From sle-updates at lists.suse.com Mon Sep 3 13:07:58 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 3 Sep 2018 21:07:58 +0200 (CEST)
Subject: SUSE-SU-2018:2593-1: important: Security update for spice-gtk
Message-ID: <20180903190758.79D62FD54@maintenance.suse.de>

SUSE Security Update: Security update for spice-gtk
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2593-1
Rating: important
References: #1101295 #1104448
Cross-References: CVE-2018-10873 CVE-2018-10893
Affected Products:
    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for spice-gtk fixes the following issues:

Security issues fixed:

- CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448)
- CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-2018-1826=1

Package List:

- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

    libspice-client-glib-2_0-8-0.25-5.3.1
    libspice-client-glib-2_0-8-debuginfo-0.25-5.3.1
    libspice-client-gtk-2_0-4-0.25-5.3.1
    libspice-client-gtk-2_0-4-debuginfo-0.25-5.3.1
    libspice-client-gtk-3_0-4-0.25-5.3.1
    libspice-client-gtk-3_0-4-debuginfo-0.25-5.3.1
    libspice-controller0-0.25-5.3.1
    libspice-controller0-debuginfo-0.25-5.3.1
    spice-gtk-debuginfo-0.25-5.3.1
    spice-gtk-debugsource-0.25-5.3.1
    typelib-1_0-SpiceClientGlib-2_0-0.25-5.3.1
    typelib-1_0-SpiceClientGtk-3_0-0.25-5.3.1

References:

    https://www.suse.com/security/cve/CVE-2018-10873.html
    https://www.suse.com/security/cve/CVE-2018-10893.html
    https://bugzilla.suse.com/1101295
    https://bugzilla.suse.com/1104448

From sle-updates at lists.suse.com Mon Sep 3 13:08:38 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 3 Sep 2018 21:08:38 +0200 (CEST)
Subject: SUSE-SU-2018:2594-1: important: Security update for spice-gtk
Message-ID: <20180903190838.5CA81FD53@maintenance.suse.de>

SUSE Security Update: Security update for spice-gtk
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2594-1
Rating: important
References: #1101295 #1104448
Cross-References: CVE-2018-10873 CVE-2018-10893
Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP3
    SUSE Linux Enterprise Server 12-SP3
    SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.
Description:

This update for spice-gtk fixes the following issues:

Security issues fixed:

- CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448)
- CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP3:

    zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1824=1

- SUSE Linux Enterprise Server 12-SP3:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1824=1

- SUSE Linux Enterprise Desktop 12-SP3:

    zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1824=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

    spice-gtk-debuginfo-0.33-3.6.1
    spice-gtk-debugsource-0.33-3.6.1
    spice-gtk-devel-0.33-3.6.1
    typelib-1_0-SpiceClientGtk-3_0-0.33-3.6.1

- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

    libspice-client-glib-2_0-8-0.33-3.6.1
    libspice-client-glib-2_0-8-debuginfo-0.33-3.6.1
    libspice-client-glib-helper-0.33-3.6.1
    libspice-client-glib-helper-debuginfo-0.33-3.6.1
    libspice-client-gtk-3_0-5-0.33-3.6.1
    libspice-client-gtk-3_0-5-debuginfo-0.33-3.6.1
    libspice-controller0-0.33-3.6.1
    libspice-controller0-debuginfo-0.33-3.6.1
    spice-gtk-debuginfo-0.33-3.6.1
    spice-gtk-debugsource-0.33-3.6.1
    typelib-1_0-SpiceClientGlib-2_0-0.33-3.6.1
    typelib-1_0-SpiceClientGtk-3_0-0.33-3.6.1

- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

    libspice-client-glib-2_0-8-0.33-3.6.1
    libspice-client-glib-2_0-8-debuginfo-0.33-3.6.1
    libspice-client-glib-helper-0.33-3.6.1
    libspice-client-glib-helper-debuginfo-0.33-3.6.1
    libspice-client-gtk-3_0-5-0.33-3.6.1
    libspice-client-gtk-3_0-5-debuginfo-0.33-3.6.1
    libspice-controller0-0.33-3.6.1
    libspice-controller0-debuginfo-0.33-3.6.1
    spice-gtk-debuginfo-0.33-3.6.1
    spice-gtk-debugsource-0.33-3.6.1
    typelib-1_0-SpiceClientGlib-2_0-0.33-3.6.1
    typelib-1_0-SpiceClientGtk-3_0-0.33-3.6.1

References:

    https://www.suse.com/security/cve/CVE-2018-10873.html
    https://www.suse.com/security/cve/CVE-2018-10893.html
    https://bugzilla.suse.com/1101295
    https://bugzilla.suse.com/1104448

From sle-updates at lists.suse.com Mon Sep 3 13:09:17 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 3 Sep 2018 21:09:17 +0200 (CEST)
Subject: SUSE-SU-2018:2595-1: important: Security update for spice
Message-ID: <20180903190917.08915FD53@maintenance.suse.de>

SUSE Security Update: Security update for spice
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2595-1
Rating: important
References: #1101295 #1104448
Cross-References: CVE-2018-10873 CVE-2018-10893
Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP3
    SUSE Linux Enterprise Server 12-SP3
    SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for spice fixes the following issues:

Security issues fixed:

- CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448)
- CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP3:

    zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1825=1

- SUSE Linux Enterprise Server 12-SP3:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1825=1

- SUSE Linux Enterprise Desktop 12-SP3:

    zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1825=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

    libspice-server-devel-0.12.8-6.1
    spice-debugsource-0.12.8-6.1

- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

    libspice-server1-0.12.8-6.1
    libspice-server1-debuginfo-0.12.8-6.1
    spice-debugsource-0.12.8-6.1

- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

    libspice-server1-0.12.8-6.1
    libspice-server1-debuginfo-0.12.8-6.1
    spice-debugsource-0.12.8-6.1

References:

    https://www.suse.com/security/cve/CVE-2018-10873.html
    https://www.suse.com/security/cve/CVE-2018-10893.html
    https://bugzilla.suse.com/1101295
    https://bugzilla.suse.com/1104448

From sle-updates at lists.suse.com Mon Sep 3 13:09:59 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 3 Sep 2018 21:09:59 +0200 (CEST)
Subject: SUSE-SU-2018:2596-1: important: Security update for the Linux Kernel
Message-ID: <20180903190959.66751FD53@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2596-1
Rating: important
References:
    #1012382 #1064232 #1065364 #1068032 #1076110 #1082653 #1082979 #1085042
    #1085536 #1086457 #1087081 #1089343 #1090123 #1090435 #1091171 #1091860
    #1092001 #1094244 #1095643 #1096254 #1096978 #1097771 #1098253 #1098599
    #1099792 #1099811 #1099813 #1099844 #1099845 #1099846 #1099849 #1099858
    #1099863 #1099864 #1100132 #1100843 #1100930 #1101296 #1101331 #1101658
    #1101789 #1101822 #1101841 #1102188 #1102197 #1102203 #1102205 #1102207
    #1102211 #1102214 #1102215 #1102340 #1102394 #1102683 #1102715 #1102797
    #1102851 #1103097 #1103119 #1103269 #1103445 #1103580 #1103717 #1103745
    #1103884 #1104174 #1104319 #1104365 #1104494 #1104495 #1104897 #1105292
    #970506
Cross-References:
    CVE-2017-18344 CVE-2018-10876 CVE-2018-10877 CVE-2018-10878
    CVE-2018-10879 CVE-2018-10880 CVE-2018-10881 CVE-2018-10882
    CVE-2018-10883 CVE-2018-14734 CVE-2018-3620 CVE-2018-3646
    CVE-2018-5390 CVE-2018-5391 CVE-2018-9363
Affected Products:
    SUSE Linux Enterprise Real Time Extension 12-SP3
______________________________________________________________________________

An update that solves 15 vulnerabilities and has 58 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP3 RT kernel was updated to 4.4.147 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bnc#1102851 bsc#1103580).
- CVE-2018-10876: A flaw was found in the ext4 filesystem code. A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811)
- CVE-2018-10877: The ext4 filesystem was vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846)
- CVE-2018-10878: A flaw was found in the ext4 filesystem. A local user could cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813)
- CVE-2018-10879: A flaw was found in the ext4 filesystem. A local user could cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844)
- CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (bnc#1099845)
- CVE-2018-10881: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099864)
- CVE-2018-10882: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bound write in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849)
- CVE-2018-10883: A flaw was found in the ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (bnc#1099863)
- CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119).
- CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis (bnc#1087081).
- CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bnc#1089343 bnc#1104365).
- CVE-2018-5390: The Linux kernel could be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102340).
- CVE-2018-5391 aka "FragmentSmack": A flaw in the IP packet reassembly could be used by remote attackers to consume lots of CPU time (bnc#1103097).
- CVE-2018-9363: A buffer overflow in bluetooth HID report processing could be used by malicious bluetooth devices to crash the kernel or potentially execute code (bnc#1105292).

The following non-security bugs were fixed:

- acpi / pci: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382).
- Add support for 5,25,50, and 100G to 802.3ad bonding driver (bsc#1096978)
- ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS (bnc#1012382).
- alsa: emu10k1: add error handling for snd_ctl_add (bnc#1012382).
- alsa: emu10k1: Rate-limit error messages about page errors (bnc#1012382).
- alsa: fm801: add error handling for snd_ctl_add (bnc#1012382).
- alsa: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382).
- alsa: rawmidi: Change resized buffers atomically (bnc#1012382).
- alsa: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382).
- arc: Fix CONFIG_SWAP (bnc#1012382).
- arc: mm: allow mprotect to make stack mappings executable (bnc#1012382).
- arm64: do not open code page table entry creation (bsc#1102197).
- arm64: kpti: Use early_param for kpti= command-line option (bsc#1102188).
- arm64: Make sure permission updates happen for pmd/pud (bsc#1102197).
- arm: dts: imx6q: Use correct SDMA script for SPI5 core (bnc#1012382).
- arm: fix put_user() for gcc-8 (bnc#1012382).
- asoc: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382).
- asoc: pxa: Fix module autoload for platform drivers (bnc#1012382).
- ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode (bnc#1012382).
- ath: Add regulatory mapping for APL13_WORLD (bnc#1012382).
- ath: Add regulatory mapping for APL2_FCCA (bnc#1012382).
- ath: Add regulatory mapping for Bahamas (bnc#1012382).
- ath: Add regulatory mapping for Bermuda (bnc#1012382).
- ath: Add regulatory mapping for ETSI8_WORLD (bnc#1012382).
- ath: Add regulatory mapping for FCC3_ETSIC (bnc#1012382).
- ath: Add regulatory mapping for Serbia (bnc#1012382).
- ath: Add regulatory mapping for Tanzania (bnc#1012382).
- ath: Add regulatory mapping for Uganda (bnc#1012382).
- atm: zatm: Fix potential Spectre v1 (bnc#1012382).
- audit: allow not equal op for audit by executable (bnc#1012382).
- bcache: add backing_request_endio() for bi_end_io (bsc#1064232).
- bcache: add CACHE_SET_IO_DISABLE to struct cache_set flags (bsc#1064232).
- bcache: add io_disable to struct cached_dev (bsc#1064232).
- bcache: add journal statistic (bsc#1076110).
- bcache: Add __printf annotation to __bch_check_keys() (bsc#1064232).
- bcache: add stop_when_cache_set_failed option to backing device (bsc#1064232).
- bcache: add wait_for_kthread_stop() in bch_allocator_thread() (bsc#1064232).
- bcache: Annotate switch fall-through (bsc#1064232).
- bcache: closures: move control bits one bit right (bsc#1076110).
- bcache: correct flash only vols (check all uuids) (bsc#1064232).
- bcache: count backing device I/O error for writeback I/O (bsc#1064232).
- bcache: Fix a compiler warning in bcache_device_init() (bsc#1064232).
- bcache: fix cached_dev->count usage for bch_cache_set_error() (bsc#1064232).
- bcache: fix crashes in duplicate cache device register (bsc#1076110).
- bcache: fix error return value in memory shrink (bsc#1064232).
- bcache: fix high CPU occupancy during journal (bsc#1076110).
- bcache: Fix, improve efficiency of closure_sync() (bsc#1076110).
- bcache: fix inaccurate io state for detached bcache devices (bsc#1064232).
- bcache: fix incorrect sysfs output value of strip size (bsc#1064232).
- bcache: Fix indentation (bsc#1064232).
- bcache: Fix kernel-doc warnings (bsc#1064232).
- bcache: fix misleading error message in bch_count_io_errors() (bsc#1064232).
- bcache: fix using of loop variable in memory shrink (bsc#1064232).
- bcache: fix writeback target calc on large devices (bsc#1076110).
- bcache: fix wrong return value in bch_debug_init() (bsc#1076110).
- bcache: mark closure_sync() __sched (bsc#1076110).
- bcache: move closure debug file into debug directory (bsc#1064232).
- bcache: reduce cache_set devices iteration by devices_max_used (bsc#1064232).
- bcache: Reduce the number of sparse complaints about lock imbalances (bsc#1064232).
- bcache: Remove an unused variable (bsc#1064232).
- bcache: ret IOERR when read meets metadata error (bsc#1076110).
- bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n (bsc#1064232).
- bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error() (bsc#1064232).
- bcache: set dc->io_disable to true in conditional_stop_bcache_device() (bsc#1064232).
- bcache: set error_limit correctly (bsc#1064232).
- bcache: set writeback_rate_update_seconds in range [1, 60] seconds (bsc#1064232).
- bcache: stop bcache device when backing device is offline (bsc#1064232).
- bcache: stop dc->writeback_rate_update properly (bsc#1064232).
- bcache: stop writeback thread after detaching (bsc#1076110).
- bcache: store disk name in struct cache and struct cached_dev (bsc#1064232).
- bcache: Suppress more warnings about set-but-not-used variables (bsc#1064232).
- bcache: use pr_info() to inform duplicated CACHE_SET_IO_DISABLE set (bsc#1064232).
- bcache: Use PTR_ERR_OR_ZERO() (bsc#1076110).
- bcm63xx_enet: correct clock usage (bnc#1012382).
- bcm63xx_enet: do not write to random DMA channel on BCM6345 (bnc#1012382).
- blkcg: simplify statistic accumulation code (bsc#1082979).
- block: copy ioprio in __bio_clone_fast() (bsc#1082653).
- block: do not use interruptible wait anywhere (bnc#1012382).
- block/swim: Fix array bounds check (bsc#1082979).
- bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382).
- bluetooth: hci_qca: Fix "Sleep inside atomic section" warning (bnc#1012382).
- bpf: fix loading of BPF_MAXINSNS sized programs (bsc#1012382).
- bpf: fix references to free_bpf_prog_info() in comments (bnc#1012382).
- bpf, x64: fix memleak when not converging after image (bsc#1012382).
- brcmfmac: Add support for bcm43364 wireless chipset (bnc#1012382).
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (bnc#1012382).
- btrfs: Do not remove block group still has pinned down bytes (bsc#1086457).
- btrfs: qgroup: Finish rescan when hit the last leaf of extent tree (bnc#1012382).
- btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf (git-fixes).
- cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag (bsc#1099858).
- cachefiles: Fix refcounting bug in backing-file read monitoring (bsc#1099858).
- cachefiles: Wait rather than BUG'ing on "Unexpected object collision" (bsc#1099858).
- can: ems_usb: Fix memory leak on ems_usb_disconnect() (bnc#1012382).
- can: xilinx_can: fix device dropping off bus on RX overrun (bnc#1012382).
- can: xilinx_can: fix incorrect clear of non-processed interrupts (bnc#1012382).
- can: xilinx_can: fix recovery from error states not being propagated (bnc#1012382).
- can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK (bnc#1012382).
- can: xilinx_can: fix RX overflow interrupt not being enabled (bnc#1012382).
- can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting (bnc#1012382).
- cifs: fix bad/NULL ptr dereferencing in SMB2_sess_setup() (bsc#1090123).
- cifs: Fix infinite loop when using hard mount option (bnc#1012382).
- clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 (bnc#1012382).
- compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled (bnc#1012382).
- compiler, clang: properly override 'inline' for clang (bnc#1012382).
- compiler, clang: suppress warning for unused static inline functions (bnc#1012382).
- compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations (bnc#1012382).
- cpu/hotplug: Add sysfs state interface (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Split do_cpu_down() (bsc#1089343).
- crypto: authenc - do not leak pointers to authenc keys (bnc#1012382).
- crypto: authencesn - do not leak pointers to authenc keys (bnc#1012382).
- crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak (bnc#1012382).
- crypto: crypto4xx - remove bad list_del (bnc#1012382).
- crypto: padlock-aes - Fix Nano workaround data corruption (bnc#1012382).
- disable loading f2fs module on PAGE_SIZE > 4KB (bnc#1012382).
- dmaengine: pxa_dma: remove duplicate const qualifier (bnc#1012382).
- dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA (bnc#1012382).
- dm thin metadata: remove needless work from __commit_transaction (bsc#1082979).
- documentation/spec_ctrl: Do some minor cleanups (bnc#1012382).
- drbd: fix access after free (bnc#1012382).
- driver core: Partially revert "driver core: correct device's shutdown order" (bnc#1012382).
- drm: Add DP PSR2 sink enable bit (bnc#1012382).
- drm/atomic: Handling the case when setting old crtc for plane (bnc#1012382).
- drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up (bsc#1101822).
- drm/gma500: fix psb_intel_lvds_mode_valid()'s return type (bnc#1012382).
- drm/msm: Fix possible null dereference on failure of get_pages() (bsc#1102394).
- drm/radeon: fix mode_valid's return type (bnc#1012382).
- drm: re-enable error handling (bsc#1103884).
- esp6: fix memleak on error path in esp6_input (git-fixes).
- ext4: add more inode number paranoia checks (bnc#1012382).
- ext4: add more mount time checks of the superblock (bnc#1012382).
- ext4: always check block group bounds in ext4_init_block_bitmap() (bnc#1012382).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: check superblock mapped prior to committing (bnc#1012382).
- ext4: clear i_data in ext4_inode_info when removing inline data (bnc#1012382).
- ext4: do not update s_last_mounted of a frozen fs (bsc#1101841).
- ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ext4: fix inline data updates with checksums enabled (bsc#1104494).
- ext4: include the illegal physical block in the bad map ext4_error msg (bnc#1012382).
- ext4: make sure bitmaps and the inode table do not overlap with bg descriptors (bnc#1012382).
- ext4: only look at the bg_flags field if it is valid (bnc#1012382).
- ext4: verify the depth of extent tree in ext4_find_extent() (bnc#1012382).
- f2fs: fix to do not trigger writeback during recovery (bnc#1012382).
- fat: fix memory allocation failure handling of match_strdup() (bnc#1012382).
- fscache: Allow cancelled operations to be enqueued (bsc#1099858).
- fscache: Fix reference overput in fscache_attach_object() error handling (bsc#1099858).
- genirq: Make force irq threading setup more robust (bsc#1082979).
- hid: debug: check length before copy_to_user() (bnc#1012382).
- hid: hiddev: fix potential Spectre v1 (bnc#1012382).
- hid: hid-plantronics: Re-resend Update to map button for PTT products (bnc#1012382).
- hid: i2c-hid: check if device is there before really probing (bnc#1012382).
- hid: i2c-hid: Fix "incomplete report" noise (bnc#1012382).
- hid: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter (bnc#1012382).
- hvc_opal: do not set tb_ticks_per_usec in udbg_init_opal_common() (bnc#1012382).
- i2c: imx: Fix reinit_completion() use (bnc#1012382).
- i2c: rcar: fix resume by always initializing registers before transfer (bnc#1012382).
- ib/isert: fix T10-pi check mask setting (bsc#1082979).
- ibmasm: do not write out of bounds in read handler (bnc#1012382).
- ibmvnic: Fix error recovery on login failure (bsc#1101789).
- ibmvnic: Remove code to request error information (bsc#1104174).
- ibmvnic: Revise RX/TX queue error messages (bsc#1101331).
- ibmvnic: Update firmware error reporting with cause string (bsc#1104174).
- inet: frag: enforce memory limits earlier (bnc#1012382 bsc#970506).
- input: elan_i2c - add ACPI ID for lenovo ideapad 330 (bnc#1012382).
- input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST (bnc#1012382).
- input: i8042 - add Lenovo LaVie Z to the i8042 reset list (bnc#1012382).
- ipconfig: Correctly initialise ic_nameservers (bnc#1012382).
- ip: hash fragments consistently (bnc#1012382).
- ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull (bnc#1012382).
- ipv4: Fix error return value in fib_convert_metrics() (bnc#1012382).
- ipv4: remove BUG_ON() from fib_compute_spec_dst (bnc#1012382).
- ipv4: Return EINVAL when ping_group_range sysctl does not map to user ns (bnc#1012382).
- ipv6: fix useless rol32 call on hash (bnc#1012382).
- iw_cxgb4: correctly enforce the max reg_mr depth (bnc#1012382).
- iwlwifi: pcie: fix race in Rx buffer allocator (bnc#1012382).
- jbd2: do not mark block as modified if the handle is out of credits (bnc#1012382).
- kabi protect includes in include/linux/inet.h (bsc#1095643).
- KABI protect net/core/utils.c includes (bsc#1095643).
- kABI: protect struct loop_device (kabi).
- kABI: reexport tcp_send_ack (kabi).
- kABI: reintroduce __static_cpu_has_safe (kabi).
- kabi/severities: add 'drivers/md/bcache/* PASS' since no one uses symbols exported by bcache.
- kbuild: fix # escaping in .cmd files for future Make (bnc#1012382).
- KEYS: DNS: fix parsing multiple options (bnc#1012382).
- kmod: fix wait on recursive loop (bsc#1099792).
- kmod: reduce atomic operations on kmod_concurrent and simplify (bsc#1099792).
- kmod: throttle kmod thread limit (bsc#1099792).
- kprobes/x86: Do not modify singlestep buffer while resuming (bnc#1012382).
- kthread, tracing: Do not expose half-written comm when creating kthreads (bsc#1104897).
- kvm: arm/arm64: Drop resource size check for GICV window (bsc#1102215).
- kvm: arm/arm64: Set dist->spis to NULL after kfree (bsc#1102214).
- kvm/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel (bnc#1012382).
- kvm: x86: vmx: fix vpid leak (bnc#1012382).
- libata: do not try to pass through NCQ commands to non-NCQ devices (bsc#1082979).
- libata: Fix command retry decision (bnc#1012382).
- lib/rhashtable: consider param->min_size when setting initial table size (bnc#1012382).
- loop: add recursion validation to LOOP_CHANGE_FD (bnc#1012382).
- loop: remember whether sysfs_create_group() was done (bnc#1012382).
- md: fix NULL dereference of mddev->pers in remove_and_add_spares() (bnc#1012382).
- media: cx25840: Use subdev host data for PLL override (bnc#1012382).
- media: omap3isp: fix unbalanced dma_iommu_mapping (bnc#1012382).
- media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() (bnc#1012382).
- media: saa7164: Fix driver name in debug output (bnc#1012382).
- media: si470x: fix __be16 annotations (bnc#1012382).
- media: siano: get rid of __le32/__le16 cast warnings (bnc#1012382).
- media: videobuf2-core: do not call memop 'finish' when queueing (bnc#1012382).
- memory: tegra: Apply interrupts mask per SoC (bnc#1012382).
- memory: tegra: Do not handle spurious interrupts (bnc#1012382).
- mfd: cros_ec: Fail early if we cannot identify the EC (bnc#1012382).
- microblaze: Fix simpleImage format generation (bnc#1012382).
- mmc: dw_mmc: fix card threshold control configuration (bsc#1102203).
- mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing (bsc#1097771).
- mm: hugetlb: yield when prepping struct pages (bnc#1012382).
- mm: memcg: fix use after free in mem_cgroup_iter() (bnc#1012382).
- mm/slub.c: add __printf verification to slab_err() (bnc#1012382).
- mm: vmalloc: avoid racy handling of debugobjects in vunmap (bnc#1012382).
- mtd: cfi_cmdset_0002: Change definition naming to retry write operation (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to check chip good only (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to retry for error (bnc#1012382).
- mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages (bnc#1012382).
- mtd: rawnand: mxc: set spare area size register explicitly (bnc#1012382).
- mtd: ubi: wl: Fix error return code in ubi_wl_init() (git-fixes).
- mwifiex: correct histogram data with appropriate index (bnc#1012382).
- mwifiex: handle race during mwifiex_usb_disconnect (bnc#1012382).
- net: cxgb3_main: fix potential Spectre v1 (bnc#1012382).
- net: dccp: avoid crash in ccid3_hc_rx_send_feedback() (bnc#1012382).
- net: dccp: switch rx_tstamp_last_feedback to monotonic clock (bnc#1012382).
- net: Do not copy pfmemalloc flag in __copy_skb_header() (bnc#1012382).
- net: dsa: Do not suspend/resume closed slave_dev (bnc#1012382).
- netfilter: ebtables: reject non-bridge targets (bnc#1012382).
- netfilter: ipset: List timing out entries with "timeout 1" instead of zero (bnc#1012382).
- netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule (bsc#1102797).
- netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet (bsc#1102797).
- netfilter: nf_log: do not hold nf_log_mutex during user access (bnc#1012382).
- netfilter: nf_queue: augment nfqa_cfg_policy (bnc#1012382).
- netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() (bnc#1012382).
- netfilter: x_tables: initialise match/target check parameter struct (bnc#1012382).
- net: fix amd-xgbe flow-control issue (bnc#1012382).
- net/ipv4: Set oif in fib_compute_spec_dst (bnc#1012382).
- net: lan78xx: fix rx handling before first packet is send (bnc#1012382).
- netlink: Do not shift on 64 for ngroups (bnc#1012382).
- netlink: Do not shift with UB on nlk->ngroups (bnc#1012382).
- netlink: Do not subscribe to non-existent groups (bnc#1012382).
- netlink: Fix spectre v1 gadget in netlink_create() (bnc#1012382).
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper (bnc#1012382).
- net/mlx5: Fix command interface race in polling mode (bnc#1012382).
- net/mlx5: Fix incorrect raw command length parsing (bnc#1012382).
- net: mvneta: fix the Rx desc DMA address in the Rx path (bsc#1102207).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bnc#1012382).
- net: off by one in inet6_pton() (bsc#1095643).
- net: phy: fix flag masking in __set_phy_supported (bnc#1012382).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1102205).
- net_sched: blackhole: tell upper qdisc about dropped packets (bnc#1012382).
- net: socket: fix potential spectre v1 gadget in socketcall (bnc#1012382).
- net: stmmac: align DMA stuff to largest cache line length (bnc#1012382).
- net: sungem: fix rx checksum support (bnc#1012382).
- net/utils: generic inet_pton_with_scope helper (bsc#1095643).
- net: vmxnet3: use new api ethtool_{get|set}_link_ksettings (bsc#1091860 bsc#1098253).
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo (bnc#1012382).
- nohz: Fix local_timer_softirq_pending() (bnc#1012382).
- n_tty: Access echo_* variables carefully (bnc#1012382).
- n_tty: Fix stall at n_tty_receive_char_special() (bnc#1012382).
- null_blk: use sector_div instead of do_div (bsc#1082979).
- nvme-pci: initialize queue memory before interrupts (bnc#1012382).
- nvme-rdma: Check remotely invalidated rkey matches our expected rkey (bsc#1092001).
- nvme-rdma: default MR page size to 4k (bsc#1092001).
- nvme-rdma: do not complete requests before a send work request has completed (bsc#1092001).
- nvme-rdma: do not suppress send completions (bsc#1092001).
- nvme-rdma: Fix command completion race at error recovery (bsc#1090435).
- nvme-rdma: make nvme_rdma_[create|destroy]_queue_ib symmetrical (bsc#1092001).
- nvme-rdma: use inet_pton_with_scope helper (bsc#1095643).
- nvme-rdma: Use mr pool (bsc#1092001).
- nvme-rdma: wait for local invalidation before completing a request (bsc#1092001).
- ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (bnc#1012382).
- pci: ibmphp: Fix use-before-set in get_max_bus_speed() (bsc#1100132).
- pci: pciehp: Request control of native hotplug only if supported (bnc#1012382).
- pci: Prevent sysfs disable of device while driver is attached (bnc#1012382).
- perf: fix invalid bit in diagnostic entry (bnc#1012382).
- perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check for NHM (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check in generic code (bnc#1012382).
- pinctrl: at91-pio4: add missing of_node_put (bnc#1012382).
- pm / hibernate: Fix oops at snapshot_write() (bnc#1012382).
- powerpc/32: Add a missing include header (bnc#1012382).
- powerpc/64: Initialise thread_info for emergency stacks (bsc#1094244, bsc#1100930, bsc#1102683).
- powerpc/64s: Fix compiler store ordering to SLB shadow area (bnc#1012382).
- powerpc/8xx: fix invalid register expression in head_8xx.S (bnc#1012382).
- powerpc/chrp/time: Make some functions static, add missing header include (bnc#1012382).
- powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet (bnc#1012382).
- powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269).
- powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269).
- powerpc/powermac: Add missing prototype for note_bootable_part() (bnc#1012382).
- powerpc/powermac: Mark variable x as unused (bnc#1012382).
- provide special timeout module parameters for EC2 (bsc#1065364).
- ptp: fix missing break in switch (bnc#1012382).
- qed: Limit msix vectors in kdump kernel to the minimum required count (bnc#1012382).
- r8152: napi hangup fix after disconnect (bnc#1012382).
- random: mix rdrand with entropy sent in from userspace (bnc#1012382).
- rdma/mad: Convert BUG_ONs to error flows (bnc#1012382).
- rdma/ocrdma: Fix an error code in ocrdma_alloc_pd() (bsc#1082979).
- rdma/ocrdma: Fix error codes in ocrdma_create_srq() (bsc#1082979).
- rdma/ucm: Mark UCM interface as BROKEN (bnc#1012382).
- rds: avoid unenecessary cong_update in loop transport (bnc#1012382).
- regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops (bnc#1012382).
- Remove broken patches for dac9063 watchdog (bsc#1100843)
- restore cond_resched() in shrink_dcache_parent() (bsc#1098599).
- Revert 'block-cancel-workqueue-entries-on-blk_mq_freeze_queue' (bsc#1103717)
- Revert "net: Do not copy pfmemalloc flag in __copy_skb_header()" (kabi).
- Revert "sit: reload iphdr in ipip6_rcv" (bnc#1012382).
- Revert "skbuff: Unconditionally copy pfmemalloc in __skb_clone()" (kabi).
- Revert "x86/cpufeature: Move some of the scattered feature bits to x86_capability" (kabi).
- Revert "x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6" (kabi).
- Revert "x86/mm: Give each mm TLB flush generation a unique ID" (kabi).
- Revert "x86/speculation: Use Indirect Branch Prediction Barrier in context switch" (kabi).
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer (bnc#1012382).
- rsi: Fix 'invalid vdd' warning in mmc (bnc#1012382).
- rtc: ensure rtc_set_alarm fails when alarms are not supported (bnc#1012382).
- rtlwifi: rtl8821ae: fix firmware is not ready to run (bnc#1012382).
- rtnetlink: add rtnl_link_state check in rtnl_configure_link (bnc#1012382).
- s390: Correct register corruption in critical section cleanup (bnc#1012382).
- s390/cpum_sf: Add data entry sizes to sampling trailer entry (bnc#1012382).
- s390/qeth: fix error handling in adapter command callbacks (bnc#1103745, LTC#169699).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- sched/smt: Update sched_smt_present at runtime (bsc#1089343).
- scsi: 3w-9xxx: fix a missing-check bug (bnc#1012382).
- scsi: 3w-xxxx: fix a missing-check bug (bnc#1012382).
- scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs (bnc#1012382).
- scsi: megaraid: silence a static checker bug (bnc#1012382).
- scsi: qla2xxx: Fix ISP recovery on unload (bnc#1012382).
- scsi: qla2xxx: Return error when TMF returns (bnc#1012382).
- scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' (bsc#1082979).
- scsi: scsi_dh: replace too broad "TP9" string with the exact models (bnc#1012382).
- scsi: sg: fix minor memory leak in error path (bsc#1082979).
- scsi: sg: mitigate read/write abuse (bsc#1101296).
- scsi: target: fix crash with iscsi target and dvd (bsc#1082979).
- scsi: ufs: fix exception event handling (bnc#1012382).
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC (bnc#1012382).
- selftest/seccomp: Fix the seccomp(2) signature (bnc#1012382).
- skbuff: Unconditionally copy pfmemalloc in __skb_clone() (bnc#1012382).
- smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132).
- smsc95xx: Configure pause time to 0xffff when tx flow control enabled (bsc#1085536).
- squashfs: be more careful about metadata corruption (bnc#1012382).
- squashfs: more metadata hardening (bnc#1012382).
- squashfs: more metadata hardenings (bnc#1012382).
- staging: android: ion: Return an ERR_PTR in ion_map_kernel (bnc#1012382).
- staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() (bnc#1012382).
- tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode (bnc#1012382).
- tcp: add one more quick ack after after ECN events (bnc#1012382).
- tcp: do not aggressively quick ack after ECN events (bnc#1012382).
- tcp: do not cancel delay-AcK on DCTCP special ACK (bnc#1012382).
- tcp: do not delay ACK in DCTCP upon CE status change (bnc#1012382).
- tcp: do not force quickack when receiving out-of-order packets (bnc#1012382).
- tcp: fix dctcp delayed ACK schedule (bnc#1012382).
- tcp: fix Fast Open key endianness (bnc#1012382).
- tcp: helpers to send special DCTCP ack (bnc#1012382).
- tcp: prevent bogus FRTO undos with non-SACK flows (bnc#1012382).
- tcp: refactor tcp_ecn_check_ce to remove sk type cast (bnc#1012382).
- tg3: Add higher cpu clock for 5762 (bnc#1012382).
- thermal: exynos: fix setting rising_threshold for Exynos5433 (bnc#1012382).
- tools build: fix # escaping in .cmd files for future Make (bnc#1012382).
- tracing: Fix double free of event_trigger_data (bnc#1012382).
- tracing: Fix missing return symbol in function_graph output (bnc#1012382).
- tracing: Fix possible double free in event_enable_trigger_func() (bnc#1012382).
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure (bnc#1012382).
- tracing: Quiet gcc warning about maybe unused link variable (bnc#1012382).
- tty: Fix data race in tty_insert_flip_string_fixed_flag (bnc#1012382).
- turn off -Wattribute-alias (bnc#1012382).
- ubi: Be more paranoid while seaching for the most recent Fastmap (bnc#1012382).
- ubi: fastmap: Correctly handle interrupted erasures in EBA (bnc#1012382).
- ubi: fastmap: Erase outdated anchor PEBs during attach (bnc#1012382).
- ubi: Fix Fastmap's update_vol() (bnc#1012382).
- ubi: Fix races around ubi_refill_pools() (bnc#1012382).
- ubi: Introduce vol_ignored() (bnc#1012382).
- ubi: Rework Fastmap attach base code (bnc#1012382).
- uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn() (bnc#1012382).
- usb: cdc_acm: Add quirk for Castles VEGA3000 (bnc#1012382).
- usb: cdc_acm: Add quirk for Uniden UBC125 scanner (bnc#1012382).
- usb: core: handle hub C_PORT_OVER_CURRENT condition (bsc#1100132).
- usb: gadget: f_fs: Only return delayed status when len is 0 (bnc#1012382).
- usb: hub: Do not wait for connect state at resume for powered-off ports (bnc#1012382).
- usbip: usbip_detach: Fix memory, udev context and udev leak (bnc#1012382).
- usb: quirks: add delay quirks for Corsair Strafe (bnc#1012382).
- USB: serial: ch341: fix type promotion bug in ch341_control_in() (bnc#1012382).
- USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick (bnc#1012382).
- USB: serial: cp210x: add CESINEL device ids (bnc#1012382).
- USB: serial: cp210x: add Silicon Labs IDs for Windows Update (bnc#1012382).
- USB: serial: keyspan_pda: fix modem-status error handling (bnc#1012382).
- USB: serial: mos7840: fix status-register error handling (bnc#1012382).
- USB: yurex: fix out-of-bounds uaccess in read handler (bnc#1012382).
- vfio: platform: Fix reset module leak in error path (bsc#1102211).
- vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841).
- vhost_net: validate sock before trying to put its fd (bnc#1012382).
- virtio_balloon: fix another race between migration and ballooning (bnc#1012382).
- vmw_balloon: fix inflation with batching (bnc#1012382).
- vmxnet3: add receive data ring support (bsc#1091860 bsc#1098253).
- vmxnet3: add support for get_coalesce, set_coalesce ethtool operations (bsc#1091860 bsc#1098253).
- vmxnet3: allow variable length transmit data ring buffer (bsc#1091860 bsc#1098253).
- vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() (bsc#1091860 bsc#1098253).
- vmxnet3: avoid format strint overflow warning (bsc#1091860 bsc#1098253).
- vmxnet3: avoid xmit reset due to a race in vmxnet3 (bsc#1091860 bsc#1098253).
- vmxnet3: fix incorrect dereference when rxvlan is disabled (bsc#1091860 bsc#1098253).
- vmxnet3: fix non static symbol warning (bsc#1091860 bsc#1098253).
- vmxnet3: fix tx data ring copy for variable size (bsc#1091860 bsc#1098253).
- vmxnet3: increase default rx ring sizes (bsc#1091860 bsc#1098253).
- vmxnet3: introduce command to register memory region (bsc#1091860 bsc#1098253).
- vmxnet3: introduce generalized command interface to configure the device (bsc#1091860 bsc#1098253).
- vmxnet3: prepare for version 3 changes (bsc#1091860 bsc#1098253).
- vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1091860 bsc#1098253).
- vmxnet3: remove unused flag "rxcsum" from struct vmxnet3_adapter (bsc#1091860 bsc#1098253).
- vmxnet3: Replace msleep(1) with usleep_range() (bsc#1091860 bsc#1098253).
- vmxnet3: set the DMA mask before the first DMA map operation (bsc#1091860 bsc#1098253).
- vmxnet3: update to version 3 (bsc#1091860 bsc#1098253).
- vmxnet3: use correct flag to indicate LRO feature (bsc#1091860 bsc#1098253).
- vmxnet3: use DMA memory barriers where required (bsc#1091860 bsc#1098253).
- wait: add wait_event_killable_timeout() (bsc#1099792).
- watchdog: da9063: Fix setting/changing timeout (bsc#1100843).
- watchdog: da9063: Fix timeout handling during probe (bsc#1100843).
- watchdog: da9063: Fix updating timeout value (bsc#1100843).
- wlcore: sdio: check for valid platform device data before suspend (bnc#1012382).
- x86/alternatives: Add an auxilary section (bnc#1012382).
- x86/alternatives: Discard dynamic check after init (bnc#1012382).
- x86/amd: do not set X86_BUG_SYSRET_SS_ATTRS when running under Xen (bnc#1012382).
- x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343).
- x86/asm: Add _ASM_ARG* constants for argument registers to (bnc#1012382).
- x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs (bnc#1012382).
- x86/boot: Simplify kernel load address alignment check (bnc#1012382).
- x86/bugs: Respect nospec command line option (bsc#1068032).
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu/AMD: Fix erratum 1076 (CPB bit) (bnc#1012382).
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343). Update config files.
- x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
- x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- x86/cpufeature: Add helper macro for mask check macros (bnc#1012382).
- x86/cpufeature: Carve out X86_FEATURE_* (bnc#1012382).
- x86/cpufeature: Get rid of the non-asm goto variant (bnc#1012382).
- x86/cpufeature: Make sure DISABLED/REQUIRED macros are updated (bnc#1012382).
- x86/cpufeature: Move some of the scattered feature bits to x86_capability (bnc#1012382).
- x86/cpufeature: preserve numbers (kabi).
- x86/cpufeature: Replace the old static_cpu_has() with safe variant (bnc#1012382).
- x86/cpufeatures: Add CPUID_7_EDX CPUID leaf (bnc#1012382).
- x86/cpufeatures: Clean up Spectre v2 related CPUID flags (bnc#1012382).
- x86/cpufeature: Speed up cpu_feature_enabled() (bnc#1012382).
- x86/cpufeature: Update cpufeaure macros (bnc#1012382).
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu: Make alternative_msr_write work for 32-bit code (bnc#1012382).
- x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6 (bnc#1012382).
- x86/cpu: Provide a config option to disable static_cpu_has (bnc#1012382).
- x86/cpu: Re-apply forced caps every time CPU caps are re-read (bnc#1012382).
- x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (bnc#1012382).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/fpu: Add an XSTATE_OP() macro (bnc#1012382).
- x86/fpu: Get rid of xstate_fault() (bnc#1012382).
- x86/headers: Do not include asm/processor.h in asm/atomic.h (bnc#1012382).
- x86/irqflags: Provide a declaration for native_save_fl (git-fixes).
- x86/mce: Fix incorrect "Machine check from unknown source" message (bnc#1012382).
- x86/MCE: Remove min interval polling limitation (bnc#1012382).
- x86/mm: Give each mm TLB flush generation a unique ID (bnc#1012382).
- x86/mm/pkeys: Fix mismerge of protection keys CPUID bits (bnc#1012382).
- x86/mm: Simplify p[g4um]d_page() macros (bnc#1087081).
- x86/paravirt: Make native_save_fl() extern inline (bnc#1012382).
- x86/process: Correct and optimize TIF_BLOCKSTEP switch (bnc#1012382).
- x86/process: Optimize TIF checks in __switch_to_xtra() (bnc#1012382).
- x86/process: Optimize TIF_NOTSC switch (bnc#1012382).
- x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343).
- x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
- x86/spectre_v2: Do not check microcode versions when running under hypervisors (bnc#1012382).
- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (bnc#1012382).
- x86/speculation: Add dependency (bnc#1012382).
- x86/speculation: Clean up various Spectre related details (bnc#1012382).
- x86/speculation: Correct Speculation Control microcode blacklist again (bnc#1012382).
- x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP (bnc#1012382).
- x86/speculation: Update Speculation Control microcode blacklist (bnc#1012382).
- x86/speculation: Use IBRS if available before calling into firmware (bnc#1012382).
- x86/speculation: Use Indirect Branch Prediction Barrier in context switch (bnc#1012382).
- x86/topology: Add topology_max_smt_threads() (bsc#1089343).
- x86/topology: Provide topology_smt_supported() (bsc#1089343).
- x86/vdso: Use static_cpu_has() (bnc#1012382).
- x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths (bnc#1012382).
- xen/grant-table: log the lack of grants (bnc#1085042).
- xen-netfront: Fix mismatched rtnl_unlock (bnc#1101658).
- xen-netfront: Update features after registering netdev (bnc#1101658).
- xen-netfront: wait xenbus state change when load module manually (bnc#1012382).
- xen: set cpu capabilities from xen_start_kernel() (bnc#1012382).
- xhci: Fix perceived dead host due to runtime suspend race with event handler (bnc#1012382).
- xhci: xhci-mem: off by one in xhci_stream_id_to_ring() (bnc#1012382).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP3:

