught exception (bsc#1145093, CVE-2019-10222) - Nautilus-based librbd clients could not open images on Jewel clusters (bsc#1151994). - The RGW num_rados_handles has been removed (bsc#1151995). - "osd_deep_scrub_large_omap_object_key_threshold" has been lowered in Nautilus (bsc#1152002). - The ceph dashboard now supports silencing Prometheus notifications (bsc#1141174). - The no{up,down,in,out} related commands have been revamped (bsc#1151990). - Radosgw-admin got two new subcommands for managing expire-stale objects (bsc#1151991). - Deploying a single new BlueStore OSD on a cluster upgraded to SES6 from SES5 used to break pool utilization stats reported by ceph df (bsc#1151992). - Ceph clusters will issue a health warning if CRUSH tunables are older than "hammer" (bsc#1151993). - Ceph-volume prints errors to stdout with --format json (bsc#1132767). - Changing rgw-api-host in the dashboard does not get effective without disable/enable dashboard mgr module (bsc#1137503). - Silenced Alertmanager alerts in the dashboard (bsc#1141174). 
- Fixed e2e failures in the dashboard caused by webdriver version (bsc#1145759) - librbd always tries to acquire exclusive lock when removing an image (bsc#1149093). Fixes in ses-manual_en: - Added a new chapter with changelogs of Ceph releases. (bsc#1135584) - Rewrote rolling updates and replaced running stage.0 with manual commands to prevent infinite loop. (bsc#1134444) - Improved name of CaaSP to its fuller version. (bsc#1151439) - Verify which OSDs are going to be removed before running stage.5. (bsc#1150406) - Added two additional steps to recovering an OSD. (bsc#1147132) Fixes in ceph-iscsi: - Validate kernel LIO controls type and value (bsc#1140491) - TPG lun_id persistence (bsc#1145618) - Target level CHAP authentication (bsc#1145617) ceph-iscsi was updated to the upstream 3.2 release: - Always use host FQDN instead of shortname - Validate min/max value for target controls and rbd:user/tcmu-runner image controls (bsc#1140491) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2019-2994=1 Package List: - SUSE Enterprise Storage 6 (noarch): ceph-iscsi-3.3+1570532654.g93940a4-3.7.1 ses-admin_en-pdf-6+git145.1558531-3.17.1 ses-deployment_en-pdf-6+git145.1558531-3.17.1 ses-manual_en-6+git145.1558531-3.17.1 References: https://www.suse.com/security/cve/CVE-2019-10222.html https://bugzilla.suse.com/1132767 https://bugzilla.suse.com/1134444 https://bugzilla.suse.com/1135584 https://bugzilla.suse.com/1137503 https://bugzilla.suse.com/1140491 https://bugzilla.suse.com/1141174 https://bugzilla.suse.com/1145093 https://bugzilla.suse.com/1145617 https://bugzilla.suse.com/1145618 https://bugzilla.suse.com/1145759 https://bugzilla.suse.com/1146656 https://bugzilla.suse.com/1147132 https://bugzilla.suse.com/1149093 https://bugzilla.suse.com/1150406 https://bugzilla.suse.com/1151439 https://bugzilla.suse.com/1151990 https://bugzilla.suse.com/1151991 https://bugzilla.suse.com/1151992 https://bugzilla.suse.com/1151993 https://bugzilla.suse.com/1151994 https://bugzilla.suse.com/1151995 https://bugzilla.suse.com/1152002 https://bugzilla.suse.com/1156282 From sle-security-updates at lists.suse.com Mon Nov 18 13:11:14 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 Nov 2019 21:11:14 +0100 (CET) Subject: SUSE-SU-2019:3001-1: moderate: Security update for haproxy Message-ID: <20191118201114.BFE22F79E@maintenance.suse.de> SUSE Security Update: Security update for haproxy ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3001-1 Rating: moderate References: #1142529 Cross-References: CVE-2019-14241 Affected Products: SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 

Description:

   This update for haproxy to version 2.0.5+git0.d905f49a fixes the following
   issues:

   Security issue fixed:

   - CVE-2019-14241: Fixed a cookie memory corruption problem. (bsc#1142529)

   The update to 2.0.5 brings lots of features and bugfixes:

   - new internal native HTTP representation called HTX, was already in 1.9
     and is now enabled by default in 2.0
   - end-to-end HTTP/2 support including trailers and continuation frames, as
     needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using the H2
     preface;
   - server connection pooling and more advanced reuse, with ALPN protocol
     negotiation (already in 1.9)
   - layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers
     as well as on the frontend
   - much more scalable multi-threading, which is even enabled by default on
     platforms where it was successfully tested ; by default, as many threads
     are started as the number of CPUs haproxy is allowed to run on. This
     removes a lot of configuration burden in VMs and containers
   - automatic maxconn setting for the process and the frontends, directly
     based on the number of available FDs (easier configuration in containers
     and with systemd)
   - logging to stdout for use in containers and systemd (already in 1.9).
     Logs can now provide micro-second resolution for some events
   - peers now support SSL, declaration of multiple stick-tables directly in
     the peers section, and synchronization of server names, not just IDs
   - In master-worker mode, the master process now exposes its own CLI and
     can communicate with all other processes (including the stopping ones),
     even allowing to connect to their CLI and check their state. It is also
     possible to start some sidecar programs and monitor them from the
     master, and the master can automatically kill old processes that
     survived too many reloads
   - the incoming connections are load-balanced between all threads depending
     on their load to minimize the processing time and maximize the capacity
     (already in 1.9)
   - the SPOE connection load-balancing was significantly improved in order
     to reduce high percentiles of SPOA response time (already in 1.9)
   - the "random" load balancing algorithm and a power-of-two-choices variant
     were introduced
   - statistics improvements with per-thread counters for certain things, and
     a prometheus exporter for all our statistics;
   - lots of debugging help, it's easier to produce a core dump, there are
     new commands on the CLI to control various things, there is a watchdog
     to fail cleanly when a thread deadlock or a spinning task are detected,
     so overall it should provide a better experience in field and less round
     trips between users and developers (hence less stress during an
     incident).
   - all 3 device detection engines are now compatible with multi-threading
     and can be build-tested without any external dependencies
   - "do-resolve" http-request action to perform a DNS resolution on any
     sample, and resolvers now support relying on /etc/resolv.conf to match
     the local resolver
   - log sampling and balancing : it's now possible to send 1 log every 10 to
     a server, or to spread the logging load over multiple log servers;
   - a new SPOA agent (spoa_server) allows to interface haproxy with Python
     and Lua programs
   - support for Solaris' event ports (equivalent of kqueue or epoll) which
     will significantly improve the performance there when dealing with
     numerous connections
   - some warnings are now reported for some deprecated options that will be
     removed in 2.1. Since 2.0 is long term supported, there's no emergency
     to convert them, however if you see these warnings, you need to
     understand that you're among their extremely rare users and just because
     of this you may be taking risks by keeping them
   - A new SOCKS4 server-side layer was provided ; it allows outgoing
     connections to be forwarded through a SOCKS4 proxy (such as ssh -D).
   - priority- and latency- aware server queues : it is possible now to
     assign priorities to certain requests and/or to give them a time bonus
     or penalty to refine control of the traffic and be able to engage on
     SLAs.
   - internally the architecture was significantly redesigned to allow to
     further improve performance and make it easier to implement protocols
     that span over multiple layers (such as QUIC). This work started in 1.9
     and will continue with 2.1.
   - the I/O, applets and tasks now share the same multi-threaded scheduler,
     giving a much better responsiveness and fairness between all tasks as is
     visible with the CLI which always responds instantly even under extreme
     loads (started in 1.9)
   - the internal buffers were redesigned to ease zero-copy operations, so
     that it is possible to sustain a high bandwidth even when forwarding
     HTTP/1 to/from HTTP/2 (already in 1.9)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15-SP1:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2019-3001=1

Package List:

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

      haproxy-2.0.5+git0.d905f49a-8.3.5
      haproxy-debuginfo-2.0.5+git0.d905f49a-8.3.5
      haproxy-debugsource-2.0.5+git0.d905f49a-8.3.5

References:

   https://www.suse.com/security/cve/CVE-2019-14241.html
   https://bugzilla.suse.com/1142529

From sle-security-updates at lists.suse.com Mon Nov 18 13:12:03 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 Nov 2019 21:12:03 +0100 (CET)
Subject: SUSE-SU-2019:3002-1: moderate: Security update for haproxy
Message-ID: <20191118201203.7CBF9F79E@maintenance.suse.de>

   SUSE Security Update: Security update for haproxy
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3002-1
Rating:             moderate
References:         #1142529
Cross-References:   CVE-2019-14241
Affected Products:
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for haproxy to version 2.0.5+git0.d905f49a fixes the following
   issues:

   Security issue fixed:

   - CVE-2019-14241: Fixed a cookie memory corruption problem.
     (bsc#1142529)

   The update to 2.0.5 brings lots of features and bugfixes:

   - new internal native HTTP representation called HTX, was already in 1.9
     and is now enabled by default in 2.0
   - end-to-end HTTP/2 support including trailers and continuation frames, as
     needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using the H2
     preface;
   - server connection pooling and more advanced reuse, with ALPN protocol
     negotiation (already in 1.9)
   - layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers
     as well as on the frontend
   - much more scalable multi-threading, which is even enabled by default on
     platforms where it was successfully tested ; by default, as many threads
     are started as the number of CPUs haproxy is allowed to run on. This
     removes a lot of configuration burden in VMs and containers
   - automatic maxconn setting for the process and the frontends, directly
     based on the number of available FDs (easier configuration in containers
     and with systemd)
   - logging to stdout for use in containers and systemd (already in 1.9).
     Logs can now provide micro-second resolution for some events
   - peers now support SSL, declaration of multiple stick-tables directly in
     the peers section, and synchronization of server names, not just IDs
   - In master-worker mode, the master process now exposes its own CLI and
     can communicate with all other processes (including the stopping ones),
     even allowing to connect to their CLI and check their state. It is also
     possible to start some sidecar programs and monitor them from the
     master, and the master can automatically kill old processes that
     survived too many reloads
   - the incoming connections are load-balanced between all threads depending
     on their load to minimize the processing time and maximize the capacity
     (already in 1.9)
   - the SPOE connection load-balancing was significantly improved in order
     to reduce high percentiles of SPOA response time (already in 1.9)
   - the "random" load balancing algorithm and a power-of-two-choices variant
     were introduced
   - statistics improvements with per-thread counters for certain things, and
     a prometheus exporter for all our statistics;
   - lots of debugging help, it's easier to produce a core dump, there are
     new commands on the CLI to control various things, there is a watchdog
     to fail cleanly when a thread deadlock or a spinning task are detected,
     so overall it should provide a better experience in field and less round
     trips between users and developers (hence less stress during an
     incident).
   - all 3 device detection engines are now compatible with multi-threading
     and can be build-tested without any external dependencies
   - "do-resolve" http-request action to perform a DNS resolution on any
     sample, and resolvers now support relying on /etc/resolv.conf to match
     the local resolver
   - log sampling and balancing : it's now possible to send 1 log every 10 to
     a server, or to spread the logging load over multiple log servers;
   - a new SPOA agent (spoa_server) allows to interface haproxy with Python
     and Lua programs
   - support for Solaris' event ports (equivalent of kqueue or epoll) which
     will significantly improve the performance there when dealing with
     numerous connections
   - some warnings are now reported for some deprecated options that will be
     removed in 2.1. Since 2.0 is long term supported, there's no emergency
     to convert them, however if you see these warnings, you need to
     understand that you're among their extremely rare users and just because
     of this you may be taking risks by keeping them
   - A new SOCKS4 server-side layer was provided ; it allows outgoing
     connections to be forwarded through a SOCKS4 proxy (such as ssh -D).
   - priority- and latency- aware server queues : it is possible now to
     assign priorities to certain requests and/or to give them a time bonus
     or penalty to refine control of the traffic and be able to engage on
     SLAs.
   - internally the architecture was significantly redesigned to allow to
     further improve performance and make it easier to implement protocols
     that span over multiple layers (such as QUIC). This work started in 1.9
     and will continue with 2.1.
   - the I/O, applets and tasks now share the same multi-threaded scheduler,
     giving a much better responsiveness and fairness between all tasks as is
     visible with the CLI which always responds instantly even under extreme
     loads (started in 1.9)
   - the internal buffers were redesigned to ease zero-copy operations, so
     that it is possible to sustain a high bandwidth even when forwarding
     HTTP/1 to/from HTTP/2 (already in 1.9)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15:

      zypper in -t patch SUSE-SLE-Product-HA-15-2019-3002=1

Package List:

   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):

      haproxy-2.0.5+git0.d905f49a-3.12.6
      haproxy-debuginfo-2.0.5+git0.d905f49a-3.12.6
      haproxy-debugsource-2.0.5+git0.d905f49a-3.12.6

References:

   https://www.suse.com/security/cve/CVE-2019-14241.html
   https://bugzilla.suse.com/1142529

From sle-security-updates at lists.suse.com Mon Nov 18 13:15:02 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 Nov 2019 21:15:02 +0100 (CET)
Subject: SUSE-SU-2019:2997-1: moderate: Security update for ncurses
Message-ID: <20191118201502.D7F69F79E@maintenance.suse.de>

   SUSE Security Update: Security update for ncurses
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2997-1
Rating:             moderate
References:         #1103320 #1154036 #1154037
Cross-References:   CVE-2019-17594 CVE-2019-17595
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15-SP1
                    SUSE Linux Enterprise Module for Legacy Software 15
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for ncurses fixes the following issues:

   Security issues fixed:

   - CVE-2019-17594: Fixed a heap-based buffer over-read in the
     _nc_find_entry function (bsc#1154036).
   - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry
     function (bsc#1154037).

   Non-security issue fixed:

   - Removed screen.xterm from terminfo database (bsc#1103320).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2997=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2019-2997=1

   - SUSE Linux Enterprise Module for Legacy Software 15:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-2019-2997=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2997=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-2997=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2997=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2997=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      ncurses-debugsource-6.1-5.6.2
      ncurses5-devel-32bit-6.1-5.6.2

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):

      libncurses5-6.1-5.6.2
      libncurses5-debuginfo-6.1-5.6.2
      ncurses-debugsource-6.1-5.6.2
      ncurses5-devel-6.1-5.6.2

   - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (x86_64):

      libncurses5-32bit-6.1-5.6.2
      libncurses5-32bit-debuginfo-6.1-5.6.2

   - SUSE Linux Enterprise Module for Legacy Software 15 (aarch64 ppc64le s390x x86_64):

      libncurses5-6.1-5.6.2
      libncurses5-debuginfo-6.1-5.6.2
      ncurses-debugsource-6.1-5.6.2
      ncurses5-devel-6.1-5.6.2

   - SUSE Linux Enterprise Module for Legacy Software 15 (x86_64):

      libncurses5-32bit-6.1-5.6.2
      libncurses5-32bit-debuginfo-6.1-5.6.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64):

      ncurses-debugsource-6.1-5.6.2
      ncurses-devel-32bit-6.1-5.6.2
      ncurses-devel-32bit-debuginfo-6.1-5.6.2

   - SUSE Linux Enterprise Module for Development Tools 15 (x86_64):

      ncurses-debugsource-6.1-5.6.2
      ncurses-devel-32bit-6.1-5.6.2
      ncurses-devel-32bit-debuginfo-6.1-5.6.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libncurses6-6.1-5.6.2
      libncurses6-debuginfo-6.1-5.6.2
      ncurses-debugsource-6.1-5.6.2
      ncurses-devel-6.1-5.6.2
      ncurses-devel-debuginfo-6.1-5.6.2
      ncurses-utils-6.1-5.6.2
      ncurses-utils-debuginfo-6.1-5.6.2
      tack-6.1-5.6.2
      tack-debuginfo-6.1-5.6.2
      terminfo-6.1-5.6.2
      terminfo-base-6.1-5.6.2
      terminfo-iterm-6.1-5.6.2
      terminfo-screen-6.1-5.6.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libncurses6-32bit-6.1-5.6.2
      libncurses6-32bit-debuginfo-6.1-5.6.2

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libncurses6-6.1-5.6.2
      libncurses6-debuginfo-6.1-5.6.2
      ncurses-debugsource-6.1-5.6.2
      ncurses-devel-6.1-5.6.2
      ncurses-devel-debuginfo-6.1-5.6.2
      ncurses-utils-6.1-5.6.2
      ncurses-utils-debuginfo-6.1-5.6.2
      tack-6.1-5.6.2
      tack-debuginfo-6.1-5.6.2
      terminfo-6.1-5.6.2
      terminfo-base-6.1-5.6.2
      terminfo-iterm-6.1-5.6.2
      terminfo-screen-6.1-5.6.2

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):

      libncurses6-32bit-6.1-5.6.2
      libncurses6-32bit-debuginfo-6.1-5.6.2

References:

   https://www.suse.com/security/cve/CVE-2019-17594.html
   https://www.suse.com/security/cve/CVE-2019-17595.html
   https://bugzilla.suse.com/1103320
   https://bugzilla.suse.com/1154036
   https://bugzilla.suse.com/1154037

From sle-security-updates at lists.suse.com Mon Nov 18 13:16:03 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 Nov 2019 21:16:03 +0100 (CET)
Subject: SUSE-SU-2019:2998-1: important: Security update for java-11-openjdk
Message-ID: <20191118201603.E652AF79E@maintenance.suse.de>

   SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2998-1
Rating:             important
References:         #1152856 #1154212
Cross-References:   CVE-2019-2894 CVE-2019-2933 CVE-2019-2945
                    CVE-2019-2949 CVE-2019-2958 CVE-2019-2962
                    CVE-2019-2964 CVE-2019-2973 CVE-2019-2975
                    CVE-2019-2977 CVE-2019-2978 CVE-2019-2981
                    CVE-2019-2983 CVE-2019-2987 CVE-2019-2988
                    CVE-2019-2989 CVE-2019-2992 CVE-2019-2999
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   This update for java-11-openjdk to version jdk-11.0.5-10 fixes the
   following issues:

   Security issues fixed (October 2019 CPU bsc#1154212):

   - CVE-2019-2933: Windows file handling redux
   - CVE-2019-2945: Better socket support
   - CVE-2019-2949: Better Kerberos ccache handling
   - CVE-2019-2958: Build Better Processes
   - CVE-2019-2964: Better support for patterns
   - CVE-2019-2962: Better Glyph Images
   - CVE-2019-2973: Better pattern compilation
   - CVE-2019-2975: Unexpected exception in jjs
   - CVE-2019-2978: Improved handling of jar files
   - CVE-2019-2977: Improve String index handling
   - CVE-2019-2981: Better Path supports
   - CVE-2019-2983: Better serial attributes
   - CVE-2019-2987: Better rendering of native glyphs
   - CVE-2019-2988: Better Graphics2D drawing
   - CVE-2019-2989: Improve TLS connection support
   - CVE-2019-2992: Enhance font glyph mapping
   - CVE-2019-2999: Commentary on Javadoc comments
   - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2998=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2998=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2998=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2998=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      java-11-openjdk-accessibility-11.0.5.0-3.36.1
      java-11-openjdk-accessibility-debuginfo-11.0.5.0-3.36.1
      java-11-openjdk-debuginfo-11.0.5.0-3.36.1
      java-11-openjdk-debugsource-11.0.5.0-3.36.1
      java-11-openjdk-jmods-11.0.5.0-3.36.1
      java-11-openjdk-src-11.0.5.0-3.36.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

      java-11-openjdk-javadoc-11.0.5.0-3.36.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      java-11-openjdk-11.0.5.0-3.36.1
      java-11-openjdk-accessibility-11.0.5.0-3.36.1
      java-11-openjdk-accessibility-debuginfo-11.0.5.0-3.36.1
      java-11-openjdk-debuginfo-11.0.5.0-3.36.1
      java-11-openjdk-debugsource-11.0.5.0-3.36.1
      java-11-openjdk-demo-11.0.5.0-3.36.1
      java-11-openjdk-devel-11.0.5.0-3.36.1
      java-11-openjdk-headless-11.0.5.0-3.36.1
      java-11-openjdk-jmods-11.0.5.0-3.36.1
      java-11-openjdk-src-11.0.5.0-3.36.1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):

      java-11-openjdk-javadoc-11.0.5.0-3.36.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      java-11-openjdk-11.0.5.0-3.36.1
      java-11-openjdk-debuginfo-11.0.5.0-3.36.1
      java-11-openjdk-debugsource-11.0.5.0-3.36.1
      java-11-openjdk-demo-11.0.5.0-3.36.1
      java-11-openjdk-devel-11.0.5.0-3.36.1
      java-11-openjdk-headless-11.0.5.0-3.36.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      java-11-openjdk-11.0.5.0-3.36.1
      java-11-openjdk-debuginfo-11.0.5.0-3.36.1
      java-11-openjdk-debugsource-11.0.5.0-3.36.1
      java-11-openjdk-demo-11.0.5.0-3.36.1
      java-11-openjdk-devel-11.0.5.0-3.36.1
      java-11-openjdk-headless-11.0.5.0-3.36.1

References:

   https://www.suse.com/security/cve/CVE-2019-2894.html
   https://www.suse.com/security/cve/CVE-2019-2933.html
   https://www.suse.com/security/cve/CVE-2019-2945.html
   https://www.suse.com/security/cve/CVE-2019-2949.html
   https://www.suse.com/security/cve/CVE-2019-2958.html
   https://www.suse.com/security/cve/CVE-2019-2962.html
   https://www.suse.com/security/cve/CVE-2019-2964.html
   https://www.suse.com/security/cve/CVE-2019-2973.html
   https://www.suse.com/security/cve/CVE-2019-2975.html
   https://www.suse.com/security/cve/CVE-2019-2977.html
   https://www.suse.com/security/cve/CVE-2019-2978.html
   https://www.suse.com/security/cve/CVE-2019-2981.html
   https://www.suse.com/security/cve/CVE-2019-2983.html
   https://www.suse.com/security/cve/CVE-2019-2987.html
   https://www.suse.com/security/cve/CVE-2019-2988.html
   https://www.suse.com/security/cve/CVE-2019-2989.html
   https://www.suse.com/security/cve/CVE-2019-2992.html
   https://www.suse.com/security/cve/CVE-2019-2999.html
   https://bugzilla.suse.com/1152856
   https://bugzilla.suse.com/1154212

From sle-security-updates at lists.suse.com Wed Nov 20 10:14:46 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Nov 2019 18:14:46 +0100 (CET)
Subject: SUSE-SU-2019:3019-1: important: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP4)
Message-ID: <20191120171446.E444BF79E@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP4)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3019-1
Rating:             important
References:         #1153108
Cross-References:   CVE-2019-10220
Affected Products:
                    SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for the Linux Kernel 4.12.14-95_37 fixes one issue.

   The following security issue was fixed:

   - CVE-2019-10220: Added sanity checks on the pathnames passed to the user
     space (bsc#1153108).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2019-3019=1

Package List:

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):

      kgraft-patch-4_12_14-95_37-default-2-2.1

References:

   https://www.suse.com/security/cve/CVE-2019-10220.html
   https://bugzilla.suse.com/1153108

From sle-security-updates at lists.suse.com Thu Nov 21 07:13:40 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Nov 2019 15:13:40 +0100 (CET)
Subject: SUSE-SU-2019:3024-1: moderate: Security update for python-ecdsa
Message-ID: <20191121141340.874C4F79E@maintenance.suse.de>

   SUSE Security Update: Security update for python-ecdsa
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3024-1
Rating:             moderate
References:         #1153165 #1154217
Cross-References:   CVE-2019-14853 CVE-2019-14859
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Manager Server 3.2
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE CaaS Platform 3.0
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for python-ecdsa to version 0.13.3 fixes the following issues:

   Security issues fixed:

   - CVE-2019-14853: Fixed unexpected exceptions during signature decoding
     (bsc#1153165).
   - CVE-2019-14859: Fixed a signature malleability caused by insufficient
     checks of DER encoding (bsc#1154217).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-3024=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-3024=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2019-3024=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2019-3024=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3024=1

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2019-3024=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2019-3024=1

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2019-3024=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      python-ecdsa-0.13.3-5.10.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      python-ecdsa-0.13.3-5.10.1

   - SUSE OpenStack Cloud 9 (noarch):

      python-ecdsa-0.13.3-5.10.1

   - SUSE OpenStack Cloud 8 (noarch):

      python-ecdsa-0.13.3-5.10.1

   - SUSE OpenStack Cloud 7 (noarch):

      python-ecdsa-0.13.3-5.10.1

   - SUSE Manager Server 3.2 (noarch):

      python-ecdsa-0.13.3-5.10.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      python-ecdsa-0.13.3-5.10.1
      python3-ecdsa-0.13.3-5.10.1

   - SUSE CaaS Platform 3.0 (noarch):

      python-ecdsa-0.13.3-5.10.1

   - HPE Helion Openstack 8 (noarch):

      python-ecdsa-0.13.3-5.10.1

References:

   https://www.suse.com/security/cve/CVE-2019-14853.html
   https://www.suse.com/security/cve/CVE-2019-14859.html
   https://bugzilla.suse.com/1153165
   https://bugzilla.suse.com/1154217

From sle-security-updates at lists.suse.com Thu Nov 21 19:11:48 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 Nov 2019 03:11:48 +0100 (CET)
Subject: SUSE-SU-2019:3030-1: important: Security update for cups
Message-ID: <20191122021148.3118CF798@maintenance.suse.de>

   SUSE Security Update: Security update for cups
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3030-1
Rating:             important
References:         #1146358 #1146359
Cross-References:   CVE-2019-8675 CVE-2019-8696
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Desktop Applications 15
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for cups fixes the following issues:

   - CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type
     function (bsc#1146358).
   - CVE-2019-8696: Fixed a stack buffer overflow in libcups's
     asn1_get_packed function (bsc#1146359).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3030=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-3030=1

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-3030=1

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-3030=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3030=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3030=1

Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      cups-debugsource-2.2.7-3.14.1
      cups-devel-32bit-2.2.7-3.14.1
      libcupscgi1-32bit-2.2.7-3.14.1
      libcupscgi1-32bit-debuginfo-2.2.7-3.14.1
      libcupsimage2-32bit-2.2.7-3.14.1
      libcupsimage2-32bit-debuginfo-2.2.7-3.14.1
      libcupsmime1-32bit-2.2.7-3.14.1
      libcupsmime1-32bit-debuginfo-2.2.7-3.14.1
      libcupsppdc1-32bit-2.2.7-3.14.1
      libcupsppdc1-32bit-debuginfo-2.2.7-3.14.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      cups-ddk-2.2.7-3.14.1
      cups-ddk-debuginfo-2.2.7-3.14.1
      cups-debuginfo-2.2.7-3.14.1
      cups-debugsource-2.2.7-3.14.1

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      cups-ddk-2.2.7-3.14.1
      cups-ddk-debuginfo-2.2.7-3.14.1
      cups-debuginfo-2.2.7-3.14.1
      cups-debugsource-2.2.7-3.14.1

   - SUSE Linux Enterprise Module for Desktop Applications 15 (x86_64):

      cups-debugsource-2.2.7-3.14.1
      libcups2-32bit-2.2.7-3.14.1
      libcups2-32bit-debuginfo-2.2.7-3.14.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      cups-2.2.7-3.14.1
      cups-client-2.2.7-3.14.1
      cups-client-debuginfo-2.2.7-3.14.1
      cups-config-2.2.7-3.14.1
      cups-debuginfo-2.2.7-3.14.1
      cups-debugsource-2.2.7-3.14.1
      cups-devel-2.2.7-3.14.1
      libcups2-2.2.7-3.14.1
      libcups2-debuginfo-2.2.7-3.14.1
      libcupscgi1-2.2.7-3.14.1
      libcupscgi1-debuginfo-2.2.7-3.14.1
      libcupsimage2-2.2.7-3.14.1
      libcupsimage2-debuginfo-2.2.7-3.14.1
      libcupsmime1-2.2.7-3.14.1
      libcupsmime1-debuginfo-2.2.7-3.14.1
      libcupsppdc1-2.2.7-3.14.1
      libcupsppdc1-debuginfo-2.2.7-3.14.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      libcups2-32bit-2.2.7-3.14.1
      libcups2-32bit-debuginfo-2.2.7-3.14.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      cups-2.2.7-3.14.1
      cups-client-2.2.7-3.14.1
      cups-client-debuginfo-2.2.7-3.14.1
      cups-config-2.2.7-3.14.1
      cups-debuginfo-2.2.7-3.14.1
      cups-debugsource-2.2.7-3.14.1
      cups-devel-2.2.7-3.14.1
      libcups2-2.2.7-3.14.1
      libcups2-debuginfo-2.2.7-3.14.1
      libcupscgi1-2.2.7-3.14.1
      libcupscgi1-debuginfo-2.2.7-3.14.1
      libcupsimage2-2.2.7-3.14.1
      libcupsimage2-debuginfo-2.2.7-3.14.1
      libcupsmime1-2.2.7-3.14.1
      libcupsmime1-debuginfo-2.2.7-3.14.1
      libcupsppdc1-2.2.7-3.14.1
      libcupsppdc1-debuginfo-2.2.7-3.14.1

   - SUSE Linux Enterprise Module for Basesystem 15 (x86_64):

      libcups2-32bit-2.2.7-3.14.1
      libcups2-32bit-debuginfo-2.2.7-3.14.1

References:

   https://www.suse.com/security/cve/CVE-2019-8675.html
   https://www.suse.com/security/cve/CVE-2019-8696.html
   https://bugzilla.suse.com/1146358
   https://bugzilla.suse.com/1146359

From sle-security-updates at lists.suse.com Thu Nov 21 19:12:39 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 Nov 2019 03:12:39 +0100 (CET)
Subject: SUSE-SU-2019:3034-1: moderate: Security update for aspell
Message-ID: <20191122021239.AFEABF798@maintenance.suse.de>

   SUSE Security Update: Security update for aspell
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3034-1
Rating:             moderate
References:         #1153892
Cross-References:   CVE-2019-17544
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for aspell fixes the following issues:

   - CVE-2019-17544: Fixed a stack-based buffer over-read in acommon:unescape
     in common/getdata.cpp via an isolated backslash (bsc#1153892).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3034=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3034=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3034=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3034=1

   - SUSE Linux Enterprise Desktop 12-SP4:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3034=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      aspell-debuginfo-0.60.6.1-18.3.1
      aspell-debugsource-0.60.6.1-18.3.1
      aspell-devel-0.60.6.1-18.3.1
      libpspell15-0.60.6.1-18.3.1
      libpspell15-debuginfo-0.60.6.1-18.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      aspell-debuginfo-0.60.6.1-18.3.1
      aspell-debugsource-0.60.6.1-18.3.1
      aspell-devel-0.60.6.1-18.3.1
      libpspell15-0.60.6.1-18.3.1
      libpspell15-debuginfo-0.60.6.1-18.3.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      aspell-0.60.6.1-18.3.1
      aspell-debuginfo-0.60.6.1-18.3.1
      aspell-debugsource-0.60.6.1-18.3.1
      aspell-ispell-0.60.6.1-18.3.1
      libaspell15-0.60.6.1-18.3.1
      libaspell15-debuginfo-0.60.6.1-18.3.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libaspell15-32bit-0.60.6.1-18.3.1
      libaspell15-debuginfo-32bit-0.60.6.1-18.3.1

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      aspell-0.60.6.1-18.3.1
      aspell-debuginfo-0.60.6.1-18.3.1
      aspell-debugsource-0.60.6.1-18.3.1
      aspell-ispell-0.60.6.1-18.3.1
      libaspell15-0.60.6.1-18.3.1
      libaspell15-debuginfo-0.60.6.1-18.3.1

   - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

      libaspell15-32bit-0.60.6.1-18.3.1
      libaspell15-debuginfo-32bit-0.60.6.1-18.3.1

   - SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

      aspell-0.60.6.1-18.3.1
      aspell-debuginfo-0.60.6.1-18.3.1
      aspell-debugsource-0.60.6.1-18.3.1
libaspell15-0.60.6.1-18.3.1 libaspell15-32bit-0.60.6.1-18.3.1 libaspell15-debuginfo-0.60.6.1-18.3.1 libaspell15-debuginfo-32bit-0.60.6.1-18.3.1 References: https://www.suse.com/security/cve/CVE-2019-17544.html https://bugzilla.suse.com/1153892 From sle-security-updates at lists.suse.com Thu Nov 21 19:13:25 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 22 Nov 2019 03:13:25 +0100 (CET) Subject: SUSE-SU-2019:3033-1: moderate: Security update for djvulibre Message-ID: <20191122021325.DDCB3F798@maintenance.suse.de> SUSE Security Update: Security update for djvulibre ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3033-1 Rating: moderate References: #1154401 #1156188 Cross-References: CVE-2019-18804 Affected Products: SUSE Linux Enterprise Module for Packagehub Subpackages 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for djvulibre fixes the following issues: Security issue fixed: - CVE-2019-18804: Fixed a null pointer dereference (bsc#1156188). Other issue addressed: - Fixed a crash when mmx was enabled (bsc#1154401) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Packagehub Subpackages 15: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2019-3033=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3033=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3033=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-3033=1 - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-3033=1 Package List: - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (aarch64 ppc64le s390x x86_64): djvulibre-3.5.27-3.8.1 djvulibre-debuginfo-3.5.27-3.8.1 djvulibre-debugsource-3.5.27-3.8.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): djvulibre-3.5.27-3.8.1 djvulibre-debuginfo-3.5.27-3.8.1 djvulibre-debugsource-3.5.27-3.8.1 djvulibre-doc-3.5.27-3.8.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): djvulibre-3.5.27-3.8.1 djvulibre-debuginfo-3.5.27-3.8.1 djvulibre-debugsource-3.5.27-3.8.1 djvulibre-doc-3.5.27-3.8.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.27-3.8.1 djvulibre-debugsource-3.5.27-3.8.1 libdjvulibre-devel-3.5.27-3.8.1 libdjvulibre21-3.5.27-3.8.1 libdjvulibre21-debuginfo-3.5.27-3.8.1 - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.27-3.8.1 djvulibre-debugsource-3.5.27-3.8.1 libdjvulibre-devel-3.5.27-3.8.1 libdjvulibre21-3.5.27-3.8.1 libdjvulibre21-debuginfo-3.5.27-3.8.1 References: 
https://www.suse.com/security/cve/CVE-2019-18804.html https://bugzilla.suse.com/1154401 https://bugzilla.suse.com/1156188 From sle-security-updates at lists.suse.com Thu Nov 21 19:14:16 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 22 Nov 2019 03:14:16 +0100 (CET) Subject: SUSE-SU-2019:3032-1: moderate: Security update for dpdk Message-ID: <20191122021416.B3562F798@maintenance.suse.de> SUSE Security Update: Security update for dpdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3032-1 Rating: moderate References: #1156146 Cross-References: CVE-2019-14818 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for dpdk to version 17.11.7 fixes the following issues: - CVE-2019-14818: Fixed a memory leak vulnerability caused by a malicious container that may lead to denial of service (bsc#1156146). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3032=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3032=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le x86_64): dpdk-debuginfo-17.11.7-5.3.2 dpdk-debugsource-17.11.7-5.3.2 dpdk-devel-17.11.7-5.3.2 dpdk-devel-debuginfo-17.11.7-5.3.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64): dpdk-thunderx-debuginfo-17.11.7-5.3.2 dpdk-thunderx-debugsource-17.11.7-5.3.2 dpdk-thunderx-devel-17.11.7-5.3.2 dpdk-thunderx-devel-debuginfo-17.11.7-5.3.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le x86_64): dpdk-17.11.7-5.3.2 dpdk-debuginfo-17.11.7-5.3.2 dpdk-debugsource-17.11.7-5.3.2 dpdk-tools-17.11.7-5.3.2 dpdk-tools-debuginfo-17.11.7-5.3.2 libdpdk-17_11-17.11.7-5.3.2 libdpdk-17_11-debuginfo-17.11.7-5.3.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64): dpdk-thunderx-17.11.7-5.3.2 dpdk-thunderx-debuginfo-17.11.7-5.3.2 dpdk-thunderx-debugsource-17.11.7-5.3.2 dpdk-thunderx-kmp-default-17.11.7_k4.12.14_95.37-5.3.2 dpdk-thunderx-kmp-default-debuginfo-17.11.7_k4.12.14_95.37-5.3.2 - SUSE Linux Enterprise Server 12-SP4 (x86_64): dpdk-kmp-default-17.11.7_k4.12.14_95.37-5.3.2 dpdk-kmp-default-debuginfo-17.11.7_k4.12.14_95.37-5.3.2 References: https://www.suse.com/security/cve/CVE-2019-14818.html https://bugzilla.suse.com/1156146 From sle-security-updates at lists.suse.com Mon Nov 25 10:15:12 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 18:15:12 +0100 (CET) Subject: SUSE-SU-2019:3044-1: important: Security update for webkit2gtk3 Message-ID: <20191125171512.26C40F79E@maintenance.suse.de> SUSE Security Update: Security update for webkit2gtk3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3044-1 
Rating: important References: #1155321 #1156318 Cross-References: CVE-2019-8551 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 CVE-2019-8625 CVE-2019-8674 CVE-2019-8681 CVE-2019-8684 CVE-2019-8686 CVE-2019-8687 CVE-2019-8688 CVE-2019-8689 CVE-2019-8690 CVE-2019-8707 CVE-2019-8710 CVE-2019-8719 CVE-2019-8720 CVE-2019-8726 CVE-2019-8733 CVE-2019-8735 CVE-2019-8743 CVE-2019-8763 CVE-2019-8764 CVE-2019-8765 CVE-2019-8766 CVE-2019-8768 CVE-2019-8769 CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 CVE-2019-8821 CVE-2019-8822 CVE-2019-8823 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes 42 vulnerabilities is now available. Description: This update for webkit2gtk3 to version 2.26.2 fixes the following issues: Webkit2gtk3 was updated to version 2.26.2 (WSA-2019-0005 and WSA-2019-0006, bsc#1155321 bsc#1156318) Security issues addressed: - CVE-2019-8625: Fixed a logic issue whereby processing maliciously crafted web content may lead to universal cross site scripting. - CVE-2019-8674: Fixed a logic issue whereby processing maliciously crafted web content may lead to universal cross site scripting. - CVE-2019-8707: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8719: Fixed a logic issue whereby processing maliciously crafted web content may lead to universal cross site scripting. 
- CVE-2019-8720: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8726: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8733: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8735: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8763: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8768: Fixed an issue where a user may be unable to delete browsing history items. - CVE-2019-8769: Fixed an issue where a maliciously crafted website may reveal browsing history. - CVE-2019-8771: Fixed an issue where maliciously crafted web content may violate iframe sandboxing policy. - CVE-2019-8710: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8743: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8764: Fixed a logic issue whereby processing maliciously crafted web content may lead to universal cross site scripting. - CVE-2019-8765: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8766: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8782: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. 
- CVE-2019-8783: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8808: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8811: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8812: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8813: Fixed a logic issue whereby processing maliciously crafted web content may lead to universal cross site scripting. - CVE-2019-8814: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8815: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8816: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8819: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8820: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8821: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8822: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. - CVE-2019-8823: Fixed multiple memory corruption issues whereby processing maliciously crafted web content may lead to arbitrary code execution. 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3044=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3044=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-3044=1 - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-3044=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3044=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3044=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): webkit-jsc-4-2.26.2-3.34.3 webkit-jsc-4-debuginfo-2.26.2-3.34.3 webkit2gtk3-debugsource-2.26.2-3.34.3 webkit2gtk3-minibrowser-2.26.2-3.34.3 webkit2gtk3-minibrowser-debuginfo-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libjavascriptcoregtk-4_0-18-32bit-2.26.2-3.34.3 libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.26.2-3.34.3 libwebkit2gtk-4_0-37-32bit-2.26.2-3.34.3 libwebkit2gtk-4_0-37-32bit-debuginfo-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): webkit-jsc-4-2.26.2-3.34.3 webkit-jsc-4-debuginfo-2.26.2-3.34.3 webkit2gtk3-debugsource-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): typelib-1_0-JavaScriptCore-4_0-2.26.2-3.34.3 typelib-1_0-WebKit2-4_0-2.26.2-3.34.3 
typelib-1_0-WebKit2WebExtension-4_0-2.26.2-3.34.3 webkit2gtk3-debugsource-2.26.2-3.34.3 webkit2gtk3-devel-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): typelib-1_0-JavaScriptCore-4_0-2.26.2-3.34.3 typelib-1_0-WebKit2-4_0-2.26.2-3.34.3 typelib-1_0-WebKit2WebExtension-4_0-2.26.2-3.34.3 webkit2gtk3-debugsource-2.26.2-3.34.3 webkit2gtk3-devel-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.26.2-3.34.3 libjavascriptcoregtk-4_0-18-debuginfo-2.26.2-3.34.3 libwebkit2gtk-4_0-37-2.26.2-3.34.3 libwebkit2gtk-4_0-37-debuginfo-2.26.2-3.34.3 webkit2gtk-4_0-injected-bundles-2.26.2-3.34.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.26.2-3.34.3 webkit2gtk3-debugsource-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): libwebkit2gtk3-lang-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.26.2-3.34.3 libjavascriptcoregtk-4_0-18-debuginfo-2.26.2-3.34.3 libwebkit2gtk-4_0-37-2.26.2-3.34.3 libwebkit2gtk-4_0-37-debuginfo-2.26.2-3.34.3 webkit2gtk-4_0-injected-bundles-2.26.2-3.34.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.26.2-3.34.3 webkit2gtk3-debugsource-2.26.2-3.34.3 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): libwebkit2gtk3-lang-2.26.2-3.34.3 References: https://www.suse.com/security/cve/CVE-2019-8551.html https://www.suse.com/security/cve/CVE-2019-8558.html https://www.suse.com/security/cve/CVE-2019-8559.html https://www.suse.com/security/cve/CVE-2019-8563.html https://www.suse.com/security/cve/CVE-2019-8625.html https://www.suse.com/security/cve/CVE-2019-8674.html https://www.suse.com/security/cve/CVE-2019-8681.html https://www.suse.com/security/cve/CVE-2019-8684.html https://www.suse.com/security/cve/CVE-2019-8686.html https://www.suse.com/security/cve/CVE-2019-8687.html https://www.suse.com/security/cve/CVE-2019-8688.html 
https://www.suse.com/security/cve/CVE-2019-8689.html https://www.suse.com/security/cve/CVE-2019-8690.html https://www.suse.com/security/cve/CVE-2019-8707.html https://www.suse.com/security/cve/CVE-2019-8710.html https://www.suse.com/security/cve/CVE-2019-8719.html https://www.suse.com/security/cve/CVE-2019-8720.html https://www.suse.com/security/cve/CVE-2019-8726.html https://www.suse.com/security/cve/CVE-2019-8733.html https://www.suse.com/security/cve/CVE-2019-8735.html https://www.suse.com/security/cve/CVE-2019-8743.html https://www.suse.com/security/cve/CVE-2019-8763.html https://www.suse.com/security/cve/CVE-2019-8764.html https://www.suse.com/security/cve/CVE-2019-8765.html https://www.suse.com/security/cve/CVE-2019-8766.html https://www.suse.com/security/cve/CVE-2019-8768.html https://www.suse.com/security/cve/CVE-2019-8769.html https://www.suse.com/security/cve/CVE-2019-8771.html https://www.suse.com/security/cve/CVE-2019-8782.html https://www.suse.com/security/cve/CVE-2019-8783.html https://www.suse.com/security/cve/CVE-2019-8808.html https://www.suse.com/security/cve/CVE-2019-8811.html https://www.suse.com/security/cve/CVE-2019-8812.html https://www.suse.com/security/cve/CVE-2019-8813.html https://www.suse.com/security/cve/CVE-2019-8814.html https://www.suse.com/security/cve/CVE-2019-8815.html https://www.suse.com/security/cve/CVE-2019-8816.html https://www.suse.com/security/cve/CVE-2019-8819.html https://www.suse.com/security/cve/CVE-2019-8820.html https://www.suse.com/security/cve/CVE-2019-8821.html https://www.suse.com/security/cve/CVE-2019-8822.html https://www.suse.com/security/cve/CVE-2019-8823.html https://bugzilla.suse.com/1155321 https://bugzilla.suse.com/1156318 From sle-security-updates at lists.suse.com Mon Nov 25 10:16:09 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 18:16:09 +0100 (CET) Subject: SUSE-SU-2019:3046-1: moderate: Security update for bluez Message-ID: 
<20191125171609.1B77BF79E@maintenance.suse.de> SUSE Security Update: Security update for bluez ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3046-1 Rating: moderate References: #1013712 Cross-References: CVE-2016-9798 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for bluez fixes the following issues: - CVE-2016-9798: Fixed a use-after-free in conf_opt() (bsc#1013712). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-3046=1 - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2019-3046=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3046=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3046=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-3046=1 - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-3046=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3046=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3046=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): bluez-cups-5.48-5.19.1 bluez-cups-debuginfo-5.48-5.19.1 bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 - SUSE Linux Enterprise Workstation Extension 15 (x86_64): bluez-cups-5.48-5.19.1 bluez-cups-debuginfo-5.48-5.19.1 bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 bluez-test-5.48-5.19.1 bluez-test-debuginfo-5.48-5.19.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): bluez-devel-32bit-5.48-5.19.1 libbluetooth3-32bit-5.48-5.19.1 libbluetooth3-32bit-debuginfo-5.48-5.19.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): bluez-auto-enable-devices-5.48-5.19.1 - SUSE Linux 
Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 bluez-test-5.48-5.19.1 bluez-test-debuginfo-5.48-5.19.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): bluez-auto-enable-devices-5.48-5.19.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): bluez-5.48-5.19.1 bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 bluez-devel-5.48-5.19.1 - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): bluez-5.48-5.19.1 bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 bluez-devel-5.48-5.19.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 libbluetooth3-5.48-5.19.1 libbluetooth3-debuginfo-5.48-5.19.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.48-5.19.1 bluez-debugsource-5.48-5.19.1 libbluetooth3-5.48-5.19.1 libbluetooth3-debuginfo-5.48-5.19.1 References: https://www.suse.com/security/cve/CVE-2016-9798.html https://bugzilla.suse.com/1013712 From sle-security-updates at lists.suse.com Mon Nov 25 10:12:04 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 18:12:04 +0100 (CET) Subject: SUSE-SU-2019:14226-1: moderate: Security update for libssh2_org Message-ID: <20191125171204.3C406F79E@maintenance.suse.de> SUSE Security Update: Security update for libssh2_org ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14226-1 Rating: moderate References: #1154862 Cross-References: CVE-2019-17498 Affected Products: SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes one 
vulnerability is now available. Description: This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-libssh2_org-14226=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-libssh2_org-14226=1 Package List: - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libssh2-1-1.2.9-4.2.12.18.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): libssh2_org-debuginfo-1.2.9-4.2.12.18.1 libssh2_org-debugsource-1.2.9-4.2.12.18.1 References: https://www.suse.com/security/cve/CVE-2019-17498.html https://bugzilla.suse.com/1154862 From sle-security-updates at lists.suse.com Mon Nov 25 13:14:00 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 21:14:00 +0100 (CET) Subject: SUSE-SU-2019:14227-1: important: Security update for sqlite3 Message-ID: <20191125201400.56276F79E@maintenance.suse.de> SUSE Security Update: Security update for sqlite3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14227-1 Rating: important References: #1155787 Cross-References: CVE-2017-2518 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for sqlite3 fixes the following issues: - CVE-2017-2518: Fixed a use-after-free vulnerability which could have led to buffer overflow via a crafted SQL statement (bsc#1155787). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-sqlite3-14227=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-sqlite3-14227=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-sqlite3-14227=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): libsqlite3-0-3.7.6.3-1.4.7.12.1 sqlite3-3.7.6.3-1.4.7.12.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): libsqlite3-0-32bit-3.7.6.3-1.4.7.12.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libsqlite3-0-3.7.6.3-1.4.7.12.1 sqlite3-3.7.6.3-1.4.7.12.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): sqlite3-debuginfo-3.7.6.3-1.4.7.12.1 References: https://www.suse.com/security/cve/CVE-2017-2518.html https://bugzilla.suse.com/1155787 From sle-security-updates at lists.suse.com Mon Nov 25 13:14:46 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 21:14:46 +0100 (CET) Subject: SUSE-SU-2019:3050-1: important: Security update for sqlite3 Message-ID: <20191125201446.C948CF79E@maintenance.suse.de> SUSE Security Update: Security update for sqlite3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3050-1 Rating: important References: #1155787 Cross-References: CVE-2017-2518 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 
12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 SUSE CaaS Platform 3.0 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for sqlite3 fixes the following issues: - CVE-2017-2518: Fixed a use-after-free vulnerability which could have led to buffer overflow via a crafted SQL statement (bsc#1155787). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-3050=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-3050=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3050=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3050=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3050=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-3050=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-3050=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-3050=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3050=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3050=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-3050=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-3050=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-3050=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-3050=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-3050=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3050=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-3050=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-3050=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE OpenStack Cloud 8 (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 sqlite3-devel-3.8.10.2-9.15.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 sqlite3-devel-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 
libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise 
Server 12-SP2-LTSS (s390x x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - SUSE Enterprise Storage 5 (x86_64): libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 - SUSE CaaS Platform 3.0 (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 - HPE Helion Openstack 8 (x86_64): libsqlite3-0-3.8.10.2-9.15.1 libsqlite3-0-32bit-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-3.8.10.2-9.15.1 libsqlite3-0-debuginfo-32bit-3.8.10.2-9.15.1 sqlite3-3.8.10.2-9.15.1 sqlite3-debuginfo-3.8.10.2-9.15.1 sqlite3-debugsource-3.8.10.2-9.15.1 References: https://www.suse.com/security/cve/CVE-2017-2518.html https://bugzilla.suse.com/1155787 From sle-security-updates at lists.suse.com Mon Nov 25 
13:13:18 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 25 Nov 2019 21:13:18 +0100 (CET)
Subject: SUSE-SU-2019:14230-1: important: Security update for mailman
Message-ID: <20191125201318.C665BF79E@maintenance.suse.de>

SUSE Security Update: Security update for mailman
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:14230-1
Rating: important
References: #1154328
Cross-References: CVE-2019-3693
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
  SUSE Linux Enterprise Point of Sale 11-SP3
  SUSE Linux Enterprise Debuginfo 11-SP4
  SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for mailman fixes the following issues:

- CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-mailman-14230=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
  zypper in -t patch sleposp3-mailman-14230=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-mailman-14230=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
  zypper in -t patch dbgsp3-mailman-14230=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  mailman-2.1.15-9.6.15.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  mailman-2.1.15-9.6.15.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  mailman-debuginfo-2.1.15-9.6.15.1
  mailman-debugsource-2.1.15-9.6.15.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
  mailman-debuginfo-2.1.15-9.6.15.1
  mailman-debugsource-2.1.15-9.6.15.1

References:

https://www.suse.com/security/cve/CVE-2019-3693.html
https://bugzilla.suse.com/1154328

From sle-security-updates at lists.suse.com Mon Nov 25 13:15:34 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 25 Nov 2019 21:15:34 +0100 (CET)
Subject: SUSE-SU-2019:3053-1: moderate: Security update for clamav
Message-ID: <20191125201534.7DAF8F79E@maintenance.suse.de>

SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:3053-1
Rating: moderate
References: #1144504 #1149458 #1151839
Cross-References: CVE-2019-12625 CVE-2019-12900
Affected Products:
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.
Description:

This update for clamav fixes the following issues:

Security issue fixed:

- CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).

Non-security issues fixed:

- Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).
- Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3053=1
- SUSE Linux Enterprise Module for Basesystem 15:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3053=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  clamav-0.100.3-3.14.1
  clamav-debuginfo-0.100.3-3.14.1
  clamav-debugsource-0.100.3-3.14.1
  clamav-devel-0.100.3-3.14.1
  libclamav7-0.100.3-3.14.1
  libclamav7-debuginfo-0.100.3-3.14.1
  libclammspack0-0.100.3-3.14.1
  libclammspack0-debuginfo-0.100.3-3.14.1
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
  clamav-0.100.3-3.14.1
  clamav-debuginfo-0.100.3-3.14.1
  clamav-debugsource-0.100.3-3.14.1
  clamav-devel-0.100.3-3.14.1
  libclamav7-0.100.3-3.14.1
  libclamav7-debuginfo-0.100.3-3.14.1
  libclammspack0-0.100.3-3.14.1
  libclammspack0-debuginfo-0.100.3-3.14.1

References:

https://www.suse.com/security/cve/CVE-2019-12625.html
https://www.suse.com/security/cve/CVE-2019-12900.html
https://bugzilla.suse.com/1144504
https://bugzilla.suse.com/1149458
https://bugzilla.suse.com/1151839

From
sle-security-updates at lists.suse.com Mon Nov 25 13:18:10 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 25 Nov 2019 21:18:10 +0100 (CET)
Subject: SUSE-SU-2019:3057-1: important: Security update for cups
Message-ID: <20191125201810.85F9AF79E@maintenance.suse.de>

SUSE Security Update: Security update for cups
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:3057-1
Rating: important
References: #1146358 #1146359
Cross-References: CVE-2019-8675 CVE-2019-8696
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Server 12-SP1-LTSS
  SUSE Linux Enterprise Desktop 12-SP4
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for cups fixes the following issues:

- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function (bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-3057=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-3057=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3057=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3057=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3057=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-3057=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-3057=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-3057=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3057=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3057=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-3057=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-3057=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-3057=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-3057=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-3057=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3057=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-3057=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-3057=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 
cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE OpenStack Cloud 8 (x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE OpenStack Cloud 7 (s390x x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): cups-ddk-1.7.5-20.26.1 cups-ddk-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-devel-1.7.5-20.26.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): cups-ddk-1.7.5-20.26.1 cups-ddk-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-devel-1.7.5-20.26.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server for SAP 12-SP1 
(x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 
cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 - SUSE Enterprise Storage 5 (x86_64): cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 - HPE Helion Openstack 8 (x86_64): cups-1.7.5-20.26.1 cups-client-1.7.5-20.26.1 cups-client-debuginfo-1.7.5-20.26.1 cups-debuginfo-1.7.5-20.26.1 cups-debugsource-1.7.5-20.26.1 cups-libs-1.7.5-20.26.1 cups-libs-32bit-1.7.5-20.26.1 cups-libs-debuginfo-1.7.5-20.26.1 cups-libs-debuginfo-32bit-1.7.5-20.26.1 References: https://www.suse.com/security/cve/CVE-2019-8675.html https://www.suse.com/security/cve/CVE-2019-8696.html 
https://bugzilla.suse.com/1146358
https://bugzilla.suse.com/1146359

From sle-security-updates at lists.suse.com Mon Nov 25 13:16:31 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 25 Nov 2019 21:16:31 +0100 (CET)
Subject: SUSE-SU-2019:3060-1: moderate: Security update for libpng16
Message-ID: <20191125201631.7197CF79E@maintenance.suse.de>

SUSE Security Update: Security update for libpng16
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:3060-1
Rating: moderate
References: #1124211 #1141493
Cross-References: CVE-2017-12652 CVE-2019-7317
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Desktop 12-SP4
  SUSE CaaS Platform 3.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3060=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3060=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-3060=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3060=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3060=1
- SUSE Linux Enterprise Desktop 12-SP4:
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3060=1
- SUSE CaaS Platform 3.0:
  To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  libpng16-compat-devel-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
  libpng16-devel-1.6.8-15.5.2
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  libpng16-compat-devel-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
  libpng16-devel-1.6.8-15.5.2
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-32bit-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-16-debuginfo-32bit-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2
- SUSE CaaS Platform 3.0 (x86_64):
  libpng16-16-1.6.8-15.5.2
  libpng16-16-debuginfo-1.6.8-15.5.2
  libpng16-debugsource-1.6.8-15.5.2

References:

https://www.suse.com/security/cve/CVE-2017-12652.html
https://www.suse.com/security/cve/CVE-2019-7317.html
https://bugzilla.suse.com/1124211
https://bugzilla.suse.com/1141493

From sle-security-updates at lists.suse.com Mon Nov 25 13:19:46 2019
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 25 Nov 2019 21:19:46 +0100 (CET)
Subject: SUSE-SU-2019:3061-1: moderate: Security update for gcc9
Message-ID: <20191125201946.B8C44F79E@maintenance.suse.de>

SUSE Security Update: Security update for gcc9
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:3061-1
Rating: moderate
References: #1114592 #1135254 #1141897 #1142649 #1142654 #1148517 #1149145
Cross-References: CVE-2019-14250 CVE-2019-15847
Affected Products:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
  SUSE Linux Enterprise Module for Development Tools 15-SP1
  SUSE Linux Enterprise Module for Development Tools 15
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that solves two vulnerabilities and has 5 fixes is now available.

Description:

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:

https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install "gcc9" or "gcc9-c++" or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3061=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3061=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-3061=1
- SUSE Linux Enterprise Module for Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-3061=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3061=1
- SUSE Linux Enterprise Module for Basesystem 15:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3061=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  gcc9-debuginfo-9.2.1+r275327-1.3.7
  gcc9-debugsource-9.2.1+r275327-1.3.7
gcc9-go-9.2.1+r275327-1.3.7 gcc9-go-debuginfo-9.2.1+r275327-1.3.7 libgo14-9.2.1+r275327-1.3.7 libgo14-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x x86_64): gcc9-fortran-32bit-9.2.1+r275327-1.3.7 gcc9-go-32bit-9.2.1+r275327-1.3.7 libgo14-32bit-9.2.1+r275327-1.3.7 libgo14-32bit-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x): gcc9-ada-32bit-9.2.1+r275327-1.3.7 libada9-32bit-9.2.1+r275327-1.3.7 libada9-32bit-debuginfo-9.2.1+r275327-1.3.7 libgfortran5-32bit-9.2.1+r275327-1.3.7 libgfortran5-32bit-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (s390x): libatomic1-32bit-9.2.1+r275327-1.3.7 libgcc_s1-32bit-9.2.1+r275327-1.3.7 libgomp1-32bit-9.2.1+r275327-1.3.7 libitm1-32bit-9.2.1+r275327-1.3.7 libstdc++6-32bit-9.2.1+r275327-1.3.7 libstdc++6-devel-gcc9-32bit-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): cpp9-9.2.1+r275327-1.3.7 cpp9-debuginfo-9.2.1+r275327-1.3.7 gcc9-9.2.1+r275327-1.3.7 gcc9-ada-9.2.1+r275327-1.3.7 gcc9-ada-debuginfo-9.2.1+r275327-1.3.7 gcc9-c++-9.2.1+r275327-1.3.7 gcc9-c++-debuginfo-9.2.1+r275327-1.3.7 gcc9-debuginfo-9.2.1+r275327-1.3.7 gcc9-debugsource-9.2.1+r275327-1.3.7 gcc9-fortran-9.2.1+r275327-1.3.7 gcc9-fortran-debuginfo-9.2.1+r275327-1.3.7 gcc9-go-9.2.1+r275327-1.3.7 gcc9-go-debuginfo-9.2.1+r275327-1.3.7 gcc9-locale-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le x86_64): libada9-9.2.1+r275327-1.3.7 libada9-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x): libstdc++6-devel-gcc9-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (s390x x86_64): gcc9-32bit-9.2.1+r275327-1.3.7 gcc9-ada-32bit-9.2.1+r275327-1.3.7 gcc9-c++-32bit-9.2.1+r275327-1.3.7 
gcc9-fortran-32bit-9.2.1+r275327-1.3.7 gcc9-go-32bit-9.2.1+r275327-1.3.7 libstdc++6-devel-gcc9-32bit-9.2.1+r275327-1.3.7 libstdc++6-pp-gcc9-32bit-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): gcc9-info-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64): libada9-32bit-9.2.1+r275327-1.3.7 libada9-32bit-debuginfo-9.2.1+r275327-1.3.7 libatomic1-32bit-9.2.1+r275327-1.3.7 libatomic1-32bit-debuginfo-9.2.1+r275327-1.3.7 libubsan1-32bit-9.2.1+r275327-1.3.7 libubsan1-32bit-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (s390x): libstdc++6-pp-gcc9-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): cpp9-9.2.1+r275327-1.3.7 cpp9-debuginfo-9.2.1+r275327-1.3.7 gcc9-9.2.1+r275327-1.3.7 gcc9-ada-9.2.1+r275327-1.3.7 gcc9-ada-debuginfo-9.2.1+r275327-1.3.7 gcc9-c++-9.2.1+r275327-1.3.7 gcc9-c++-debuginfo-9.2.1+r275327-1.3.7 gcc9-debuginfo-9.2.1+r275327-1.3.7 gcc9-debugsource-9.2.1+r275327-1.3.7 gcc9-fortran-9.2.1+r275327-1.3.7 gcc9-fortran-debuginfo-9.2.1+r275327-1.3.7 gcc9-go-9.2.1+r275327-1.3.7 gcc9-go-debuginfo-9.2.1+r275327-1.3.7 gcc9-locale-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le x86_64): libada9-9.2.1+r275327-1.3.7 libada9-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15 (s390x x86_64): gcc9-32bit-9.2.1+r275327-1.3.7 gcc9-ada-32bit-9.2.1+r275327-1.3.7 gcc9-c++-32bit-9.2.1+r275327-1.3.7 gcc9-fortran-32bit-9.2.1+r275327-1.3.7 gcc9-go-32bit-9.2.1+r275327-1.3.7 libstdc++6-devel-gcc9-32bit-9.2.1+r275327-1.3.7 libstdc++6-pp-gcc9-32bit-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15 (noarch): gcc9-info-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15 (x86_64): libada9-32bit-9.2.1+r275327-1.3.7 libada9-32bit-debuginfo-9.2.1+r275327-1.3.7 
libatomic1-32bit-9.2.1+r275327-1.3.7 libatomic1-32bit-debuginfo-9.2.1+r275327-1.3.7 libubsan1-32bit-9.2.1+r275327-1.3.7 libubsan1-32bit-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Development Tools 15 (s390x): libstdc++6-devel-gcc9-9.2.1+r275327-1.3.7 libstdc++6-pp-gcc9-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): gcc9-debuginfo-9.2.1+r275327-1.3.7 gcc9-debugsource-9.2.1+r275327-1.3.7 libada9-9.2.1+r275327-1.3.7 libada9-debuginfo-9.2.1+r275327-1.3.7 libasan5-9.2.1+r275327-1.3.7 libasan5-debuginfo-9.2.1+r275327-1.3.7 libatomic1-9.2.1+r275327-1.3.7 libatomic1-debuginfo-9.2.1+r275327-1.3.7 libgcc_s1-9.2.1+r275327-1.3.7 libgcc_s1-debuginfo-9.2.1+r275327-1.3.7 libgfortran5-9.2.1+r275327-1.3.7 libgfortran5-debuginfo-9.2.1+r275327-1.3.7 libgo14-9.2.1+r275327-1.3.7 libgo14-debuginfo-9.2.1+r275327-1.3.7 libgomp1-9.2.1+r275327-1.3.7 libgomp1-debuginfo-9.2.1+r275327-1.3.7 libitm1-9.2.1+r275327-1.3.7 libitm1-debuginfo-9.2.1+r275327-1.3.7 libstdc++6-9.2.1+r275327-1.3.7 libstdc++6-debuginfo-9.2.1+r275327-1.3.7 libstdc++6-devel-gcc9-9.2.1+r275327-1.3.7 libstdc++6-locale-9.2.1+r275327-1.3.7 libstdc++6-pp-gcc9-9.2.1+r275327-1.3.7 libubsan1-9.2.1+r275327-1.3.7 libubsan1-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le x86_64): liblsan0-9.2.1+r275327-1.3.7 liblsan0-debuginfo-9.2.1+r275327-1.3.7 libtsan0-9.2.1+r275327-1.3.7 libtsan0-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (ppc64le x86_64): libquadmath0-9.2.1+r275327-1.3.7 libquadmath0-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x x86_64): libada9-32bit-9.2.1+r275327-1.3.7 libada9-32bit-debuginfo-9.2.1+r275327-1.3.7 libasan5-32bit-9.2.1+r275327-1.3.7 libasan5-32bit-debuginfo-9.2.1+r275327-1.3.7 libatomic1-32bit-9.2.1+r275327-1.3.7 libatomic1-32bit-debuginfo-9.2.1+r275327-1.3.7 libgcc_s1-32bit-9.2.1+r275327-1.3.7 
libgcc_s1-32bit-debuginfo-9.2.1+r275327-1.3.7 libgfortran5-32bit-9.2.1+r275327-1.3.7 libgfortran5-32bit-debuginfo-9.2.1+r275327-1.3.7 libgo14-32bit-9.2.1+r275327-1.3.7 libgo14-32bit-debuginfo-9.2.1+r275327-1.3.7 libgomp1-32bit-9.2.1+r275327-1.3.7 libgomp1-32bit-debuginfo-9.2.1+r275327-1.3.7 libitm1-32bit-9.2.1+r275327-1.3.7 libitm1-32bit-debuginfo-9.2.1+r275327-1.3.7 libstdc++6-32bit-9.2.1+r275327-1.3.7 libstdc++6-32bit-debuginfo-9.2.1+r275327-1.3.7 libubsan1-32bit-9.2.1+r275327-1.3.7 libubsan1-32bit-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libquadmath0-32bit-9.2.1+r275327-1.3.7 libquadmath0-32bit-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): gcc9-debuginfo-9.2.1+r275327-1.3.7 gcc9-debugsource-9.2.1+r275327-1.3.7 libada9-9.2.1+r275327-1.3.7 libada9-debuginfo-9.2.1+r275327-1.3.7 libasan5-9.2.1+r275327-1.3.7 libasan5-debuginfo-9.2.1+r275327-1.3.7 libatomic1-9.2.1+r275327-1.3.7 libatomic1-debuginfo-9.2.1+r275327-1.3.7 libgcc_s1-9.2.1+r275327-1.3.7 libgcc_s1-debuginfo-9.2.1+r275327-1.3.7 libgfortran5-9.2.1+r275327-1.3.7 libgfortran5-debuginfo-9.2.1+r275327-1.3.7 libgo14-9.2.1+r275327-1.3.7 libgo14-debuginfo-9.2.1+r275327-1.3.7 libgomp1-9.2.1+r275327-1.3.7 libgomp1-debuginfo-9.2.1+r275327-1.3.7 libitm1-9.2.1+r275327-1.3.7 libitm1-debuginfo-9.2.1+r275327-1.3.7 libstdc++6-9.2.1+r275327-1.3.7 libstdc++6-debuginfo-9.2.1+r275327-1.3.7 libstdc++6-devel-gcc9-9.2.1+r275327-1.3.7 libstdc++6-locale-9.2.1+r275327-1.3.7 libstdc++6-pp-gcc9-9.2.1+r275327-1.3.7 libubsan1-9.2.1+r275327-1.3.7 libubsan1-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le x86_64): liblsan0-9.2.1+r275327-1.3.7 liblsan0-debuginfo-9.2.1+r275327-1.3.7 libtsan0-9.2.1+r275327-1.3.7 libtsan0-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15 (ppc64le x86_64): libquadmath0-9.2.1+r275327-1.3.7 
libquadmath0-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15 (s390x x86_64): libada9-32bit-9.2.1+r275327-1.3.7 libada9-32bit-debuginfo-9.2.1+r275327-1.3.7 libasan5-32bit-9.2.1+r275327-1.3.7 libasan5-32bit-debuginfo-9.2.1+r275327-1.3.7 libatomic1-32bit-9.2.1+r275327-1.3.7 libatomic1-32bit-debuginfo-9.2.1+r275327-1.3.7 libgcc_s1-32bit-9.2.1+r275327-1.3.7 libgcc_s1-32bit-debuginfo-9.2.1+r275327-1.3.7 libgfortran5-32bit-9.2.1+r275327-1.3.7 libgfortran5-32bit-debuginfo-9.2.1+r275327-1.3.7 libgo14-32bit-9.2.1+r275327-1.3.7 libgo14-32bit-debuginfo-9.2.1+r275327-1.3.7 libgomp1-32bit-9.2.1+r275327-1.3.7 libgomp1-32bit-debuginfo-9.2.1+r275327-1.3.7 libitm1-32bit-9.2.1+r275327-1.3.7 libitm1-32bit-debuginfo-9.2.1+r275327-1.3.7 libstdc++6-32bit-9.2.1+r275327-1.3.7 libstdc++6-32bit-debuginfo-9.2.1+r275327-1.3.7 libubsan1-32bit-9.2.1+r275327-1.3.7 libubsan1-32bit-debuginfo-9.2.1+r275327-1.3.7 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libquadmath0-32bit-9.2.1+r275327-1.3.7 libquadmath0-32bit-debuginfo-9.2.1+r275327-1.3.7 References: https://www.suse.com/security/cve/CVE-2019-14250.html https://www.suse.com/security/cve/CVE-2019-15847.html https://bugzilla.suse.com/1114592 https://bugzilla.suse.com/1135254 https://bugzilla.suse.com/1141897 https://bugzilla.suse.com/1142649 https://bugzilla.suse.com/1142654 https://bugzilla.suse.com/1148517 https://bugzilla.suse.com/1149145 From sle-security-updates at lists.suse.com Mon Nov 25 13:21:17 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 21:21:17 +0100 (CET) Subject: SUSE-SU-2019:3056-1: important: Security update for strongswan Message-ID: <20191125202117.9D913F79E@maintenance.suse.de> SUSE Security Update: Security update for strongswan ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3056-1 Rating: important References: #1093536 #1094462 #1107874 #1109845 
Cross-References: CVE-2018-10811 CVE-2018-16151 CVE-2018-16152 CVE-2018-17540 CVE-2018-5388 Affected Products: SUSE Linux Enterprise Module for Packagehub Subpackages 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for strongswan fixes the following issues: Security issues fixed: - CVE-2018-5388: Fixed a buffer underflow which may allow a remote attacker with local user credentials to cause resource exhaustion and denial of service while reading from the socket (bsc#1094462). - CVE-2018-10811: Fixed a denial of service during the IKEv2 key derivation if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF (bsc#1093536). - CVE-2018-16151,CVE-2018-16152: Fixed multiple flaws in the gmp plugin which might lead to authorization bypass (bsc#1107874). - CVE-2018-17540: Fixed an improper input validation in gmp plugin (bsc#1109845). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Packagehub Subpackages 15: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2019-3056=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3056=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3056=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3056=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3056=1 Package List: - SUSE Linux Enterprise Module for Packagehub Subpackages 15 (aarch64 ppc64le s390x x86_64): strongswan-debuginfo-5.6.0-4.3.2 strongswan-debugsource-5.6.0-4.3.2 strongswan-nm-5.6.0-4.3.2 strongswan-nm-debuginfo-5.6.0-4.3.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): strongswan-debuginfo-5.6.0-4.3.2 strongswan-debugsource-5.6.0-4.3.2 strongswan-mysql-5.6.0-4.3.2 strongswan-mysql-debuginfo-5.6.0-4.3.2 strongswan-nm-5.6.0-4.3.2 strongswan-nm-debuginfo-5.6.0-4.3.2 strongswan-sqlite-5.6.0-4.3.2 strongswan-sqlite-debuginfo-5.6.0-4.3.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): strongswan-debuginfo-5.6.0-4.3.2 strongswan-debugsource-5.6.0-4.3.2 strongswan-mysql-5.6.0-4.3.2 strongswan-mysql-debuginfo-5.6.0-4.3.2 strongswan-nm-5.6.0-4.3.2 strongswan-nm-debuginfo-5.6.0-4.3.2 strongswan-sqlite-5.6.0-4.3.2 strongswan-sqlite-debuginfo-5.6.0-4.3.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): strongswan-5.6.0-4.3.2 strongswan-debuginfo-5.6.0-4.3.2 strongswan-debugsource-5.6.0-4.3.2 strongswan-hmac-5.6.0-4.3.2 strongswan-ipsec-5.6.0-4.3.2 strongswan-ipsec-debuginfo-5.6.0-4.3.2 
strongswan-libs0-5.6.0-4.3.2 strongswan-libs0-debuginfo-5.6.0-4.3.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): strongswan-doc-5.6.0-4.3.2 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): strongswan-5.6.0-4.3.2 strongswan-debuginfo-5.6.0-4.3.2 strongswan-debugsource-5.6.0-4.3.2 strongswan-hmac-5.6.0-4.3.2 strongswan-ipsec-5.6.0-4.3.2 strongswan-ipsec-debuginfo-5.6.0-4.3.2 strongswan-libs0-5.6.0-4.3.2 strongswan-libs0-debuginfo-5.6.0-4.3.2 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): strongswan-doc-5.6.0-4.3.2 References: https://www.suse.com/security/cve/CVE-2018-10811.html https://www.suse.com/security/cve/CVE-2018-16151.html https://www.suse.com/security/cve/CVE-2018-16152.html https://www.suse.com/security/cve/CVE-2018-17540.html https://www.suse.com/security/cve/CVE-2018-5388.html https://bugzilla.suse.com/1093536 https://bugzilla.suse.com/1094462 https://bugzilla.suse.com/1107874 https://bugzilla.suse.com/1109845 From sle-security-updates at lists.suse.com Mon Nov 25 13:22:25 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 21:22:25 +0100 (CET) Subject: SUSE-SU-2019:3059-1: moderate: Security update for cpio Message-ID: <20191125202225.88CF8F79E@maintenance.suse.de> SUSE Security Update: Security update for cpio ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3059-1 Rating: moderate References: #1155199 Cross-References: CVE-2019-14866 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3059=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3059=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): cpio-2.12-3.3.1 cpio-debuginfo-2.12-3.3.1 cpio-debugsource-2.12-3.3.1 cpio-mt-2.12-3.3.1 cpio-mt-debuginfo-2.12-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): cpio-lang-2.12-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): cpio-2.12-3.3.1 cpio-debuginfo-2.12-3.3.1 cpio-debugsource-2.12-3.3.1 cpio-mt-2.12-3.3.1 cpio-mt-debuginfo-2.12-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): cpio-lang-2.12-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-14866.html https://bugzilla.suse.com/1155199 From sle-security-updates at lists.suse.com Mon Nov 25 13:24:28 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 21:24:28 +0100 (CET) Subject: SUSE-SU-2019:14229-1: important: Security update for cups Message-ID: <20191125202428.1211BF79E@maintenance.suse.de> SUSE Security Update: Security update for cups ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14229-1 Rating: important References: #1146358 #1146359 #959478 Cross-References: CVE-2019-8675 CVE-2019-8696 Affected Products: SUSE Linux 
Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for cups fixes the following issues: - CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function (bsc#1146358). - CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359). - Fixed a double free which was triggered by Java application (bsc#959478). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-cups-14229=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-cups-14229=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-cups-14229=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-cups-14229=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): cups-1.3.9-8.46.56.8.1 cups-client-1.3.9-8.46.56.8.1 cups-libs-1.3.9-8.46.56.8.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): cups-libs-32bit-1.3.9-8.46.56.8.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): cups-1.3.9-8.46.56.8.1 cups-client-1.3.9-8.46.56.8.1 cups-libs-1.3.9-8.46.56.8.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): cups-debuginfo-1.3.9-8.46.56.8.1 cups-debugsource-1.3.9-8.46.56.8.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): cups-debuginfo-1.3.9-8.46.56.8.1 cups-debugsource-1.3.9-8.46.56.8.1 References: https://www.suse.com/security/cve/CVE-2019-8675.html https://www.suse.com/security/cve/CVE-2019-8696.html 
https://bugzilla.suse.com/1146358 https://bugzilla.suse.com/1146359 https://bugzilla.suse.com/959478 From sle-security-updates at lists.suse.com Mon Nov 25 13:23:39 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 21:23:39 +0100 (CET) Subject: SUSE-SU-2019:14228-1: important: Security update for sqlite3 Message-ID: <20191125202339.E1CDAF79E@maintenance.suse.de> SUSE Security Update: Security update for sqlite3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14228-1 Rating: important References: #1085790 #1155787 Cross-References: CVE-2017-2518 CVE-2018-8740 Affected Products: SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for sqlite3 fixes the following issues: - CVE-2017-2518: Fixed a use-after-free vulnerability which could have led to buffer overflow via a crafted SQL statement (bsc#1155787). - CVE-2018-8740: Fixed a null pointer dereference caused when CREATE TABLE AS statement is used (bsc#1085790). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-sqlite3-14228=1 Package List: - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): sqlite3-debugsource-3.6.4-4.8.1 References: https://www.suse.com/security/cve/CVE-2017-2518.html https://www.suse.com/security/cve/CVE-2018-8740.html https://bugzilla.suse.com/1085790 https://bugzilla.suse.com/1155787 From sle-security-updates at lists.suse.com Mon Nov 25 13:27:57 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 25 Nov 2019 21:27:57 +0100 (CET) Subject: SUSE-SU-2019:3058-1: moderate: Security update for tiff Message-ID: <20191125202757.40D8DF79E@maintenance.suse.de> SUSE Security Update: Security update for tiff ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3058-1 Rating: moderate References: #1108606 #1121626 #1125113 #1146608 #983268 Cross-References: CVE-2016-5102 CVE-2018-17000 CVE-2019-14973 CVE-2019-6128 CVE-2019-7663 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2019-14973: Fixed an improper check which depended on the compiler and could have led to integer overflow (bsc#1146608). - CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268). - CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606). - CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626). 
- CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3058=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3058=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3058=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3058=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3058=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libtiff-devel-4.0.9-44.42.1 tiff-debuginfo-4.0.9-44.42.1 tiff-debugsource-4.0.9-44.42.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libtiff-devel-4.0.9-44.42.1 tiff-debuginfo-4.0.9-44.42.1 tiff-debugsource-4.0.9-44.42.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libtiff5-4.0.9-44.42.1 libtiff5-debuginfo-4.0.9-44.42.1 tiff-4.0.9-44.42.1 tiff-debuginfo-4.0.9-44.42.1 tiff-debugsource-4.0.9-44.42.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libtiff5-32bit-4.0.9-44.42.1 libtiff5-debuginfo-32bit-4.0.9-44.42.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libtiff5-4.0.9-44.42.1 libtiff5-debuginfo-4.0.9-44.42.1 tiff-4.0.9-44.42.1 tiff-debuginfo-4.0.9-44.42.1 tiff-debugsource-4.0.9-44.42.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libtiff5-32bit-4.0.9-44.42.1 libtiff5-debuginfo-32bit-4.0.9-44.42.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libtiff5-32bit-4.0.9-44.42.1 libtiff5-4.0.9-44.42.1 
libtiff5-debuginfo-32bit-4.0.9-44.42.1 libtiff5-debuginfo-4.0.9-44.42.1 tiff-debuginfo-4.0.9-44.42.1 tiff-debugsource-4.0.9-44.42.1 References: https://www.suse.com/security/cve/CVE-2016-5102.html https://www.suse.com/security/cve/CVE-2018-17000.html https://www.suse.com/security/cve/CVE-2019-14973.html https://www.suse.com/security/cve/CVE-2019-6128.html https://www.suse.com/security/cve/CVE-2019-7663.html https://bugzilla.suse.com/1108606 https://bugzilla.suse.com/1121626 https://bugzilla.suse.com/1125113 https://bugzilla.suse.com/1146608 https://bugzilla.suse.com/983268 From sle-security-updates at lists.suse.com Mon Nov 25 16:11:21 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 00:11:21 +0100 (CET) Subject: SUSE-SU-2019:3064-1: moderate: Security update for cpio Message-ID: <20191125231121.43CEEF79E@maintenance.suse.de> SUSE Security Update: Security update for cpio ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3064-1 Rating: moderate References: #1155199 Cross-References: CVE-2019-14866 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3064=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3064=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3064=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): cpio-2.11-36.6.1 cpio-debuginfo-2.11-36.6.1 cpio-debugsource-2.11-36.6.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): cpio-lang-2.11-36.6.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): cpio-2.11-36.6.1 cpio-debuginfo-2.11-36.6.1 cpio-debugsource-2.11-36.6.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): cpio-lang-2.11-36.6.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): cpio-2.11-36.6.1 cpio-debuginfo-2.11-36.6.1 cpio-debugsource-2.11-36.6.1 - SUSE Linux Enterprise Desktop 12-SP4 (noarch): cpio-lang-2.11-36.6.1 - SUSE CaaS Platform 3.0 (x86_64): cpio-2.11-36.6.1 cpio-debuginfo-2.11-36.6.1 cpio-debugsource-2.11-36.6.1 References: https://www.suse.com/security/cve/CVE-2019-14866.html https://bugzilla.suse.com/1155199 From sle-security-updates at lists.suse.com Tue Nov 26 07:13:06 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 15:13:06 +0100 (CET) Subject: SUSE-SU-2019:3067-1: important: Security update for squid Message-ID: <20191126141306.031E2F79E@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3067-1 Rating: important References: #1140738 #1156323 #1156324 #1156326 #1156328 #1156329 Cross-References: 