   zypper in -t patch SUSE-SLE-RT-12-SP3-2018-1827=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP3 (noarch):

   kernel-devel-rt-4.4.147-3.20.1
   kernel-source-rt-4.4.147-3.20.1

- SUSE Linux Enterprise Real Time Extension 12-SP3 (x86_64):

   cluster-md-kmp-rt-4.4.147-3.20.1
   cluster-md-kmp-rt-debuginfo-4.4.147-3.20.1
   dlm-kmp-rt-4.4.147-3.20.1
   dlm-kmp-rt-debuginfo-4.4.147-3.20.1
   gfs2-kmp-rt-4.4.147-3.20.1
   gfs2-kmp-rt-debuginfo-4.4.147-3.20.1
   kernel-rt-4.4.147-3.20.1
   kernel-rt-base-4.4.147-3.20.1
   kernel-rt-base-debuginfo-4.4.147-3.20.1
   kernel-rt-debuginfo-4.4.147-3.20.1
   kernel-rt-debugsource-4.4.147-3.20.1
   kernel-rt-devel-4.4.147-3.20.1
   kernel-rt_debug-debuginfo-4.4.147-3.20.1
   kernel-rt_debug-debugsource-4.4.147-3.20.1
   kernel-rt_debug-devel-4.4.147-3.20.1
   kernel-rt_debug-devel-debuginfo-4.4.147-3.20.1
   kernel-syms-rt-4.4.147-3.20.1
   ocfs2-kmp-rt-4.4.147-3.20.1
   ocfs2-kmp-rt-debuginfo-4.4.147-3.20.1

References:

   https://www.suse.com/security/cve/CVE-2017-18344.html
   https://www.suse.com/security/cve/CVE-2018-10876.html
   https://www.suse.com/security/cve/CVE-2018-10877.html
   https://www.suse.com/security/cve/CVE-2018-10878.html
   https://www.suse.com/security/cve/CVE-2018-10879.html
   https://www.suse.com/security/cve/CVE-2018-10880.html
   https://www.suse.com/security/cve/CVE-2018-10881.html
   https://www.suse.com/security/cve/CVE-2018-10882.html
   https://www.suse.com/security/cve/CVE-2018-10883.html
   https://www.suse.com/security/cve/CVE-2018-14734.html
   https://www.suse.com/security/cve/CVE-2018-3620.html
   https://www.suse.com/security/cve/CVE-2018-3646.html
   https://www.suse.com/security/cve/CVE-2018-5390.html
   https://www.suse.com/security/cve/CVE-2018-5391.html
   https://www.suse.com/security/cve/CVE-2018-9363.html
   https://bugzilla.suse.com/1012382
   https://bugzilla.suse.com/1064232
   https://bugzilla.suse.com/1065364
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1076110
   https://bugzilla.suse.com/1082653
   https://bugzilla.suse.com/1082979
   https://bugzilla.suse.com/1085042
   https://bugzilla.suse.com/1085536
   https://bugzilla.suse.com/1086457
   https://bugzilla.suse.com/1087081
   https://bugzilla.suse.com/1089343
   https://bugzilla.suse.com/1090123
   https://bugzilla.suse.com/1090435
   https://bugzilla.suse.com/1091171
   https://bugzilla.suse.com/1091860
   https://bugzilla.suse.com/1092001
   https://bugzilla.suse.com/1094244
   https://bugzilla.suse.com/1095643
   https://bugzilla.suse.com/1096254
   https://bugzilla.suse.com/1096978
   https://bugzilla.suse.com/1097771
   https://bugzilla.suse.com/1098253
   https://bugzilla.suse.com/1098599
   https://bugzilla.suse.com/1099792
   https://bugzilla.suse.com/1099811
   https://bugzilla.suse.com/1099813
   https://bugzilla.suse.com/1099844
   https://bugzilla.suse.com/1099845
   https://bugzilla.suse.com/1099846
   https://bugzilla.suse.com/1099849
   https://bugzilla.suse.com/1099858
   https://bugzilla.suse.com/1099863
   https://bugzilla.suse.com/1099864
   https://bugzilla.suse.com/1100132
   https://bugzilla.suse.com/1100843
   https://bugzilla.suse.com/1100930
   https://bugzilla.suse.com/1101296
   https://bugzilla.suse.com/1101331
   https://bugzilla.suse.com/1101658
   https://bugzilla.suse.com/1101789
   https://bugzilla.suse.com/1101822
   https://bugzilla.suse.com/1101841
   https://bugzilla.suse.com/1102188
   https://bugzilla.suse.com/1102197
   https://bugzilla.suse.com/1102203
   https://bugzilla.suse.com/1102205
   https://bugzilla.suse.com/1102207
   https://bugzilla.suse.com/1102211
   https://bugzilla.suse.com/1102214
   https://bugzilla.suse.com/1102215
   https://bugzilla.suse.com/1102340
   https://bugzilla.suse.com/1102394
   https://bugzilla.suse.com/1102683
   https://bugzilla.suse.com/1102715
   https://bugzilla.suse.com/1102797
   https://bugzilla.suse.com/1102851
   https://bugzilla.suse.com/1103097
   https://bugzilla.suse.com/1103119
   https://bugzilla.suse.com/1103269
   https://bugzilla.suse.com/1103445
   https://bugzilla.suse.com/1103580
   https://bugzilla.suse.com/1103717
   https://bugzilla.suse.com/1103745
   https://bugzilla.suse.com/1103884
   https://bugzilla.suse.com/1104174
   https://bugzilla.suse.com/1104319
   https://bugzilla.suse.com/1104365
   https://bugzilla.suse.com/1104494
   https://bugzilla.suse.com/1104495
   https://bugzilla.suse.com/1104897
   https://bugzilla.suse.com/1105292
   https://bugzilla.suse.com/970506

From sle-updates at lists.suse.com Tue Sep 4 07:08:51 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 4 Sep 2018 15:08:51 +0200 (CEST)
Subject: SUSE-SU-2018:2603-1: moderate: Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui
Message-ID: <20180904130851.8738AFD54@maintenance.suse.de>

SUSE Security Update: Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2603-1
Rating: moderate
References: #1005886 #1073703 #1081518
#1083093 #1093898 #1096759 #1098369 #1103383
Cross-References: CVE-2016-8611 CVE-2018-3760
Affected Products:
   SUSE OpenStack Cloud 7
   SUSE Enterprise Storage 4
______________________________________________________________________________

An update that solves two vulnerabilities and has 6 fixes is now available.

Description:

This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:

These security issues were fixed:

- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak. Specially crafted requests could have been used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is used in production (bsc#1098369).
- CVE-2016-8611: Add rate limiting for glance api (bsc#1005886)

These non-security issues were fixed for crowbar:

- upgrade: Lock crowbar-ui before admin upgrade
- upgrade: Make sure schemas are properly migrated after the upgrade

These non-security issues were fixed for crowbar-core:

- upgrade: Add the upgrade menu entry
- upgrade: Fix upgrade link
- apache: copytruncate apache logs bsc#1083093
- Fix exception handling in get_log_lines
- upgrade: Raise the default timeouts for most time consuming actions
- upgrade: Do not allow manila-share on compute nodes
- control_lib: fix host allocation check
- upgrade: Check input is a valid node for nodes
- upgrade: Provide better information after the failure
- upgrade: Report missing scripts
- upgrade: Improve error messages with lists
- upgrade: Do not allow cinder-volume on compute nodes
- upgrade: Fix file layout for rails' autoloading (bsc#1096759)
- upgrade: Added API calls for postponing/resuming compute nodes upgrade
- upgrade: Unlock crowbar-ui after completed upgrade
- upgrade: Do not check if ceph roles are present on compute nodes
- upgrade: Fix labels for SOC8 repositories
- upgrade: Finish only controllers step

These non-security issues were fixed for crowbar-ha:

- haproxy: increased SSL stick table to 100k
- DRBD: Fix DRBD resources setup on reinstall node
- pacemaker: allow multiple meta parameters (bsc#1093898)

These non-security issues were fixed for crowbar-openstack:

- nova: reload nova-placement-api (bsc#1103383)
- Synchronize SSL in the cluster (bsc#1081518)
- neutron: add force_metadata attribute
- copytruncate apache logs instead of creating
- rabbitmq: set client timout to default value
- Revert "database: Split database-server role into backend specific roles"
- Revert "database: Allow parallel deployments of postgresql and mysql"
- Revert "database: Allow parallel HA deployment of PostgreSQL and MariaDB"
- Revert "database: Fix "Attributes" UI after role renaming"
- Revert "monasca: Fix check for mysql after it got moved to a separate role"
- Revert "Restore caching of db_settings"
- Revert "database: Migration fixes for separate DB roles"
- database: Migration fixes for separate DB roles
- Restore caching of db_settings
- monasca: Fix check for mysql after it got moved to a separate role
- database: Fix "Attributes" UI after role renaming
- database: Allow parallel HA deployment of PostgreSQL and MariaDB
- database: Allow parallel deployments of postgresql and mysql
- database: Split database-server role into backend specific roles
- Do not automatically put manila-share roles to compute nodes
- rabbitmq: check for rabbit readiness
- rabbitmq: Make sure rabbit is running on cluster
- monasca: various monasca-installer improvements
- manila: Correct field name for cluster name
- mariadb: Add prefix to configs
- mariadb: Remove redundant config values
- aodh: Add config for alarm_history_ttl (bsc#1073703)

These non-security issues were fixed for crowbar-ui:

- upgrade: Dummy backend for status testing
- upgrade: Refactor postpone nodes upgrade
- upgrade: Allow interruption of status wait loop
- upgrade: Added ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- Add ability to postpone upgrade
- upgrade: Remove openstack precheck
- upgrade: Fixed error key for ha_configured
- upgrade: Remove CEPH related code
- Remove the non-essential database-configuration controller
- remove ui typo test
- Remove database configuration option
- upgrade: Update SUSE-OpenStack-Cloud-8 label
- upgrade: Update admin and nodes repo names
- enable and document docker development environment

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:

   zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1828=1

- SUSE Enterprise Storage 4:

   zypper in -t patch SUSE-Storage-4-2018-1828=1

Package List:

- SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

   crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1
   crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1

- SUSE OpenStack Cloud 7 (noarch):

   crowbar-4.0+git.1528801103.f5708341-7.20.1
   crowbar-devel-4.0+git.1528801103.f5708341-7.20.1
   crowbar-ha-4.0+git.1533750802.5768e73-4.34.1
   crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1
   crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1

- SUSE Enterprise Storage 4 (aarch64 x86_64):

   crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1

- SUSE Enterprise Storage 4 (noarch):

   crowbar-4.0+git.1528801103.f5708341-7.20.1

References:

   https://www.suse.com/security/cve/CVE-2016-8611.html
   https://www.suse.com/security/cve/CVE-2018-3760.html
   https://bugzilla.suse.com/1005886
   https://bugzilla.suse.com/1073703
   https://bugzilla.suse.com/1081518
   https://bugzilla.suse.com/1083093
   https://bugzilla.suse.com/1093898
   https://bugzilla.suse.com/1096759
   https://bugzilla.suse.com/1098369
   https://bugzilla.suse.com/1103383

From sle-updates at lists.suse.com Tue Sep 4 10:07:55 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 4 Sep 2018 18:07:55 +0200 (CEST)
Subject: SUSE-RU-2018:2604-1: moderate: Recommended update for vhostmd
Message-ID: <20180904160755.AAD67FD53@maintenance.suse.de>

SUSE Recommended Update: Recommended update for vhostmd
______________________________________________________________________________

Announcement ID: SUSE-RU-2018:2604-1
Rating: moderate
References: #1090769 #1098804
Affected Products:
   SUSE Linux Enterprise Software Development Kit 12-SP3
   SUSE Linux Enterprise Server 12-SP3
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for vhostmd provides the following fixes:

- Reconnect to libvirtd in case a SIGPIPE is raised (bsc#1098804)
- vhostmd.service: Fix a typo and move the Documentation from the [Service] to the [Unit] section. (bsc#1090769)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP3:

   zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1830=1

- SUSE Linux Enterprise Server 12-SP3:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1830=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

   libmetrics-devel-0.4-27.6.1
   libmetrics0-0.4-27.6.1
   libmetrics0-debuginfo-0.4-27.6.1
   vhostmd-debuginfo-0.4-27.6.1
   vhostmd-debugsource-0.4-27.6.1

- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

   vhostmd-0.4-27.6.1
   vhostmd-debuginfo-0.4-27.6.1
   vhostmd-debugsource-0.4-27.6.1
   vm-dump-metrics-0.4-27.6.1
   vm-dump-metrics-debuginfo-0.4-27.6.1

References:

   https://bugzilla.suse.com/1090769
   https://bugzilla.suse.com/1098804

From sle-updates at lists.suse.com Tue Sep 4 10:08:39 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 4 Sep 2018 18:08:39 +0200 (CEST)
Subject: SUSE-RU-2018:2605-1: moderate: Recommended update for vhostmd
Message-ID: <20180904160839.04E8BFD53@maintenance.suse.de>

SUSE Recommended Update: Recommended update for vhostmd
______________________________________________________________________________

Announcement ID: SUSE-RU-2018:2605-1
Rating: moderate
References: #1090769 #1098804
Affected Products:
   SUSE Linux Enterprise Module for Server Applications 15
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for vhostmd fixes the following issues:

- Reconnect to libvirtd in case a SIGPIPE is raised (bsc#1098804)
- vhostmd.service: Fix typo and move Documentation from [Service] to [Unit] section (bsc#1090769)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15:

   zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-1829=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64):

   vhostmd-0.4-3.4.1
   vhostmd-debuginfo-0.4-3.4.1
   vhostmd-debugsource-0.4-3.4.1
   vm-dump-metrics-0.4-3.4.1
   vm-dump-metrics-debuginfo-0.4-3.4.1

References:

   https://bugzilla.suse.com/1090769
   https://bugzilla.suse.com/1098804

From sle-updates at lists.suse.com Tue Sep 4 13:08:12 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 4 Sep 2018 21:08:12 +0200 (CEST)
Subject: SUSE-RU-2018:2607-1: moderate: Recommended update for SUSE Manager Proxy 3.1
Message-ID: <20180904190812.59E91FD53@maintenance.suse.de>

SUSE Recommended Update: Recommended update for SUSE Manager Proxy 3.1
______________________________________________________________________________

Announcement ID: SUSE-RU-2018:2607-1
Rating: moderate
References: #1083295 #1094705 #1097697
Affected Products:
   SUSE Manager Proxy 3.1
______________________________________________________________________________

An update that has three recommended fixes can now be installed.

Description:

This update includes the following new features:

- Feat: Check for Dynamic CA-Trust Updates while bootstrapping on RES. (fate#325588)

This update fixes the following issues:

spacewalk-certs-tools:

- Feat: Check for Dynamic CA-Trust Updates while bootstrapping on RES. (fate#325588)

spacewalk-proxy:

- Increase max open files for salt-broker service. (bsc#1094705)

spacewalk-web:

- Fix css issues on minion-state pages. (bsc#1083295)
- Disable child channel selection only if channel is actually assigned. (bsc#1097697)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Proxy 3.1:

   zypper in -t patch SUSE-SUSE-Manager-Proxy-3.1-2018-1831=1

Package List:

- SUSE Manager Proxy 3.1 (noarch):

   spacewalk-base-minimal-2.7.1.18-2.26.1
   spacewalk-base-minimal-config-2.7.1.18-2.26.1
   spacewalk-certs-tools-2.7.0.11-2.15.1

References:

   https://bugzilla.suse.com/1083295
   https://bugzilla.suse.com/1094705
   https://bugzilla.suse.com/1097697

From sle-updates at lists.suse.com Tue Sep 4 13:09:12 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 4 Sep 2018 21:09:12 +0200 (CEST)
Subject: SUSE-SU-2018:2608-1: important: Security update for cobbler
Message-ID: <20180904190912.6A632FD53@maintenance.suse.de>

SUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2608-1
Rating: important
References: #1101670 #1104189 #1104190 #1104287 #1105440 #1105442
Cross-References: CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931
Affected Products:
   SUSE Manager Server 3.1
______________________________________________________________________________

An update that solves three vulnerabilities and has three fixes is now available.

Description:

This update for cobbler fixes the following issues:

Security issues fixed:

- Forbid exposure of private methods in the API (CVE-2018-10931, CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442)
- Check access token when calling 'modify_setting' API endpoint (bsc#1104190, bsc#1105440, CVE-2018-1000226)

Other bugs fixed:

- Fix kernel options when generating bootiso (bsc#1101670)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-1832=1 Package List: - SUSE Manager Server 3.1 (noarch): cobbler-2.6.6-5.17.1 References: https://www.suse.com/security/cve/CVE-2018-1000225.html https://www.suse.com/security/cve/CVE-2018-1000226.html https://www.suse.com/security/cve/CVE-2018-10931.html https://bugzilla.suse.com/1101670 https://bugzilla.suse.com/1104189 https://bugzilla.suse.com/1104190 https://bugzilla.suse.com/1104287 https://bugzilla.suse.com/1105440 https://bugzilla.suse.com/1105442 From sle-updates at lists.suse.com Tue Sep 4 13:10:43 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 4 Sep 2018 21:10:43 +0200 (CEST) Subject: SUSE-RU-2018:2609-1: moderate: Recommended update for SUSE Manager Server 3.1 Message-ID: <20180904191043.CC336FD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager Server 3.1 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2609-1 Rating: moderate References: #1057635 #1083295 #1089526 #1089662 #1093458 #1096264 #1096514 #1097250 #1097697 #1098388 #1098394 #1098815 #1098993 #1099583 #1099638 #1099781 #1100131 #1100731 #1102009 #1103044 #1103090 #1103218 #1104025 #1104503 Affected Products: SUSE Manager Server 3.1 ______________________________________________________________________________ An update that has 24 recommended fixes can now be installed. Description: This update includes the following new features: - Feat: Check for Dynamic CA-Trust Updates while bootstrapping on RES. (fate#325588) This update fixes the following issues: py26-compat-salt: - Handle packages with multiple version properly with zypper. (bsc#1096514) - Fix file.get_diff regression in 2018.3. (bsc#1098394) - Fix file.managed binary file utf8 error. (bsc#1098394) - Add custom SUSE capabilities as Grains. 
(bsc#1089526) - State file.line warning. (bsc#1093458) - Add environment variable to know if yum is invoked from Salt. (bsc#1057635) spacecmd: - Suggest not to use password option for spacecmd. (bsc#1103090) spacewalk-branding: - Disable child channel selection only if channel is actually assigned. (bsc#1097697) spacewalk-certs-tools: - Feat: check for Dynamic CA-Trust Updates while bootstrapping on RES. (FATE #325588) spacewalk-java: - Fix 'Compare Config Files' task hanging. (bsc#1103218) - Hide "Auto Patch Update" for salt systems. - Avoid an NPE on expired tokens. (bsc#1104503) - Fix behavior when canceling actions. (bsc#1098993) - Speedup listing systems of a group. (bsc#1102009) - Disallow '.' in config channel names. (bsc#1100731) - Fix missing acl to toggle notifications in user prefs in salt clients. (bsc#1100131) - Fix race condition when applying patches to systems. (bsc#1097250) - Fix errata id should be unique. (bsc#1089662) - Drop removed network interfaces on hardware profile update. (bsc#1099781) - Valid optional channel must be added before reposync starts. (bsc#1099583) - XML-RPC API call system.scheduleChangeChannels() fails when no children are given. (bsc#1098815) - Fix tabs and links in the SSM "Misc" section. (bsc#1098388) - Ignore inactive containers in Kubernetes clusters. - Handle binary files appropriately. (bsc#1096264) spacewalk-search: - Fix the search when server is missing primary interface. (bsc#1099638, 1103044) spacewalk-web: - Fix css issues on minion-state pages. (bsc#1083295) - Disable child channel selection only if channel is actually assigned. (bsc#1097697) susemanager-schema: - Enable system preferences for Salt minions. (bsc#1098388) susemanager-sync-data: - Add product class for Live Patching on PPC. (bsc#1104025) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-1831=1 Package List: - SUSE Manager Server 3.1 (ppc64le s390x x86_64): spacewalk-branding-2.7.2.14-2.22.1 - SUSE Manager Server 3.1 (noarch): py26-compat-salt-2016.11.4-1.10.1 spacecmd-2.7.8.12-2.23.1 spacewalk-base-2.7.1.18-2.26.1 spacewalk-base-minimal-2.7.1.18-2.26.1 spacewalk-base-minimal-config-2.7.1.18-2.26.1 spacewalk-certs-tools-2.7.0.11-2.15.1 spacewalk-html-2.7.1.18-2.26.1 spacewalk-java-2.7.46.16-2.32.3 spacewalk-java-config-2.7.46.16-2.32.3 spacewalk-java-lib-2.7.46.16-2.32.3 spacewalk-java-oracle-2.7.46.16-2.32.3 spacewalk-java-postgresql-2.7.46.16-2.32.3 spacewalk-search-2.7.3.5-2.13.1 spacewalk-taskomatic-2.7.46.16-2.32.3 susemanager-schema-3.1.19-2.30.1 susemanager-sync-data-3.1.15-2.26.1 References: https://bugzilla.suse.com/1057635 https://bugzilla.suse.com/1083295 https://bugzilla.suse.com/1089526 https://bugzilla.suse.com/1089662 https://bugzilla.suse.com/1093458 https://bugzilla.suse.com/1096264 https://bugzilla.suse.com/1096514 https://bugzilla.suse.com/1097250 https://bugzilla.suse.com/1097697 https://bugzilla.suse.com/1098388 https://bugzilla.suse.com/1098394 https://bugzilla.suse.com/1098815 https://bugzilla.suse.com/1098993 https://bugzilla.suse.com/1099583 https://bugzilla.suse.com/1099638 https://bugzilla.suse.com/1099781 https://bugzilla.suse.com/1100131 https://bugzilla.suse.com/1100731 https://bugzilla.suse.com/1102009 https://bugzilla.suse.com/1103044 https://bugzilla.suse.com/1103090 https://bugzilla.suse.com/1103218 https://bugzilla.suse.com/1104025 https://bugzilla.suse.com/1104503 From sle-updates at lists.suse.com Tue Sep 4 16:09:59 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 00:09:59 +0200 (CEST) Subject: SUSE-SU-2018:2615-1: moderate: Security update for kvm Message-ID: <20180904220959.73AE2FD53@maintenance.suse.de> SUSE Security 
Update: Security update for kvm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2615-1 Rating: moderate References: #1092885 #1096223 #1098735 Cross-References: CVE-2018-11806 CVE-2018-12617 CVE-2018-3639 Affected Products: SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for kvm fixes the following security issues: - CVE-2018-12617: qmp_guest_file_read had an integer overflow that could have been exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket causing DoS (bsc#1098735) - CVE-2018-11806: Prevent heap-based buffer overflow via incoming fragmented datagrams (bsc#1096223) With this release the mitigations for Spectre v4 are moved to the patches from upstream (CVE-2018-3639, bsc#1092885). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-kvm-13767=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-kvm-13767=1 Package List: - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): kvm-1.4.2-53.23.2 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): kvm-1.4.2-53.23.2 References: https://www.suse.com/security/cve/CVE-2018-11806.html https://www.suse.com/security/cve/CVE-2018-12617.html https://www.suse.com/security/cve/CVE-2018-3639.html https://bugzilla.suse.com/1092885 https://bugzilla.suse.com/1096223 https://bugzilla.suse.com/1098735 From sle-updates at lists.suse.com Wed Sep 5 07:08:49 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 15:08:49 +0200 (CEST) Subject: SUSE-RU-2018:2620-1: moderate: Recommended update for systemd Message-ID: <20180905130849.1E5E2FD54@maintenance.suse.de> SUSE Recommended Update: Recommended update for systemd ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2620-1 Rating: moderate References: #1089761 #1090944 #1101040 #1103910 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 SUSE CaaS Platform 3.0 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for systemd fixes the following issues: - cryptsetup: Add support for sector-size= option. (fate#325634) - resolved: Apply epoch to system time from PID 1. (bsc#1103910) - core/service: Rework the hold-off time over message. 
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1834=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1834=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1834=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1834=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1834=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1834=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1834=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1834=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): libsystemd0-228-150.46.1 libsystemd0-32bit-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libsystemd0-debuginfo-32bit-228-150.46.1 libudev1-228-150.46.1 libudev1-32bit-228-150.46.1 libudev1-debuginfo-228-150.46.1 libudev1-debuginfo-32bit-228-150.46.1 systemd-228-150.46.1 systemd-32bit-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debuginfo-32bit-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 - SUSE OpenStack Cloud 7 (noarch): systemd-bash-completion-228-150.46.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libudev-devel-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-devel-228-150.46.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libsystemd0-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libudev1-228-150.46.1 libudev1-debuginfo-228-150.46.1 systemd-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libsystemd0-32bit-228-150.46.1 libsystemd0-debuginfo-32bit-228-150.46.1 libudev1-32bit-228-150.46.1 libudev1-debuginfo-32bit-228-150.46.1 systemd-32bit-228-150.46.1 systemd-debuginfo-32bit-228-150.46.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): systemd-bash-completion-228-150.46.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libsystemd0-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libudev1-228-150.46.1 libudev1-debuginfo-228-150.46.1 systemd-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 - SUSE Linux Enterprise Server 12-SP3 
(s390x x86_64): libsystemd0-32bit-228-150.46.1 libsystemd0-debuginfo-32bit-228-150.46.1 libudev1-32bit-228-150.46.1 libudev1-debuginfo-32bit-228-150.46.1 systemd-32bit-228-150.46.1 systemd-debuginfo-32bit-228-150.46.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): systemd-bash-completion-228-150.46.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libsystemd0-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libudev1-228-150.46.1 libudev1-debuginfo-228-150.46.1 systemd-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libsystemd0-32bit-228-150.46.1 libsystemd0-debuginfo-32bit-228-150.46.1 libudev1-32bit-228-150.46.1 libudev1-debuginfo-32bit-228-150.46.1 systemd-32bit-228-150.46.1 systemd-debuginfo-32bit-228-150.46.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): systemd-bash-completion-228-150.46.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): systemd-bash-completion-228-150.46.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libsystemd0-228-150.46.1 libsystemd0-32bit-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libsystemd0-debuginfo-32bit-228-150.46.1 libudev1-228-150.46.1 libudev1-32bit-228-150.46.1 libudev1-debuginfo-228-150.46.1 libudev1-debuginfo-32bit-228-150.46.1 systemd-228-150.46.1 systemd-32bit-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debuginfo-32bit-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 - SUSE Enterprise Storage 4 (x86_64): libsystemd0-228-150.46.1 libsystemd0-32bit-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libsystemd0-debuginfo-32bit-228-150.46.1 libudev1-228-150.46.1 libudev1-32bit-228-150.46.1 libudev1-debuginfo-228-150.46.1 libudev1-debuginfo-32bit-228-150.46.1 systemd-228-150.46.1 systemd-32bit-228-150.46.1 systemd-debuginfo-228-150.46.1 
systemd-debuginfo-32bit-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 - SUSE Enterprise Storage 4 (noarch): systemd-bash-completion-228-150.46.1 - SUSE CaaS Platform 3.0 (x86_64): libsystemd0-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libudev1-228-150.46.1 libudev1-debuginfo-228-150.46.1 systemd-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): libsystemd0-228-150.46.1 libsystemd0-debuginfo-228-150.46.1 libudev1-228-150.46.1 libudev1-debuginfo-228-150.46.1 systemd-228-150.46.1 systemd-debuginfo-228-150.46.1 systemd-debugsource-228-150.46.1 systemd-sysvinit-228-150.46.1 udev-228-150.46.1 udev-debuginfo-228-150.46.1 References: https://bugzilla.suse.com/1089761 https://bugzilla.suse.com/1090944 https://bugzilla.suse.com/1101040 https://bugzilla.suse.com/1103910 From sle-updates at lists.suse.com Wed Sep 5 07:10:08 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 15:10:08 +0200 (CEST) Subject: SUSE-RU-2018:2621-1: moderate: Recommended update for python-botocore Message-ID: <20180905131008.37652FD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-botocore ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2621-1 Rating: moderate References: #1066528 #1075263 #1088310 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Module for Public Cloud 12 HPE Helion Openstack 8 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for python-botocore provides version 1.10.57 and brings various fixes and improvements. 
It provides support for new APIs and fixes an issue with missing regions when calling get_available_regions(). For a detailed description of all changes please refer to the changelog. Additionally, the following packages have been updated: aws-cli from 1.11.104 to 1.15.40 python-boto3 from 1.4.4 to 1.7.42 python-s3transfer from 0.1.10 to 0.1.13 Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1836=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2018-1836=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1836=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-1836=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2018-1836=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): aws-cli-1.15.40-20.6.1 python-botocore-1.10.57-26.10.1 python-s3transfer-0.1.13-6.6.1 - SUSE OpenStack Cloud 8 (noarch): aws-cli-1.15.40-20.6.1 python-botocore-1.10.57-26.10.1 python-s3transfer-0.1.13-6.6.1 - SUSE OpenStack Cloud 7 (noarch): python-botocore-1.10.57-26.10.1 - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): aws-cli-1.15.40-20.6.1 python-boto3-1.7.42-12.6.1 python-botocore-1.10.57-26.10.1 python-s3transfer-0.1.13-6.6.1 - HPE Helion Openstack 8 (noarch): aws-cli-1.15.40-20.6.1 python-botocore-1.10.57-26.10.1 python-s3transfer-0.1.13-6.6.1 References: https://bugzilla.suse.com/1066528 https://bugzilla.suse.com/1075263 https://bugzilla.suse.com/1088310 From sle-updates at lists.suse.com Wed Sep 5 07:11:02 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 15:11:02 +0200 (CEST) Subject: SUSE-RU-2018:2622-1: Recommended update for patterns-sap Message-ID: 
<20180905131102.E008DFD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for patterns-sap ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2622-1 Rating: low References: #1045516 #1046729 #1047969 #1091043 #1104119 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP2 ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. Description: This update for patterns-sap provides the following fixes: - Fix the dependencies of software pattern for SAP BusinessOne and add support for the release 9.3 (bsc#1047969, FATE#322387) - Fix installing on ppc64le. (bsc#1046729, bsc#1091043) - Add a dependency on packages required by HDB Life Cycle Manager. (bnc#1045516) - Remove the requirement of some unused packages that were causing conflicts: wxWidgets-lang and wxWidgets-compat-lib-config. (bsc#1045516) - Do not require libstdc++33 on ppc64. (bsc#1104119) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1835=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): patterns-sap-b1-12.2-14.9.1 patterns-sap-hana-12.2-14.9.1 patterns-sap-nw-12.2-14.9.1 References: https://bugzilla.suse.com/1045516 https://bugzilla.suse.com/1046729 https://bugzilla.suse.com/1047969 https://bugzilla.suse.com/1091043 https://bugzilla.suse.com/1104119 From sle-updates at lists.suse.com Wed Sep 5 07:12:43 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 15:12:43 +0200 (CEST) Subject: SUSE-RU-2018:2624-1: moderate: Recommended update for perl-Bootloader Message-ID: <20180905131243.5D2E3FD54@maintenance.suse.de> SUSE Recommended Update: Recommended update for perl-Bootloader ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2624-1 Rating: moderate References: #1033776 #1050349 Affected Products: SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for perl-Bootloader fixes the following issues: - Add --get-option to pbl. (bsc#1033776, bsc#1050349) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1837=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1837=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): perl-Bootloader-YAML-0.921-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): perl-Bootloader-0.921-4.3.1 References: https://bugzilla.suse.com/1033776 https://bugzilla.suse.com/1050349 From sle-updates at lists.suse.com Wed Sep 5 10:08:09 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 18:08:09 +0200 (CEST) Subject: SUSE-RU-2018:2625-1: moderate: Recommended update for openssl-certs Message-ID: <20180905160809.C2A16FD58@maintenance.suse.de> SUSE Recommended Update: Recommended update for openssl-certs ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2625-1 Rating: moderate References: #1100415 #1104780 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for openssl-certs fixes the following issues: Updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - Removed server auth rights from: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - Added new CA - GlobalSign Updated to 2.24 state of the Mozilla NSS Certificate store. 
(bsc#1100415) Removed CAs: - S-TRUST_Universal_Root_CA:2.16.96.86.197.75.35.64.91.100.212.237.37.218.217.214.30.30.crt - TC_TrustCenter_Class_3_CA_II:2.14.74.71.0.1.0.2.229.160.93.214.63.0.81.191.crt - TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5:2.7.0.142.23.254.36.32.129.crt Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-openssl-certs-13768=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-openssl-certs-13768=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-openssl-certs-13768=1 Package List: - SUSE Linux Enterprise Server 11-SP4 (noarch): openssl-certs-2.26-0.7.6.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (noarch): openssl-certs-2.26-0.7.6.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch): openssl-certs-2.26-0.7.6.1 References: https://bugzilla.suse.com/1100415 https://bugzilla.suse.com/1104780 From sle-updates at lists.suse.com Wed Sep 5 10:08:51 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 18:08:51 +0200 (CEST) Subject: SUSE-RU-2018:2626-1: moderate: Recommended update for permissions Message-ID: <20180905160851.07436FD54@maintenance.suse.de> SUSE Recommended Update: Recommended update for permissions ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2626-1 Rating: moderate References: #1101420 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for permissions fixes the following issues: - add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability. 
Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1839=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): permissions-20180125-3.3.1 permissions-debuginfo-20180125-3.3.1 permissions-debugsource-20180125-3.3.1 References: https://bugzilla.suse.com/1101420 From sle-updates at lists.suse.com Wed Sep 5 13:07:46 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 5 Sep 2018 21:07:46 +0200 (CEST) Subject: SUSE-SU-2018:2629-1: moderate: Security update for curl Message-ID: <20180905190746.95CA9FD54@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2629-1 Rating: moderate References: #1084521 #1101811 #1106019 Cross-References: CVE-2018-1000120 CVE-2018-14618 Affected Products: SUSE Studio Onsite 1.3 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for curl fixes the following security issues: - CVE-2018-1000120: Prevent buffer overflow in the FTP URL handling that allowed an attacker to cause a denial of service (bsc#1084521). - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Studio Onsite 1.3: zypper in -t patch slestso13-curl-13769=1 Package List: - SUSE Studio Onsite 1.3 (x86_64): libcurl-devel-7.19.7-1.20.53.16.1 References: https://www.suse.com/security/cve/CVE-2018-1000120.html https://www.suse.com/security/cve/CVE-2018-14618.html https://bugzilla.suse.com/1084521 https://bugzilla.suse.com/1101811 https://bugzilla.suse.com/1106019 From sle-updates at lists.suse.com Thu Sep 6 04:11:41 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 12:11:41 +0200 (CEST) Subject: SUSE-SU-2018:2630-1: moderate: Security update for apache-pdfbox Message-ID: <20180906101141.82F1BFD59@maintenance.suse.de> SUSE Security Update: Security update for apache-pdfbox ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2630-1 Rating: moderate References: #1099721 Cross-References: CVE-2018-8036 Affected Products: SUSE Linux Enterprise Module for Development Tools 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for apache-pdfbox fixes the following issues: Security issue fixed: - CVE-2018-8036: Fix infinite loop while parsing files that leads to an out of memory issue (bsc#1099721). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1842=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15 (noarch): apache-pdfbox-1.8.12-5.3.13 References: https://www.suse.com/security/cve/CVE-2018-8036.html https://bugzilla.suse.com/1099721 From sle-updates at lists.suse.com Thu Sep 6 04:12:19 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 12:12:19 +0200 (CEST) Subject: SUSE-SU-2018:2631-1: moderate: Security update for libvirt Message-ID: <20180906101219.9802AFD58@maintenance.suse.de> SUSE Security Update: Security update for libvirt ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2631-1 Rating: moderate References: #1079869 #1091427 #1094325 #1094725 #1100112 #959329 Cross-References: CVE-2017-5715 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update for libvirt fixes the following issues: This new feature was added: - bsc#1094325, bsc#1094725: libxl: Enable virsh blockresize for XEN guests This security issue was fixed: - CVE-2017-5715: Additional fixes for the Spectre patches (bsc#1079869) These non-security issues were fixed: - bsc#1100112: schema: allow any strings in smbios entry qemu: escape smbios entry strings - bsc#1091427: libxl: fix segfault in libxlReconnectDomain - bsc#959329: libxl: don't set hasManagedSave when performing save Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1843=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1843=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1843=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1843=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): libvirt-2.0.0-27.45.1 libvirt-client-2.0.0-27.45.1 libvirt-client-debuginfo-2.0.0-27.45.1 libvirt-daemon-2.0.0-27.45.1 libvirt-daemon-config-network-2.0.0-27.45.1 libvirt-daemon-config-nwfilter-2.0.0-27.45.1 libvirt-daemon-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-interface-2.0.0-27.45.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-lxc-2.0.0-27.45.1 libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-network-2.0.0-27.45.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-qemu-2.0.0-27.45.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-secret-2.0.0-27.45.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-storage-2.0.0-27.45.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.45.1 libvirt-daemon-hooks-2.0.0-27.45.1 libvirt-daemon-lxc-2.0.0-27.45.1 libvirt-daemon-qemu-2.0.0-27.45.1 libvirt-debugsource-2.0.0-27.45.1 libvirt-doc-2.0.0-27.45.1 libvirt-lock-sanlock-2.0.0-27.45.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.45.1 libvirt-nss-2.0.0-27.45.1 libvirt-nss-debuginfo-2.0.0-27.45.1 - SUSE OpenStack Cloud 7 (x86_64): libvirt-daemon-driver-libxl-2.0.0-27.45.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.45.1 libvirt-daemon-xen-2.0.0-27.45.1 - SUSE Linux Enterprise Server for SAP 
12-SP2 (ppc64le x86_64): libvirt-2.0.0-27.45.1 libvirt-client-2.0.0-27.45.1 libvirt-client-debuginfo-2.0.0-27.45.1 libvirt-daemon-2.0.0-27.45.1 libvirt-daemon-config-network-2.0.0-27.45.1 libvirt-daemon-config-nwfilter-2.0.0-27.45.1 libvirt-daemon-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-interface-2.0.0-27.45.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-lxc-2.0.0-27.45.1 libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-network-2.0.0-27.45.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-qemu-2.0.0-27.45.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-secret-2.0.0-27.45.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-storage-2.0.0-27.45.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.45.1 libvirt-daemon-hooks-2.0.0-27.45.1 libvirt-daemon-lxc-2.0.0-27.45.1 libvirt-daemon-qemu-2.0.0-27.45.1 libvirt-debugsource-2.0.0-27.45.1 libvirt-doc-2.0.0-27.45.1 libvirt-lock-sanlock-2.0.0-27.45.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.45.1 libvirt-nss-2.0.0-27.45.1 libvirt-nss-debuginfo-2.0.0-27.45.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libvirt-daemon-driver-libxl-2.0.0-27.45.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.45.1 libvirt-daemon-xen-2.0.0-27.45.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libvirt-2.0.0-27.45.1 libvirt-client-2.0.0-27.45.1 libvirt-client-debuginfo-2.0.0-27.45.1 libvirt-daemon-2.0.0-27.45.1 libvirt-daemon-config-network-2.0.0-27.45.1 libvirt-daemon-config-nwfilter-2.0.0-27.45.1 libvirt-daemon-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-interface-2.0.0-27.45.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-lxc-2.0.0-27.45.1 
libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-network-2.0.0-27.45.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-qemu-2.0.0-27.45.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-secret-2.0.0-27.45.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-storage-2.0.0-27.45.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.45.1 libvirt-daemon-hooks-2.0.0-27.45.1 libvirt-daemon-lxc-2.0.0-27.45.1 libvirt-daemon-qemu-2.0.0-27.45.1 libvirt-debugsource-2.0.0-27.45.1 libvirt-doc-2.0.0-27.45.1 libvirt-lock-sanlock-2.0.0-27.45.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.45.1 libvirt-nss-2.0.0-27.45.1 libvirt-nss-debuginfo-2.0.0-27.45.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): libvirt-daemon-driver-libxl-2.0.0-27.45.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.45.1 libvirt-daemon-xen-2.0.0-27.45.1 - SUSE Enterprise Storage 4 (x86_64): libvirt-2.0.0-27.45.1 libvirt-client-2.0.0-27.45.1 libvirt-client-debuginfo-2.0.0-27.45.1 libvirt-daemon-2.0.0-27.45.1 libvirt-daemon-config-network-2.0.0-27.45.1 libvirt-daemon-config-nwfilter-2.0.0-27.45.1 libvirt-daemon-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-interface-2.0.0-27.45.1 libvirt-daemon-driver-interface-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-libxl-2.0.0-27.45.1 libvirt-daemon-driver-libxl-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-lxc-2.0.0-27.45.1 libvirt-daemon-driver-lxc-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-network-2.0.0-27.45.1 libvirt-daemon-driver-network-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-2.0.0-27.45.1 libvirt-daemon-driver-nodedev-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-2.0.0-27.45.1 libvirt-daemon-driver-nwfilter-debuginfo-2.0.0-27.45.1 
libvirt-daemon-driver-qemu-2.0.0-27.45.1 libvirt-daemon-driver-qemu-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-secret-2.0.0-27.45.1 libvirt-daemon-driver-secret-debuginfo-2.0.0-27.45.1 libvirt-daemon-driver-storage-2.0.0-27.45.1 libvirt-daemon-driver-storage-debuginfo-2.0.0-27.45.1 libvirt-daemon-hooks-2.0.0-27.45.1 libvirt-daemon-lxc-2.0.0-27.45.1 libvirt-daemon-qemu-2.0.0-27.45.1 libvirt-daemon-xen-2.0.0-27.45.1 libvirt-debugsource-2.0.0-27.45.1 libvirt-doc-2.0.0-27.45.1 libvirt-lock-sanlock-2.0.0-27.45.1 libvirt-lock-sanlock-debuginfo-2.0.0-27.45.1 libvirt-nss-2.0.0-27.45.1 libvirt-nss-debuginfo-2.0.0-27.45.1 References: https://www.suse.com/security/cve/CVE-2017-5715.html https://bugzilla.suse.com/1079869 https://bugzilla.suse.com/1091427 https://bugzilla.suse.com/1094325 https://bugzilla.suse.com/1094725 https://bugzilla.suse.com/1100112 https://bugzilla.suse.com/959329 From sle-updates at lists.suse.com Thu Sep 6 04:13:57 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 12:13:57 +0200 (CEST) Subject: SUSE-SU-2018:2632-1: important: Security update for dovecot22 Message-ID: <20180906101357.56BDCFD58@maintenance.suse.de> SUSE Security Update: Security update for dovecot22 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2632-1 Rating: important References: #1082828 Cross-References: CVE-2017-15130 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for dovecot22 fixes the following issues: Security issue fixed: - CVE-2017-15130: Fixed a potential denial of service via TLS SNI config lookups, which would slow the process down and could have led to exhaustive memory allocation and/or process restarts (bsc#1082828) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1844=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1844=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1844=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1844=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1844=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1844=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1844=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1844=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1844=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 dovecot22-devel-2.2.31-19.11.1 - SUSE Linux Enterprise Server for SAP 12-SP2 
(ppc64le x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 
dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 - SUSE Enterprise Storage 4 (x86_64): dovecot22-2.2.31-19.11.1 dovecot22-backend-mysql-2.2.31-19.11.1 dovecot22-backend-mysql-debuginfo-2.2.31-19.11.1 dovecot22-backend-pgsql-2.2.31-19.11.1 dovecot22-backend-pgsql-debuginfo-2.2.31-19.11.1 dovecot22-backend-sqlite-2.2.31-19.11.1 dovecot22-backend-sqlite-debuginfo-2.2.31-19.11.1 dovecot22-debuginfo-2.2.31-19.11.1 dovecot22-debugsource-2.2.31-19.11.1 References: https://www.suse.com/security/cve/CVE-2017-15130.html https://bugzilla.suse.com/1082828 From sle-updates at lists.suse.com Thu Sep 6 07:08:08 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 15:08:08 +0200 (CEST) Subject: SUSE-RU-2018:2633-1: moderate: Recommended update for libvirt Message-ID: <20180906130808.371FCFD54@maintenance.suse.de> SUSE Recommended Update: Recommended update for libvirt ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2633-1 Rating: moderate References: #1094325 #1094480 #1094725 #1095556 #959329 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. 
Description: This update for libvirt fixes the following issues: - Enable virsh blockresize for XEN guests (fate#325467, bsc#1094325, bsc#1094725) - Add SUSE path to OVMF and AAVMF images (bsc#1095556) - Fix leaking of logfile file descriptors (bsc#1094480) - Fixes an issue where the state of a virtual machine was incorrect (bsc#959329) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-1846=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1846=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): libvirt-4.0.0-9.3.1 libvirt-admin-4.0.0-9.3.1 libvirt-admin-debuginfo-4.0.0-9.3.1 libvirt-client-4.0.0-9.3.1 libvirt-client-debuginfo-4.0.0-9.3.1 libvirt-daemon-4.0.0-9.3.1 libvirt-daemon-config-network-4.0.0-9.3.1 libvirt-daemon-config-nwfilter-4.0.0-9.3.1 libvirt-daemon-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-interface-4.0.0-9.3.1 libvirt-daemon-driver-interface-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-lxc-4.0.0-9.3.1 libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-network-4.0.0-9.3.1 libvirt-daemon-driver-network-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-nodedev-4.0.0-9.3.1 libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-nwfilter-4.0.0-9.3.1 libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-qemu-4.0.0-9.3.1 libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-secret-4.0.0-9.3.1 libvirt-daemon-driver-secret-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-storage-4.0.0-9.3.1 libvirt-daemon-driver-storage-core-4.0.0-9.3.1 libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.3.1 
libvirt-daemon-driver-storage-disk-4.0.0-9.3.1 libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-storage-iscsi-4.0.0-9.3.1 libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-storage-logical-4.0.0-9.3.1 libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-storage-mpath-4.0.0-9.3.1 libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.3.1 libvirt-daemon-driver-storage-scsi-4.0.0-9.3.1 libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.3.1 libvirt-daemon-hooks-4.0.0-9.3.1 libvirt-daemon-lxc-4.0.0-9.3.1 libvirt-daemon-qemu-4.0.0-9.3.1 libvirt-debugsource-4.0.0-9.3.1 libvirt-devel-4.0.0-9.3.1 libvirt-doc-4.0.0-9.3.1 libvirt-lock-sanlock-4.0.0-9.3.1 libvirt-lock-sanlock-debuginfo-4.0.0-9.3.1 libvirt-nss-4.0.0-9.3.1 libvirt-nss-debuginfo-4.0.0-9.3.1 - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 x86_64): libvirt-daemon-driver-storage-rbd-4.0.0-9.3.1 libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.3.1 - SUSE Linux Enterprise Module for Server Applications 15 (x86_64): libvirt-daemon-driver-libxl-4.0.0-9.3.1 libvirt-daemon-driver-libxl-debuginfo-4.0.0-9.3.1 libvirt-daemon-xen-4.0.0-9.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libvirt-debugsource-4.0.0-9.3.1 libvirt-libs-4.0.0-9.3.1 libvirt-libs-debuginfo-4.0.0-9.3.1 References: https://bugzilla.suse.com/1094325 https://bugzilla.suse.com/1094480 https://bugzilla.suse.com/1094725 https://bugzilla.suse.com/1095556 https://bugzilla.suse.com/959329 From sle-updates at lists.suse.com Thu Sep 6 07:09:31 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 15:09:31 +0200 (CEST) Subject: SUSE-RU-2018:2634-1: moderate: Recommended update for yast2-network Message-ID: <20180906130931.3E93EFD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-network 
______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2634-1 Rating: moderate References: #1095761 Affected Products: SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for yast2-network provides the following fix: - Activate s390 network devices before applying udev naming rules, avoiding the "Invalid key/value pair in /etc/udev/rules.d/70-persistent-net.rules" error. (bsc#1095761) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1847=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1847=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (noarch): yast2-network-3.2.53-2.35.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): yast2-network-3.2.53-2.35.1 References: https://bugzilla.suse.com/1095761 From sle-updates at lists.suse.com Thu Sep 6 07:10:14 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 15:10:14 +0200 (CEST) Subject: SUSE-RU-2018:2635-1: moderate: Recommended update for conman Message-ID: <20180906131014.20840FD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for conman ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2635-1 Rating: moderate References: #1101647 Affected Products: SUSE Linux Enterprise Module for HPC 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for conman fixes the following issues: - Allowed IPMI defaults to be overridden via libipmiconsole.conf. - Updated recognized strings for IPMI workaround-flags. (FATE#326641) - Make sure conmand connects to a newly created UNIX socket with minimal delay. The implementation uses inotify, however this triggers when the other side bind()s to the socket, however a connection is not possible until the other side calls listen(). Thus if the connection fails, reset the poll() timeout to return to connect() as soon as possible (bsc#1101647). Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 15: zypper in -t patch SUSE-SLE-Module-HPC-15-2018-1845=1 Package List: - SUSE Linux Enterprise Module for HPC 15 (aarch64 x86_64): conman-0.2.9-7.3.1 conman-debuginfo-0.2.9-7.3.1 conman-debugsource-0.2.9-7.3.1 References: https://bugzilla.suse.com/1101647 From sle-updates at lists.suse.com Thu Sep 6 07:10:49 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 15:10:49 +0200 (CEST) Subject: SUSE-RU-2018:2636-1: moderate: Recommended update for vhostmd Message-ID: <20180906131049.39392FD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for vhostmd ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2636-1 Rating: moderate References: #1098804 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description:

This update for vhostmd fixes the following issues:

- Reconnect to libvirtd in case a SIGPIPE is raised (bsc#1098804)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1848=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1848=1
- SUSE Linux Enterprise Server for SAP 12-SP1:
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1848=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1848=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1848=1
- SUSE Linux Enterprise Server 12-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-2018-1848=1
- SUSE Enterprise Storage 4:
  zypper in -t patch SUSE-Storage-4-2018-1848=1

Package List:

- SUSE OpenStack Cloud 7 (s390x x86_64):
  vhostmd-0.4-22.6.1
  vhostmd-debuginfo-0.4-22.6.1
  vhostmd-debugsource-0.4-22.6.1
  vm-dump-metrics-0.4-22.6.1
  vm-dump-metrics-debuginfo-0.4-22.6.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  vhostmd-0.4-22.6.1
  vhostmd-debuginfo-0.4-22.6.1
  vhostmd-debugsource-0.4-22.6.1
  vm-dump-metrics-0.4-22.6.1
  vm-dump-metrics-debuginfo-0.4-22.6.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):
  vhostmd-0.4-22.6.1
  vhostmd-debuginfo-0.4-22.6.1
  vhostmd-debugsource-0.4-22.6.1
  vm-dump-metrics-0.4-22.6.1
  vm-dump-metrics-debuginfo-0.4-22.6.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  vhostmd-0.4-22.6.1
  vhostmd-debuginfo-0.4-22.6.1
  vhostmd-debugsource-0.4-22.6.1
  vm-dump-metrics-0.4-22.6.1
  vm-dump-metrics-debuginfo-0.4-22.6.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
  vhostmd-0.4-22.6.1
  vhostmd-debuginfo-0.4-22.6.1
  vhostmd-debugsource-0.4-22.6.1
  vm-dump-metrics-0.4-22.6.1
  vm-dump-metrics-debuginfo-0.4-22.6.1
- SUSE Linux Enterprise Server 12-LTSS (ppc64le x86_64):
  vhostmd-0.4-22.6.1
  vhostmd-debuginfo-0.4-22.6.1
  vhostmd-debugsource-0.4-22.6.1
  vm-dump-metrics-0.4-22.6.1
  vm-dump-metrics-debuginfo-0.4-22.6.1
- SUSE Enterprise Storage 4 (x86_64):
  vhostmd-0.4-22.6.1
  vhostmd-debuginfo-0.4-22.6.1
  vhostmd-debugsource-0.4-22.6.1
  vm-dump-metrics-0.4-22.6.1
  vm-dump-metrics-debuginfo-0.4-22.6.1

References:

https://bugzilla.suse.com/1098804

From sle-updates at lists.suse.com Thu Sep 6 10:07:59 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 6 Sep 2018 18:07:59 +0200 (CEST)
Subject: SUSE-SU-2018:2637-1: important: Security update for the Linux Kernel
Message-ID: <20180906160759.46E71FD4E@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2637-1
Rating: important
References: #1015828 #1037441 #1047487 #1082962 #1083900 #1085107 #1087081 #1089343 #1092904 #1093183 #1094353 #1096480 #1096728 #1097125 #1097234 #1097562 #1098016 #1098658 #1099709 #1099924 #1099942 #1100091 #1100132 #1100418 #1102087 #1103884 #1103909 #1104365 #1104475 #1104684 #909361
Cross-References: CVE-2016-8405 CVE-2017-13305 CVE-2018-1000204 CVE-2018-1068 CVE-2018-1130 CVE-2018-12233 CVE-2018-13053 CVE-2018-13406 CVE-2018-3620 CVE-2018-3646 CVE-2018-5803 CVE-2018-5814 CVE-2018-7492
Affected Products:
  SUSE Linux Enterprise Real Time Extension 11-SP4
  SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 13 vulnerabilities and has 18 fixes is now available.