CVE-2019-12523 CVE-2019-12526 CVE-2019-13345 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for squid to version 4.9 fixes the following issues: Security issues fixed: - CVE-2019-13345: Fixed multiple cross-site scripting vulnerabilities in cachemgr.cgi (bsc#1140738). - CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326). - CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329). - CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328). - CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323). - CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324). Other issues addressed: * Fixed DNS failures when peer name was configured with any upper case characters * Fixed several rock cache_dir corruption issues Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3067=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): squid-4.9-4.3.2 squid-debuginfo-4.9-4.3.2 squid-debugsource-4.9-4.3.2 References: https://www.suse.com/security/cve/CVE-2019-12523.html https://www.suse.com/security/cve/CVE-2019-12526.html https://www.suse.com/security/cve/CVE-2019-13345.html https://www.suse.com/security/cve/CVE-2019-18676.html https://www.suse.com/security/cve/CVE-2019-18677.html https://www.suse.com/security/cve/CVE-2019-18678.html https://www.suse.com/security/cve/CVE-2019-18679.html https://bugzilla.suse.com/1140738 https://bugzilla.suse.com/1156323 https://bugzilla.suse.com/1156324 https://bugzilla.suse.com/1156326 https://bugzilla.suse.com/1156328 https://bugzilla.suse.com/1156329 From sle-security-updates at lists.suse.com Tue Nov 26 07:11:13 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 15:11:13 +0100 (CET) Subject: SUSE-SU-2019:3066-1: moderate: Security update for clamav Message-ID: <20191126141113.E38C1F79E@maintenance.suse.de> SUSE Security Update: Security update for clamav ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3066-1 Rating: moderate References: #1144504 #1149458 #1151839 Cross-References: CVE-2019-12625 CVE-2019-12900 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 
12-SP4 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for clamav fixes the following issues: Security issue fixed: - CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504). - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458). Non-security issues fixed: - Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504). - Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-3066=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-3066=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3066=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-3066=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-3066=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-3066=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3066=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-3066=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-3066=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch 
SUSE-SLE-SERVER-12-SP2-2019-3066=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-3066=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-3066=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3066=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-3066=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-3066=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE OpenStack Cloud 8 (x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE OpenStack Cloud 7 (s390x x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise 
Server 12-SP2-BCL (x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 - HPE Helion Openstack 8 (x86_64): clamav-0.100.3-33.26.1 clamav-debuginfo-0.100.3-33.26.1 clamav-debugsource-0.100.3-33.26.1 References: https://www.suse.com/security/cve/CVE-2019-12625.html https://www.suse.com/security/cve/CVE-2019-12900.html https://bugzilla.suse.com/1144504 https://bugzilla.suse.com/1149458 https://bugzilla.suse.com/1151839 From sle-security-updates at lists.suse.com Tue Nov 26 07:12:18 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 15:12:18 +0100 (CET) Subject: SUSE-SU-2019:14231-1: moderate: Security update for clamav Message-ID: <20191126141218.9DE15F79E@maintenance.suse.de> SUSE Security Update: Security update for clamav ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14231-1 Rating: moderate References: #1144504 #1149458 Cross-References: CVE-2019-12625 CVE-2019-12900 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description: This update for clamav fixes the following issues: Security issues fixed: - CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504). - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458). Non-security issue fixed: - Added the --max-scantime clamscan option and MaxScanTime clamd configuration option. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-clamav-14231=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-clamav-14231=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-clamav-14231=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-clamav-14231=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): clamav-0.100.3-0.20.26.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): clamav-0.100.3-0.20.26.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): clamav-debuginfo-0.100.3-0.20.26.1 clamav-debugsource-0.100.3-0.20.26.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): clamav-debuginfo-0.100.3-0.20.26.1 clamav-debugsource-0.100.3-0.20.26.1 References: https://www.suse.com/security/cve/CVE-2019-12625.html https://www.suse.com/security/cve/CVE-2019-12900.html https://bugzilla.suse.com/1144504 https://bugzilla.suse.com/1149458 From sle-security-updates at lists.suse.com Tue Nov 26 10:11:23 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 18:11:23 +0100 (CET) Subject: SUSE-SU-2019:3068-1: moderate: Security update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui, 
openstack-barbican, openstack-heat-templates, openstack-keystone, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-sahara, python-psutil, release-notes-suse-openstack-cloud Message-ID: <20191126171123.23704F79E@maintenance.suse.de> SUSE Security Update: Security update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican, openstack-heat-templates, openstack-keystone, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-sahara, python-psutil, release-notes-suse-openstack-cloud ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3068-1 Rating: moderate References: #1153304 #1155942 #1156525 Cross-References: CVE-2019-17134 CVE-2019-18874 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican, openstack-heat-templates, openstack-keystone, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-sahara, python-psutil, release-notes-suse-openstack-cloud fixes the following issues: Security fix for openstack-octavia: - CVE-2019-17134: Fixed an issue where Octavia Amphora-Agent was not requiring Client-Certificate (bsc#1153304). Security fix for python-psutil: - CVE-2019-18874: Fixed a double-free vulnerability that occurred during converting system data into a Python object (bsc#1155089). 
- Update to version 9.0+git.1572311426.a6dc2fd: * Align Crowbar and Ardana MariaDB configs (SOC-10094) - Update to version 9.0+git.1573069087.15ffd1c: * enable debug and insecure_debug on demand (SOC-10934) - Update to version 9.0+git.1572019823.6650494: * Correctly setup ardana_notify_... fact (SOC-10902) - Update to version 9.0+git.1572618171.4460843: * Update gerrit FQDN in .gitreview (SOC-9140) - Update to version 6.0+git.1573825081.b1caf60f1: * Update the testsuite for new upgrade method (SOC-10761) * upgrade: cold start nova before live migration (SOC-10761) - Update to version 6.0+git.1573131992.3c660b413: * [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942) - Update to version 6.0+git.1573051151.3495e0e94: * Allow enabling bpdu-forwarding on OVS bridges (SOC-9172) - Update to version 6.0+git.1573754820.dd036ef77: * neutron: use octavia-api admin VIP URI for lbaasv2 (SOC-10906) * octavia: handle certificate ownership in barclamp (SOC-10906) * octavia: add SSL support to octavia-api (SOC-10906) - Update to version 6.0+git.1573174019.9965ae9b8: * designate: change default configuration (SOC-10899) - Update to version 6.0+git.1572855359.8efafea01: * Make sure the input file with ssh key exists (SOC-10133) - Update to version 6.0+git.1572636244.e12406629: * Change order of Octavia to 102 (SOC-10289) - Update to version 6.0+git.1572470261.49c0affe1: * designate: move keystone resource lookup to convergence (SOC-10887) - Update to version 1.3.0+git.1572871359.50fc6087: * Add title for XEN compute nodes precheck (SOC-10495) - Update to version barbican-7.0.1.dev21: * Fix duplicate paths in secret hrefs * Fix the bug of pep8 and building api-guide * OpenDev Migration Patch - Update to version barbican-7.0.1.dev21: * Fix duplicate paths in secret hrefs * Fix the bug of pep8 and building api-guide * OpenDev Migration Patch - remove 0001-Fix-duplicate-paths-in-secret-hrefs.patch as it had landed upstream - Replace openstack.org git:// URLs with 
https:// - Update to version keystone-14.1.1.dev28: * Allows to use application credentials through group membership - Update to version keystone-14.1.1.dev28: * Allows to use application credentials through group membership - Update to version neutron-13.0.6.dev8: * Retry creating iptables managers and adding metering rules - Update to version neutron-13.0.6.dev6: * Increase timeout when waiting for dnsmasq enablement - Update to version neutron-13.0.6.dev4: * Log OVS firewall conjunction creation - Update to version neutron-13.0.6.dev8: * Retry creating iptables managers and adding metering rules - Update to version neutron-13.0.6.dev6: * Increase timeout when waiting for dnsmasq enablement - Update to version neutron-13.0.6.dev4: * Log OVS firewall conjunction creation - Update to version group-based-policy-5.0.1.dev476: * Provide a control knob to use the internal EP interface * Send port notifications when host_route is getting updated - Update to version group-based-policy-5.0.1.dev473: * Fix pep8 failures seen on submitted patches - Update to version neutron-lbaas-13.0.1.dev16: * "lbaas delete l7 rule" Parameter Passing Error - Update to version neutron-lbaas-13.0.1.dev16: * "lbaas delete l7 rule" Parameter Passing Error - Update to version nova-18.2.4.dev22: * Revert "openstack server create" to "nova boot" in nova docs * doc: fix and clarify --block-device usage in user docs - Update to version nova-18.2.4.dev20: * Avoid error 500 on shelve task_state race - Update to version nova-18.2.4.dev19: * libvirt: Ignore volume exceptions during post_live_migration - Update to version nova-18.2.4.dev22: * Revert "openstack server create" to "nova boot" in nova docs * doc: fix and clarify --block-device usage in user docs - Update to version nova-18.2.4.dev20: * Avoid error 500 on shelve task_state race - Update to version nova-18.2.4.dev19: * libvirt: Ignore volume exceptions during post_live_migration - Update to version octavia-3.2.1.dev3: * Improve the 
error message for bad pkcs12 bundles - Update to version octavia-3.2.1.dev2: * ipvsadm '--exact' arg to ensure outputs are ints - Update to version sahara-9.0.2.dev14: * Fixing image creation * Check MariaDB installation - Update to version sahara-9.0.2.dev14: * Fixing image creation * Check MariaDB installation - Update to version 9.20191025: * support OpenID Connect (SOC-10510) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-3068=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2019-3068=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1 crowbar-core-branding-upstream-6.0+git.1573825081.b1caf60f1-3.16.1 python-psutil-5.4.6-3.3.1 python-psutil-debuginfo-5.4.6-3.3.1 python-psutil-debugsource-5.4.6-3.3.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1 crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1 openstack-barbican-7.0.1~dev21-3.3.1 openstack-barbican-api-7.0.1~dev21-3.3.1 openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1 openstack-barbican-retry-7.0.1~dev21-3.3.1 openstack-barbican-worker-7.0.1~dev21-3.3.1 openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1 openstack-keystone-14.1.1~dev28-3.16.1 openstack-neutron-13.0.6~dev8-3.16.2 openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2 openstack-neutron-gbp-5.0.1~dev476-3.13.1 openstack-neutron-ha-tool-13.0.6~dev8-3.16.2 openstack-neutron-l3-agent-13.0.6~dev8-3.16.2 openstack-neutron-lbaas-13.0.1~dev16-3.13.1 openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1 openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2 openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2 openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2 
openstack-neutron-metering-agent-13.0.6~dev8-3.16.2 openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2 openstack-neutron-server-13.0.6~dev8-3.16.2 openstack-nova-18.2.4~dev22-3.16.2 openstack-nova-api-18.2.4~dev22-3.16.2 openstack-nova-cells-18.2.4~dev22-3.16.2 openstack-nova-compute-18.2.4~dev22-3.16.2 openstack-nova-conductor-18.2.4~dev22-3.16.2 openstack-nova-console-18.2.4~dev22-3.16.2 openstack-nova-novncproxy-18.2.4~dev22-3.16.2 openstack-nova-placement-api-18.2.4~dev22-3.16.2 openstack-nova-scheduler-18.2.4~dev22-3.16.2 openstack-nova-serialproxy-18.2.4~dev22-3.16.2 openstack-nova-vncproxy-18.2.4~dev22-3.16.2 openstack-octavia-3.2.1~dev3-3.16.1 openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1 openstack-octavia-api-3.2.1~dev3-3.16.1 openstack-octavia-health-manager-3.2.1~dev3-3.16.1 openstack-octavia-housekeeping-3.2.1~dev3-3.16.1 openstack-octavia-worker-3.2.1~dev3-3.16.1 openstack-sahara-9.0.2~dev14-3.6.1 openstack-sahara-api-9.0.2~dev14-3.6.1 openstack-sahara-engine-9.0.2~dev14-3.6.1 python-barbican-7.0.1~dev21-3.3.1 python-keystone-14.1.1~dev28-3.16.1 python-neutron-13.0.6~dev8-3.16.2 python-neutron-gbp-5.0.1~dev476-3.13.1 python-neutron-lbaas-13.0.1~dev16-3.13.1 python-nova-18.2.4~dev22-3.16.2 python-octavia-3.2.1~dev3-3.16.1 python-sahara-9.0.2~dev14-3.6.1 release-notes-suse-openstack-cloud-9.20191025-3.15.1 - SUSE OpenStack Cloud 9 (x86_64): python-psutil-5.4.6-3.3.1 python-psutil-debuginfo-5.4.6-3.3.1 python-psutil-debugsource-5.4.6-3.3.1 - SUSE OpenStack Cloud 9 (noarch): ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1 ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1 ardana-neutron-9.0+git.1572019823.6650494-3.16.1 ardana-nova-9.0+git.1572618171.4460843-3.13.1 openstack-barbican-7.0.1~dev21-3.3.1 openstack-barbican-api-7.0.1~dev21-3.3.1 openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1 openstack-barbican-retry-7.0.1~dev21-3.3.1 openstack-barbican-worker-7.0.1~dev21-3.3.1 openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1 
openstack-keystone-14.1.1~dev28-3.16.1 openstack-neutron-13.0.6~dev8-3.16.2 openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2 openstack-neutron-gbp-5.0.1~dev476-3.13.1 openstack-neutron-ha-tool-13.0.6~dev8-3.16.2 openstack-neutron-l3-agent-13.0.6~dev8-3.16.2 openstack-neutron-lbaas-13.0.1~dev16-3.13.1 openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1 openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2 openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2 openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2 openstack-neutron-metering-agent-13.0.6~dev8-3.16.2 openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2 openstack-neutron-server-13.0.6~dev8-3.16.2 openstack-nova-18.2.4~dev22-3.16.2 openstack-nova-api-18.2.4~dev22-3.16.2 openstack-nova-cells-18.2.4~dev22-3.16.2 openstack-nova-compute-18.2.4~dev22-3.16.2 openstack-nova-conductor-18.2.4~dev22-3.16.2 openstack-nova-console-18.2.4~dev22-3.16.2 openstack-nova-novncproxy-18.2.4~dev22-3.16.2 openstack-nova-placement-api-18.2.4~dev22-3.16.2 openstack-nova-scheduler-18.2.4~dev22-3.16.2 openstack-nova-serialproxy-18.2.4~dev22-3.16.2 openstack-nova-vncproxy-18.2.4~dev22-3.16.2 openstack-octavia-3.2.1~dev3-3.16.1 openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1 openstack-octavia-api-3.2.1~dev3-3.16.1 openstack-octavia-health-manager-3.2.1~dev3-3.16.1 openstack-octavia-housekeeping-3.2.1~dev3-3.16.1 openstack-octavia-worker-3.2.1~dev3-3.16.1 openstack-sahara-9.0.2~dev14-3.6.1 openstack-sahara-api-9.0.2~dev14-3.6.1 openstack-sahara-engine-9.0.2~dev14-3.6.1 python-barbican-7.0.1~dev21-3.3.1 python-keystone-14.1.1~dev28-3.16.1 python-neutron-13.0.6~dev8-3.16.2 python-neutron-gbp-5.0.1~dev476-3.13.1 python-neutron-lbaas-13.0.1~dev16-3.13.1 python-nova-18.2.4~dev22-3.16.2 python-octavia-3.2.1~dev3-3.16.1 python-sahara-9.0.2~dev14-3.6.1 release-notes-suse-openstack-cloud-9.20191025-3.15.1 venv-openstack-barbican-x86_64-7.0.1~dev21-3.13.1 venv-openstack-cinder-x86_64-13.0.8~dev8-3.13.1 
venv-openstack-designate-x86_64-7.0.1~dev22-3.13.1 venv-openstack-heat-x86_64-11.0.3~dev23-3.13.1 venv-openstack-keystone-x86_64-14.1.1~dev28-3.13.1 venv-openstack-magnum-x86_64-7.1.1~dev28-4.13.1 venv-openstack-manila-x86_64-7.3.1~dev15-3.13.1 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.13.1 venv-openstack-neutron-x86_64-13.0.6~dev8-6.13.1 venv-openstack-nova-x86_64-18.2.4~dev22-3.13.1 venv-openstack-octavia-x86_64-3.2.1~dev3-4.13.1 venv-openstack-sahara-x86_64-9.0.2~dev14-3.13.1 References: https://www.suse.com/security/cve/CVE-2019-17134.html https://www.suse.com/security/cve/CVE-2019-18874.html https://bugzilla.suse.com/1153304 https://bugzilla.suse.com/1155942 https://bugzilla.suse.com/1156525 From sle-security-updates at lists.suse.com Tue Nov 26 13:11:53 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 21:11:53 +0100 (CET) Subject: SUSE-SU-2019:3077-1: moderate: Security update for freerdp Message-ID: <20191126201153.278B5F79E@maintenance.suse.de> SUSE Security Update: Security update for freerdp ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3077-1 Rating: moderate References: #1153163 #1153164 Cross-References: CVE-2019-17177 CVE-2019-17178 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for freerdp fixes the following issues: - CVE-2019-17177: Fixed multiple memory leaks in libfreerdp/codec/region.c (bsc#1153163). - CVE-2019-17178: Fixed a memory leak in HuffmanTree_makeFromFrequencies (bsc#1153164). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2019-3077=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2019-3077=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3077=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3077=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3077=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): freerdp-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debugsource-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): freerdp-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debugsource-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debugsource-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-devel-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debugsource-2.0.0~git.1463131968.4e66df7-12.11.1 
freerdp-devel-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): freerdp-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 freerdp-debugsource-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-2.0.0~git.1463131968.4e66df7-12.11.1 libfreerdp2-debuginfo-2.0.0~git.1463131968.4e66df7-12.11.1 References: https://www.suse.com/security/cve/CVE-2019-17177.html https://www.suse.com/security/cve/CVE-2019-17178.html https://bugzilla.suse.com/1153163 https://bugzilla.suse.com/1153164 From sle-security-updates at lists.suse.com Tue Nov 26 13:13:34 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 21:13:34 +0100 (CET) Subject: SUSE-SU-2019:3080-1: moderate: Security update for slurm Message-ID: <20191126201334.07CDCF79E@maintenance.suse.de> SUSE Security Update: Security update for slurm ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3080-1 Rating: moderate References: #1123304 #1140709 Cross-References: CVE-2019-12838 CVE-2019-6438 Affected Products: SUSE Linux Enterprise Module for HPC 12 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for slurm fixes the following issues: Security issue fixed: - CVE-2019-6438: Fixed a heap overflow on 32-bit systems in xmalloc (bsc#1123304). - CVE-2019-12838: Fixed an SQL injection (bsc#1140709). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 12: zypper in -t patch SUSE-SLE-Module-HPC-12-2019-3080=1 Package List: - SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64): libpmi0-17.02.11-6.33.1 libpmi0-debuginfo-17.02.11-6.33.1 libslurm31-17.02.11-6.33.1 libslurm31-debuginfo-17.02.11-6.33.1 perl-slurm-17.02.11-6.33.1 perl-slurm-debuginfo-17.02.11-6.33.1 slurm-17.02.11-6.33.1 slurm-auth-none-17.02.11-6.33.1 slurm-auth-none-debuginfo-17.02.11-6.33.1 slurm-config-17.02.11-6.33.1 slurm-debuginfo-17.02.11-6.33.1 slurm-debugsource-17.02.11-6.33.1 slurm-devel-17.02.11-6.33.1 slurm-doc-17.02.11-6.33.1 slurm-lua-17.02.11-6.33.1 slurm-lua-debuginfo-17.02.11-6.33.1 slurm-munge-17.02.11-6.33.1 slurm-munge-debuginfo-17.02.11-6.33.1 slurm-pam_slurm-17.02.11-6.33.1 slurm-pam_slurm-debuginfo-17.02.11-6.33.1 slurm-plugins-17.02.11-6.33.1 slurm-plugins-debuginfo-17.02.11-6.33.1 slurm-sched-wiki-17.02.11-6.33.1 slurm-slurmdb-direct-17.02.11-6.33.1 slurm-slurmdbd-17.02.11-6.33.1 slurm-slurmdbd-debuginfo-17.02.11-6.33.1 slurm-sql-17.02.11-6.33.1 slurm-sql-debuginfo-17.02.11-6.33.1 slurm-torque-17.02.11-6.33.1 slurm-torque-debuginfo-17.02.11-6.33.1 References: https://www.suse.com/security/cve/CVE-2019-12838.html https://www.suse.com/security/cve/CVE-2019-6438.html https://bugzilla.suse.com/1123304 https://bugzilla.suse.com/1140709 From sle-security-updates at lists.suse.com Tue Nov 26 13:12:44 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 21:12:44 +0100 (CET) Subject: SUSE-SU-2019:3078-1: moderate: Security update for freerdp Message-ID: <20191126201244.096A9F79E@maintenance.suse.de> SUSE Security Update: Security update for freerdp ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3078-1 Rating: moderate References: #1153163 #1153164 Cross-References: CVE-2019-17177 CVE-2019-17178 Affected 