Description:

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

- CVE-2016-8405: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. (bnc#1099942).
- CVE-2017-13305: An information disclosure vulnerability was fixed in the encrypted-keys handling. (bnc#1094353).
- CVE-2018-1000204: A malformed SG_IO ioctl issued for a SCSI device led to a local kernel data leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files. (bnc#1096728).
- CVE-2018-1068: A flaw was found in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107).
- CVE-2018-1130: Linux kernel was vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c that allowed a local user to cause a denial of service by a number of certain crafted system calls (bnc#1092904).
- CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c a memory corruption bug in JFS could be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr (bnc#1097234).
- CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924).
- CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418).
- CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis (bnc#1087081).
- CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bnc#1089343 bnc#1104365).
- CVE-2018-5803: An error in the "_sctp_make_chunk()" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length could be exploited to cause a kernel crash (bnc#1083900).
- CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480).
- CVE-2018-7492: A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function that allowed local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST (bnc#1082962).

The following non-security bugs were fixed:

- usb: add USB_DEVICE_INTERFACE_CLASS macro (bsc#1047487).
- usb: hub: fix non-SS hub-descriptor handling (bsc#1047487).
- usb: kobil_sct: fix non-atomic allocation in write path (bsc#1015828).
- usb: serial: ftdi_sio: fix latency-timer error handling (bsc#1037441).
- usb: serial: io_edgeport: fix NULL-deref at open (bsc#1015828).
- usb: serial: io_edgeport: fix possible sleep-in-atomic (bsc#1037441).
- usb: serial: keyspan_pda: fix modem-status error handling (bsc#1100132).
- usb: visor: Match I330 phone more precisely (bsc#1047487).
- cpu/hotplug: Add sysfs state interface (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Split do_cpu_down() (bsc#1089343).
- disable prot_none native mitigation (bnc#1104684)
- drm/i915: fix use-after-free in page_flip_completed() (bsc#1103909).
- drm: re-enable error handling (bsc#1103884)
- efivarfs: maintain the efivarfs interfaces when sysfs be created and removed (bsc#1097125).
- fix pgd underflow (bnc#1104475) custom walk_page_range rework was incorrect and could underflow pgd if the given range was below a first vma.
- kthread, tracing: Do not expose half-written comm when creating kthreads (Git-fixes).
- nvme: add device id's with intel stripe quirk (bsc#1097562).
- perf/core: Fix group scheduling with mixed hw and sw events (Git-fixes).
- perf/x86/intel: Handle Broadwell family processors (bsc#1093183).
- s390/qeth: fix IPA command submission race (bnc#1099709, LTC#169004).
- scsi: zfcp: fix infinite iteration on ERP ready list (bnc#1102087, LTC#168038).
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (bnc#1102087, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (bnc#1102087, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (bnc#1102087, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (bnc#1102087, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (bnc#1102087, LTC#168765).
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (bnc#1102087, LTC#168765).
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (bnc#1102087, LTC#168765).
- series.conf: Remove trailing whitespaces
- slab: introduce kmalloc_array() (bsc#909361).
- smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132).
- x64/entry: move ENABLE_IBRS after switching from trampoline stack (bsc#1098658).
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343).
- x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
- x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- x86/fpu: fix signal handling with eager FPU switching (bsc#1100091).
- x86/mm: Simplify p[g4um]d_page() macros (bnc#1087081, bnc#1104684).
- x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
- x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343).
- x86/topology: Add topology_max_smt_threads() (bsc#1089343).
- x86/topology: Provide topology_smt_supported() (bsc#1089343).
- x86/traps: Fix bad_iret_stack in fixup_bad_iret() (bsc#1098658).
- x86/traps: add missing kernel CR3 switch in bad_iret path (bsc#1098658).
- xen/x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- xen/x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- xen/x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- xhci: xhci-mem: off by one in xhci_stream_id_to_ring() (bsc#1100132).

Special Instructions and Notes:

Please reboot the system after installing this update.
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Real Time Extension 11-SP4: zypper in -t patch slertesp4-kernel-rt-20180827-13770=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-kernel-rt-20180827-13770=1 Package List: - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64): kernel-rt-3.0.101.rt130-69.33.1 kernel-rt-base-3.0.101.rt130-69.33.1 kernel-rt-devel-3.0.101.rt130-69.33.1 kernel-rt_trace-3.0.101.rt130-69.33.1 kernel-rt_trace-base-3.0.101.rt130-69.33.1 kernel-rt_trace-devel-3.0.101.rt130-69.33.1 kernel-source-rt-3.0.101.rt130-69.33.1 kernel-syms-rt-3.0.101.rt130-69.33.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64): kernel-rt-debuginfo-3.0.101.rt130-69.33.1 kernel-rt-debugsource-3.0.101.rt130-69.33.1 kernel-rt_debug-debuginfo-3.0.101.rt130-69.33.1 kernel-rt_debug-debugsource-3.0.101.rt130-69.33.1 kernel-rt_trace-debuginfo-3.0.101.rt130-69.33.1 kernel-rt_trace-debugsource-3.0.101.rt130-69.33.1 References: https://www.suse.com/security/cve/CVE-2016-8405.html https://www.suse.com/security/cve/CVE-2017-13305.html https://www.suse.com/security/cve/CVE-2018-1000204.html https://www.suse.com/security/cve/CVE-2018-1068.html https://www.suse.com/security/cve/CVE-2018-1130.html https://www.suse.com/security/cve/CVE-2018-12233.html https://www.suse.com/security/cve/CVE-2018-13053.html https://www.suse.com/security/cve/CVE-2018-13406.html https://www.suse.com/security/cve/CVE-2018-3620.html https://www.suse.com/security/cve/CVE-2018-3646.html https://www.suse.com/security/cve/CVE-2018-5803.html https://www.suse.com/security/cve/CVE-2018-5814.html https://www.suse.com/security/cve/CVE-2018-7492.html https://bugzilla.suse.com/1015828 https://bugzilla.suse.com/1037441 https://bugzilla.suse.com/1047487 https://bugzilla.suse.com/1082962 
https://bugzilla.suse.com/1083900 https://bugzilla.suse.com/1085107 https://bugzilla.suse.com/1087081 https://bugzilla.suse.com/1089343 https://bugzilla.suse.com/1092904 https://bugzilla.suse.com/1093183 https://bugzilla.suse.com/1094353 https://bugzilla.suse.com/1096480 https://bugzilla.suse.com/1096728 https://bugzilla.suse.com/1097125 https://bugzilla.suse.com/1097234 https://bugzilla.suse.com/1097562 https://bugzilla.suse.com/1098016 https://bugzilla.suse.com/1098658 https://bugzilla.suse.com/1099709 https://bugzilla.suse.com/1099924 https://bugzilla.suse.com/1099942 https://bugzilla.suse.com/1100091 https://bugzilla.suse.com/1100132 https://bugzilla.suse.com/1100418 https://bugzilla.suse.com/1102087 https://bugzilla.suse.com/1103884 https://bugzilla.suse.com/1103909 https://bugzilla.suse.com/1104365 https://bugzilla.suse.com/1104475 https://bugzilla.suse.com/1104684 https://bugzilla.suse.com/909361 From sle-updates at lists.suse.com Thu Sep 6 10:13:41 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 18:13:41 +0200 (CEST) Subject: SUSE-RU-2018:2638-1: moderate: Recommended update for the SLE Module Legacy release and lifecycle-data Message-ID: <20180906161341.31B08FD54@maintenance.suse.de> SUSE Recommended Update: Recommended update for the SLE Module Legacy release and lifecycle-data ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2638-1 Rating: moderate References: #1074137 Affected Products: SUSE Linux Enterprise Module for Legacy Software 12 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for lifecycle-data-sle-module-legacy, sle-module-legacy-release fixes the following issues: - Remove End of Life Date from release-package. The lifecycle in the Legacy Module is tracked per package. 
(bsc#1074137) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2018-1850=1 Package List: - SUSE Linux Enterprise Module for Legacy Software 12 (aarch64 ppc64le s390x x86_64): lifecycle-data-sle-module-legacy-1-5.6.1 sle-module-legacy-release-12-10.7.1 References: https://bugzilla.suse.com/1074137 From sle-updates at lists.suse.com Thu Sep 6 10:14:13 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 18:14:13 +0200 (CEST) Subject: SUSE-RU-2018:2639-1: Recommended update for SUSE Manager 3.1 Release Notes Message-ID: <20180906161413.665CFFD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager 3.1 Release Notes ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2639-1 Rating: low References: #1087837 #1105440 #1105442 Affected Products: SUSE Manager Server 3.1 SUSE Manager Proxy 3.1 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. 
Description: This update for the SUSE Manager 3.0 Release Notes provides the following additions: - SUSE Manager Server bugs fixed by latest updates + bsc#1057635, bsc#1083295, bsc#1087837, bsc#1089362, bsc#1089526, bsc#1089662, bsc#1093458, bsc#1096264, bsc#1096514, bsc#1097250, bsc#1097697, bsc#1098388, bsc#1098394, bsc#1098815, bsc#1098993, bsc#1099583, bsc#1099638, bsc#1099781, bsc#1100131, bsc#1100731, bsc#1101670, bsc#1102009, bsc#1103044, bsc#1103090, bsc#1103218, bsc#1104025, bsc#1104503, bsc#1105440, bsc#1105442 - SUSE Manager Server security issues fixed by latest updates + CVE-2018-1000225, CVE-2018-1000226, CVE-2018-9159 - SUSE Manager Proxy bugs fixed by latest updates + bsc#1083295, bsc#1094705, bsc#1097697 Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-1849=1 - SUSE Manager Proxy 3.1: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.1-2018-1849=1 Package List: - SUSE Manager Server 3.1 (ppc64le s390x x86_64): release-notes-susemanager-3.1.8-5.38.1 - SUSE Manager Proxy 3.1 (ppc64le x86_64): release-notes-susemanager-proxy-3.1.8-0.15.29.1 References: https://bugzilla.suse.com/1087837 https://bugzilla.suse.com/1105440 https://bugzilla.suse.com/1105442 From sle-updates at lists.suse.com Thu Sep 6 13:07:47 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 6 Sep 2018 21:07:47 +0200 (CEST) Subject: SUSE-SU-2018:2640-1: moderate: Security update for php7 Message-ID: <20180906190747.DD3F9FD54@maintenance.suse.de> SUSE Security Update: Security update for php7 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2640-1 Rating: moderate References: #1105466 Cross-References: CVE-2017-9118 Affected Products: SUSE Linux Enterprise 
Software Development Kit 12-SP3 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for php7 fixes the following issues: - CVE-2017-9118: Fixed an out of bounds access in php_pcre_replace_impl via a crafted preg_replace call (bsc#1105466) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1852=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-1852=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.0.7-50.49.1 php7-debugsource-7.0.7-50.49.1 php7-devel-7.0.7-50.49.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.0.7-50.49.1 apache2-mod_php7-debuginfo-7.0.7-50.49.1 php7-7.0.7-50.49.1 php7-bcmath-7.0.7-50.49.1 php7-bcmath-debuginfo-7.0.7-50.49.1 php7-bz2-7.0.7-50.49.1 php7-bz2-debuginfo-7.0.7-50.49.1 php7-calendar-7.0.7-50.49.1 php7-calendar-debuginfo-7.0.7-50.49.1 php7-ctype-7.0.7-50.49.1 php7-ctype-debuginfo-7.0.7-50.49.1 php7-curl-7.0.7-50.49.1 php7-curl-debuginfo-7.0.7-50.49.1 php7-dba-7.0.7-50.49.1 php7-dba-debuginfo-7.0.7-50.49.1 php7-debuginfo-7.0.7-50.49.1 php7-debugsource-7.0.7-50.49.1 php7-dom-7.0.7-50.49.1 php7-dom-debuginfo-7.0.7-50.49.1 php7-enchant-7.0.7-50.49.1 php7-enchant-debuginfo-7.0.7-50.49.1 php7-exif-7.0.7-50.49.1 php7-exif-debuginfo-7.0.7-50.49.1 php7-fastcgi-7.0.7-50.49.1 php7-fastcgi-debuginfo-7.0.7-50.49.1 php7-fileinfo-7.0.7-50.49.1 php7-fileinfo-debuginfo-7.0.7-50.49.1 php7-fpm-7.0.7-50.49.1 php7-fpm-debuginfo-7.0.7-50.49.1 php7-ftp-7.0.7-50.49.1 
php7-ftp-debuginfo-7.0.7-50.49.1 php7-gd-7.0.7-50.49.1 php7-gd-debuginfo-7.0.7-50.49.1 php7-gettext-7.0.7-50.49.1 php7-gettext-debuginfo-7.0.7-50.49.1 php7-gmp-7.0.7-50.49.1 php7-gmp-debuginfo-7.0.7-50.49.1 php7-iconv-7.0.7-50.49.1 php7-iconv-debuginfo-7.0.7-50.49.1 php7-imap-7.0.7-50.49.1 php7-imap-debuginfo-7.0.7-50.49.1 php7-intl-7.0.7-50.49.1 php7-intl-debuginfo-7.0.7-50.49.1 php7-json-7.0.7-50.49.1 php7-json-debuginfo-7.0.7-50.49.1 php7-ldap-7.0.7-50.49.1 php7-ldap-debuginfo-7.0.7-50.49.1 php7-mbstring-7.0.7-50.49.1 php7-mbstring-debuginfo-7.0.7-50.49.1 php7-mcrypt-7.0.7-50.49.1 php7-mcrypt-debuginfo-7.0.7-50.49.1 php7-mysql-7.0.7-50.49.1 php7-mysql-debuginfo-7.0.7-50.49.1 php7-odbc-7.0.7-50.49.1 php7-odbc-debuginfo-7.0.7-50.49.1 php7-opcache-7.0.7-50.49.1 php7-opcache-debuginfo-7.0.7-50.49.1 php7-openssl-7.0.7-50.49.1 php7-openssl-debuginfo-7.0.7-50.49.1 php7-pcntl-7.0.7-50.49.1 php7-pcntl-debuginfo-7.0.7-50.49.1 php7-pdo-7.0.7-50.49.1 php7-pdo-debuginfo-7.0.7-50.49.1 php7-pgsql-7.0.7-50.49.1 php7-pgsql-debuginfo-7.0.7-50.49.1 php7-phar-7.0.7-50.49.1 php7-phar-debuginfo-7.0.7-50.49.1 php7-posix-7.0.7-50.49.1 php7-posix-debuginfo-7.0.7-50.49.1 php7-pspell-7.0.7-50.49.1 php7-pspell-debuginfo-7.0.7-50.49.1 php7-shmop-7.0.7-50.49.1 php7-shmop-debuginfo-7.0.7-50.49.1 php7-snmp-7.0.7-50.49.1 php7-snmp-debuginfo-7.0.7-50.49.1 php7-soap-7.0.7-50.49.1 php7-soap-debuginfo-7.0.7-50.49.1 php7-sockets-7.0.7-50.49.1 php7-sockets-debuginfo-7.0.7-50.49.1 php7-sqlite-7.0.7-50.49.1 php7-sqlite-debuginfo-7.0.7-50.49.1 php7-sysvmsg-7.0.7-50.49.1 php7-sysvmsg-debuginfo-7.0.7-50.49.1 php7-sysvsem-7.0.7-50.49.1 php7-sysvsem-debuginfo-7.0.7-50.49.1 php7-sysvshm-7.0.7-50.49.1 php7-sysvshm-debuginfo-7.0.7-50.49.1 php7-tokenizer-7.0.7-50.49.1 php7-tokenizer-debuginfo-7.0.7-50.49.1 php7-wddx-7.0.7-50.49.1 php7-wddx-debuginfo-7.0.7-50.49.1 php7-xmlreader-7.0.7-50.49.1 php7-xmlreader-debuginfo-7.0.7-50.49.1 php7-xmlrpc-7.0.7-50.49.1 php7-xmlrpc-debuginfo-7.0.7-50.49.1 
php7-xmlwriter-7.0.7-50.49.1 php7-xmlwriter-debuginfo-7.0.7-50.49.1 php7-xsl-7.0.7-50.49.1 php7-xsl-debuginfo-7.0.7-50.49.1 php7-zip-7.0.7-50.49.1 php7-zip-debuginfo-7.0.7-50.49.1 php7-zlib-7.0.7-50.49.1 php7-zlib-debuginfo-7.0.7-50.49.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php7-pear-7.0.7-50.49.1 php7-pear-Archive_Tar-7.0.7-50.49.1 References: https://www.suse.com/security/cve/CVE-2017-9118.html https://bugzilla.suse.com/1105466 From sle-updates at lists.suse.com Thu Sep 6 16:07:47 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 00:07:47 +0200 (CEST) Subject: SUSE-SU-2018:2641-1: moderate: Security update for enigmail Message-ID: <20180906220747.D841FFD54@maintenance.suse.de> SUSE Security Update: Security update for enigmail ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2641-1 Rating: moderate References: #1104036 Affected Products: SUSE Linux Enterprise Workstation Extension 15 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for enigmail to 2.0.8 fixes the following issues: The enigmail 2.0.8 release addresses a security issue and solves a few regression bugs. * A security issue has been fixed that allows an attacker to prepare a plain, unauthenticated HTML message in a way that it looks like it's signed and/or encrypted (boo#1104036) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2018-1853=1 Package List: - SUSE Linux Enterprise Workstation Extension 15 (x86_64): enigmail-2.0.8-3.10.1 References: https://bugzilla.suse.com/1104036 From sle-updates at lists.suse.com Fri Sep 7 07:08:48 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 15:08:48 +0200 (CEST) Subject: SUSE-RU-2018:2646-1: moderate: Recommended update for resource-agents Message-ID: <20180907130848.33176FD54@maintenance.suse.de> SUSE Recommended Update: Recommended update for resource-agents ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2646-1 Rating: moderate References: #1092384 #1096744 Affected Products: SUSE Linux Enterprise High Availability 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for resource-agents provides the following fixes: - Implements the reload operation on the SAPInstance RA. (bsc#1096744) - Include the enq_server and enq_replicator on the default service list to be monitored for the new S/4 HANA Enq. Services 2. (bsc#1092384) - Improved SAPInstance START profile detection, avoiding the need of setting the START_PROFILE parameter. (bsc#1096744) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2018-1855=1 Package List: - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64): ldirectord-4.1.1+git0.5a1edf2b-3.3.2 resource-agents-4.1.1+git0.5a1edf2b-3.3.2 resource-agents-debuginfo-4.1.1+git0.5a1edf2b-3.3.2 resource-agents-debugsource-4.1.1+git0.5a1edf2b-3.3.2 - SUSE Linux Enterprise High Availability 15 (noarch): monitoring-plugins-metadata-4.1.1+git0.5a1edf2b-3.3.2 References: https://bugzilla.suse.com/1092384 https://bugzilla.suse.com/1096744 From sle-updates at lists.suse.com Fri Sep 7 07:09:32 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 15:09:32 +0200 (CEST) Subject: SUSE-SU-2018:2647-1: moderate: Security update for nodejs4 Message-ID: <20180907130932.566AEFD53@maintenance.suse.de> SUSE Security Update: Security update for nodejs4 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2647-1 Rating: moderate References: #1082318 #1091764 #1097158 #1097748 #1105019 Cross-References: CVE-2018-0732 CVE-2018-12115 Affected Products: SUSE Linux Enterprise Module for Web Scripting 12 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. 
Description: This update for nodejs4 fixes the following issues: Security issues fixed: - CVE-2018-12115: Fixed an out-of-bounds memory write in Buffer that could be used to write to memory outside of a Buffer's memory space buffer (bsc#1105019) - Upgrade to OpenSSL 1.0.2p, which fixed: - CVE-2018-0732: Client denial-of-service due to large DH parameter (bsc#1097158) - ECDSA key extraction via local side-channel Other changes made: - Recommend same major version npm package (bsc#1097748) - Use absolute paths in executable shebang lines - Fix building with ICU61.1 (bsc#1091764) - Install license with %license, not %doc (bsc#1082318) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-1854=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1854=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le x86_64): nodejs4-4.9.1-15.14.1 nodejs4-debuginfo-4.9.1-15.14.1 nodejs4-debugsource-4.9.1-15.14.1 nodejs4-devel-4.9.1-15.14.1 npm4-4.9.1-15.14.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): nodejs4-docs-4.9.1-15.14.1 - SUSE Enterprise Storage 4 (aarch64 x86_64): nodejs4-4.9.1-15.14.1 nodejs4-debuginfo-4.9.1-15.14.1 nodejs4-debugsource-4.9.1-15.14.1 References: https://www.suse.com/security/cve/CVE-2018-0732.html https://www.suse.com/security/cve/CVE-2018-12115.html https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1091764 https://bugzilla.suse.com/1097158 https://bugzilla.suse.com/1097748 https://bugzilla.suse.com/1105019 From sle-updates at lists.suse.com Fri Sep 7 10:08:00 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 18:08:00 +0200 (CEST) Subject: SUSE-SU-2018:2649-1: important: 
Security update for java-1_7_1-ibm Message-ID: <20180907160800.79BCDFD4E@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_1-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2649-1 Rating: important References: #1104668 Cross-References: CVE-2018-12539 CVE-2018-1517 CVE-2018-1656 CVE-2018-2940 CVE-2018-2952 CVE-2018-2973 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for java-1_7_1-ibm fixes the following issues: Security issues fixed: - CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may allow an attacker to inflict a denial-of-service attack with specially crafted String data. - CVE-2018-1656: Protect against path traversal attacks when extracting compressed dump files. - CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to unauthorized read access. - CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency subcomponent, which allowed unauthenticated attackers with network access via multiple protocols to compromise the Java SE, leading to denial of service. 
- CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE subcomponent, which allowed unauthenticated attackers with network access via SSL/TLS to compromise the Java SE, leading to unauthorized creation, deletion or modification access to critical data. - CVE-2018-12539: Fixed a vulnerability in which users other than the process owner may be able to use Java Attach API to connect to the IBM JVM on the same machine and use Attach API operations, including the ability to execute untrusted arbitrary code. Other changes made: - Various JIT/JVM crash fixes - Version update to 7.1.4.30 (bsc#1104668) You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_August_2018). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1858=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1858=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1858=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1858=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1858=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1858=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1858=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1858=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1858=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 
- SUSE OpenStack Cloud 7 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 - SUSE Linux 
Enterprise Server 12-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 - SUSE Enterprise Storage 4 (x86_64): java-1_7_1-ibm-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-alsa-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-devel-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.30-38.26.1 java-1_7_1-ibm-plugin-1.7.1_sr4.30-38.26.1 References: https://www.suse.com/security/cve/CVE-2018-12539.html https://www.suse.com/security/cve/CVE-2018-1517.html https://www.suse.com/security/cve/CVE-2018-1656.html https://www.suse.com/security/cve/CVE-2018-2940.html https://www.suse.com/security/cve/CVE-2018-2952.html https://www.suse.com/security/cve/CVE-2018-2973.html https://bugzilla.suse.com/1104668 From sle-updates at lists.suse.com Fri Sep 7 10:08:36 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 18:08:36 +0200 (CEST) Subject: SUSE-SU-2018:2650-1: moderate: Security update for kvm Message-ID: <20180907160836.57C26FD53@maintenance.suse.de> SUSE Security Update: Security update for kvm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2650-1 Rating: moderate References: #1092885 #1096223 #1098735 Cross-References: CVE-2018-11806 CVE-2018-12617 CVE-2018-3639 Affected Products: SUSE Linux Enterprise Server 11-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. 
Description: This update for kvm fixes the following security issues: - CVE-2018-12617: qmp_guest_file_read had an integer overflow that could have been exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket causing DoS (bsc#1098735) - CVE-2018-11806: Prevent heap-based buffer overflow via incoming fragmented datagrams (bsc#1096223) With this release the mitigations for Spectre v4 are moved to the patches from upstream (CVE-2018-3639, bsc#1092885). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-kvm-13771=1 Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 s390x x86_64): kvm-1.4.2-60.15.2 References: https://www.suse.com/security/cve/CVE-2018-11806.html https://www.suse.com/security/cve/CVE-2018-12617.html https://www.suse.com/security/cve/CVE-2018-3639.html https://bugzilla.suse.com/1092885 https://bugzilla.suse.com/1096223 https://bugzilla.suse.com/1098735 From sle-updates at lists.suse.com Fri Sep 7 10:09:29 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 18:09:29 +0200 (CEST) Subject: SUSE-RU-2018:2651-1: moderate: Recommended update for vncmanager-controller Message-ID: <20180907160929.AA45CFD53@maintenance.suse.de> SUSE Recommended Update: Recommended update for vncmanager-controller ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2651-1 Rating: moderate References: #1102080 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for vncmanager-controller fixes the following issues: - Fixes loading of the gnome shell extensions (bsc#1102080) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1857=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): vncmanager-controller-1.0.0-3.3.3 vncmanager-controller-debuginfo-1.0.0-3.3.3 vncmanager-controller-debugsource-1.0.0-3.3.3 vncmanager-controller-gnome-1.0.0-3.3.3 References: https://bugzilla.suse.com/1102080 From sle-updates at lists.suse.com Fri Sep 7 13:07:45 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 21:07:45 +0200 (CEST) Subject: SUSE-RU-2018:2652-1: moderate: Recommended update for openvswitch Message-ID: <20180907190745.82DE6FD2D@maintenance.suse.de> SUSE Recommended Update: Recommended update for openvswitch ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2652-1 Rating: moderate References: #1094234 #1098630 #1104049 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for openvswitch provides version 2.8.4 and fixes the following issues: - Fix permissions when running the logrotate script. (bsc#1104049) - Fix dbus timeout due to deadlock in systemd dependencies. (bsc#1098630) - dpif-netdev: Free packets on TUNNEL_PUSH if may_steal. - netdev-dpdk: Fix check for "net_nfp" driver. - netdev-dpdk: Don't use PMD driver if not configured successfully. 
- netdev-dpdk: Remove use of rte_mempool_ops_get_count. - conntrack-tcp: Handle tcp session reuse. - tunnel: Make tun_key_to_attr aware of tunnel type. - Configurable Link State Change (LSC) detection mode. - netdev-dpdk: Don't enable scatter for jumbo RX support for nfp. - faq: Document DPDK version maintenance. - Avoid crash in OvS while transmitting fragmented packets over tunnel. - compat: Fix upstream 4.4.119 kernel. - ovs-vsctl: Fix segfault when attempting to del-port from parent bridge. - ofproto-dpif-xlate: Fix segmentation fault caused by tun_table. - odp-util: Remove unnecessary TOS ECN bits rewrite for tunnels. - datapath: Prevent panic. - netdev-dpdk: Free mempool only when no in-use mbufs. - python: Fix a double encoding attempt on an Unicode string. - ofproto-dpif: Init ukey->dump_seq to zero. - nsh: Add unit test for double NSH encap and decap. - xlate: Correct handling of double encap() actions. - tc: Change filter error to debug once. - lib/tc: Handle error parsing action in nl_parse_single_action. - ovn: Fix tunnel id overflow. - ofp-actions: Correct execution of encap/decap actions in action set. - ovsdb-idl.at: Fix test failed. (writing large data via IDL with unicode) - netdev-dpdk: Limit rate of DPDK logs. - netdev-dpdk: Remove 'error' from non error log. - odp-util: Print eth() for Ethernet flows if packet_type is absent. - python: Fix decoding error when the received data is larger than 4096. - datapath-windows: Fix hash creation on ct mark. - tunnel: Fix deletion of datapath tunnel ports in case of reconfiguration. - tests: Make packet-type-aware.at hash independent. - Use openvswitch user/group for the log directory. - Add support for RedHat distributions. All SUSE macros are now conditional and the spec file has been adapted based on the upstream one. (fate#324537) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-1860=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): libopenvswitch-2_8-0-2.8.4-6.4.1 libopenvswitch-2_8-0-debuginfo-2.8.4-6.4.1 openvswitch-2.8.4-6.4.1 openvswitch-debuginfo-2.8.4-6.4.1 openvswitch-debugsource-2.8.4-6.4.1 openvswitch-devel-2.8.4-6.4.1 References: https://bugzilla.suse.com/1094234 https://bugzilla.suse.com/1098630 https://bugzilla.suse.com/1104049 From sle-updates at lists.suse.com Fri Sep 7 13:08:35 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 7 Sep 2018 21:08:35 +0200 (CEST) Subject: SUSE-RU-2018:2653-1: moderate: Recommended update for several packages for ardana Message-ID: <20180907190835.A951DFD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for several packages for ardana ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2653-1 Rating: moderate References: #1081424 #1082708 #1086390 #1091459 #1091462 #1091492 #1091869 #1092431 #1095254 #1095912 #1096308 #1096798 #1097241 #1097252 #1097904 #1098244 #1098657 #1100688 #1101713 #1101865 #1102475 #1102662 #1104413 Affected Products: SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that has 23 recommended fixes can now be installed. 
Description: This update for ardana fixes the following issues: ardana-cluster: - SCRD-2019 Remove tasks to in-place modify systemd files ardana-cobbler: - Check for proper ipmi settings in servers.yml (bsc#1091459) - Fix mac-node mapping on prepare grub2 playbooks (bsc#1101865, bsc#1101713) - SCRD-2997 Fix missing dependency for HPILO playbooks - SCRD-2997 HPILO SMASH CLP playbooks ardana-db: - Quick check to reduce Percona confusion (bsc#1091492) - Use galera-bootstrap for galera cluster (bsc#1091869) ardana-input-model: - SCPL-391 Add tempest to demo model services ardana-keystone: - Allow extra roles to admin user for admin project (bsc#1081424) - Properly add the host fingerprints (bsc#1097904) - Fudge host key validation (bsc#1097904) - Do not change token provider on manual update (bsc#1097241) ardana-neutron: - Fix typo in ext-net creation command (bsc#1102475) - Set OVS.ovsdb_interface to "vsctl" for ovsvapp agents (bsc#1098244) - Switch to new neutron-venv before adding ovsvapp db changes (bsc#1096308) ardana-nova: - Fixes cell mapping management (bsc#1102662) - Switch to stable/pike branch - SCPL-409 Fix .gitreview for stable/pike - Fix nova_heartbeat_check.yaml not updated during password changes (bsc#1104413) - Bypass setting hugepage directory file permissions (bsc#1092431) - "qemu" user needs access to HugePage directory (bsc#1092431, bsc#1096798) ardana-osconfig: - Hugepage directories need a valid user (bsc#1092431) - Remove ifcfg-* stale files (bsc#1086390) - Bond interface does not get reconfigured (bsc#1095912) - DPDK options configuration must be done through ovsdb (bsc#1095254) - qemu user needs access to HugePage directory (bsc#1092431) - Part 2 Including RHEL workaround for ardana update flow (bsc#1091462) - Assure NORMAL flow present on ovs_bridges (bsc#1097252) - SCRD-2019 Remove setup of legacy extra repos ardana-swift: - Use RPM installed swiftlm monasca plugins (bsc#1098657) ardana-ansible: - Use sosreport for RHEL and supportutils 
for SLES nodes. (bsc#1100688) - Add Keystone Fernet master node monitoring. (bsc#1097241) - Don't install systemd service file when SUSEified (bsc#1082708) - SCRD-2019 Switch to non-legacy media layout by default. - SCRD-2497 add restart verb for maintenance updates - SCRD-2019 Remove tasks to in-place modify systemd files Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2018-1859=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2018-1859=1 Package List: - SUSE OpenStack Cloud 8 (noarch): ardana-ansible-8.0+git.1532100751.5b52850-3.13.2 ardana-cluster-8.0+git.1529583169.6c1e0da-3.13.2 ardana-cobbler-8.0+git.1532375592.2687e16-3.13.2 ardana-db-8.0+git.1530691744.16f8c63-3.13.2 ardana-input-model-8.0+git.1530100660.7e77a0c-3.16.2 ardana-keystone-8.0+git.1531312142.8e16227-3.10.2 ardana-neutron-8.0+git.1532463619.6a3a421-3.16.2 ardana-nova-8.0+git.1534350622.6998ffe-3.9.1 ardana-osconfig-8.0+git.1532637501.89ef824-3.20.2 ardana-swift-8.0+git.1529688594.a3a7ddd-3.13.2 - HPE Helion Openstack 8 (noarch): ardana-ansible-8.0+git.1532100751.5b52850-3.13.2 ardana-cluster-8.0+git.1529583169.6c1e0da-3.13.2 ardana-cobbler-8.0+git.1532375592.2687e16-3.13.2 ardana-db-8.0+git.1530691744.16f8c63-3.13.2 ardana-input-model-8.0+git.1530100660.7e77a0c-3.16.2 ardana-keystone-8.0+git.1531312142.8e16227-3.10.2 ardana-neutron-8.0+git.1532463619.6a3a421-3.16.2 ardana-nova-8.0+git.1534350622.6998ffe-3.9.1 ardana-osconfig-8.0+git.1532637501.89ef824-3.20.2 ardana-swift-8.0+git.1529688594.a3a7ddd-3.13.2 References: https://bugzilla.suse.com/1081424 https://bugzilla.suse.com/1082708 https://bugzilla.suse.com/1086390 https://bugzilla.suse.com/1091459 https://bugzilla.suse.com/1091462 https://bugzilla.suse.com/1091492 
https://bugzilla.suse.com/1091869 https://bugzilla.suse.com/1092431 https://bugzilla.suse.com/1095254 https://bugzilla.suse.com/1095912 https://bugzilla.suse.com/1096308 https://bugzilla.suse.com/1096798 https://bugzilla.suse.com/1097241 https://bugzilla.suse.com/1097252 https://bugzilla.suse.com/1097904 https://bugzilla.suse.com/1098244 https://bugzilla.suse.com/1098657 https://bugzilla.suse.com/1100688 https://bugzilla.suse.com/1101713 https://bugzilla.suse.com/1101865 https://bugzilla.suse.com/1102475 https://bugzilla.suse.com/1102662 https://bugzilla.suse.com/1104413 From sle-updates at lists.suse.com Mon Sep 10 07:08:02 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 15:08:02 +0200 (CEST) Subject: SUSE-RU-2018:2675-1: moderate: Recommended update for firewalld and susefirewall2-to-firewalld Message-ID: <20180910130802.2A2A3FCBF@maintenance.suse.de> SUSE Recommended Update: Recommended update for firewalld and susefirewall2-to-firewalld ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2675-1 Rating: moderate References: #1096542 #1098986 #1099698 #1105157 #1105170 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. Description: This update for firewalld and susefirewall2-to-firewalld fixes the following issues: firewalld: - Drop global read permissions from the log file (bsc#1098986) - Add missing ipv6-icmp protocol to UI drop-down list (bsc#1099698) - Fix some untranslated strings in the creation of rich rules and firewall-config. (bsc#1096542) - fw: If failure occurs during startup set state to FAILED. - fw_direct: Avoid log for untracked passthrough queries. - Rich Rule Masquerade inverted source-destination in Forward Chain. 
- Don't forward interface to zone requests to NM for generated interfaces. - firewall-cmd, firewall-offline-cmd: Add --check-config option. - ipset: Check type when parsing ipset definition. - firewall-config: Add ipv6-icmp to the protocol dropdown box. - core/logger: Remove world-readable bit from logfile. - IPv6 rpfilter: Explicitly allow neighbor solicitation. susefirewall2-to-firewalld: - Do not try to handle unknown iptables chains. - Handle source whitelisting. (bsc#1105157) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1861=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1861=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (noarch): firewall-applet-0.5.4-4.7.1 firewall-config-0.5.4-4.7.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): firewall-macros-0.5.4-4.7.1 firewalld-0.5.4-4.7.1 firewalld-lang-0.5.4-4.7.1 python3-firewall-0.5.4-4.7.1 susefirewall2-to-firewalld-0.0.3-3.3.1 References: https://bugzilla.suse.com/1096542 https://bugzilla.suse.com/1098986 https://bugzilla.suse.com/1099698 https://bugzilla.suse.com/1105157 https://bugzilla.suse.com/1105170 From sle-updates at lists.suse.com Mon Sep 10 10:08:06 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 18:08:06 +0200 (CEST) Subject: SUSE-SU-2018:2676-1: moderate: Security update for tiff Message-ID: <20180910160806.7A003FD2D@maintenance.suse.de> SUSE Security Update: Security update for tiff ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2676-1 Rating: moderate References: #1074186 #1092480 #960589 #983440 
Cross-References: CVE-2015-8668 CVE-2016-5319 CVE-2017-17942 CVE-2018-10779 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for tiff fixes the following issues: The following security vulnerabilities were addressed: - CVE-2015-8668: Fixed a heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff, which allowed remote attackers to execute arbitrary code or cause a denial of service via a large width field in a specially crafted BMP image. (bsc#960589) - CVE-2018-10779: Fixed a heap-based buffer over-read in TIFFWriteScanline() in tif_write.c (bsc#1092480) - CVE-2017-17942: Fixed a heap-based buffer overflow in the function PackBitsEncode in tif_packbits.c. (bsc#1074186) - CVE-2016-5319: Fixed a heap-based buffer overflow in bmp2tiff (bsc#983440) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-tiff-13772=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-tiff-13772=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-tiff-13772=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): libtiff-devel-3.8.2-141.169.16.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): libtiff-devel-32bit-3.8.2-141.169.16.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libtiff3-3.8.2-141.169.16.1 tiff-3.8.2-141.169.16.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libtiff3-32bit-3.8.2-141.169.16.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): libtiff3-x86-3.8.2-141.169.16.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): tiff-debuginfo-3.8.2-141.169.16.1 tiff-debugsource-3.8.2-141.169.16.1 References: https://www.suse.com/security/cve/CVE-2015-8668.html https://www.suse.com/security/cve/CVE-2016-5319.html https://www.suse.com/security/cve/CVE-2017-17942.html https://www.suse.com/security/cve/CVE-2018-10779.html https://bugzilla.suse.com/1074186 https://bugzilla.suse.com/1092480 https://bugzilla.suse.com/960589 https://bugzilla.suse.com/983440 From sle-updates at lists.suse.com Mon Sep 10 13:07:58 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 21:07:58 +0200 (CEST) Subject: SUSE-SU-2018:2677-1: important: Security update for the Linux Kernel (Live Patch 1 for SLE 15) Message-ID: <20180910190758.48672FD2C@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 1 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2677-1 Rating: important References: #1105026 Cross-References: CVE-2018-15471 Affected Products: 
SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.12.14-25_3 fixes one issue. The following security issue was fixed: - CVE-2018-15471: An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c. The Linux netback driver allowed frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks (bsc#1105026). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2018-1868=1 SUSE-SLE-Module-Live-Patching-15-2018-1870=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-23-default-3-7.3 kernel-livepatch-4_12_14-23-default-debuginfo-3-7.3 kernel-livepatch-4_12_14-25_3-default-3-2.1 kernel-livepatch-4_12_14-25_3-default-debuginfo-3-2.1 kernel-livepatch-SLE15_Update_0-debugsource-3-7.3 References: https://www.suse.com/security/cve/CVE-2018-15471.html https://bugzilla.suse.com/1105026 From sle-updates at lists.suse.com Mon Sep 10 13:08:28 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 21:08:28 +0200 (CEST) Subject: SUSE-SU-2018:2678-1: important: Security update for the Linux Kernel (Live Patch 2 for SLE 15) Message-ID: <20180910190828.6C5CEFD2C@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 2 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2678-1 Rating: important References: #1097108 #1103203 #1105026 Cross-References: CVE-2018-10853 CVE-2018-15471 Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.12.14-25_6 fixes several issues. The following security issues were fixed: - CVE-2018-15471: An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c. The Linux netback driver allowed frontends to control mapping of requests to request queues. 
When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks (bsc#1105026). - CVE-2018-10853: A KVM guest userspace to guest kernel write was fixed, which could be used by guest users to crash the guest kernel (bsc#1097108). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2018-1869=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-25_6-default-3-2.1 kernel-livepatch-4_12_14-25_6-default-debuginfo-3-2.1 References: https://www.suse.com/security/cve/CVE-2018-10853.html https://www.suse.com/security/cve/CVE-2018-15471.html https://bugzilla.suse.com/1097108 https://bugzilla.suse.com/1103203 https://bugzilla.suse.com/1105026 From sle-updates at lists.suse.com Mon Sep 10 13:09:20 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 21:09:20 +0200 (CEST) Subject: SUSE-SU-2018:2679-1: moderate: Security update for qemu Message-ID: <20180910190920.B331FFD2D@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2679-1 Rating: moderate References: #1094898 #1098735 #1102604 #1103628 #1105279 Cross-References: CVE-2018-12617 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Basesystem 15 
______________________________________________________________________________ An update that solves one vulnerability and has four fixes is now available. Description: This update for qemu fixes the following issues: This security issue was fixed: - CVE-2018-12617: qmp_guest_file_read had an integer overflow that could have been exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket causing DoS (bsc#1098735) These non-security issues were fixed: - Allow kvm group access to /dev/sev (bsc#1102604). - Fix for the value used for reduced_phys_bits. Please update the reduced_phys_bits value used on the commandline or in libvirt XML to the value 1 (explicitly set now in QEMU code). (bsc#1103628) - Fix (again) the qemu guest agent udev rule file, which got unfixed in a series of unfortunate events (bsc#1094898 and now bsc#1105279) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-1866=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1866=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): qemu-2.11.2-9.9.1 qemu-block-curl-2.11.2-9.9.1 qemu-block-curl-debuginfo-2.11.2-9.9.1 qemu-block-iscsi-2.11.2-9.9.1 qemu-block-iscsi-debuginfo-2.11.2-9.9.1 qemu-block-rbd-2.11.2-9.9.1 qemu-block-rbd-debuginfo-2.11.2-9.9.1 qemu-block-ssh-2.11.2-9.9.1 qemu-block-ssh-debuginfo-2.11.2-9.9.1 qemu-debuginfo-2.11.2-9.9.1 qemu-debugsource-2.11.2-9.9.1 qemu-guest-agent-2.11.2-9.9.1 qemu-guest-agent-debuginfo-2.11.2-9.9.1 qemu-lang-2.11.2-9.9.1 - SUSE Linux Enterprise Module for Server Applications 15 (s390x x86_64): qemu-kvm-2.11.2-9.9.1 - SUSE Linux Enterprise Module for Server Applications 15 (aarch64): qemu-arm-2.11.2-9.9.1 qemu-arm-debuginfo-2.11.2-9.9.1 - SUSE Linux Enterprise Module for Server Applications 15 (ppc64le): qemu-ppc-2.11.2-9.9.1 qemu-ppc-debuginfo-2.11.2-9.9.1 - SUSE Linux Enterprise Module for Server Applications 15 (x86_64): qemu-x86-2.11.2-9.9.1 qemu-x86-debuginfo-2.11.2-9.9.1 - SUSE Linux Enterprise Module for Server Applications 15 (noarch): qemu-ipxe-1.0.0-9.9.1 qemu-seabios-1.11.0-9.9.1 qemu-sgabios-8-9.9.1 qemu-vgabios-1.11.0-9.9.1 - SUSE Linux Enterprise Module for Server Applications 15 (s390x): qemu-s390-2.11.2-9.9.1 qemu-s390-debuginfo-2.11.2-9.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): qemu-debuginfo-2.11.2-9.9.1 qemu-debugsource-2.11.2-9.9.1 qemu-tools-2.11.2-9.9.1 qemu-tools-debuginfo-2.11.2-9.9.1 References: https://www.suse.com/security/cve/CVE-2018-12617.html https://bugzilla.suse.com/1094898 https://bugzilla.suse.com/1098735 https://bugzilla.suse.com/1102604 https://bugzilla.suse.com/1103628 
https://bugzilla.suse.com/1105279 From sle-updates at lists.suse.com Mon Sep 10 13:10:26 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 21:10:26 +0200 (CEST) Subject: SUSE-RU-2018:2680-1: moderate: Recommended update for kiwi-templates-SLES12-RPi Message-ID: <20180910191026.4CC26FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for kiwi-templates-SLES12-RPi ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2680-1 Rating: moderate References: #1070591 #1070600 #1072188 #1078264 #1078270 #1082083 #1083735 #1084121 #1090062 #1105129 Affected Products: SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that has 10 recommended fixes can now be installed. Description: The SUSE Linux Enterprise 12 SP3 kiwi image build templates for the Raspberry Pi 3 were updated to the GA delivery state. (bsc#1082083) Various adjustments to the package lists and default configuration were done. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1867=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (noarch): kiwi-templates-SLES12-RPi-12-12.8.1 References: https://bugzilla.suse.com/1070591 https://bugzilla.suse.com/1070600 https://bugzilla.suse.com/1072188 https://bugzilla.suse.com/1078264 https://bugzilla.suse.com/1078270 https://bugzilla.suse.com/1082083 https://bugzilla.suse.com/1083735 https://bugzilla.suse.com/1084121 https://bugzilla.suse.com/1090062 https://bugzilla.suse.com/1105129 From sle-updates at lists.suse.com Mon Sep 10 13:12:28 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 21:12:28 +0200 (CEST) Subject: SUSE-SU-2018:2681-1: moderate: Security update for php53 Message-ID: <20180910191228.29232FD2D@maintenance.suse.de> SUSE Security Update: Security update for php53 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2681-1 Rating: moderate References: #1103659 #1103836 #1105466 Cross-References: CVE-2017-9118 CVE-2018-14851 CVE-2018-14883 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for php53 fixes the following issues: The following security issues were fixed: - CVE-2018-14851: Fixed an out-of-bound read in exif_process_IFD_in_MAKERNOTE, which could be exploited by an attacker via crafted JPG files, and could result in an application crash. (bsc#1103659) - CVE-2018-14883: Fixed an integer overflow leading to a heap based buffer over-read in exif_thumbnail_extract of exif.c. 
(bsc#1103836) - CVE-2017-9118: Fixed an out of bounds access in php_pcre_replace_impl via a crafted preg_replace call (bsc#1105466) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-php53-13773=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-php53-13773=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-php53-13773=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): php53-devel-5.3.17-112.38.1 php53-imap-5.3.17-112.38.1 php53-posix-5.3.17-112.38.1 php53-readline-5.3.17-112.38.1 php53-sockets-5.3.17-112.38.1 php53-sqlite-5.3.17-112.38.1 php53-tidy-5.3.17-112.38.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): apache2-mod_php53-5.3.17-112.38.1 php53-5.3.17-112.38.1 php53-bcmath-5.3.17-112.38.1 php53-bz2-5.3.17-112.38.1 php53-calendar-5.3.17-112.38.1 php53-ctype-5.3.17-112.38.1 php53-curl-5.3.17-112.38.1 php53-dba-5.3.17-112.38.1 php53-dom-5.3.17-112.38.1 php53-exif-5.3.17-112.38.1 php53-fastcgi-5.3.17-112.38.1 php53-fileinfo-5.3.17-112.38.1 php53-ftp-5.3.17-112.38.1 php53-gd-5.3.17-112.38.1 php53-gettext-5.3.17-112.38.1 php53-gmp-5.3.17-112.38.1 php53-iconv-5.3.17-112.38.1 php53-intl-5.3.17-112.38.1 php53-json-5.3.17-112.38.1 php53-ldap-5.3.17-112.38.1 php53-mbstring-5.3.17-112.38.1 php53-mcrypt-5.3.17-112.38.1 php53-mysql-5.3.17-112.38.1 php53-odbc-5.3.17-112.38.1 php53-openssl-5.3.17-112.38.1 php53-pcntl-5.3.17-112.38.1 php53-pdo-5.3.17-112.38.1 php53-pear-5.3.17-112.38.1 php53-pgsql-5.3.17-112.38.1 php53-pspell-5.3.17-112.38.1 php53-shmop-5.3.17-112.38.1 php53-snmp-5.3.17-112.38.1 php53-soap-5.3.17-112.38.1 php53-suhosin-5.3.17-112.38.1 php53-sysvmsg-5.3.17-112.38.1 php53-sysvsem-5.3.17-112.38.1 
php53-sysvshm-5.3.17-112.38.1 php53-tokenizer-5.3.17-112.38.1 php53-wddx-5.3.17-112.38.1 php53-xmlreader-5.3.17-112.38.1 php53-xmlrpc-5.3.17-112.38.1 php53-xmlwriter-5.3.17-112.38.1 php53-xsl-5.3.17-112.38.1 php53-zip-5.3.17-112.38.1 php53-zlib-5.3.17-112.38.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): php53-debuginfo-5.3.17-112.38.1 php53-debugsource-5.3.17-112.38.1 References: https://www.suse.com/security/cve/CVE-2017-9118.html https://www.suse.com/security/cve/CVE-2018-14851.html https://www.suse.com/security/cve/CVE-2018-14883.html https://bugzilla.suse.com/1103659 https://bugzilla.suse.com/1103836 https://bugzilla.suse.com/1105466 From sle-updates at lists.suse.com Mon Sep 10 13:13:20 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 21:13:20 +0200 (CEST) Subject: SUSE-SU-2018:2682-1: moderate: Security update for php5 Message-ID: <20180910191320.4C3EBFD2C@maintenance.suse.de> SUSE Security Update: Security update for php5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2682-1 Rating: moderate References: #1096984 #1099098 #1103659 #1105466 Cross-References: CVE-2017-9118 CVE-2018-10360 CVE-2018-12882 CVE-2018-14851 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. 
Description: This update for php5 fixes the following issues: The following security issues were fixed: - CVE-2018-10360: Fixed an out-of-bounds read in the do_core_note function in readelf.c in libmagic.a, which allowed remote attackers to cause a denial of service via a crafted ELF file (bsc#1096984) - CVE-2018-14851: Fixed an out-of-bound read in exif_process_IFD_in_MAKERNOTE, which could be exploited by an attacker via crafted JPG files, and could result in an application crash. (bsc#1103659) - CVE-2018-12882: Fixed a use-after-free in exif_read_from_impl in ext/exif/exif.c (bsc#1099098) - CVE-2017-9118: Fixed an out of bounds access in php_pcre_replace_impl via a crafted preg_replace call (bsc#1105466) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1871=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-1871=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): php5-debuginfo-5.5.14-109.38.1 php5-debugsource-5.5.14-109.38.1 php5-devel-5.5.14-109.38.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php5-5.5.14-109.38.1 apache2-mod_php5-debuginfo-5.5.14-109.38.1 php5-5.5.14-109.38.1 php5-bcmath-5.5.14-109.38.1 php5-bcmath-debuginfo-5.5.14-109.38.1 php5-bz2-5.5.14-109.38.1 php5-bz2-debuginfo-5.5.14-109.38.1 php5-calendar-5.5.14-109.38.1 php5-calendar-debuginfo-5.5.14-109.38.1 php5-ctype-5.5.14-109.38.1 php5-ctype-debuginfo-5.5.14-109.38.1 php5-curl-5.5.14-109.38.1 php5-curl-debuginfo-5.5.14-109.38.1 php5-dba-5.5.14-109.38.1 php5-dba-debuginfo-5.5.14-109.38.1 php5-debuginfo-5.5.14-109.38.1 php5-debugsource-5.5.14-109.38.1 php5-dom-5.5.14-109.38.1 
php5-dom-debuginfo-5.5.14-109.38.1 php5-enchant-5.5.14-109.38.1 php5-enchant-debuginfo-5.5.14-109.38.1 php5-exif-5.5.14-109.38.1 php5-exif-debuginfo-5.5.14-109.38.1 php5-fastcgi-5.5.14-109.38.1 php5-fastcgi-debuginfo-5.5.14-109.38.1 php5-fileinfo-5.5.14-109.38.1 php5-fileinfo-debuginfo-5.5.14-109.38.1 php5-fpm-5.5.14-109.38.1 php5-fpm-debuginfo-5.5.14-109.38.1 php5-ftp-5.5.14-109.38.1 php5-ftp-debuginfo-5.5.14-109.38.1 php5-gd-5.5.14-109.38.1 php5-gd-debuginfo-5.5.14-109.38.1 php5-gettext-5.5.14-109.38.1 php5-gettext-debuginfo-5.5.14-109.38.1 php5-gmp-5.5.14-109.38.1 php5-gmp-debuginfo-5.5.14-109.38.1 php5-iconv-5.5.14-109.38.1 php5-iconv-debuginfo-5.5.14-109.38.1 php5-imap-5.5.14-109.38.1 php5-imap-debuginfo-5.5.14-109.38.1 php5-intl-5.5.14-109.38.1 php5-intl-debuginfo-5.5.14-109.38.1 php5-json-5.5.14-109.38.1 php5-json-debuginfo-5.5.14-109.38.1 php5-ldap-5.5.14-109.38.1 php5-ldap-debuginfo-5.5.14-109.38.1 php5-mbstring-5.5.14-109.38.1 php5-mbstring-debuginfo-5.5.14-109.38.1 php5-mcrypt-5.5.14-109.38.1 php5-mcrypt-debuginfo-5.5.14-109.38.1 php5-mysql-5.5.14-109.38.1 php5-mysql-debuginfo-5.5.14-109.38.1 php5-odbc-5.5.14-109.38.1 php5-odbc-debuginfo-5.5.14-109.38.1 php5-opcache-5.5.14-109.38.1 php5-opcache-debuginfo-5.5.14-109.38.1 php5-openssl-5.5.14-109.38.1 php5-openssl-debuginfo-5.5.14-109.38.1 php5-pcntl-5.5.14-109.38.1 php5-pcntl-debuginfo-5.5.14-109.38.1 php5-pdo-5.5.14-109.38.1 php5-pdo-debuginfo-5.5.14-109.38.1 php5-pgsql-5.5.14-109.38.1 php5-pgsql-debuginfo-5.5.14-109.38.1 php5-phar-5.5.14-109.38.1 php5-phar-debuginfo-5.5.14-109.38.1 php5-posix-5.5.14-109.38.1 php5-posix-debuginfo-5.5.14-109.38.1 php5-pspell-5.5.14-109.38.1 php5-pspell-debuginfo-5.5.14-109.38.1 php5-shmop-5.5.14-109.38.1 php5-shmop-debuginfo-5.5.14-109.38.1 php5-snmp-5.5.14-109.38.1 php5-snmp-debuginfo-5.5.14-109.38.1 php5-soap-5.5.14-109.38.1 php5-soap-debuginfo-5.5.14-109.38.1 php5-sockets-5.5.14-109.38.1 php5-sockets-debuginfo-5.5.14-109.38.1 php5-sqlite-5.5.14-109.38.1 
php5-sqlite-debuginfo-5.5.14-109.38.1 php5-suhosin-5.5.14-109.38.1 php5-suhosin-debuginfo-5.5.14-109.38.1 php5-sysvmsg-5.5.14-109.38.1 php5-sysvmsg-debuginfo-5.5.14-109.38.1 php5-sysvsem-5.5.14-109.38.1 php5-sysvsem-debuginfo-5.5.14-109.38.1 php5-sysvshm-5.5.14-109.38.1 php5-sysvshm-debuginfo-5.5.14-109.38.1 php5-tokenizer-5.5.14-109.38.1 php5-tokenizer-debuginfo-5.5.14-109.38.1 php5-wddx-5.5.14-109.38.1 php5-wddx-debuginfo-5.5.14-109.38.1 php5-xmlreader-5.5.14-109.38.1 php5-xmlreader-debuginfo-5.5.14-109.38.1 php5-xmlrpc-5.5.14-109.38.1 php5-xmlrpc-debuginfo-5.5.14-109.38.1 php5-xmlwriter-5.5.14-109.38.1 php5-xmlwriter-debuginfo-5.5.14-109.38.1 php5-xsl-5.5.14-109.38.1 php5-xsl-debuginfo-5.5.14-109.38.1 php5-zip-5.5.14-109.38.1 php5-zip-debuginfo-5.5.14-109.38.1 php5-zlib-5.5.14-109.38.1 php5-zlib-debuginfo-5.5.14-109.38.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php5-pear-5.5.14-109.38.1 References: https://www.suse.com/security/cve/CVE-2017-9118.html https://www.suse.com/security/cve/CVE-2018-10360.html https://www.suse.com/security/cve/CVE-2018-12882.html https://www.suse.com/security/cve/CVE-2018-14851.html https://bugzilla.suse.com/1096984 https://bugzilla.suse.com/1099098 https://bugzilla.suse.com/1103659 https://bugzilla.suse.com/1105466 From sle-updates at lists.suse.com Mon Sep 10 13:14:20 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 10 Sep 2018 21:14:20 +0200 (CEST) Subject: SUSE-SU-2018:2683-1: moderate: Security update for compat-openssl098 Message-ID: <20180910191420.8D43AFD2D@maintenance.suse.de> SUSE Security Update: Security update for compat-openssl098 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2683-1 Rating: moderate References: #1087102 #1089039 #1097158 #1097624 #1098592 Cross-References: CVE-2018-0732 CVE-2018-0737 CVE-2018-0739 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 