Products: SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for freerdp fixes the following issues: - CVE-2019-17177: Fixed multiple memory leaks in libfreerdp/codec/region.c (bsc#1153163). - CVE-2019-17178: Fixed a memory leak in HuffmanTree_makeFromFrequencies (bsc#1153164). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2019-3078=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3078=1 Package List: - SUSE Linux Enterprise Workstation Extension 15 (x86_64): freerdp-2.0.0~rc4-3.10.1 freerdp-debuginfo-2.0.0~rc4-3.10.1 freerdp-debugsource-2.0.0~rc4-3.10.1 freerdp-devel-2.0.0~rc4-3.10.1 libfreerdp2-2.0.0~rc4-3.10.1 libfreerdp2-debuginfo-2.0.0~rc4-3.10.1 libwinpr2-2.0.0~rc4-3.10.1 libwinpr2-debuginfo-2.0.0~rc4-3.10.1 winpr2-devel-2.0.0~rc4-3.10.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): freerdp-debuginfo-2.0.0~rc4-3.10.1 freerdp-debugsource-2.0.0~rc4-3.10.1 freerdp-server-2.0.0~rc4-3.10.1 freerdp-server-debuginfo-2.0.0~rc4-3.10.1 freerdp-wayland-2.0.0~rc4-3.10.1 freerdp-wayland-debuginfo-2.0.0~rc4-3.10.1 libuwac0-0-2.0.0~rc4-3.10.1 libuwac0-0-debuginfo-2.0.0~rc4-3.10.1 uwac0-0-devel-2.0.0~rc4-3.10.1 References: https://www.suse.com/security/cve/CVE-2019-17177.html https://www.suse.com/security/cve/CVE-2019-17178.html https://bugzilla.suse.com/1153163 https://bugzilla.suse.com/1153164 From sle-security-updates at lists.suse.com Tue Nov 
26 13:14:30 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 21:14:30 +0100 (CET) Subject: SUSE-SU-2019:3076-1: important: Security update for mailman Message-ID: <20191126201430.420CBF79E@maintenance.suse.de> SUSE Security Update: Security update for mailman ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3076-1 Rating: important References: #1154328 Cross-References: CVE-2019-3693 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for mailman fixes the following issues: - CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-3076=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-3076=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3076=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-3076=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-3076=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-3076=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3076=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3076=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-3076=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-3076=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-3076=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-3076=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-3076=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-3076=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-3076=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE OpenStack Cloud 8 (x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE OpenStack Cloud 7 (s390x x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server 12-SP4 (ppc64le s390x x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - SUSE Enterprise Storage 5 (x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 - HPE Helion Openstack 8 (x86_64): mailman-2.1.17-3.11.1 mailman-debuginfo-2.1.17-3.11.1 mailman-debugsource-2.1.17-3.11.1 References: https://www.suse.com/security/cve/CVE-2019-3693.html https://bugzilla.suse.com/1154328 From sle-security-updates at lists.suse.com Tue Nov 26 13:19:21 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 26 Nov 2019 21:19:21 +0100 (CET) Subject: SUSE-SU-2019:3079-1: moderate: Security update for freerdp Message-ID: 
<20191126201921.C8C92F79E@maintenance.suse.de> SUSE Security Update: Security update for freerdp ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3079-1 Rating: moderate References: #1153163 #1153164 Cross-References: CVE-2019-17177 CVE-2019-17178 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for freerdp fixes the following issues: - CVE-2019-17177: Fixed multiple memory leaks in libfreerdp/codec/region.c (bsc#1153163). - CVE-2019-17178: Fixed a memory leak in HuffmanTree_makeFromFrequencies (bsc#1153164). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-3079=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3079=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): freerdp-2.0.0~rc4-10.4.1 freerdp-debuginfo-2.0.0~rc4-10.4.1 freerdp-debugsource-2.0.0~rc4-10.4.1 freerdp-devel-2.0.0~rc4-10.4.1 libfreerdp2-2.0.0~rc4-10.4.1 libfreerdp2-debuginfo-2.0.0~rc4-10.4.1 libwinpr2-2.0.0~rc4-10.4.1 libwinpr2-debuginfo-2.0.0~rc4-10.4.1 winpr2-devel-2.0.0~rc4-10.4.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): freerdp-debuginfo-2.0.0~rc4-10.4.1 freerdp-debugsource-2.0.0~rc4-10.4.1 freerdp-server-2.0.0~rc4-10.4.1 freerdp-server-debuginfo-2.0.0~rc4-10.4.1 freerdp-wayland-2.0.0~rc4-10.4.1 
freerdp-wayland-debuginfo-2.0.0~rc4-10.4.1 libuwac0-0-2.0.0~rc4-10.4.1 libuwac0-0-debuginfo-2.0.0~rc4-10.4.1 uwac0-0-devel-2.0.0~rc4-10.4.1 References: https://www.suse.com/security/cve/CVE-2019-17177.html https://www.suse.com/security/cve/CVE-2019-17178.html https://bugzilla.suse.com/1153163 https://bugzilla.suse.com/1153164 From sle-security-updates at lists.suse.com Wed Nov 27 10:11:29 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 27 Nov 2019 18:11:29 +0100 (CET) Subject: SUSE-SU-2019:3084-1: important: Security update for java-1_7_0-openjdk Message-ID: <20191127171129.C04FBF79E@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3084-1 Rating: important References: #1152856 #1154212 Cross-References: CVE-2019-2894 CVE-2019-2933 CVE-2019-2945 CVE-2019-2949 CVE-2019-2958 CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP4 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 16 vulnerabilities is now available. 
Description: This update for java-1_7_0-openjdk fixes the following issues: Security issues fixed (October 2019 CPU bsc#1154212): - CVE-2019-2933: Windows file handling redux - CVE-2019-2945: Better socket support - CVE-2019-2949: Better Kerberos ccache handling - CVE-2019-2958: Build Better Processes - CVE-2019-2964: Better support for patterns - CVE-2019-2962: Better Glyph Images - CVE-2019-2973: Better pattern compilation - CVE-2019-2978: Improved handling of jar files - CVE-2019-2981: Better Path supports - CVE-2019-2983: Better serial attributes - CVE-2019-2987: Better rendering of native glyphs - CVE-2019-2988: Better Graphics2D drawing - CVE-2019-2989: Improve TLS connection support - CVE-2019-2992: Enhance font glyph mapping - CVE-2019-2999: Commentary on Javadoc comments - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-3084=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2019-3084=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3084=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-3084=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-3084=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-3084=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3084=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3084=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-3084=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-3084=1 - SUSE 
Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-3084=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-3084=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-3084=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3084=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-3084=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2019-3084=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE OpenStack Cloud 8 (x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server for SAP 12-SP3 
(ppc64le x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): 
java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 
java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 - HPE Helion Openstack 8 (x86_64): java-1_7_0-openjdk-1.7.0.241-43.30.1 java-1_7_0-openjdk-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-debugsource-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-1.7.0.241-43.30.1 java-1_7_0-openjdk-demo-debuginfo-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-1.7.0.241-43.30.1 java-1_7_0-openjdk-devel-debuginfo-1.7.0.241-43.30.1 
java-1_7_0-openjdk-headless-1.7.0.241-43.30.1 java-1_7_0-openjdk-headless-debuginfo-1.7.0.241-43.30.1 References: https://www.suse.com/security/cve/CVE-2019-2894.html https://www.suse.com/security/cve/CVE-2019-2933.html https://www.suse.com/security/cve/CVE-2019-2945.html https://www.suse.com/security/cve/CVE-2019-2949.html https://www.suse.com/security/cve/CVE-2019-2958.html https://www.suse.com/security/cve/CVE-2019-2962.html https://www.suse.com/security/cve/CVE-2019-2964.html https://www.suse.com/security/cve/CVE-2019-2973.html https://www.suse.com/security/cve/CVE-2019-2978.html https://www.suse.com/security/cve/CVE-2019-2981.html https://www.suse.com/security/cve/CVE-2019-2983.html https://www.suse.com/security/cve/CVE-2019-2987.html https://www.suse.com/security/cve/CVE-2019-2988.html https://www.suse.com/security/cve/CVE-2019-2989.html https://www.suse.com/security/cve/CVE-2019-2992.html https://www.suse.com/security/cve/CVE-2019-2999.html https://bugzilla.suse.com/1152856 https://bugzilla.suse.com/1154212 From sle-security-updates at lists.suse.com Wed Nov 27 10:14:33 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 27 Nov 2019 18:14:33 +0100 (CET) Subject: SUSE-SU-2019:3083-1: important: Security update for java-11-openjdk Message-ID: <20191127171433.89D00F79E@maintenance.suse.de> SUSE Security Update: Security update for java-11-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3083-1 Rating: important References: #1152856 #1154212 Cross-References: CVE-2019-2894 CVE-2019-2933 CVE-2019-2945 CVE-2019-2949 CVE-2019-2958 CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2977 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An 
update that fixes 18 vulnerabilities is now available. Description: This update for java-11-openjdk fixes the following issues: Security issues fixed (October 2019 CPU bsc#1154212): - CVE-2019-2933: Windows file handling redux - CVE-2019-2945: Better socket support - CVE-2019-2949: Better Kerberos ccache handling - CVE-2019-2958: Build Better Processes - CVE-2019-2964: Better support for patterns - CVE-2019-2962: Better Glyph Images - CVE-2019-2973: Better pattern compilation - CVE-2019-2975: Unexpected exception in jjs - CVE-2019-2978: Improved handling of jar files - CVE-2019-2977: Improve String index handling - CVE-2019-2981: Better Path supports - CVE-2019-2983: Better serial attributes - CVE-2019-2987: Better rendering of native glyphs - CVE-2019-2988: Better Graphics2D drawing - CVE-2019-2989: Improve TLS connection support - CVE-2019-2992: Enhance font glyph mapping - CVE-2019-2999: Commentary on Javadoc comments - CVE-2019-2894: Enhance ECDSA operations (bsc#1152856). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3083=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-11-openjdk-11.0.5.0-3.3.3 java-11-openjdk-debuginfo-11.0.5.0-3.3.3 java-11-openjdk-debugsource-11.0.5.0-3.3.3 java-11-openjdk-demo-11.0.5.0-3.3.3 java-11-openjdk-devel-11.0.5.0-3.3.3 java-11-openjdk-headless-11.0.5.0-3.3.3 References: https://www.suse.com/security/cve/CVE-2019-2894.html https://www.suse.com/security/cve/CVE-2019-2933.html https://www.suse.com/security/cve/CVE-2019-2945.html https://www.suse.com/security/cve/CVE-2019-2949.html https://www.suse.com/security/cve/CVE-2019-2958.html https://www.suse.com/security/cve/CVE-2019-2962.html https://www.suse.com/security/cve/CVE-2019-2964.html https://www.suse.com/security/cve/CVE-2019-2973.html https://www.suse.com/security/cve/CVE-2019-2975.html https://www.suse.com/security/cve/CVE-2019-2977.html https://www.suse.com/security/cve/CVE-2019-2978.html https://www.suse.com/security/cve/CVE-2019-2981.html https://www.suse.com/security/cve/CVE-2019-2983.html https://www.suse.com/security/cve/CVE-2019-2987.html https://www.suse.com/security/cve/CVE-2019-2988.html https://www.suse.com/security/cve/CVE-2019-2989.html https://www.suse.com/security/cve/CVE-2019-2992.html https://www.suse.com/security/cve/CVE-2019-2999.html https://bugzilla.suse.com/1152856 https://bugzilla.suse.com/1154212 From sle-security-updates at lists.suse.com Wed Nov 27 10:17:23 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 27 Nov 2019 18:17:23 +0100 (CET) Subject: SUSE-SU-2019:14233-1: moderate: Security update for bsdtar Message-ID: <20191127171723.2C19CF79E@maintenance.suse.de> SUSE Security Update: Security update for bsdtar ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:14233-1 
Rating: moderate References: #1005070 #1059139 #985601 #985706 Cross-References: CVE-2015-8915 CVE-2015-8925 CVE-2016-8687 CVE-2017-14503 Affected Products: SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for bsdtar fixes the following issues: - CVE-2015-8915: Fixed an invalid read which could have allowed remote attackers to cause a denial of service (bsc#985601). - CVE-2015-8925: Fixed an invalid read which could have allowed remote attackers to cause a denial of service (bsc#985706). - CVE-2017-14503: Fixed an out of bounds read within lha_read_data_none() in archive_read_support_format_lha.c (bsc#1059139). - CVE-2016-8687: Fixed a buffer overflow when printing a filename (bsc#1005070). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-bsdtar-14233=1 Package List: - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): bsdtar-debuginfo-2.5.5-10.8.1 bsdtar-debugsource-2.5.5-10.8.1 References: https://www.suse.com/security/cve/CVE-2015-8915.html https://www.suse.com/security/cve/CVE-2015-8925.html https://www.suse.com/security/cve/CVE-2016-8687.html https://www.suse.com/security/cve/CVE-2017-14503.html https://bugzilla.suse.com/1005070 https://bugzilla.suse.com/1059139 https://bugzilla.suse.com/985601 https://bugzilla.suse.com/985706 From sle-security-updates at lists.suse.com Thu Nov 28 07:11:31 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 15:11:31 +0100 (CET) Subject: SUSE-SU-2019:3087-1: Security update for libxml2 Message-ID: <20191128141131.7E277F7BE@maintenance.suse.de> SUSE Security Update: Security 
update for libxml2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3087-1 Rating: low References: #1123919 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2019-3087=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3087=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3087=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3087=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3087=1 Package List: - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python-libxml2-python-debugsource-2.9.7-3.12.1 python2-libxml2-python-2.9.7-3.12.1 python2-libxml2-python-debuginfo-2.9.7-3.12.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): libxml2-doc-2.9.7-3.12.1 - SUSE Linux 
Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libxml2-debugsource-2.9.7-3.12.1 libxml2-devel-32bit-2.9.7-3.12.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): libxml2-doc-2.9.7-3.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libxml2-2-2.9.7-3.12.1 libxml2-2-debuginfo-2.9.7-3.12.1 libxml2-debugsource-2.9.7-3.12.1 libxml2-devel-2.9.7-3.12.1 libxml2-tools-2.9.7-3.12.1 libxml2-tools-debuginfo-2.9.7-3.12.1 python-libxml2-python-debugsource-2.9.7-3.12.1 python3-libxml2-python-2.9.7-3.12.1 python3-libxml2-python-debuginfo-2.9.7-3.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libxml2-2-32bit-2.9.7-3.12.1 libxml2-2-32bit-debuginfo-2.9.7-3.12.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libxml2-2-2.9.7-3.12.1 libxml2-2-debuginfo-2.9.7-3.12.1 libxml2-debugsource-2.9.7-3.12.1 libxml2-devel-2.9.7-3.12.1 libxml2-tools-2.9.7-3.12.1 libxml2-tools-debuginfo-2.9.7-3.12.1 python-libxml2-python-debugsource-2.9.7-3.12.1 python2-libxml2-python-2.9.7-3.12.1 python2-libxml2-python-debuginfo-2.9.7-3.12.1 python3-libxml2-python-2.9.7-3.12.1 python3-libxml2-python-debuginfo-2.9.7-3.12.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libxml2-2-32bit-2.9.7-3.12.1 libxml2-2-32bit-debuginfo-2.9.7-3.12.1 References: https://bugzilla.suse.com/1123919 From sle-security-updates at lists.suse.com Thu Nov 28 07:12:24 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 15:12:24 +0100 (CET) Subject: SUSE-SU-2019:3085-1: Security update for libxml2 Message-ID: <20191128141224.BA7D0F7BE@maintenance.suse.de> SUSE Security Update: Security update for libxml2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3085-1 Rating: low References: #1123919 Affected Products: SUSE Linux Enterprise Software Development 
Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for libxml2 doesn't fix any additional security issues, but corrects the rpm changelog to reflect all CVEs that have been fixed in the past. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3085=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3085=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3085=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3085=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3085=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libxml2-debugsource-2.9.4-46.23.2 libxml2-devel-2.9.4-46.23.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libxml2-debugsource-2.9.4-46.23.2 libxml2-devel-2.9.4-46.23.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libxml2-2-2.9.4-46.23.2 libxml2-2-debuginfo-2.9.4-46.23.2 libxml2-debugsource-2.9.4-46.23.2 libxml2-tools-2.9.4-46.23.2 libxml2-tools-debuginfo-2.9.4-46.23.2 python-libxml2-2.9.4-46.23.3 python-libxml2-debuginfo-2.9.4-46.23.3 python-libxml2-debugsource-2.9.4-46.23.3 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libxml2-2-32bit-2.9.4-46.23.2 libxml2-2-debuginfo-32bit-2.9.4-46.23.2 - SUSE Linux Enterprise Server 12-SP5 (noarch): libxml2-doc-2.9.4-46.23.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libxml2-2-2.9.4-46.23.2 libxml2-2-debuginfo-2.9.4-46.23.2 libxml2-debugsource-2.9.4-46.23.2 libxml2-tools-2.9.4-46.23.2 libxml2-tools-debuginfo-2.9.4-46.23.2 python-libxml2-2.9.4-46.23.3 python-libxml2-debuginfo-2.9.4-46.23.3 python-libxml2-debugsource-2.9.4-46.23.3 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libxml2-2-32bit-2.9.4-46.23.2 libxml2-2-debuginfo-32bit-2.9.4-46.23.2 - SUSE Linux Enterprise Server 12-SP4 (noarch): libxml2-doc-2.9.4-46.23.2 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libxml2-2-2.9.4-46.23.2 libxml2-2-32bit-2.9.4-46.23.2 libxml2-2-debuginfo-2.9.4-46.23.2 libxml2-2-debuginfo-32bit-2.9.4-46.23.2 libxml2-debugsource-2.9.4-46.23.2 libxml2-tools-2.9.4-46.23.2 libxml2-tools-debuginfo-2.9.4-46.23.2 python-libxml2-2.9.4-46.23.3 python-libxml2-debuginfo-2.9.4-46.23.3 python-libxml2-debugsource-2.9.4-46.23.3 - SUSE CaaS Platform 3.0 (x86_64): libxml2-2-2.9.4-46.23.2 libxml2-2-debuginfo-2.9.4-46.23.2 libxml2-debugsource-2.9.4-46.23.2 libxml2-tools-2.9.4-46.23.2 libxml2-tools-debuginfo-2.9.4-46.23.2 References: 
https://bugzilla.suse.com/1123919 From sle-security-updates at lists.suse.com Thu Nov 28 07:13:14 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 15:13:14 +0100 (CET) Subject: SUSE-SU-2019:3086-1: moderate: Security update for libidn2 Message-ID: <20191128141314.BD6FAF7BE@maintenance.suse.de> SUSE Security Update: Security update for libidn2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3086-1 Rating: moderate References: #1154884 #1154887 Cross-References: CVE-2019-12290 CVE-2019-18224 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3086=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3086=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3086=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3086=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): libidn2-debugsource-2.2.0-3.3.1 libidn2-tools-2.2.0-3.3.1 libidn2-tools-debuginfo-2.2.0-3.3.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): libidn2-debugsource-2.2.0-3.3.1 libidn2-tools-2.2.0-3.3.1 libidn2-tools-debuginfo-2.2.0-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libidn2-0-2.2.0-3.3.1 libidn2-0-debuginfo-2.2.0-3.3.1 libidn2-debugsource-2.2.0-3.3.1 libidn2-devel-2.2.0-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libidn2-0-32bit-2.2.0-3.3.1 libidn2-0-32bit-debuginfo-2.2.0-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libidn2-0-2.2.0-3.3.1 libidn2-0-debuginfo-2.2.0-3.3.1 libidn2-debugsource-2.2.0-3.3.1 libidn2-devel-2.2.0-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libidn2-0-32bit-2.2.0-3.3.1 libidn2-0-32bit-debuginfo-2.2.0-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-12290.html https://www.suse.com/security/cve/CVE-2019-18224.html https://bugzilla.suse.com/1154884 https://bugzilla.suse.com/1154887 From sle-security-updates at lists.suse.com Thu Nov 28 13:11:18 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) 
Date: Thu, 28 Nov 2019 21:11:18 +0100 (CET) Subject: SUSE-SU-2019:3089-1: important: Security update for ucode-intel Message-ID: <20191128201118.A4D33F79E@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3089-1 Rating: important References: #1157004 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for ucode-intel fixes the following issues: - Updated to 20191115 security release (bsc#1157004) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3089=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): ucode-intel-20191115-3.16.1 References: https://bugzilla.suse.com/1157004 From sle-security-updates at lists.suse.com Thu Nov 28 13:13:34 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:13:34 +0100 (CET) Subject: SUSE-SU-2019:3091-1: important: Security update for ucode-intel Message-ID: <20191128201334.636B5F79E@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3091-1 Rating: important References: #1139073 #1141035 #1155988 #1157004 Cross-References: CVE-2019-11135 CVE-2019-11139 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves two vulnerabilities and has two 
fixes is now available. Description: This update for ucode-intel to version fixes the following issues: - Updated to 20191115 official security release (bsc#1157004 and bsc#1155988) - Includes security fixes for: - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3091=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (x86_64): ucode-intel-20191115-3.3.1 ucode-intel-debuginfo-20191115-3.3.1 ucode-intel-debugsource-20191115-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-11135.html https://www.suse.com/security/cve/CVE-2019-11139.html https://bugzilla.suse.com/1139073 https://bugzilla.suse.com/1141035 https://bugzilla.suse.com/1155988 https://bugzilla.suse.com/1157004 From sle-security-updates at lists.suse.com Thu Nov 28 13:14:42 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:14:42 +0100 (CET) Subject: SUSE-SU-2019:3093-1: moderate: Security update for libarchive Message-ID: <20191128201442.331DDF79E@maintenance.suse.de> SUSE Security Update: Security update for libarchive ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3093-1 Rating: moderate References: #1120653 #1120654 #1124341 #1124342 #1155079 Cross-References: CVE-2018-1000877 CVE-2018-1000878 CVE-2019-1000019 CVE-2019-1000020 CVE-2019-18408 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise 
Module for Basesystem 15-SP1 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for libarchive fixes the following issues: Security issues fixed: - CVE-2018-1000877: Fixed a double free vulnerability in RAR decoder (bsc#1120653). - CVE-2018-1000878: Fixed a Use-After-Free vulnerability in RAR decoder (bsc#1120654). - CVE-2019-1000019: Fixed an Out-Of-Bounds Read vulnerability in 7zip decompression (bsc#1124341). - CVE-2019-1000020: Fixed an Infinite Loop vulnerability in ISO9660 parser (bsc#1124342). - CVE-2019-18408: Fixed a use-after-free in RAR format support (bsc#1155079). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3093=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-3093=1 - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-3093=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-3093=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3093=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libarchive-debugsource-3.3.2-3.11.1 libarchive13-32bit-3.3.2-3.11.1 libarchive13-32bit-debuginfo-3.3.2-3.11.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): bsdtar-3.3.2-3.11.1 bsdtar-debuginfo-3.3.2-3.11.1 libarchive-debugsource-3.3.2-3.11.1 - SUSE Linux 
Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): bsdtar-3.3.2-3.11.1 bsdtar-debuginfo-3.3.2-3.11.1 libarchive-debugsource-3.3.2-3.11.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libarchive-debugsource-3.3.2-3.11.1 libarchive-devel-3.3.2-3.11.1 libarchive13-3.3.2-3.11.1 libarchive13-debuginfo-3.3.2-3.11.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libarchive-debugsource-3.3.2-3.11.1 libarchive-devel-3.3.2-3.11.1 libarchive13-3.3.2-3.11.1 libarchive13-debuginfo-3.3.2-3.11.1 References: https://www.suse.com/security/cve/CVE-2018-1000877.html https://www.suse.com/security/cve/CVE-2018-1000878.html https://www.suse.com/security/cve/CVE-2019-1000019.html https://www.suse.com/security/cve/CVE-2019-1000020.html https://www.suse.com/security/cve/CVE-2019-18408.html https://bugzilla.suse.com/1120653 https://bugzilla.suse.com/1120654 https://bugzilla.suse.com/1124341 https://bugzilla.suse.com/1124342 https://bugzilla.suse.com/1155079 From sle-security-updates at lists.suse.com Thu Nov 28 13:15:58 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:15:58 +0100 (CET) Subject: SUSE-SU-2019:3090-1: important: Security update for ucode-intel Message-ID: <20191128201558.231C0F79E@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3090-1 Rating: important References: #1157004 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that contains security fixes can now be installed. 
Description: This update for ucode-intel fixes the following issues: - Updated to 20191115 official security release (bsc#1157004) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-3090=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): ucode-intel-20191115-3.34.1 References: https://bugzilla.suse.com/1157004 From sle-security-updates at lists.suse.com Thu Nov 28 13:18:43 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:18:43 +0100 (CET) Subject: SUSE-SU-2019:3096-1: moderate: Security update for cloud-init Message-ID: <20191128201843.D5195F798@maintenance.suse.de> SUSE Security Update: Security update for cloud-init ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3096-1 Rating: moderate References: #1099358 #1129124 #1136440 #1142988 #1144363 #1151488 #1154092 Cross-References: CVE-2019-0816 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has 6 fixes is now available. Description: This update for cloud-init to version 19.2 fixes the following issues: Security issue fixed: - CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124). Non-security issues fixed: - Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988). - If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2019-3096=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3096=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64): cloud-init-19.2-8.11.1 cloud-init-config-suse-19.2-8.11.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): cloud-init-doc-19.2-8.11.1 References: https://www.suse.com/security/cve/CVE-2019-0816.html https://bugzilla.suse.com/1099358 https://bugzilla.suse.com/1129124 https://bugzilla.suse.com/1136440 https://bugzilla.suse.com/1142988 https://bugzilla.suse.com/1144363 https://bugzilla.suse.com/1151488 https://bugzilla.suse.com/1154092 From sle-security-updates at lists.suse.com Thu Nov 28 13:16:49 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:16:49 +0100 (CET) Subject: SUSE-SU-2019:3094-1: moderate: Security update for ncurses Message-ID: <20191128201649.01D74F79E@maintenance.suse.de> SUSE Security Update: Security update for ncurses ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3094-1 Rating: moderate References: #1131830 #1134550 #1154036 #1154037 Cross-References: CVE-2018-10754 CVE-2019-17594 CVE-2019-17595 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 SUSE CaaS Platform 3.0 
______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830). - CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037). Bug fixes: - Fixed ppc64le build configuration (bsc#1134550). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3094=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3094=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3094=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3094=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3094=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ncurses-debugsource-5.9-69.1 ncurses-devel-5.9-69.1 ncurses-devel-debuginfo-5.9-69.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): ncurses-debugsource-5.9-69.1 ncurses-devel-5.9-69.1 ncurses-devel-debuginfo-5.9-69.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libncurses5-5.9-69.1 libncurses5-debuginfo-5.9-69.1 libncurses6-5.9-69.1 libncurses6-debuginfo-5.9-69.1 ncurses-debugsource-5.9-69.1 ncurses-devel-5.9-69.1 ncurses-devel-debuginfo-5.9-69.1 ncurses-utils-5.9-69.1 ncurses-utils-debuginfo-5.9-69.1 tack-5.9-69.1 tack-debuginfo-5.9-69.1 terminfo-5.9-69.1 terminfo-base-5.9-69.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libncurses5-32bit-5.9-69.1 libncurses5-debuginfo-32bit-5.9-69.1 libncurses6-32bit-5.9-69.1 libncurses6-debuginfo-32bit-5.9-69.1 ncurses-devel-32bit-5.9-69.1 ncurses-devel-debuginfo-32bit-5.9-69.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libncurses5-5.9-69.1 libncurses5-debuginfo-5.9-69.1 libncurses6-5.9-69.1 libncurses6-debuginfo-5.9-69.1 ncurses-debugsource-5.9-69.1 ncurses-devel-5.9-69.1 ncurses-devel-debuginfo-5.9-69.1 ncurses-utils-5.9-69.1 ncurses-utils-debuginfo-5.9-69.1 tack-5.9-69.1 tack-debuginfo-5.9-69.1 terminfo-5.9-69.1 terminfo-base-5.9-69.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libncurses5-32bit-5.9-69.1 libncurses5-debuginfo-32bit-5.9-69.1 libncurses6-32bit-5.9-69.1 libncurses6-debuginfo-32bit-5.9-69.1 ncurses-devel-32bit-5.9-69.1 ncurses-devel-debuginfo-32bit-5.9-69.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libncurses5-32bit-5.9-69.1 libncurses5-5.9-69.1 libncurses5-debuginfo-32bit-5.9-69.1 libncurses5-debuginfo-5.9-69.1 libncurses6-32bit-5.9-69.1 libncurses6-5.9-69.1 libncurses6-debuginfo-32bit-5.9-69.1 libncurses6-debuginfo-5.9-69.1 ncurses-debugsource-5.9-69.1 ncurses-devel-5.9-69.1 
ncurses-devel-debuginfo-5.9-69.1 ncurses-utils-5.9-69.1 ncurses-utils-debuginfo-5.9-69.1 tack-5.9-69.1 tack-debuginfo-5.9-69.1 terminfo-5.9-69.1 terminfo-base-5.9-69.1 - SUSE CaaS Platform 3.0 (x86_64): libncurses5-5.9-69.1 libncurses5-debuginfo-5.9-69.1 libncurses6-5.9-69.1 libncurses6-debuginfo-5.9-69.1 ncurses-debugsource-5.9-69.1 ncurses-utils-5.9-69.1 ncurses-utils-debuginfo-5.9-69.1 terminfo-5.9-69.1 terminfo-base-5.9-69.1 References: https://www.suse.com/security/cve/CVE-2018-10754.html https://www.suse.com/security/cve/CVE-2019-17594.html https://www.suse.com/security/cve/CVE-2019-17595.html https://bugzilla.suse.com/1131830 https://bugzilla.suse.com/1134550 https://bugzilla.suse.com/1154036 https://bugzilla.suse.com/1154037 From sle-security-updates at lists.suse.com Thu Nov 28 13:20:08 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:20:08 +0100 (CET) Subject: SUSE-SU-2019:3095-1: moderate: Security update for libtomcrypt Message-ID: <20191128202008.F19DCF798@maintenance.suse.de> SUSE Security Update: Security update for libtomcrypt ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3095-1 Rating: moderate References: #1153433 Cross-References: CVE-2019-17362 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libtomcrypt fixes the following issues: - CVE-2019-17362: Fixed an improper detection of invalid UTF-8 sequences that could have led to DoS or information disclosure via crafted DER-encoded data (bsc#1153433). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2019-3095=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2019-3095=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3095=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libtomcrypt-debugsource-1.17-3.3.1 libtomcrypt0-1.17-3.3.1 libtomcrypt0-debuginfo-1.17-3.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): libtomcrypt-debugsource-1.17-3.3.1 libtomcrypt0-1.17-3.3.1 libtomcrypt0-debuginfo-1.17-3.3.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libtomcrypt-debugsource-1.17-3.3.1 libtomcrypt0-1.17-3.3.1 libtomcrypt0-debuginfo-1.17-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-17362.html https://bugzilla.suse.com/1153433 From sle-security-updates at lists.suse.com Thu Nov 28 13:20:53 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:20:53 +0100 (CET) Subject: SUSE-SU-2019:3092-1: moderate: Security update for libarchive Message-ID: <20191128202053.3AAD2F798@maintenance.suse.de> SUSE Security Update: Security update for libarchive ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3092-1 Rating: moderate References: #1032089 #1037008 #1037009 #1059134 #1059139 #1120653 #1120654 #1124341 #1124342 #1155079 Cross-References: CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14501 CVE-2017-14502 CVE-2018-1000877 CVE-2018-1000878 CVE-2019-1000019 CVE-2019-1000020 CVE-2019-18408 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Desktop 12-SP4 
______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. Description: This update for libarchive fixes the following issues: Security issues fixed: - CVE-2018-1000877: Fixed a double free vulnerability in RAR decoder (bsc#1120653). - CVE-2018-1000878: Fixed a Use-After-Free vulnerability in RAR decoder (bsc#1120654). - CVE-2019-1000019: Fixed an Out-Of-Bounds Read vulnerability in 7zip decompression (bsc#1124341). - CVE-2019-1000020: Fixed an Infinite Loop vulnerability in ISO9660 parser (bsc#1124342). - CVE-2019-18408: Fixed a use-after-free in RAR format support (bsc#1155079). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-3092=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-3092=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3092=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-3092=1 - SUSE Linux Enterprise Desktop 12-SP4: zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-3092=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libarchive-debugsource-3.1.2-26.6.1 libarchive-devel-3.1.2-26.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libarchive-debugsource-3.1.2-26.6.1 libarchive-devel-3.1.2-26.6.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libarchive-debugsource-3.1.2-26.6.1 libarchive13-3.1.2-26.6.1 libarchive13-debuginfo-3.1.2-26.6.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libarchive-debugsource-3.1.2-26.6.1 libarchive13-3.1.2-26.6.1 
libarchive13-debuginfo-3.1.2-26.6.1 - SUSE Linux Enterprise Desktop 12-SP4 (x86_64): libarchive-debugsource-3.1.2-26.6.1 libarchive13-3.1.2-26.6.1 libarchive13-debuginfo-3.1.2-26.6.1 References: https://www.suse.com/security/cve/CVE-2016-10209.html https://www.suse.com/security/cve/CVE-2016-10349.html https://www.suse.com/security/cve/CVE-2016-10350.html https://www.suse.com/security/cve/CVE-2017-14501.html https://www.suse.com/security/cve/CVE-2017-14502.html https://www.suse.com/security/cve/CVE-2018-1000877.html https://www.suse.com/security/cve/CVE-2018-1000878.html https://www.suse.com/security/cve/CVE-2019-1000019.html https://www.suse.com/security/cve/CVE-2019-1000020.html https://www.suse.com/security/cve/CVE-2019-18408.html https://bugzilla.suse.com/1032089 https://bugzilla.suse.com/1037008 https://bugzilla.suse.com/1037009 https://bugzilla.suse.com/1059134 https://bugzilla.suse.com/1059139 https://bugzilla.suse.com/1120653 https://bugzilla.suse.com/1120654 https://bugzilla.suse.com/1124341 https://bugzilla.suse.com/1124342 https://bugzilla.suse.com/1155079 From sle-security-updates at lists.suse.com Thu Nov 28 13:12:03 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Nov 2019 21:12:03 +0100 (CET) Subject: SUSE-SU-2019:3097-1: moderate: Security update for cloud-init Message-ID: <20191128201203.9DD5BF79E@maintenance.suse.de> SUSE Security Update: Security update for cloud-init ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3097-1 Rating: moderate References: #1099358 #1129124 #1136440 #1142988 #1144363 #1151488 #1154092 Cross-References: CVE-2019-0816 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 ______________________________________________________________________________ An update that solves one vulnerability and has 6 fixes is now available. 
Description: This update for cloud-init to version 19.2 fixes the following issues: Security issue fixed: - CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124). Non-security issues fixed: - Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988). - If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2019-3097=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-3097=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15 (aarch64 ppc64le s390x x86_64): cloud-init-19.2-5.18.1 cloud-init-config-suse-19.2-5.18.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): cloud-init-doc-19.2-5.18.1 References: https://www.suse.com/security/cve/CVE-2019-0816.html https://bugzilla.suse.com/1099358 https://bugzilla.suse.com/1129124 https://bugzilla.suse.com/1136440 https://bugzilla.suse.com/1142988 https://bugzilla.suse.com/1144363 https://bugzilla.suse.com/1151488 https://bugzilla.suse.com/1154092 From sle-security-updates at lists.suse.com Fri Nov 29 10:15:42 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 29 Nov 2019 18:15:42 +0100 (CET) Subject: SUSE-SU-2019:14235-1: important: Security update for tightvnc Message-ID: <20191129171542.CDC40F79E@maintenance.suse.de> SUSE Security Update: Security update for tightvnc ______________________________________________________________________________ 
Announcement ID: SUSE-SU-2019:14235-1 Rating: important References: #1155442 #1155452 #1155472 #1155476 Cross-References: CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-8287 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for tightvnc fixes the following issues: - CVE-2019-15679: Fixed a heap buffer overflow in InitialiseRFBConnection which might lead to code execution (bsc#1155476). - CVE-2019-8287: Fixed a global buffer overflow in HandleCoRREBBPmay which might lead to code execution (bsc#1155472). - CVE-2019-15680: Fixed a null pointer dereference in HandleZlibBPP which could have led to denial of service (bsc#1155452). - CVE-2019-15678: Fixed a heap buffer overflow in rfbServerCutText handler (bsc#1155442). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-tightvnc-14235=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-tightvnc-14235=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-tightvnc-14235=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-tightvnc-14235=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): tightvnc-1.3.9-81.15.3.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): tightvnc-1.3.9-81.15.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): tightvnc-debuginfo-1.3.9-81.15.3.1 tightvnc-debugsource-1.3.9-81.15.3.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): tightvnc-debuginfo-1.3.9-81.15.3.1 tightvnc-debugsource-1.3.9-81.15.3.1 References: https://www.suse.com/security/cve/CVE-2019-15678.html https://www.suse.com/security/cve/CVE-2019-15679.html https://www.suse.com/security/cve/CVE-2019-15680.html https://www.suse.com/security/cve/CVE-2019-8287.html https://bugzilla.suse.com/1155442 https://bugzilla.suse.com/1155452 https://bugzilla.suse.com/1155472 https://bugzilla.suse.com/1155476 From sle-security-updates at lists.suse.com Fri Nov 29 13:11:02 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 29 Nov 2019 21:11:02 +0100 (CET) Subject: SUSE-SU-2019:3127-1: moderate: Security update for python-Django Message-ID: <20191129201102.066A9FCA6@maintenance.suse.de> SUSE Security Update: Security update for python-Django ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3127-1 Rating: moderate References: #1120932 #1139945 Cross-References: CVE-2019-12781 CVE-2019-3498 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that fixes two vulnerabilities 
is now available. Description: This update for python-Django fixes the following issues: - CVE-2019-12781: Added incorrect HTTP detection with reverse-proxy connecting via HTTPS (bsc#1139945). - CVE-2019-3498: Fixed a content spoofing via crafted URL in the default 404 page (bsc#1120932). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2019-3127=1 Package List: - SUSE Enterprise Storage 5 (noarch): python-Django-1.6.11-6.10.1 References: https://www.suse.com/security/cve/CVE-2019-12781.html https://www.suse.com/security/cve/CVE-2019-3498.html https://bugzilla.suse.com/1120932 https://bugzilla.suse.com/1139945 From sle-security-updates at lists.suse.com Fri Nov 29 13:11:56 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 29 Nov 2019 21:11:56 +0100 (CET) Subject: SUSE-SU-2019:3126-1: important: Security update for haproxy Message-ID: <20191129201156.4B7DEF79E@maintenance.suse.de> SUSE Security Update: Security update for haproxy ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3126-1 Rating: important References: #1082318 #1154980 #1157712 #1157714 Cross-References: CVE-2019-18277 Affected Products: SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has three fixes is now available. Description: This update for haproxy to version 2.0.10 fixes the following issues: HAProxy was updated to 2.0.10 Security issues fixed: - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the "chunked" (bsc#1154980). 
- Fixed an improper handling of headers which could have led to injecting LFs in H2-to-H1 transfers creating new attack space (bsc#1157712) - Fixed an issue where HEADER frames in idle streams are not rejected and thus trying to decode them HAProxy crashes (bsc#1157714). Other issue addressed: - Macro change in the spec file (bsc#1082318) More information regarding the release at: http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2019-3126=1 Package List: - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): haproxy-2.0.10+git0.ac198b92-8.8.1 haproxy-debuginfo-2.0.10+git0.ac198b92-8.8.1 haproxy-debugsource-2.0.10+git0.ac198b92-8.8.1 References: https://www.suse.com/security/cve/CVE-2019-18277.html https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1154980 https://bugzilla.suse.com/1157712 https://bugzilla.suse.com/1157714 From sle-security-updates at lists.suse.com Fri Nov 29 13:13:05 2019 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 29 Nov 2019 21:13:05 +0100 (CET) Subject: SUSE-SU-2019:3125-1: important: Security update for haproxy Message-ID: <20191129201305.09E3BF79E@maintenance.suse.de> SUSE Security Update: Security update for haproxy ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:3125-1 Rating: important References: #1082318 #1154980 #1157712 #1157714 Cross-References: CVE-2019-18277 Affected Products: SUSE Linux Enterprise High Availability 15 ______________________________________________________________________________ An update that solves one vulnerability and
has three fixes is now available. Description: This update for haproxy to version 2.0.10 fixes the following issues: HAProxy was updated to 2.0.10 Security issues fixed: - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the "chunked" (bsc#1154980). - Fixed an improper handling of headers which could have led to injecting LFs in H2-to-H1 transfers creating new attack space (bsc#1157712) - Fixed an issue where HEADER frames in idle streams are not rejected and thus trying to decode them HAProxy crashes (bsc#1157714). Other issue addressed: - Macro change in the spec file (bsc#1082318) More information regarding the release at: http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2019-3125=1 Package List: - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64): haproxy-2.0.10+git0.ac198b92-3.15.1 haproxy-debuginfo-2.0.10+git0.ac198b92-3.15.1 haproxy-debugsource-2.0.10+git0.ac198b92-3.15.1 References: https://www.suse.com/security/cve/CVE-2019-18277.html https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1154980 https://bugzilla.suse.com/1157712 https://bugzilla.suse.com/1157714