for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Module for Legacy Software 12 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that solves three vulnerabilities and has two fixes is now available. Description: This update for compat-openssl098 fixes the following security issues: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158) - Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) - CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could have resulted in DoS (bsc#1087102). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2018-1872=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1872=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1872=1 - SUSE Linux Enterprise Module for Legacy Software 12: zypper in -t patch SUSE-SLE-Module-Legacy-12-2018-1872=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1872=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): compat-openssl098-debugsource-0.9.8j-106.6.1 libopenssl0_9_8-0.9.8j-106.6.1 libopenssl0_9_8-debuginfo-0.9.8j-106.6.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): compat-openssl098-debugsource-0.9.8j-106.6.1 libopenssl0_9_8-0.9.8j-106.6.1 libopenssl0_9_8-debuginfo-0.9.8j-106.6.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): compat-openssl098-debugsource-0.9.8j-106.6.1 libopenssl0_9_8-0.9.8j-106.6.1 libopenssl0_9_8-debuginfo-0.9.8j-106.6.1 - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64): compat-openssl098-debugsource-0.9.8j-106.6.1 libopenssl0_9_8-0.9.8j-106.6.1 libopenssl0_9_8-32bit-0.9.8j-106.6.1 libopenssl0_9_8-debuginfo-0.9.8j-106.6.1 libopenssl0_9_8-debuginfo-32bit-0.9.8j-106.6.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): compat-openssl098-debugsource-0.9.8j-106.6.1 libopenssl0_9_8-0.9.8j-106.6.1 libopenssl0_9_8-32bit-0.9.8j-106.6.1 libopenssl0_9_8-debuginfo-0.9.8j-106.6.1 libopenssl0_9_8-debuginfo-32bit-0.9.8j-106.6.1 References: https://www.suse.com/security/cve/CVE-2018-0732.html https://www.suse.com/security/cve/CVE-2018-0737.html https://www.suse.com/security/cve/CVE-2018-0739.html https://bugzilla.suse.com/1087102 https://bugzilla.suse.com/1089039 https://bugzilla.suse.com/1097158 https://bugzilla.suse.com/1097624 https://bugzilla.suse.com/1098592 From sle-updates at lists.suse.com Tue 
Sep 11 04:11:41 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 12:11:41 +0200 (CEST) Subject: SUSE-SU-2018:2684-1: important: Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP1) Message-ID: <20180911101141.11E79FD2D@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2684-1 Rating: important References: #1097108 Cross-References: CVE-2018-10853 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 3.12.74-60_64_99 fixes one issue. The following security issue was fixed: - CVE-2018-10853: A KVM guest userspace to guest kernel write was fixed, which could be used by guest users to crash the guest kernel (bsc#1097108). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1875=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1874=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1875=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1874=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1873=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): kgraft-patch-4_4_121-92_92-default-2-2.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): kgraft-patch-3_12_74-60_64_99-default-2-2.1 kgraft-patch-3_12_74-60_64_99-xen-2-2.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): kgraft-patch-4_4_121-92_92-default-2-2.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): kgraft-patch-3_12_74-60_64_99-default-2-2.1 kgraft-patch-3_12_74-60_64_99-xen-2-2.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): kgraft-patch-3_12_61-52_141-default-2-2.1 kgraft-patch-3_12_61-52_141-xen-2-2.1 References: https://www.suse.com/security/cve/CVE-2018-10853.html https://bugzilla.suse.com/1097108 From sle-updates at lists.suse.com Tue Sep 11 07:08:04 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 15:08:04 +0200 (CEST) Subject: SUSE-SU-2018:2685-1: moderate: Security update for openssh Message-ID: <20180911130804.83FDFFD2C@maintenance.suse.de> SUSE Security Update: Security update for openssh ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2685-1 Rating: moderate References: #1016370 #1017099 #1023275 #1048367 #1053972 #1065000 #1069509 #1076957 #1092582 Cross-References: CVE-2008-1483 CVE-2016-10012 CVE-2016-10708 CVE-2017-15906 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise 
Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that solves four vulnerabilities and has 5 fixes is now available. Description: This update for openssh provides the following fixes: Security issues fixed: - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). - CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). - CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: - bsc#1017099: Enable case-insensitive hostname matching. - bsc#1023275: Add a new switch for printing diagnostic messages in sftp client's batch mode. - bsc#1048367: systemd integration to work around various race conditions. - bsc#1053972: Remove duplicate KEX method. - bsc#1092582: Add missing piece of systemd integration. - Remove the limit on the amount of tasks sshd can run. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1876=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1876=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1876=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): openssh-6.6p1-54.15.2 openssh-askpass-gnome-6.6p1-54.15.1 openssh-askpass-gnome-debuginfo-6.6p1-54.15.1 openssh-debuginfo-6.6p1-54.15.2 openssh-debugsource-6.6p1-54.15.2 openssh-fips-6.6p1-54.15.2 openssh-helpers-6.6p1-54.15.2 openssh-helpers-debuginfo-6.6p1-54.15.2 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): openssh-6.6p1-54.15.2 openssh-askpass-gnome-6.6p1-54.15.1 openssh-askpass-gnome-debuginfo-6.6p1-54.15.1 openssh-debuginfo-6.6p1-54.15.2 openssh-debugsource-6.6p1-54.15.2 openssh-fips-6.6p1-54.15.2 openssh-helpers-6.6p1-54.15.2 openssh-helpers-debuginfo-6.6p1-54.15.2 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): openssh-6.6p1-54.15.2 openssh-askpass-gnome-6.6p1-54.15.1 openssh-askpass-gnome-debuginfo-6.6p1-54.15.1 openssh-debuginfo-6.6p1-54.15.2 openssh-debugsource-6.6p1-54.15.2 openssh-fips-6.6p1-54.15.2 openssh-helpers-6.6p1-54.15.2 openssh-helpers-debuginfo-6.6p1-54.15.2 References: https://www.suse.com/security/cve/CVE-2008-1483.html https://www.suse.com/security/cve/CVE-2016-10012.html https://www.suse.com/security/cve/CVE-2016-10708.html https://www.suse.com/security/cve/CVE-2017-15906.html https://bugzilla.suse.com/1016370 https://bugzilla.suse.com/1017099 https://bugzilla.suse.com/1023275 https://bugzilla.suse.com/1048367 https://bugzilla.suse.com/1053972 https://bugzilla.suse.com/1065000 https://bugzilla.suse.com/1069509 https://bugzilla.suse.com/1076957 https://bugzilla.suse.com/1092582 From sle-updates at lists.suse.com Tue Sep 11 10:07:55 2018 From: sle-updates at lists.suse.com (sle-updates 
at lists.suse.com) Date: Tue, 11 Sep 2018 18:07:55 +0200 (CEST) Subject: SUSE-SU-2018:2686-1: important: Security update for zsh Message-ID: <20180911160755.CB7BDFD2D@maintenance.suse.de> SUSE Security Update: Security update for zsh ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2686-1 Rating: important References: #1107294 #1107296 Cross-References: CVE-2018-0502 CVE-2018-13259 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for zsh to version 5.6 fixes the following security issues: - CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296). - CVE-2018-13259: Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one (bsc#1107294). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1880=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): zsh-5.6-3.6.1 zsh-debuginfo-5.6-3.6.1 zsh-debugsource-5.6-3.6.1 References: https://www.suse.com/security/cve/CVE-2018-0502.html https://www.suse.com/security/cve/CVE-2018-13259.html https://bugzilla.suse.com/1107294 https://bugzilla.suse.com/1107296 From sle-updates at lists.suse.com Tue Sep 11 10:08:36 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 18:08:36 +0200 (CEST) Subject: SUSE-RU-2018:2687-1: moderate: Recommended update for sle-module-legacy-release Message-ID: <20180911160836.35BA4FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for sle-module-legacy-release ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2687-1 Rating: moderate References: #1104195 Affected Products: SUSE Linux Enterprise Module for Legacy Software 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for sle-module-legacy-release fixes the following issues: - Set lifecycle end to 2021-07-31. (bsc#1104195) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 15: zypper in -t patch SUSE-SLE-Module-Legacy-15-2018-1878=1 Package List: - SUSE Linux Enterprise Module for Legacy Software 15 (aarch64 ppc64le s390x x86_64): sle-module-legacy-release-15-114.5.1 References: https://bugzilla.suse.com/1104195 From sle-updates at lists.suse.com Tue Sep 11 10:09:08 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 18:09:08 +0200 (CEST) Subject: SUSE-SU-2018:2688-1: important: Security update for libzypp, zypper Message-ID: <20180911160908.0979AFD2C@maintenance.suse.de> SUSE Security Update: Security update for libzypp, zypper ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2688-1 Rating: important References: #1036304 #1037210 #1038984 #1045735 #1048315 #1054088 #1070851 #1076192 #1079334 #1088705 #1091624 #1092413 #1096803 #1099847 #1100028 #1101349 #1102429 Cross-References: CVE-2017-7435 CVE-2017-7436 CVE-2017-9269 CVE-2018-7685 Affected Products: SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that solves four vulnerabilities and has 13 fixes is now available. 
Description: This update for libzypp, zypper fixes the following issues: libzypp security fixes: - PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - Be sure bad packages do not stay in the cache (bsc#1045735, CVE-2017-9269) - Fix repo gpg check workflows, mainly for unsigned repos and packages (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269) libzypp other changes/bugs fixed: - Update to version 14.45.17 - RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735) - repo refresh: Re-probe if the repository type changes (bsc#1048315) - Use common workflow for downloading packages and srcpackages. This includes a common way of handling and reporting gpg signature and checks. (bsc#1037210) - PackageProvider: as well support downloading SrcPackage (for bsc#1037210) - Adapt to work with GnuPG 2.1.23 (bsc#1054088) - repo refresh: Re-probe if the repository type changes (bsc#1048315) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- Prefer calling "repo2solv" rather than "repo2solv.sh" - libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) zypper security fixes: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) - Adapt download callback to report and handle unsigned packages (bsc#1038984, CVE-2017-7436) zypper other changes/bugs fixed: - Update to version 1.11.70 - Bugfix: Prevent ESC sequence strings from going out of scope (bsc#1092413) - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - do not recommend cron (bsc#1079334) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1879=1 Package List: - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): libzypp-14.45.17-2.82.1 libzypp-debuginfo-14.45.17-2.82.1 libzypp-debugsource-14.45.17-2.82.1 zypper-1.11.70-2.69.2 zypper-debuginfo-1.11.70-2.69.2 zypper-debugsource-1.11.70-2.69.2 - SUSE Linux Enterprise Server 12-LTSS (noarch): zypper-log-1.11.70-2.69.2 References: https://www.suse.com/security/cve/CVE-2017-7435.html https://www.suse.com/security/cve/CVE-2017-7436.html https://www.suse.com/security/cve/CVE-2017-9269.html https://www.suse.com/security/cve/CVE-2018-7685.html https://bugzilla.suse.com/1036304 https://bugzilla.suse.com/1037210 https://bugzilla.suse.com/1038984 https://bugzilla.suse.com/1045735 https://bugzilla.suse.com/1048315 https://bugzilla.suse.com/1054088 https://bugzilla.suse.com/1070851 https://bugzilla.suse.com/1076192 https://bugzilla.suse.com/1079334 https://bugzilla.suse.com/1088705 https://bugzilla.suse.com/1091624 https://bugzilla.suse.com/1092413 https://bugzilla.suse.com/1096803 https://bugzilla.suse.com/1099847 https://bugzilla.suse.com/1100028 https://bugzilla.suse.com/1101349 https://bugzilla.suse.com/1102429 From sle-updates at lists.suse.com Tue Sep 11 13:07:50 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 21:07:50 +0200 (CEST) Subject: SUSE-SU-2018:2689-1: moderate: Security update for spark Message-ID: <20180911190750.529D4FD2D@maintenance.suse.de> SUSE Security Update: Security update for spark ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2689-1 Rating: moderate References: #1087837 Cross-References: CVE-2018-9159 Affected Products: SUSE Manager Server 3.1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for spark fixes the following security issue: - CVE-2018-9159: Fix a security problem in the serving of static files. (bsc#1087837) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-1885=1 Package List: - SUSE Manager Server 3.1 (noarch): spark-2.3-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-9159.html https://bugzilla.suse.com/1087837 From sle-updates at lists.suse.com Tue Sep 11 13:08:21 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 21:08:21 +0200 (CEST) Subject: SUSE-SU-2018:2690-1: important: Security update for libzypp, zypper Message-ID: <20180911190821.C1B4BFD2C@maintenance.suse.de> SUSE Security Update: Security update for libzypp, zypper ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2690-1 Rating: important References: #1036304 #1041178 #1043166 #1045735 #1058515 #1066215 #1070770 #1070851 #1082318 #1084525 #1088037 #1088705 #1091624 #1092413 #1093103 #1096217 #1096617 #1096803 #1099847 #1100028 #1100095 #1100427 #1101349 #1102019 #1102429 #408814 #428822 #907538 Cross-References: CVE-2017-9269 CVE-2018-7685 Affected Products: SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has 26 fixes is now available. 
Description: This update for libzypp, zypper, libsolv provides the following fixes: Security fixes in libzypp: - CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705) - CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735) Changes in libzypp: - Update to version 17.6.4 - Automatically fetch repository signing key from gpgkey url (bsc#1088037) - lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304) - Check for not imported keys after multi key import from rpmdb (bsc#1096217) - Flags: make it std=c++14 ready - Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617) - Show GPGME version in log - Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427) - RepoInfo::provideKey: add report telling where we look for missing keys. - Support listing gpgkey URLs in repo files (bsc#1088037) - Add new report to request user approval for importing a package key - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - Add filesize check for downloads with known size (bsc#408814) - Removed superfluous space in translation (bsc#1102019) - Prevent the system from sleeping during a commit - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - Avoid zombies from ExternalProgram - Update ApiConfig - HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803) - lsof: use '-K i' if lsof supports it (bsc#1099847) - Add filesize check for downloads with known size (bsc#408814) - Fix detection of metalink downloads and prevent aborting if a metalink file is larger than the expected data file. 
- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095) - Make use of %license macro (bsc#1082318) Security fix in zypper: - CVE-2017-9269: Improve signature check callback messages (bsc#1045735) Changes in zypper: - Always set error status if any number of unknown repositories are passed to lr and ref (bsc#1093103) - Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217) - Detect read only filesystem on system modifying operations (fixes #199) - Use %license (bsc#1082318) - Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc#1041178) - Fix broken display of detailed query results. - Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770) - Disable repository operations when searching installed packages. (bsc#1084525) - Prevent nested calls to exit() if aborted by a signal. (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413) - Fix some translation errors. - Support listing gpgkey URLs in repo files (bsc#1088037) - Check for root privileges in zypper verify and si (bsc#1058515) - XML attribute `packages-to-change` added (bsc#1102429) - Add expert (allow-*) options to all installer commands (bsc#428822) - Sort search results by multiple columns (bsc#1066215) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Set error status if repositories passed to lr and ref are not known (bsc#1093103) - Do not override table style in search - Fix out of bound read in MbsIterator - Add --supplements switch to search and info - Add setter functions for zypp cache related config values to ZConfig Changes in libsolv: - convert repo2solv.sh script into a binary tool - Make use of %license macro (bsc#1082318) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1883=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1883=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): libsolv-debuginfo-0.6.35-3.5.2 libsolv-debugsource-0.6.35-3.5.2 perl-solv-0.6.35-3.5.2 perl-solv-debuginfo-0.6.35-3.5.2 python3-solv-0.6.35-3.5.2 python3-solv-debuginfo-0.6.35-3.5.2 ruby-solv-0.6.35-3.5.2 ruby-solv-debuginfo-0.6.35-3.5.2 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libsolv-debuginfo-0.6.35-3.5.2 libsolv-debugsource-0.6.35-3.5.2 libsolv-devel-0.6.35-3.5.2 libsolv-devel-debuginfo-0.6.35-3.5.2 libsolv-tools-0.6.35-3.5.2 libsolv-tools-debuginfo-0.6.35-3.5.2 libzypp-17.6.4-3.10.1 libzypp-debuginfo-17.6.4-3.10.1 libzypp-debugsource-17.6.4-3.10.1 libzypp-devel-17.6.4-3.10.1 python-solv-0.6.35-3.5.2 python-solv-debuginfo-0.6.35-3.5.2 zypper-1.14.10-3.7.1 zypper-debuginfo-1.14.10-3.7.1 zypper-debugsource-1.14.10-3.7.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): zypper-log-1.14.10-3.7.1 References: https://www.suse.com/security/cve/CVE-2017-9269.html https://www.suse.com/security/cve/CVE-2018-7685.html https://bugzilla.suse.com/1036304 https://bugzilla.suse.com/1041178 https://bugzilla.suse.com/1043166 https://bugzilla.suse.com/1045735 https://bugzilla.suse.com/1058515 https://bugzilla.suse.com/1066215 https://bugzilla.suse.com/1070770 https://bugzilla.suse.com/1070851 https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1084525 https://bugzilla.suse.com/1088037 https://bugzilla.suse.com/1088705 https://bugzilla.suse.com/1091624 https://bugzilla.suse.com/1092413 https://bugzilla.suse.com/1093103 https://bugzilla.suse.com/1096217 https://bugzilla.suse.com/1096617 https://bugzilla.suse.com/1096803 
https://bugzilla.suse.com/1099847 https://bugzilla.suse.com/1100028 https://bugzilla.suse.com/1100095 https://bugzilla.suse.com/1100427 https://bugzilla.suse.com/1101349 https://bugzilla.suse.com/1102019 https://bugzilla.suse.com/1102429 https://bugzilla.suse.com/408814 https://bugzilla.suse.com/428822 https://bugzilla.suse.com/907538 From sle-updates at lists.suse.com Tue Sep 11 13:12:58 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 21:12:58 +0200 (CEST) Subject: SUSE-RU-2018:2691-1: moderate: Recommended update for tigervnc Message-ID: <20180911191258.B3663FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for tigervnc ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2691-1 Rating: moderate References: #1095664 #1103552 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for tigervnc fixes the following issues: - Fix a bug where scrolling was not possible. (bsc#1095664) - Fix xvnc-novnc.service's dependency. (bsc#1103552) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1882=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1882=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): libXvnc-devel-1.8.0-13.5.2 tigervnc-debuginfo-1.8.0-13.5.2 tigervnc-debugsource-1.8.0-13.5.2 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libXvnc1-1.8.0-13.5.2 libXvnc1-debuginfo-1.8.0-13.5.2 tigervnc-1.8.0-13.5.2 tigervnc-debuginfo-1.8.0-13.5.2 tigervnc-debugsource-1.8.0-13.5.2 xorg-x11-Xvnc-1.8.0-13.5.2 xorg-x11-Xvnc-debuginfo-1.8.0-13.5.2 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): xorg-x11-Xvnc-novnc-1.8.0-13.5.2 References: https://bugzilla.suse.com/1095664 https://bugzilla.suse.com/1103552 From sle-updates at lists.suse.com Tue Sep 11 13:13:38 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 11 Sep 2018 21:13:38 +0200 (CEST) Subject: SUSE-RU-2018:2692-1: moderate: Recommended update for cluster-glue Message-ID: <20180911191338.D69D7FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for cluster-glue ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2692-1 Rating: moderate References: #1088656 #1098758 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise High Availability 12-SP3 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update for cluster-glue fixes the following issues: - Fix: stonith:ibmhmc: Add "managedsyspat" and "password" as supported parameters (bsc#1098758) - external/ec2: Avoid unicode errors and improve performance (bsc#1088656) - external/ec2: Mitigate fence race (bsc#1088656) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1881=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-1881=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): cluster-glue-debuginfo-1.0.12+v1.git.1485976882.03d61cd-3.8.1 cluster-glue-debugsource-1.0.12+v1.git.1485976882.03d61cd-3.8.1 libglue-devel-1.0.12+v1.git.1485976882.03d61cd-3.8.1 libglue-devel-debuginfo-1.0.12+v1.git.1485976882.03d61cd-3.8.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): cluster-glue-1.0.12+v1.git.1485976882.03d61cd-3.8.1 cluster-glue-debuginfo-1.0.12+v1.git.1485976882.03d61cd-3.8.1 cluster-glue-debugsource-1.0.12+v1.git.1485976882.03d61cd-3.8.1 libglue2-1.0.12+v1.git.1485976882.03d61cd-3.8.1 libglue2-debuginfo-1.0.12+v1.git.1485976882.03d61cd-3.8.1 References: https://bugzilla.suse.com/1088656 https://bugzilla.suse.com/1098758 From sle-updates at lists.suse.com Wed Sep 12 07:07:59 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 12 Sep 2018 15:07:59 +0200 (CEST) Subject: SUSE-SU-2018:2696-1: moderate: Security update for python3 Message-ID: <20180912130759.D564BFD2D@maintenance.suse.de> SUSE Security Update: Security update for python3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2696-1 Rating: moderate References: #1086001 
#1088004 #1088009 #1107030 Cross-References: CVE-2018-1060 CVE-2018-1061 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Module for Web Scripting 12 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that solves two vulnerabilities and has two fixes is now available. Description: This update for python3 provides the following fixes: These security issues were fixed: - CVE-2018-1061: Prevent catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could have used this flaw to cause denial of service (bsc#1088004). - CVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop() method. An attacker could have used this flaw to cause denial of service (bsc#1088009). These non-security issues were fixed: - Sort files and directories when creating tarfile archives so that they are created in a more predictable way. (bsc#1086001) - Add -fwrapv to OPTS (bsc#1107030) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1886=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1886=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-1886=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1886=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): python3-base-debuginfo-3.4.6-25.16.1 python3-base-debugsource-3.4.6-25.16.1 python3-devel-3.4.6-25.16.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64): python3-devel-debuginfo-3.4.6-25.16.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.6-25.16.1 libpython3_4m1_0-debuginfo-3.4.6-25.16.1 python3-3.4.6-25.16.1 python3-base-3.4.6-25.16.1 python3-base-debuginfo-3.4.6-25.16.1 python3-base-debugsource-3.4.6-25.16.1 python3-curses-3.4.6-25.16.1 python3-curses-debuginfo-3.4.6-25.16.1 python3-debuginfo-3.4.6-25.16.1 python3-debugsource-3.4.6-25.16.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.6-25.16.1 libpython3_4m1_0-debuginfo-3.4.6-25.16.1 python3-3.4.6-25.16.1 python3-base-3.4.6-25.16.1 python3-base-debuginfo-3.4.6-25.16.1 python3-base-debugsource-3.4.6-25.16.1 python3-debuginfo-3.4.6-25.16.1 python3-debugsource-3.4.6-25.16.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libpython3_4m1_0-3.4.6-25.16.1 libpython3_4m1_0-debuginfo-3.4.6-25.16.1 python3-3.4.6-25.16.1 python3-base-3.4.6-25.16.1 python3-base-debuginfo-3.4.6-25.16.1 python3-base-debugsource-3.4.6-25.16.1 python3-curses-3.4.6-25.16.1 python3-curses-debuginfo-3.4.6-25.16.1 python3-debuginfo-3.4.6-25.16.1 python3-debugsource-3.4.6-25.16.1 References: https://www.suse.com/security/cve/CVE-2018-1060.html 
https://www.suse.com/security/cve/CVE-2018-1061.html https://bugzilla.suse.com/1086001 https://bugzilla.suse.com/1088004 https://bugzilla.suse.com/1088009 https://bugzilla.suse.com/1107030 From sle-updates at lists.suse.com Wed Sep 12 10:07:55 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 12 Sep 2018 18:07:55 +0200 (CEST) Subject: SUSE-RU-2018:2697-1: moderate: Recommended update for python-websocket-client Message-ID: <20180912160755.1D214FD17@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-websocket-client ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2697-1 Rating: moderate References: #1076519 Affected Products: SUSE Manager Tools 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python-websocket-client fixes the following issues: - Use system's CA bundle file by default. (bsc#1076519) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Tools 15: zypper in -t patch SUSE-SLE-Manager-Tools-15-2018-1887=1 Package List: - SUSE Manager Tools 15 (noarch): python3-websocket-client-0.44.0-3.3.1 References: https://bugzilla.suse.com/1076519 From sle-updates at lists.suse.com Wed Sep 12 10:08:29 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 12 Sep 2018 18:08:29 +0200 (CEST) Subject: SUSE-RU-2018:2698-1: moderate: Recommended update for xorg-x11-libxcb Message-ID: <20180912160829.A8DA0FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for xorg-x11-libxcb ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2698-1 Rating: moderate References: #1070498 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for xorg-x11-libxcb provides the following fix: - Backport a new XCB hand off mechanism to fix crashes in some clients. (bsc#1070498) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-xorg-x11-libxcb-13775=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-xorg-x11-libxcb-13775=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-xorg-x11-libxcb-13775=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-xorg-x11-libxcb-13775=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-xorg-x11-libxcb-13775=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-xorg-x11-libxcb-13775=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libxcb-devel-7.4-1.31.6.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): xorg-x11-libxcb-devel-32bit-7.4-1.31.6.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libxcb-7.4-1.31.6.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): xorg-x11-libxcb-32bit-7.4-1.31.6.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): xorg-x11-libxcb-x86-7.4-1.31.6.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): xorg-x11-libxcb-7.4-1.31.6.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64): xorg-x11-libxcb-32bit-7.4-1.31.6.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): xorg-x11-libxcb-7.4-1.31.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libxcb-debuginfo-7.4-1.31.6.1 xorg-x11-libxcb-debugsource-7.4-1.31.6.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): xorg-x11-libxcb-debuginfo-7.4-1.31.6.1 xorg-x11-libxcb-debugsource-7.4-1.31.6.1 References: https://bugzilla.suse.com/1070498 From sle-updates at lists.suse.com Thu Sep 13 04:11:08 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 12:11:08 +0200 (CEST) Subject: SUSE-SU-2018:2699-1: moderate: Security 
update for tomcat Message-ID: <20180913101108.C355CFD17@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2699-1 Rating: moderate References: #1067720 #1093697 #1095472 #1102379 #1102400 #1102410 Cross-References: CVE-2018-1336 CVE-2018-8014 CVE-2018-8034 CVE-2018-8037 Affected Products: SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that solves four vulnerabilities and has two fixes is now available. Description: This update for tomcat to 8.0.53 fixes the following issues: Security issue fixed: - CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder with supplementary characters could have led to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). Bug fixes: - bsc#1067720: Avoid overwriting of customer's configuration during update. - bsc#1095472: Add Obsoletes for tomcat6 packages. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1890=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (noarch): tomcat-8.0.53-29.13.1 tomcat-admin-webapps-8.0.53-29.13.1 tomcat-docs-webapp-8.0.53-29.13.1 tomcat-el-3_0-api-8.0.53-29.13.1 tomcat-javadoc-8.0.53-29.13.1 tomcat-jsp-2_3-api-8.0.53-29.13.1 tomcat-lib-8.0.53-29.13.1 tomcat-servlet-3_1-api-8.0.53-29.13.1 tomcat-webapps-8.0.53-29.13.1 References: https://www.suse.com/security/cve/CVE-2018-1336.html https://www.suse.com/security/cve/CVE-2018-8014.html https://www.suse.com/security/cve/CVE-2018-8034.html https://www.suse.com/security/cve/CVE-2018-8037.html https://bugzilla.suse.com/1067720 https://bugzilla.suse.com/1093697 https://bugzilla.suse.com/1095472 https://bugzilla.suse.com/1102379 https://bugzilla.suse.com/1102400 https://bugzilla.suse.com/1102410 From sle-updates at lists.suse.com Thu Sep 13 10:08:11 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 18:08:11 +0200 (CEST) Subject: SUSE-RU-2018:2700-1: moderate: Recommended update for slurm Message-ID: <20180913160811.A8F04FD2D@maintenance.suse.de> SUSE Recommended Update: Recommended update for slurm ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2700-1 Rating: moderate References: #1084917 #1103561 Affected Products: SUSE Linux Enterprise Module for HPC 12 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for slurm fixes the following issues: - When using a remote shared StateSaveLocation, slurmctld needs to be started after remote filesystems have become available. (bsc#1103561) - Fix race in the slurmctld backup controller which prevents it from cleaning up allocations on nodes properly after failing over. 
(bsc#1084917) - Recommend slurm-munge in slurm-slurmdbd. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 12: zypper in -t patch SUSE-SLE-Module-HPC-12-2018-1891=1 Package List: - SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64): libpmi0-17.02.11-6.22.1 libpmi0-debuginfo-17.02.11-6.22.1 libslurm31-17.02.11-6.22.1 libslurm31-debuginfo-17.02.11-6.22.1 perl-slurm-17.02.11-6.22.1 perl-slurm-debuginfo-17.02.11-6.22.1 slurm-17.02.11-6.22.1 slurm-auth-none-17.02.11-6.22.1 slurm-auth-none-debuginfo-17.02.11-6.22.1 slurm-config-17.02.11-6.22.1 slurm-debuginfo-17.02.11-6.22.1 slurm-debugsource-17.02.11-6.22.1 slurm-devel-17.02.11-6.22.1 slurm-doc-17.02.11-6.22.1 slurm-lua-17.02.11-6.22.1 slurm-lua-debuginfo-17.02.11-6.22.1 slurm-munge-17.02.11-6.22.1 slurm-munge-debuginfo-17.02.11-6.22.1 slurm-pam_slurm-17.02.11-6.22.1 slurm-pam_slurm-debuginfo-17.02.11-6.22.1 slurm-plugins-17.02.11-6.22.1 slurm-plugins-debuginfo-17.02.11-6.22.1 slurm-sched-wiki-17.02.11-6.22.1 slurm-slurmdb-direct-17.02.11-6.22.1 slurm-slurmdbd-17.02.11-6.22.1 slurm-slurmdbd-debuginfo-17.02.11-6.22.1 slurm-sql-17.02.11-6.22.1 slurm-sql-debuginfo-17.02.11-6.22.1 slurm-torque-17.02.11-6.22.1 slurm-torque-debuginfo-17.02.11-6.22.1 References: https://bugzilla.suse.com/1084917 https://bugzilla.suse.com/1103561 From sle-updates at lists.suse.com Thu Sep 13 10:09:02 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 18:09:02 +0200 (CEST) Subject: SUSE-RU-2018:2701-1: moderate: Recommended update for cluster-glue Message-ID: <20180913160902.42F97FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for cluster-glue ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2701-1 Rating: moderate 
References: #1088656 #1098758 Affected Products: SUSE Linux Enterprise High Availability 12-SP2 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for cluster-glue provides the following fixes: - external/ec2: Avoid unicode errors and improve performance. (bsc#1088656) - external/ec2: Mitigate fence race. (bsc#1088656) - stonith:ibmhmc: Add "managedsyspat" and "password" as supported parameters. (bsc#1098758) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2018-1894=1 Package List: - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): cluster-glue-1.0.12-22.8.1 cluster-glue-debuginfo-1.0.12-22.8.1 cluster-glue-debugsource-1.0.12-22.8.1 libglue2-1.0.12-22.8.1 libglue2-debuginfo-1.0.12-22.8.1 References: https://bugzilla.suse.com/1088656 https://bugzilla.suse.com/1098758 From sle-updates at lists.suse.com Thu Sep 13 10:09:52 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 18:09:52 +0200 (CEST) Subject: SUSE-RU-2018:2702-1: moderate: Recommended update for python-M2Crypto Message-ID: <20180913160952.B1560FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-M2Crypto ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2702-1 Rating: moderate References: #1072973 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for python-M2Crypto provides version 0.29.0 and brings many fixes and improvements. For a detailed description, please refer to the changelog. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1893=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1893=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1893=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): python-M2Crypto-0.29.0-22.3.1 python-M2Crypto-debuginfo-0.29.0-22.3.1 python-M2Crypto-debugsource-0.29.0-22.3.1 python3-M2Crypto-0.29.0-22.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): python-M2Crypto-0.29.0-22.3.1 python-M2Crypto-debuginfo-0.29.0-22.3.1 python-M2Crypto-debugsource-0.29.0-22.3.1 python3-M2Crypto-0.29.0-22.3.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): python-M2Crypto-0.29.0-22.3.1 python-M2Crypto-debuginfo-0.29.0-22.3.1 python-M2Crypto-debugsource-0.29.0-22.3.1 python3-M2Crypto-0.29.0-22.3.1 References: https://bugzilla.suse.com/1072973 From sle-updates at lists.suse.com Thu Sep 13 10:10:29 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 18:10:29 +0200 (CEST) Subject: SUSE-RU-2018:2703-1: moderate: Recommended update for velum Message-ID: <20180913161029.0E2EFFD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for velum ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2703-1 Rating: moderate References: #1098085 #1107080 #1107081 #1107082 Affected Products: SUSE CaaS Platform 3.0 
______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for velum provides several fixes for Public Cloud instances (bsc#1098085, bsc#1107080, bsc#1107081, bsc#1107082) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE CaaS Platform 3.0 (x86_64): sles12-velum-image-3.1.1-3.8.3 References: https://bugzilla.suse.com/1098085 https://bugzilla.suse.com/1107080 https://bugzilla.suse.com/1107081 https://bugzilla.suse.com/1107082 From sle-updates at lists.suse.com Thu Sep 13 10:11:27 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 18:11:27 +0200 (CEST) Subject: SUSE-SU-2018:2704-1: moderate: Security update for podman Message-ID: <20180913161127.7120CFD2C@maintenance.suse.de> SUSE Security Update: Security update for podman ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2704-1 Rating: moderate References: #1097970 Cross-References: CVE-2018-10856 Affected Products: SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for podman to version 0.8.5 fixes the following issues: This security issue was fixed: - CVE-2018-10856: podman did not drop capabilities when executing a container as a non-root user. This resulted in unnecessary privileges being granted to the container (bsc#1097970). 
For additional non-security changes please refer to the changelog. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE CaaS Platform 3.0 (x86_64): podman-0.8.5-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-10856.html https://bugzilla.suse.com/1097970 From sle-updates at lists.suse.com Thu Sep 13 10:12:00 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 18:12:00 +0200 (CEST) Subject: SUSE-RU-2018:2705-1: moderate: Recommended update for patterns-base Message-ID: <20180913161200.203EBFD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for patterns-base ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2705-1 Rating: moderate References: #1095916 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for patterns-base fixes the following issues: - Moved xfsprogs from the enhanced base pattern to the minimal base pattern and recommends instead of suggests it. (bsc#1095916) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1892=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): patterns-base-apparmor-20171206-24.3.1 patterns-base-apparmor-32bit-20171206-24.3.1 patterns-base-base-20171206-24.3.1 patterns-base-base-32bit-20171206-24.3.1 patterns-base-basesystem-20171206-24.3.1 patterns-base-documentation-20171206-24.3.1 patterns-base-enhanced_base-20171206-24.3.1 patterns-base-enhanced_base-32bit-20171206-24.3.1 patterns-base-minimal_base-20171206-24.3.1 patterns-base-minimal_base-32bit-20171206-24.3.1 patterns-base-sw_management-20171206-24.3.1 patterns-base-sw_management-32bit-20171206-24.3.1 patterns-base-x11-20171206-24.3.1 patterns-base-x11-32bit-20171206-24.3.1 patterns-base-x11_enhanced-20171206-24.3.1 patterns-base-x11_enhanced-32bit-20171206-24.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le x86_64): patterns-base-32bit-20171206-24.3.1 References: https://bugzilla.suse.com/1095916 From sle-updates at lists.suse.com Thu Sep 13 13:07:56 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 21:07:56 +0200 (CEST) Subject: SUSE-RU-2018:2706-1: moderate: Recommended update for slurm Message-ID: <20180913190756.168F6FD2D@maintenance.suse.de> SUSE Recommended Update: Recommended update for slurm ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2706-1 Rating: moderate References: #1084917 #1103561 Affected Products: SUSE Linux Enterprise Module for HPC 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update for slurm provides version 17.11.9 and fixes the following issues: - When using a remote shared StateSaveLocation, slurmctld needs to be started after remote filesystems have become available. (bsc#1103561) - Fix race in the slurmctld backup controller which prevents it from cleaning up allocations on nodes properly after failing over. (bsc#1084917) - Fix segfault in slurmctld when a job's node bitmap is NULL during a scheduling cycle. - Remove erroneous unlock in acct_gather_energy/ipmi. - Enable support for hwloc version 2.0.1. - Fix 'srun -q' (--qos) option handling. - Fix socket communication issue that can lead to lost task completion messages, which will cause a permanently stuck srun process. - Avoid node layout fragmentation if running with a fixed CPU count but without Sockets and CoresPerSocket defined. - burst_buffer/cray: Fix datawarp swap default pool overriding jobdw. - Fix incorrect job priority assignment for multi-partition job with different PriorityTier settings on the partitions. - Fix sinfo to print correct node state. - Do not allocate nodes that were marked down due to the node not responding by ResumeTimeout. - task/cray plugin: Search for "mems" cgroup information in the file "cpuset.mems" then fall back to the file "mems". - Fix ipmi profile debug uninitialized variable. - PMIx: Fixed the direct connect inline msg sending. - MYSQL: Fix issue not handling all fields when loading an archive dump. - Allow a job_submit plugin to change the admin_comment field during job_submit_plugin_modify(). - job_submit/lua: Fix access into reservation table. - MySQL: Prevent deadlock caused by archive logic locking reads. - Don't enforce MaxQueryTimeRange when requesting specific jobs. - Modify --test-only logic to properly support jobs submitted to more than one partition. - Prevent slurmctld from aborting when attempting to set non-existing qos as def_qos_id. - Add new job dependency type of "afterburstbuffer". 
The pending job will be delayed until the first job completes execution and its burst buffer stage-out is completed. - Reorder proctrack/task plugin load in the slurmstepd to match that of slurmd and avoid race condition calling task before proctrack can introduce. - Prevent reboot of a busy KNL node when requesting inactive features. - Fix to reinitialize previously adjusted job members to their original value when validating the job memory in multi-partition requests. - Fix _step_signal() from always returning SLURM_SUCCESS. - Combine active and available node feature change logs on one line rather than one line per node for performance reasons. - Prevent occasionally leaking freezer cgroups. - Fix potential segfault when closing the mpi/pmi2 plugin. - Fix issues with --exclusive=[user|mcs] to work correctly with preemption or when job requests a specific list of hosts. - mpi/pmix: Fixed the collectives canceling. - SlurmDBD: Improve error message handling on archive load failure. - Fix incorrect locking when deleting reservations. - Fix incorrect locking when setting up the power save module. - Fix setting format output length for squeue when showing array jobs. - Add xstrstr function. - Fix printing out of --hint options in sbatch, salloc --help. - Prevent possible divide by zero in _validate_time_limit(). - Add Delegate=yes to the slurmd.service file to prevent systemd from interfering with the jobs' cgroup hierarchies. - Change the backlog argument to the listen() syscall within srun to 4096 to match elsewhere in the code, and avoid communication problems at scale. - Recommend slurm-munge for slurm-slurmdbd. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 15: zypper in -t patch SUSE-SLE-Module-HPC-15-2018-1898=1 Package List: - SUSE Linux Enterprise Module for HPC 15 (aarch64 x86_64): libpmi0-17.11.9-6.9.1 libpmi0-debuginfo-17.11.9-6.9.1 libslurm32-17.11.9-6.9.1 libslurm32-debuginfo-17.11.9-6.9.1 perl-slurm-17.11.9-6.9.1 perl-slurm-debuginfo-17.11.9-6.9.1 slurm-17.11.9-6.9.1 slurm-auth-none-17.11.9-6.9.1 slurm-auth-none-debuginfo-17.11.9-6.9.1 slurm-config-17.11.9-6.9.1 slurm-debuginfo-17.11.9-6.9.1 slurm-debugsource-17.11.9-6.9.1 slurm-devel-17.11.9-6.9.1 slurm-doc-17.11.9-6.9.1 slurm-lua-17.11.9-6.9.1 slurm-lua-debuginfo-17.11.9-6.9.1 slurm-munge-17.11.9-6.9.1 slurm-munge-debuginfo-17.11.9-6.9.1 slurm-node-17.11.9-6.9.1 slurm-node-debuginfo-17.11.9-6.9.1 slurm-pam_slurm-17.11.9-6.9.1 slurm-pam_slurm-debuginfo-17.11.9-6.9.1 slurm-plugins-17.11.9-6.9.1 slurm-plugins-debuginfo-17.11.9-6.9.1 slurm-slurmdbd-17.11.9-6.9.1 slurm-slurmdbd-debuginfo-17.11.9-6.9.1 slurm-sql-17.11.9-6.9.1 slurm-sql-debuginfo-17.11.9-6.9.1 slurm-torque-17.11.9-6.9.1 slurm-torque-debuginfo-17.11.9-6.9.1 References: https://bugzilla.suse.com/1084917 https://bugzilla.suse.com/1103561 From sle-updates at lists.suse.com Thu Sep 13 13:08:39 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 21:08:39 +0200 (CEST) Subject: SUSE-RU-2018:2707-1: moderate: Recommended update for python3-gcemetadata Message-ID: <20180913190839.A1077FD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for python3-gcemetadata ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2707-1 Rating: moderate References: #1097505 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for python3-gcemetadata fixes the following issues: - Support instances with multiple NICs. (bsc#1097505) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2018-1897=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15 (noarch): python3-gcemetadata-1.0.1-3.3.7 References: https://bugzilla.suse.com/1097505 From sle-updates at lists.suse.com Thu Sep 13 13:09:11 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 13 Sep 2018 21:09:11 +0200 (CEST) Subject: SUSE-RU-2018:2708-1: moderate: Recommended update for gnome-shell, gnome-shell-extensions Message-ID: <20180913190911.B81AAFD2C@maintenance.suse.de> SUSE Recommended Update: Recommended update for gnome-shell, gnome-shell-extensions ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2708-1 Rating: moderate References: #1017412 #1046570 #1102648 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for gnome-shell and gnome-shell-extensions provides the following fix: - Fix pixbuf refcount memory leaks on async operations. (bsc#1017412) - Fix a problem that was making only half of the panel visible in some cases. 
(bsc#1046570) - Hide authentication dialogs while screen is locked (bsc#1102648) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1899=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1899=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1899=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1899=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): gnome-shell-calendar-3.20.4-77.17.1 gnome-shell-calendar-debuginfo-3.20.4-77.17.1 gnome-shell-debuginfo-3.20.4-77.17.1 gnome-shell-debugsource-3.20.4-77.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): gnome-shell-debuginfo-3.20.4-77.17.1 gnome-shell-debugsource-3.20.4-77.17.1 gnome-shell-devel-3.20.4-77.17.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): gnome-shell-3.20.4-77.17.1 gnome-shell-browser-plugin-3.20.4-77.17.1 gnome-shell-browser-plugin-debuginfo-3.20.4-77.17.1 gnome-shell-debuginfo-3.20.4-77.17.1 gnome-shell-debugsource-3.20.4-77.17.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): gnome-shell-classic-3.20.1-24.27.44 gnome-shell-extensions-common-3.20.1-24.27.44 gnome-shell-extensions-common-lang-3.20.1-24.27.44 gnome-shell-lang-3.20.4-77.17.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): gnome-shell-3.20.4-77.17.1 gnome-shell-browser-plugin-3.20.4-77.17.1 gnome-shell-browser-plugin-debuginfo-3.20.4-77.17.1 gnome-shell-calendar-3.20.4-77.17.1 gnome-shell-calendar-debuginfo-3.20.4-77.17.1 gnome-shell-debuginfo-3.20.4-77.17.1 gnome-shell-debugsource-3.20.4-77.17.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): 
gnome-shell-classic-3.20.1-24.27.44 gnome-shell-extensions-common-3.20.1-24.27.44 gnome-shell-extensions-common-lang-3.20.1-24.27.44 gnome-shell-lang-3.20.4-77.17.1 References: https://bugzilla.suse.com/1017412 https://bugzilla.suse.com/1046570 https://bugzilla.suse.com/1102648 From sle-updates at lists.suse.com Thu Sep 13 19:07:57 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 03:07:57 +0200 (CEST) Subject: SUSE-SU-2018:2709-1: important: Security update for spice-gtk Message-ID: <20180914010757.2883EFD2D@maintenance.suse.de> SUSE Security Update: Security update for spice-gtk ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2709-1 Rating: important References: #1101295 #1101420 #1104448 Cross-References: CVE-2018-10873 CVE-2018-10893 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for spice-gtk fixes the following issues: Security issues fixed: - CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448) - CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295) Other bugs fixed: - Add setuid bit to spice-client-glib-usb-acl-helper (bsc#1101420) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-1900=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1900=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): spice-gtk-debuginfo-0.34-3.3.1 spice-gtk-debugsource-0.34-3.3.1 spice-gtk-devel-0.34-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.34-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.34-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libspice-client-glib-2_0-8-0.34-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.34-3.3.1 libspice-client-glib-helper-0.34-3.3.1 libspice-client-glib-helper-debuginfo-0.34-3.3.1 libspice-client-gtk-3_0-5-0.34-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.34-3.3.1 libspice-controller0-0.34-3.3.1 libspice-controller0-debuginfo-0.34-3.3.1 spice-gtk-debuginfo-0.34-3.3.1 spice-gtk-debugsource-0.34-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-10873.html https://www.suse.com/security/cve/CVE-2018-10893.html https://bugzilla.suse.com/1101295 https://bugzilla.suse.com/1101420 https://bugzilla.suse.com/1104448 From sle-updates at lists.suse.com Fri Sep 14 10:09:03 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 18:09:03 +0200 (CEST) Subject: SUSE-RU-2018:2713-1: moderate: Recommended update for vncmanager Message-ID: <20180914160903.58524FD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for vncmanager ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2713-1 Rating: moderate References: #1103552 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that has one recommended fix can 
now be installed. Description: This update for vncmanager fixes the following issues: - Declare the service as part of xvnc.target so it can be used as dependency for xvnc-novnc.service. (bsc#1103552) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1901=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): vncmanager-1.0.2-4.3.1 vncmanager-debuginfo-1.0.2-4.3.1 vncmanager-debugsource-1.0.2-4.3.1 References: https://bugzilla.suse.com/1103552 From sle-updates at lists.suse.com Fri Sep 14 10:09:33 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 18:09:33 +0200 (CEST) Subject: SUSE-SU-2018:2714-1: moderate: Security update for curl Message-ID: <20180914160933.75CA4FCF0@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2714-1 Rating: moderate References: #1086367 #1106019 Cross-References: CVE-2018-14618 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. 
Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1904=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): curl-7.60.0-3.9.1 curl-debuginfo-7.60.0-3.9.1 curl-debugsource-7.60.0-3.9.1 libcurl-devel-7.60.0-3.9.1 libcurl4-7.60.0-3.9.1 libcurl4-debuginfo-7.60.0-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libcurl4-32bit-7.60.0-3.9.1 libcurl4-32bit-debuginfo-7.60.0-3.9.1 References: https://www.suse.com/security/cve/CVE-2018-14618.html https://bugzilla.suse.com/1086367 https://bugzilla.suse.com/1106019 From sle-updates at lists.suse.com Fri Sep 14 10:10:19 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 18:10:19 +0200 (CEST) Subject: SUSE-SU-2018:2715-1: moderate: Security update for curl Message-ID: <20180914161019.2B900FD03@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2715-1 Rating: moderate References: #1089533 #1106019 Cross-References: CVE-2018-14618 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 OpenStack Cloud Magnum Orchestration 7 
______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Fixed erroneous debug message when paired with OpenSSL (bsc#1089533) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1903=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1903=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1903=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1903=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): curl-debuginfo-7.37.0-37.26.1 curl-debugsource-7.37.0-37.26.1 libcurl-devel-7.37.0-37.26.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): curl-7.37.0-37.26.1 curl-debuginfo-7.37.0-37.26.1 curl-debugsource-7.37.0-37.26.1 libcurl4-7.37.0-37.26.1 libcurl4-debuginfo-7.37.0-37.26.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libcurl4-32bit-7.37.0-37.26.1 libcurl4-debuginfo-32bit-7.37.0-37.26.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): curl-7.37.0-37.26.1 curl-debuginfo-7.37.0-37.26.1 curl-debugsource-7.37.0-37.26.1 libcurl4-32bit-7.37.0-37.26.1 libcurl4-7.37.0-37.26.1 libcurl4-debuginfo-32bit-7.37.0-37.26.1 libcurl4-debuginfo-7.37.0-37.26.1 - SUSE CaaS Platform ALL (x86_64): curl-7.37.0-37.26.1 curl-debuginfo-7.37.0-37.26.1 curl-debugsource-7.37.0-37.26.1 libcurl4-7.37.0-37.26.1 libcurl4-debuginfo-7.37.0-37.26.1 - SUSE CaaS Platform 3.0 (x86_64): curl-7.37.0-37.26.1 curl-debuginfo-7.37.0-37.26.1 curl-debugsource-7.37.0-37.26.1 libcurl4-7.37.0-37.26.1 libcurl4-debuginfo-7.37.0-37.26.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): curl-7.37.0-37.26.1 curl-debuginfo-7.37.0-37.26.1 curl-debugsource-7.37.0-37.26.1 libcurl4-7.37.0-37.26.1 libcurl4-debuginfo-7.37.0-37.26.1 References: https://www.suse.com/security/cve/CVE-2018-14618.html https://bugzilla.suse.com/1089533 https://bugzilla.suse.com/1106019 From sle-updates at lists.suse.com Fri Sep 14 10:11:00 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 18:11:00 +0200 (CEST) Subject: SUSE-SU-2018:2716-1: important: Security update for libzypp, zypper Message-ID: <20180914161100.A493FFCF0@maintenance.suse.de> SUSE Security Update: Security update for libzypp, zypper 
______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2716-1 Rating: important References: #1036304 #1045735 #1049825 #1070851 #1076192 #1079334 #1088705 #1091624 #1092413 #1096803 #1099847 #1100028 #1101349 #1102429 Cross-References: CVE-2017-9269 CVE-2018-7685 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Enterprise Storage 4 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that solves two vulnerabilities and has 12 fixes is now available. Description: This update for libzypp, zypper provides the following fixes: Update libzypp to version 16.17.20 Security issues fixed: - PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update zypper to version 1.13.45 Security issue fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - do not recommend cron (bsc#1079334) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1905=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1905=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1905=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1905=1 - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1905=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): libzypp-16.17.20-27.52.1 libzypp-debuginfo-16.17.20-27.52.1 libzypp-debugsource-16.17.20-27.52.1 zypper-1.13.45-18.33.1 zypper-debuginfo-1.13.45-18.33.1 zypper-debugsource-1.13.45-18.33.1 - SUSE OpenStack Cloud 7 (noarch): zypper-log-1.13.45-18.33.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libzypp-16.17.20-27.52.1 libzypp-debuginfo-16.17.20-27.52.1 libzypp-debugsource-16.17.20-27.52.1 zypper-1.13.45-18.33.1 zypper-debuginfo-1.13.45-18.33.1 zypper-debugsource-1.13.45-18.33.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): zypper-log-1.13.45-18.33.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libzypp-16.17.20-27.52.1 libzypp-debuginfo-16.17.20-27.52.1 libzypp-debugsource-16.17.20-27.52.1 zypper-1.13.45-18.33.1 zypper-debuginfo-1.13.45-18.33.1 zypper-debugsource-1.13.45-18.33.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): zypper-log-1.13.45-18.33.1 - SUSE Enterprise Storage 4 (noarch): zypper-log-1.13.45-18.33.1 - SUSE Enterprise Storage 4 (x86_64): libzypp-16.17.20-27.52.1 libzypp-debuginfo-16.17.20-27.52.1 libzypp-debugsource-16.17.20-27.52.1 zypper-1.13.45-18.33.1 zypper-debuginfo-1.13.45-18.33.1 zypper-debugsource-1.13.45-18.33.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): libzypp-16.17.20-27.52.1 libzypp-debuginfo-16.17.20-27.52.1 libzypp-debugsource-16.17.20-27.52.1 zypper-1.13.45-18.33.1 
zypper-debuginfo-1.13.45-18.33.1 zypper-debugsource-1.13.45-18.33.1 References: https://www.suse.com/security/cve/CVE-2017-9269.html https://www.suse.com/security/cve/CVE-2018-7685.html https://bugzilla.suse.com/1036304 https://bugzilla.suse.com/1045735 https://bugzilla.suse.com/1049825 https://bugzilla.suse.com/1070851 https://bugzilla.suse.com/1076192 https://bugzilla.suse.com/1079334 https://bugzilla.suse.com/1088705 https://bugzilla.suse.com/1091624 https://bugzilla.suse.com/1092413 https://bugzilla.suse.com/1096803 https://bugzilla.suse.com/1099847 https://bugzilla.suse.com/1100028 https://bugzilla.suse.com/1101349 https://bugzilla.suse.com/1102429 From sle-updates at lists.suse.com Fri Sep 14 10:13:45 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 18:13:45 +0200 (CEST) Subject: SUSE-SU-2018:2717-1: moderate: Security update for curl Message-ID: <20180914161345.2950CFD03@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2717-1 Rating: moderate References: #1106019 Cross-References: CVE-2018-14618 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SECURITY SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-curl-13776=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-curl-13776=1 - SUSE Linux Enterprise Server 11-SECURITY: zypper in -t patch secsp3-curl-13776=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-curl-13776=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): libcurl-devel-7.37.0-70.33.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): curl-7.37.0-70.33.1 libcurl4-7.37.0-70.33.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libcurl4-32bit-7.37.0-70.33.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): libcurl4-x86-7.37.0-70.33.1 - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64): curl-openssl1-7.37.0-70.33.1 libcurl4-openssl1-7.37.0-70.33.1 - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64): libcurl4-openssl1-32bit-7.37.0-70.33.1 - SUSE Linux Enterprise Server 11-SECURITY (ia64): libcurl4-openssl1-x86-7.37.0-70.33.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): curl-debuginfo-7.37.0-70.33.1 curl-debugsource-7.37.0-70.33.1 References: https://www.suse.com/security/cve/CVE-2018-14618.html https://bugzilla.suse.com/1106019 From sle-updates at lists.suse.com Fri Sep 14 13:08:03 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 21:08:03 +0200 (CEST) Subject: SUSE-RU-2018:2718-1: moderate: Recommended update for snapper Message-ID: <20180914190803.89A77FD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for snapper ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2718-1 Rating: moderate References: #1051922 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 
SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for snapper fixes the following issues: - fixed logging during shutdown of snapperd to avoid core dumps. (bsc#1051922) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1907=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1907=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1907=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libsnapper-devel-0.5.0-3.5.1 snapper-debuginfo-0.5.0-3.5.1 snapper-debugsource-0.5.0-3.5.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libsnapper4-0.5.0-3.5.1 libsnapper4-debuginfo-0.5.0-3.5.1 pam_snapper-0.5.0-3.5.1 pam_snapper-debuginfo-0.5.0-3.5.1 snapper-0.5.0-3.5.1 snapper-debuginfo-0.5.0-3.5.1 snapper-debugsource-0.5.0-3.5.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): snapper-zypp-plugin-0.5.0-3.5.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libsnapper4-0.5.0-3.5.1 libsnapper4-debuginfo-0.5.0-3.5.1 pam_snapper-0.5.0-3.5.1 pam_snapper-debuginfo-0.5.0-3.5.1 snapper-0.5.0-3.5.1 snapper-debuginfo-0.5.0-3.5.1 snapper-debugsource-0.5.0-3.5.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): snapper-zypp-plugin-0.5.0-3.5.1 - SUSE CaaS Platform ALL (x86_64): libsnapper4-0.5.0-3.5.1 libsnapper4-debuginfo-0.5.0-3.5.1 snapper-0.5.0-3.5.1 snapper-debuginfo-0.5.0-3.5.1 snapper-debugsource-0.5.0-3.5.1 - SUSE CaaS Platform 3.0 (x86_64): libsnapper4-0.5.0-3.5.1 libsnapper4-debuginfo-0.5.0-3.5.1 snapper-0.5.0-3.5.1 snapper-debuginfo-0.5.0-3.5.1 snapper-debugsource-0.5.0-3.5.1 References: https://bugzilla.suse.com/1051922 From sle-updates at lists.suse.com Fri Sep 14 13:08:35 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 14 Sep 2018 21:08:35 +0200 (CEST) Subject: SUSE-SU-2018:2719-1: important: Security update for openssh-openssl1 Message-ID: <20180914190835.77CD7FCF0@maintenance.suse.de> SUSE Security Update: Security update for openssh-openssl1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2719-1 Rating: important References: #1016370 #1017099 #1023275 #1053972 #1065000 #1069509 #1076957 Cross-References: CVE-2008-1483 CVE-2016-10012 CVE-2016-10708 CVE-2017-15906 Affected Products: SUSE Linux Enterprise Server 11-SECURITY 
______________________________________________________________________________ An update that solves four vulnerabilities and has three fixes is now available. Description: This update for openssh-openssl1 fixes the following issues: These security issues were fixed: - CVE-2016-10708: Prevent NULL pointer dereference via an out-of-sequence NEWKEYS message, which allowed remote attackers to cause a denial of service (bsc#1076957). - CVE-2017-15906: The process_open function did not properly prevent write operations in readonly mode, which allowed attackers to create zero-length files (bsc#1065000). - CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might have allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370). - CVE-2008-1483: Prevent local users from hijacking forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port. This problem was reintroduced by another patch and was previously fixed by another update (bsc#1069509). These non-security issues were fixed: - Remove duplicate KEX method (bsc#1053972) - New switch for printing diagnostic messages in sftp client's batch mode (bsc#1023275) - Enable case-insensitive hostname matching (bsc#1017099) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SECURITY: zypper in -t patch secsp3-openssh-openssl1-13777=1 Package List: - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64): openssh-openssl1-6.6p1-19.3.1 openssh-openssl1-helpers-6.6p1-19.3.1 References: https://www.suse.com/security/cve/CVE-2008-1483.html https://www.suse.com/security/cve/CVE-2016-10012.html https://www.suse.com/security/cve/CVE-2016-10708.html https://www.suse.com/security/cve/CVE-2017-15906.html https://bugzilla.suse.com/1016370 https://bugzilla.suse.com/1017099 https://bugzilla.suse.com/1023275 https://bugzilla.suse.com/1053972 https://bugzilla.suse.com/1065000 https://bugzilla.suse.com/1069509 https://bugzilla.suse.com/1076957 From sle-updates at lists.suse.com Mon Sep 17 10:08:09 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 17 Sep 2018 18:08:09 +0200 (CEST) Subject: SUSE-RU-2018:2743-1: moderate: Recommended update for python3-susepubliccloudinfo Message-ID: <20180917160809.78170FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for python3-susepubliccloudinfo ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2743-1 Rating: moderate References: #1103684 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python3-susepubliccloudinfo fixes the following issues: - Avoid traceback on improper query options. (bsc#1103684) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2018-1911=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15 (noarch): python3-susepubliccloudinfo-1.0.4-3.3.1 References: https://bugzilla.suse.com/1103684 From sle-updates at lists.suse.com Mon Sep 17 10:08:40 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 17 Sep 2018 18:08:40 +0200 (CEST) Subject: SUSE-RU-2018:2744-1: important: Recommended update for caasp-tools, transactional-update and zypper-migration-plugin Message-ID: <20180917160840.D250EFCCF@maintenance.suse.de> SUSE Recommended Update: Recommended update for caasp-tools, transactional-update and zypper-migration-plugin ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2744-1 Rating: important References: #1098280 #1105992 Affected Products: SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update enables non-interactive migration for transactional-update. Additionally, the following issue has been fixed: - Fix parsing XML-output with zypper version 1.11.70. (bsc#1105992) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE CaaS Platform 3.0 (x86_64): transactional-update-1.29-5.5.1 transactional-update-debuginfo-1.29-5.5.1 transactional-update-debugsource-1.29-5.5.1 - SUSE CaaS Platform 3.0 (noarch): caasp-tools-0.24-10.3.2 zypper-migration-plugin-0.11.1520597355.bcf74ad-3.3.2 References: https://bugzilla.suse.com/1098280 https://bugzilla.suse.com/1105992 From sle-updates at lists.suse.com Mon Sep 17 10:09:19 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 17 Sep 2018 18:09:19 +0200 (CEST) Subject: SUSE-RU-2018:2745-1: important: Recommended update for transactional-update Message-ID: <20180917160919.BA187FCCF@maintenance.suse.de> SUSE Recommended Update: Recommended update for transactional-update ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2745-1 Rating: important References: #1098280 #1105992 Affected Products: SUSE CaaS Platform ALL ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for transactional-update fixes the following issues: - Fix parsing XML-output with zypper version 1.11.70. (bsc#1105992) - Require correct version of zypper-migration-plugin. - Adjust for latest zypper-migration-plugin enhancements (bsc#1098280) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE CaaS Platform ALL (x86_64): transactional-update-1.29-3.16.1 References: https://bugzilla.suse.com/1098280 https://bugzilla.suse.com/1105992 From sle-updates at lists.suse.com Mon Sep 17 10:09:59 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 17 Sep 2018 18:09:59 +0200 (CEST) Subject: SUSE-RU-2018:2746-1: moderate: Recommended update for rpmlint Message-ID: <20180917160959.3DAEDFCCF@maintenance.suse.de> SUSE Recommended Update: Recommended update for rpmlint ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2746-1 Rating: moderate References: #1049694 #1104061 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for rpmlint fixes the following issues: - Register new openvswitch uid and gid (bsc#1104061) - Corrected tpm2-abrmd. The D-Bus activation file is named differently than the configuration file. (bsc#1049694) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1910=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): rpmlint-mini-1.8-2.9.3 rpmlint-mini-debuginfo-1.8-2.9.3 rpmlint-mini-debugsource-1.8-2.9.3 - SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch): rpmlint-1.5-41.8.1 References: https://bugzilla.suse.com/1049694 https://bugzilla.suse.com/1104061 From sle-updates at lists.suse.com Mon Sep 17 13:07:55 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 17 Sep 2018 21:07:55 +0200 (CEST) Subject: SUSE-RU-2018:2747-1: important: Recommended update for python Message-ID: <20180917190755.D72BEFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for python ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2747-1 Rating: important References: #1108253 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python fixes the following issues: A recent maintenance update moved the pyconfig.h header file from python-base to python-devel package which caused breakage of some applications. This update restores the previous state. (bsc#1108253) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-python-13778=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-python-13778=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-python-13778=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-python-13778=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-python-13778=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-python-13778=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): python-devel-2.6.9-40.18.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64): python-demo-2.6.9-40.18.1 python-gdbm-2.6.9-40.18.1 python-idle-2.6.9-40.18.1 python-tk-2.6.9-40.18.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (x86_64): python-32bit-2.6.9-40.18.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch): python-doc-2.6-8.40.18.1 python-doc-pdf-2.6-8.40.18.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libpython2_6-1_0-2.6.9-40.18.1 python-2.6.9-40.18.1 python-base-2.6.9-40.18.1 python-curses-2.6.9-40.18.1 python-demo-2.6.9-40.18.1 python-gdbm-2.6.9-40.18.1 python-idle-2.6.9-40.18.1 python-tk-2.6.9-40.18.1 python-xml-2.6.9-40.18.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): libpython2_6-1_0-32bit-2.6.9-40.18.1 python-32bit-2.6.9-40.18.1 python-base-32bit-2.6.9-40.18.1 - SUSE Linux Enterprise Server 11-SP4 (noarch): python-doc-2.6-8.40.18.1 python-doc-pdf-2.6-8.40.18.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): libpython2_6-1_0-x86-2.6.9-40.18.1 python-base-x86-2.6.9-40.18.1 python-x86-2.6.9-40.18.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): libpython2_6-1_0-2.6.9-40.18.1 python-2.6.9-40.18.1 python-base-2.6.9-40.18.1 python-curses-2.6.9-40.18.1 python-demo-2.6.9-40.18.1 
python-gdbm-2.6.9-40.18.1 python-idle-2.6.9-40.18.1 python-tk-2.6.9-40.18.1 python-xml-2.6.9-40.18.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64): libpython2_6-1_0-32bit-2.6.9-40.18.1 python-32bit-2.6.9-40.18.1 python-base-32bit-2.6.9-40.18.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (noarch): python-doc-2.6-8.40.18.1 python-doc-pdf-2.6-8.40.18.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch): python-doc-2.6-8.40.18.1 python-doc-pdf-2.6-8.40.18.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libpython2_6-1_0-2.6.9-40.18.1 python-2.6.9-40.18.1 python-base-2.6.9-40.18.1 python-curses-2.6.9-40.18.1 python-demo-2.6.9-40.18.1 python-gdbm-2.6.9-40.18.1 python-idle-2.6.9-40.18.1 python-tk-2.6.9-40.18.1 python-xml-2.6.9-40.18.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): python-base-debuginfo-2.6.9-40.18.1 python-base-debugsource-2.6.9-40.18.1 python-debuginfo-2.6.9-40.18.1 python-debugsource-2.6.9-40.18.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64): python-base-debuginfo-32bit-2.6.9-40.18.1 python-debuginfo-32bit-2.6.9-40.18.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64): python-base-debuginfo-x86-2.6.9-40.18.1 python-debuginfo-x86-2.6.9-40.18.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): python-base-debuginfo-2.6.9-40.18.1 python-base-debugsource-2.6.9-40.18.1 python-debuginfo-2.6.9-40.18.1 python-debugsource-2.6.9-40.18.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64): python-base-debuginfo-32bit-2.6.9-40.18.1 python-debuginfo-32bit-2.6.9-40.18.1 References: https://bugzilla.suse.com/1108253 From sle-updates at lists.suse.com Tue Sep 18 10:08:05 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 18 Sep 2018 18:08:05 +0200 (CEST) Subject: SUSE-RU-2018:2748-1: moderate: Recommended update for pacemaker Message-ID: <20180918160805.AD89DFD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for pacemaker 
______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2748-1 Rating: moderate References: #1009076 #1022807 #1028138 #1035822 #1042054 #1053463 #1054389 #1058844 #1059187 #1066710 #1069468 #1070347 #1074039 #1082883 #1090538 #950128 #980341 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise High Availability 12-SP3 ______________________________________________________________________________ An update that has 17 recommended fixes can now be installed. Description: This update for pacemaker provides the following fixes: - attrd: Accept connections only after CIB connection is active. - attrd,crmd: Erase attributes at attrd start-up, not first join. - attrd: Ensure node name is broadcast at start-up. - attrd: Make CIB connection function self-contained. - attrd,stonithd: More efficient regular expression parsing. - attrd: Synchronize attributes held only on own node. - attrd,tools: Avoid memory leaks from use of crm_itoa(). - cib: Broadcasts of cib changes should always pass ACLs check. (bsc#1042054) - crmd: Abort transition whenever the quorum is lost. - crmd: Ack pending operations that were cancelled due to rsc deletion. (bsc#1035822) - crmd: Assert when operation can't be created. - crmd: Write faked failures to CIB whenever possible. - crmd: Do not assert if LRM query fails. - crmd: Do not core dump if remote connection does not exist. - crmd: DC should update stonith fail count before aborting transition. - crmd: Do not abort for v2 diff LRM refresh if actions are pending. - crmd: Eliminate size restriction on node state xpath. - crmd: Hard error if remote start fails due to missing key. - crmd: Improve lrmd failure handling. - crmd,libcrmcommon,libcluster,tools: Handle PID as string properly. - crmd,liblrmd,libcrmcommon: Improve remote node disconnection logs. - crmd: Match only executed down events. - crmd: Quorum gain should always cause new transition. 
- crmd: Return rich error codes from get_lrm_resource(). - crmd: Scale all cib operation timeouts. - crmd: Scale timeouts with the number of remotes too. - crmd: Validate CIB diffs better. - crm_mon: Make CGI bail out on suspicious arguments. - crm_mon: Overcome crm_system_name no longer influenced with argv. - crm_resource: Ensure waiting for all messages before exiting. - crm_resource: Prevent disconnection from crmd during cleanup. - cts: Adjust pacemaker service on startup to prevent triggering StopWhenUnneeded of corosync service. - Doc: Add documentation for new pcmk_delay_base. (bsc#1074039) - extra: Correct ClusterMon metadata. - fencing: Do not print events twice when stonith_admin --verbose is used. - fencing: Fix a memory leak in stonith_admin --env. - iso8601: strftime needs a fully populated struct tm. (bsc#1058844) - libcib: Always use current values when unpacking config. - libcib: Correctly search for v2 patchset changes. - libcib: Ensure xpath result is not empty. - libcib: Get remoteness correctly from node status. - libcluster,libcrmcommon: Improve BZ2 error messages. - libcrmcluster: Improve error checking when updating node name. - libcrmcluster: Use crm_strdup_printf() instead of calloc(). - libcrmcommon: Make sure async connection callback uses negative error codes. - libcrmcommon: Avoid memory leak when the schema transform is not found. - libcrmcommon: Fix a possible infinite loop in buffer_print. - libcrmcommon: Handle schema versions properly. - libcrmcommon: Improve user lookup messages. - libcrmcommon,liblrmd: Improve remote connection messages. - libcrmcommon,liblrmd,lrmd: Improve messages for failed remote sends. - libcrmcommon,liblrmd,lrmd: Validate PCMK_remote_port. - libcrmcommon,liblrmd: Report meaningful async connection errors. - libcrmcommon: Lower watchdog messages when default. - libcrmcommon,lrmd: Use meaningful error codes when sending remote messages. - libcrmcommon: Return meaningful error codes to connection callbacks. 
- libcrmcommon,tools: Improve XML write error handling. - libcrmservice: Prevent an infinite loop on a bad DBus reply. - libcrmservice: Avoid memory leak on DBus error. - libcrmservice: Follow LSB standard for header block more strictly. - libcrmservice,pacemakerd: Improve privilege dropping. - libcrmservice: Parse LSB long description correctly. - libcrmservices: Avoid assert for HB resource with no parameters. - liblrmd: Make sure the operation of a remote resource returns if the setup of the key fails. (bsc#1053463) - libpe_status: Always log startup-fencing value. - libpe_status: Fix precedence of operation in meta-attributes. - libpe_status: Limit resource type check to primitives. - libpe_status: Make sure monitors are rescheduled, not reloaded. - libpe_status: Properly detect when nodes should suicide. - libpe_status: Recover after failed demote when appropriate. - libpe_status: Use correct default timeout for probes. - libpe_status: Validate no-quorum-policy=suicide correctly. - libservices: Handle systemd service reloading as OK. (bsc#1059187) - logging: Ensure blackbox gets generated on arithmetic error. - lrmd: Always use most recent remote proxy. - lrmd: Do not reject protocol 1.0 clients. (bsc#1009076) - lrmd: Prevent double free after unregistering stonith device for monitoring. (bsc#1035822) - lrmd: Tweak TLS listener messages. - pacemaker_remote: Warn if TLS key can't be read at start-up. - pacemaker.service: Recommend not to limit tasks. (bsc#1028138, bsc#1066710) - PE: Allow all resources to stop prior to probes completing. - PE: Make sure bare metal remotes are probed as now they can run resources. - PE: Correctly implement pe_order_implies_first_printed. - PE: Detailed resource information should include connection resource state. - PE: Do not re-add a node's default score for each location constraint. - PE: Ensure stop operations occur after stopped remote connections have been brought up. 
- PE: Ensure unrecoverable remote nodes are fenced even if no resources can run on them. - PE: Exclude resources and nodes from the symmetric_default constraint in some circumstances. - PE: Flag resources that are acting as remote nodes. - PE: Ignore optional unfencing events and report the fencing type. - PE: Improved logging of reasons for stop/restart actions. - pengine: Avoid fence loop for remote nodes. - pengine: Fix a null pointer dereference when unpacking tickets. - pengine: Detect proper clone name at startup. - pengine: Do not ignore permanent master scores at startup. - pengine: Do not keep unique instances on same node. - pengine: Schedule reload and restart in separate transition. - pengine: Handle resource migrating behind a migrating remote connection. - pengine: If ignoring failure, also ignore migration-threshold. - pengine: Improve messages when assigning resources to nodes. - pengine: Make sure calculated resource scores are consistent on different architectures. (bsc#1054389) - pengine: Fix a memory leak when writing graph to file. - pengine: Re-enable unrecoverable remote fencing. - pengine: Reset loss-policy from fence to stop if no fencing. - pengine,tools,libpe_status: Avoid unnecessary use of pe_find_current. - pengine: Use newer Pacemaker Remote terminology. - pengine: Validate more function arguments. - pengine: Fix swapped warning message arguments leading to segfault. (bsc#1090538) - PE: Only allowed nodes need to be considered when ordering resource startup after all recovery. - PE: Only re-trigger unfencing on nodes that ran operations with the old parameters. - PE: Remote connection resources are safe to require only quorum. - PE: Resources are allowed to stop before their state is known everywhere. - PE: Restore the ability to send the transition graph via the disk if it gets too big. - PE: Unfencing: Correctly detect changes to device definitions. - portability: The difference of time_t values is given by difftime(). 
- RA: ClusterMon: Correctly handle "update" parameter. - RA: NodeUtilization RA is now shipped by resource-agents package. (bsc#1070347) - remote: Allow cluster and remote LRM API versions to diverge. (bsc#1009076) - spec: Make sure shadow package is installed before adding user and group. - spec: Prevent overwriting existing sysconfig files by conditionally running %fillup_only. (bsc#1022807, bsc#980341) - stonith-ng: Add pcmk_delay_base as static base-delay. (bsc#1074039) - stonith-ng: Advertise pcmk_on_action via metadata. - stonith-ng: Avoid double-free of pending-ops in free_device. - stonith-ng: Make fencing-device reappear properly after reenabling. - systemd: Add TasksMax comment to pacemaker_remote unit. (bsc#1028138, bsc#1066710) - systemd unit files: Enable TasksMax=infinity. (bsc#1028138, bsc#1066710) - systemd unit files: Restore DBus dependency. - TE: Don't bump counters when action or synapse is invalid. - tools: Add version options for cibsecret. - tools: Allow crm_resource to be called without arguments. - tools: allow crm_resource to operate on anonymous clones in unknown states. - tools: Do not fail if already at the latest schema in cibadmin --upgrade. - tools: Differentiate trace log level for RAs. - tools: Do not expect reply to failed send. - tools: Ensure the crm_resource data set is initialized. - tools: Ensure that crm_resource works if no command is specified. - tools: Implement clean-up dry-run correctly. - tools: Improve crm_master and crm_standby option handling. - tools: Improve crm_resource help. (bsc#950128) - tools: Add missing break statement in attrd_updater. - tools: Re-enable crm_resource --lifetime option. (bsc#950128) - tools: Set meta_timeout env when crm_resource --force-* executes RA. - tools: Set the correct OCF_RESOURCE_INSTANCE env when crm_resource --force-* executes RA. - tools: Fix a use-after-free error in crm_diff. - tools: Warn if crm_resource --wait is called in mixed-version cluster. 
- Prevent notify actions from causing --wait to hang. - Install /etc/pacemaker directory for storing authkey file. (bsc#1082883) - Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1917=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-1917=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libpacemaker-devel-1.1.16-6.5.1 pacemaker-cts-1.1.16-6.5.1 pacemaker-cts-debuginfo-1.1.16-6.5.1 pacemaker-debuginfo-1.1.16-6.5.1 pacemaker-debugsource-1.1.16-6.5.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): libpacemaker3-1.1.16-6.5.1 libpacemaker3-debuginfo-1.1.16-6.5.1 pacemaker-1.1.16-6.5.1 pacemaker-cli-1.1.16-6.5.1 pacemaker-cli-debuginfo-1.1.16-6.5.1 pacemaker-cts-1.1.16-6.5.1 pacemaker-cts-debuginfo-1.1.16-6.5.1 pacemaker-debuginfo-1.1.16-6.5.1 pacemaker-debugsource-1.1.16-6.5.1 pacemaker-remote-1.1.16-6.5.1 pacemaker-remote-debuginfo-1.1.16-6.5.1 References: https://bugzilla.suse.com/1009076 https://bugzilla.suse.com/1022807 https://bugzilla.suse.com/1028138 https://bugzilla.suse.com/1035822 https://bugzilla.suse.com/1042054 https://bugzilla.suse.com/1053463 https://bugzilla.suse.com/1054389 https://bugzilla.suse.com/1058844 https://bugzilla.suse.com/1059187 https://bugzilla.suse.com/1066710 https://bugzilla.suse.com/1069468 https://bugzilla.suse.com/1070347 https://bugzilla.suse.com/1074039 https://bugzilla.suse.com/1082883 https://bugzilla.suse.com/1090538 https://bugzilla.suse.com/950128 https://bugzilla.suse.com/980341 From sle-updates at lists.suse.com Tue Sep 18 10:12:24 2018 From: sle-updates 
at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 18 Sep 2018 18:12:24 +0200 (CEST) Subject: SUSE-RU-2018:2749-1: moderate: Recommended update for sles12sp3-openldap-image Message-ID: <20180918161224.1488FFD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for sles12sp3-openldap-image ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2749-1 Rating: moderate References: #1092495 Affected Products: SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for sles12sp3-openldap-image fixes the following issues: - ldapsearch without authentication allows listing all objects and attributes (bsc#1092495) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE CaaS Platform 3.0 (x86_64): sles12-openldap-image-3.0.1-4.3.2 References: https://bugzilla.suse.com/1092495 From sle-updates at lists.suse.com Tue Sep 18 10:13:01 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 18 Sep 2018 18:13:01 +0200 (CEST) Subject: SUSE-RU-2018:2750-1: moderate: Recommended update for crash Message-ID: <20180918161301.AE2AFFD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for crash ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2750-1 Rating: moderate References: #1092101 Affected Products: SUSE Linux Enterprise Module for Development Tools 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for crash fixes the following issues: - Reimplement IDR facility to use radix trees in Kernel 4.11. (bsc#1092101) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1919=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): crash-7.2.1-3.5.1 crash-debuginfo-7.2.1-3.5.1 crash-debugsource-7.2.1-3.5.1 crash-devel-7.2.1-3.5.1 crash-kmp-default-7.2.1_k4.12.14_25.13-3.5.1 crash-kmp-default-debuginfo-7.2.1_k4.12.14_25.13-3.5.1 References: https://bugzilla.suse.com/1092101 From sle-updates at lists.suse.com Tue Sep 18 13:07:48 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 18 Sep 2018 21:07:48 +0200 (CEST) Subject: SUSE-RU-2018:2751-1: moderate: Recommended update for yast2-snapper Message-ID: <20180918190748.7198DFCB2@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-snapper ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2751-1 Rating: moderate References: #956955 Affected Products: SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for yast2-snapper fixes the following issues: - Fixes a bug where restoring of a file was not possible (bsc#956955) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1920=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1920=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): yast2-snapper-3.2.1-3.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): yast2-snapper-3.2.1-3.3.1 References: https://bugzilla.suse.com/956955 From sle-updates at lists.suse.com Wed Sep 19 10:07:59 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 19 Sep 2018 18:07:59 +0200 (CEST) Subject: SUSE-SU-2018:2752-1: moderate: Security update for webkit2gtk3 Message-ID: <20180919160759.21123FCB2@maintenance.suse.de> SUSE Security Update: Security update for webkit2gtk3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2752-1 Rating: moderate References: #1101999 #1104169 Cross-References: CVE-2018-12911 CVE-2018-4261 CVE-2018-4262 CVE-2018-4263 CVE-2018-4264 CVE-2018-4265 CVE-2018-4266 CVE-2018-4267 CVE-2018-4270 CVE-2018-4271 CVE-2018-4272 CVE-2018-4273 CVE-2018-4278 CVE-2018-4284 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes 14 vulnerabilities is now available. Description: This update for webkit2gtk3 to version 2.20.5 fixes the following issues: Security issue fixed: - CVE-2018-12911: Fix off-by-one in xdg_mime_get_simple_globs (bsc#1101999). - CVE-2018-4261, CVE-2018-4262, CVE-2018-4263, CVE-2018-4264, CVE-2018-4265, CVE-2018-4267, CVE-2018-4272, CVE-2018-4284: Processing maliciously crafted web content may lead to arbitrary code execution. A memory corruption issue was addressed with improved memory handling. 
- CVE-2018-4266: A malicious website may be able to cause a denial of service. A race condition was addressed with additional validation. - CVE-2018-4270, CVE-2018-4271, CVE-2018-4273: Processing maliciously crafted web content may lead to an unexpected application crash. A memory corruption issue was addressed with improved input validation. - CVE-2018-4278: A malicious website may exfiltrate audio data cross-origin. Sound fetched through audio elements may be exfiltrated cross-origin. This issue was addressed with improved audio taint tracking. Other bugs fixed: - Fix rendering artifacts in some web sites due to a bug introduced in 2.20.4. - Fix a crash when leaving accelerated compositing mode. - Fix non-deterministic build failure due to missing JavaScriptCore/JSContextRef.h. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1921=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1921=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): typelib-1_0-JavaScriptCore-4_0-2.20.5-3.8.1 typelib-1_0-WebKit2-4_0-2.20.5-3.8.1 typelib-1_0-WebKit2WebExtension-4_0-2.20.5-3.8.1 webkit2gtk3-debugsource-2.20.5-3.8.1 webkit2gtk3-devel-2.20.5-3.8.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.20.5-3.8.1 libjavascriptcoregtk-4_0-18-debuginfo-2.20.5-3.8.1 libwebkit2gtk-4_0-37-2.20.5-3.8.1 libwebkit2gtk-4_0-37-debuginfo-2.20.5-3.8.1 webkit2gtk-4_0-injected-bundles-2.20.5-3.8.1 webkit2gtk-4_0-injected-bundles-debuginfo-2.20.5-3.8.1 webkit2gtk3-debugsource-2.20.5-3.8.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): 
libwebkit2gtk3-lang-2.20.5-3.8.1 References: https://www.suse.com/security/cve/CVE-2018-12911.html https://www.suse.com/security/cve/CVE-2018-4261.html https://www.suse.com/security/cve/CVE-2018-4262.html https://www.suse.com/security/cve/CVE-2018-4263.html https://www.suse.com/security/cve/CVE-2018-4264.html https://www.suse.com/security/cve/CVE-2018-4265.html https://www.suse.com/security/cve/CVE-2018-4266.html https://www.suse.com/security/cve/CVE-2018-4267.html https://www.suse.com/security/cve/CVE-2018-4270.html https://www.suse.com/security/cve/CVE-2018-4271.html https://www.suse.com/security/cve/CVE-2018-4272.html https://www.suse.com/security/cve/CVE-2018-4273.html https://www.suse.com/security/cve/CVE-2018-4278.html https://www.suse.com/security/cve/CVE-2018-4284.html https://bugzilla.suse.com/1101999 https://bugzilla.suse.com/1104169 From sle-updates at lists.suse.com Wed Sep 19 19:08:01 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 03:08:01 +0200 (CEST) Subject: SUSE-RU-2018:2755-1: moderate: Recommended update for resource-agents Message-ID: <20180920010801.5B174FD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for resource-agents ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2755-1 Rating: moderate References: #1092384 #1096744 #1101668 #1102935 Affected Products: SUSE Linux Enterprise High Availability 12-SP3 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for resource-agents provides the following fixes: - Implements the reload operation on the SAPInstance RA. (bsc#1096744) - Include the enq_server and enq_replicator on the default service list to be monitored for the new S/4 HANA Enq. Services 2. 
(bsc#1092384) - Improved SAPInstance START profile detection, avoiding the need of setting the START_PROFILE parameter. (bsc#1096744) - CTDB: Fix initial probe. (bsc#1102935) - CTDB: Fix incorrect db corruption reports. (bsc#1101668, bsc#1102935) - CTDB: Fix OCF_RESKEY_ctdb_recovery_lock validation. (bsc#1102935) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-1922=1 Package List: - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): ldirectord-4.0.1+git.1495055229.643177f1-2.18.1 resource-agents-4.0.1+git.1495055229.643177f1-2.18.1 resource-agents-debuginfo-4.0.1+git.1495055229.643177f1-2.18.1 resource-agents-debugsource-4.0.1+git.1495055229.643177f1-2.18.1 - SUSE Linux Enterprise High Availability 12-SP3 (noarch): monitoring-plugins-metadata-4.0.1+git.1495055229.643177f1-2.18.1 References: https://bugzilla.suse.com/1092384 https://bugzilla.suse.com/1096744 https://bugzilla.suse.com/1101668 https://bugzilla.suse.com/1102935 From sle-updates at lists.suse.com Wed Sep 19 19:09:09 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 03:09:09 +0200 (CEST) Subject: SUSE-RU-2018:2756-1: moderate: Recommended update for the SLE Module Development Tools release Message-ID: <20180920010909.A3D01FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for the SLE Module Development Tools release ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2756-1 Rating: moderate References: #1097116 Affected Products: SUSE Linux Enterprise Module for Development Tools 15 ______________________________________________________________________________ An update that has one recommended fix can now be 
installed. Description: This update for sle-module-development-tools-release fixes the following issues: - Correctly obsolete SLE SDK and Toolchain Module. (bsc#1097116) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1926=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64): sle-module-development-tools-release-15-114.4.1 References: https://bugzilla.suse.com/1097116 From sle-updates at lists.suse.com Wed Sep 19 19:09:42 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 03:09:42 +0200 (CEST) Subject: SUSE-RU-2018:2757-1: moderate: Recommended update for resource-agents Message-ID: <20180920010942.1457DFCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for resource-agents ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2757-1 Rating: moderate References: #1074014 #1092384 #1096744 Affected Products: SUSE Linux Enterprise High Availability 12-SP2 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for resource-agents provides the following fixes: - Implements the reload operation on the SAPInstance RA. (bsc#1096744) - Include the enq_server and enq_replicator on the default service list to be monitored for the new S/4 HANA Enq. Services 2. (bsc#1092384) - Improved SAPInstance START profile detection, avoiding the need of setting the START_PROFILE parameter. (bsc#1096744) - Refactor systemd detection - systemd: Add resource-agents-deps target. - VirtualDomain: Properly migrate VMs on node shutdown. 
(bsc#1074014) - VirtualDomain: Fix warning messages in log. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2018-1923=1 Package List: - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): ldirectord-3.9.7+git.1461938976.cb7c36a-14.16.1 monitoring-plugins-metadata-3.9.7+git.1461938976.cb7c36a-14.16.1 resource-agents-3.9.7+git.1461938976.cb7c36a-14.16.1 resource-agents-debuginfo-3.9.7+git.1461938976.cb7c36a-14.16.1 resource-agents-debugsource-3.9.7+git.1461938976.cb7c36a-14.16.1 References: https://bugzilla.suse.com/1074014 https://bugzilla.suse.com/1092384 https://bugzilla.suse.com/1096744 From sle-updates at lists.suse.com Wed Sep 19 19:10:48 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 03:10:48 +0200 (CEST) Subject: SUSE-RU-2018:2758-1: moderate: Recommended update for python-M2Crypto Message-ID: <20180920011048.E1B16FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-M2Crypto ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2758-1 Rating: moderate References: #1072973 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python-M2Crypto provides version 0.29.0 and brings many fixes and improvements. For a detailed description, please refer to the changelog. 
Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1927=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1927=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1927=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1927=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1927=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1927=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): python-M2Crypto-0.29.0-23.3.5 python-M2Crypto-debuginfo-0.29.0-23.3.5 python-M2Crypto-debugsource-0.29.0-23.3.5 python3-M2Crypto-0.29.0-23.3.5 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): python-M2Crypto-0.29.0-23.3.5 python-M2Crypto-debuginfo-0.29.0-23.3.5 python-M2Crypto-debugsource-0.29.0-23.3.5 python3-M2Crypto-0.29.0-23.3.5 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): python-M2Crypto-0.29.0-23.3.5 python-M2Crypto-debuginfo-0.29.0-23.3.5 python-M2Crypto-debugsource-0.29.0-23.3.5 python3-M2Crypto-0.29.0-23.3.5 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): python-M2Crypto-0.29.0-23.3.5 python-M2Crypto-debuginfo-0.29.0-23.3.5 python-M2Crypto-debugsource-0.29.0-23.3.5 python3-M2Crypto-0.29.0-23.3.5 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): python-M2Crypto-0.29.0-23.3.5 python-M2Crypto-debuginfo-0.29.0-23.3.5 python-M2Crypto-debugsource-0.29.0-23.3.5 - SUSE Enterprise Storage 4 (x86_64): 
python-M2Crypto-0.29.0-23.3.5 python-M2Crypto-debuginfo-0.29.0-23.3.5 python-M2Crypto-debugsource-0.29.0-23.3.5 python3-M2Crypto-0.29.0-23.3.5 - SUSE CaaS Platform 3.0 (x86_64): python-M2Crypto-0.29.0-23.3.5 python-M2Crypto-debuginfo-0.29.0-23.3.5 python-M2Crypto-debugsource-0.29.0-23.3.5 References: https://bugzilla.suse.com/1072973 From sle-updates at lists.suse.com Wed Sep 19 19:11:27 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 03:11:27 +0200 (CEST) Subject: SUSE-RU-2018:2759-1: moderate: Recommended update for gnome-control-center Message-ID: <20180920011127.E0860FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for gnome-control-center ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2759-1 Rating: moderate References: #1078968 #1079320 Affected Products: SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for gnome-control-center fixes the following issues: - Bugfix: Only manage Wi-Fi devices managed by NetworkManager (bsc#1079320) - user-accounts: Remove implicit language setting when a new user navigates the user panel for the first time. (bsc#1078968) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2018-1925=1 - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1925=1 Package List: - SUSE Linux Enterprise Workstation Extension 15 (x86_64): gnome-control-center-color-3.26.2-7.5.1 gnome-control-center-debuginfo-3.26.2-7.5.1 gnome-control-center-debugsource-3.26.2-7.5.1 gnome-control-center-goa-3.26.2-7.5.1 gnome-control-center-user-faces-3.26.2-7.5.1 - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): gnome-control-center-3.26.2-7.5.1 gnome-control-center-debuginfo-3.26.2-7.5.1 gnome-control-center-debugsource-3.26.2-7.5.1 gnome-control-center-devel-3.26.2-7.5.1 - SUSE Linux Enterprise Module for Desktop Applications 15 (noarch): gnome-control-center-lang-3.26.2-7.5.1 References: https://bugzilla.suse.com/1078968 https://bugzilla.suse.com/1079320 From sle-updates at lists.suse.com Wed Sep 19 19:12:20 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 03:12:20 +0200 (CEST) Subject: SUSE-RU-2018:2760-1: moderate: Recommended update for systemd-rpm-macros Message-ID: <20180920011220.7202FFCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for systemd-rpm-macros ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2760-1 Rating: moderate References: #1104176 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for systemd-rpm-macros fixes the following issues: - Make sure %systemd_post() is called during package removal, and also make it more useful by restoring its original implementation. (bsc#1104176) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1924=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1924=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1924=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1924=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1924=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1924=1 Package List: - SUSE OpenStack Cloud 7 (noarch): systemd-rpm-macros-3-10.9.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): systemd-rpm-macros-3-10.9.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): systemd-rpm-macros-3-10.9.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): systemd-rpm-macros-3-10.9.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): systemd-rpm-macros-3-10.9.1 - SUSE Enterprise Storage 4 (noarch): systemd-rpm-macros-3-10.9.1 References: https://bugzilla.suse.com/1104176 From sle-updates at lists.suse.com Thu Sep 20 04:11:33 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 12:11:33 +0200 (CEST) Subject: SUSE-SU-2018:2761-1: moderate: Security update for OpenStack Message-ID: <20180920101133.7AA02FCB2@maintenance.suse.de> SUSE Security Update: Security update for OpenStack ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2761-1 Rating: moderate References: #1084362 #1102151 
Cross-References: CVE-2018-14432 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for OpenStack fixes the following issues: The following security issue with openstack-keystone has been fixed: - CVE-2018-14432: Reduce duplication in federated authentication APIs. (bsc#1102151) Additionally, the following non-security issues have been fixed: aodh: - Support same projects in different domain. barbican: - Add zuulv3 to Pike. cinder: - Empty option value maybe cause Unity driver failed to initialize. - GoodnessWeigher schedules non-type volumes. - Fix quota error when deleting temporary volume. - Fix cinder quota-usage error. - Unity: Return logged-out initiators. - Correct S-Series to DS-Series systems. - Update storage backends supported for Lenovo. - Unity: Add support of removing empty host. - NetApp: Fix to support SVM scoped permissions. - NetApp ONTAP iSCSI: Force exception on online extend. - NetApp ONTAP: Set new sub-lun clone limit for ONTAP driver. dashboard: - Make @memoize thread-aware. designate: - Add provides to handle installation of mdns and producer seamlessly. - Fix service files. - Install a default pools.yaml. glance: - doc: Modify the description for the command. - Make ImageTarget behave like a dictionary. - Add barbican-tempest experimental job. heat: - Fixing unicode issue when to\_dict is called on py2.7 env. - Ignore NotFound error in prepare\_for\_replace. - Reset resource replaced\_by field for rollback. - Ignore RESOLVE translation errors when translating before\_props. - Ignore errors in purging events. heat-templates: - Deprecate hooks in heat-templates. horizon-plugin-designate-ui: - Install all designate panels that are available. horizon-plugin-freezer-ui: - Avoid using deprecated opt in Web-UI. 
   horizon-plugin-gbp-ui:

   - Fix patching of create instance dialog.

   neutron-lbaas-dashboard:

   - Remove custom zuul jobs.

   horizon-plugin-trove-ui:

   - Update UPPER_CONSTRAINTS_FILE for stable/pike.

   ironic:

   - Fix error when deleting a non-existent port.
   - Tear down console during unprovisioning.

   manila:

   - Fix ZFSOnLinux doc about manage ops.
   - DB Migration: Fix downgrade.
   - Fix share-service VM restart problem.
   - Added Handling Newer Quobyte API Error Codes.
   - NetApp ONTAP: Fix delete-share for vsadmin users.
   - Remove confusing DB deprecation messages.
   - Add missing Requires: for python-tooz

   neutron:

   - Skip MTU check during deletion of Networks.
   - HA L3 agent restart only standby agents.
   - Retry dhcp_release on failures.
   - Reduce IP address collision during port creating.
   - Refactor DVR HA migrations DB operations.
   - Disallow router interface out of subnet IP range.
   - Fix fwaas v1 configuration doc.
   - Add list of all working DSCP marks.
   - Set trusted port only once in iptables firewall driver.
   - Fix UT BridgeLibTest when IPv6 is disabled.

   neutron-fwaas:

   - DVR-FWaaS: Fix DVR FWaaS rules for fipnamespace.

   neutron-lbaas:

   - Get providers directly from ORM to make startup take half as long.
   - Cap haproxy log level severity.
   - Fix sphinx-docs job for stable branch.

   neutron-vpnaas:

   - Fix sphinx-docs job for stable branch and pep8 issues.

   neutron-zvm-agent:

   - Backport zCC backend networking-zvm.

   nova:

   - libvirt: Add method to configure migration speed.
   - Make host_aggregate_map dictionary case-insensitive.
   - Fix unbound local when saving an unchanged RequestSpec.
   - Cleanup mapping/reqspec after archive instance.
   - Default embedded instance.flavor.disabled attribute.
   - Backport tox.ini to switch to stestr.
   - Cleanup RP and HM records while deleting a compute service.
   - Delete allocations from API if nova-compute is down.
   - Block deleting compute services which are hosting instances.
   - api-ref: Add a note in DELETE /os-services about deleting computes.
   - Add functional test for deleting a compute service.
   - Factor out compute service start in ServerMovingTest.
   - Moving more utils to ProviderUsageBaseTestCase.
   - Make nova service-list use scatter-gather routine.
   - libvirt: Slow live-migration to ensure network is ready.
   - Use instance project/user when creating RequestSpec during resize reschedule.
   - Mock utils.execute() in qemu-img unit test.
   - Add policy rule to block image-backed servers with 0 root disk flavor.
   - Change consecutive build failure limit to a weigher.
   - Ensure resource class cache when listing usages.
   - Metadata-API fails to retrieve avz for instances created before Pike.
   - placement: Fix HTTP error generation.
   - Add amd-ssbd and amd-no-ssb CPU flags.
   - Fixed auto-convergence option name in doc.
   - libvirt: Skip fetching the virtual size of block devices.
   - libvirt: Handle DiskNotFound during update_available_resource.
   - Avoid showing password in log.
   - Fix shelving a paused instance.
   - Document how to disable notifications.
   - Add ssbd and virt-ssbd flags to cpu_model_extra_flags whitelist.
   - Stringify instance UUID.

   nova-virt-zvm:

   - Backport zvm driver.

   octavia:

   - Update introduction documentation page.
   - Use HMAC.hexdigest to avoid non-ascii characters for package data.

   trove:

   - Add .stestr.conf to fix tox-py27 stable job.
   - Fix mysql instance create failed when enable skip-name-resolve.
   - Failed to build mongo image.
   - Open the volume_support of redis.
   - Remove Mitaka reference in install/dashboard.rst.
   - Enable longer Keystone token life.
   - Fix gate issues.

   python-barbicanclient:

   - Update time for functional tests. (bsc#1084362)

   python-keystone-json-assignment:

   - Speedup project lookup.

   python-manilaclient:

   - Fix for use endpoint_type in _discover_client method.
   - Add search_opts in func list of ManagerWithFind type classes.
   - Fix share can not be found by name in admin context.

   python-vmware-nsx:

   - NSX|V3: Handle port-not-found during get_ports.
   - NSXAdminV3: Add message on client cert generation.
   - NSX-V: Add server-ip-address to the supported dhcp options.
   - NSX|V3: Fix global SG creation duplication.
   - Fix security groups ext_properties loading.
   - NSXv3: Add pool-level lock for LB pool member operations.
   - NSX|v3: Do not retry on DB duplications on section init.
   - NSXv: Handle listener failures on backend.
   - Add mock to the requirements.
   - AdminUtils V3: Do not set nat_pass for NO-NAT rules.
   - NSX|V3: Wait for another neutron to create default section.
   - NSX|V3: Cleanup duplicate sections on startup.
   - V and D: Make security group logging more robust.
   - NSX|v3: Ensure that 0.0.0.0/# is treated correctly in SG rules.
   - NSX|V: Fix create/delete subnet race condition.

   python-vmware-nsxlib:

   - Fix service ports for egress firewall rule.
   - Add server-ip-address to the supported dhcp options.
   - Retry on 503 Service Unavailable.
   - Remove sha224 from supported client cert hash algs.
   - Add logging when initializing a default FW section.
   - Fixed tenacity usage.
   - Retry if IOError is received.
   - Handle cluster connection closed by server.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1929=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2018-1929=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2018-1929=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): openstack-aodh-5.1.1~dev5-3.5.3 openstack-aodh-api-5.1.1~dev5-3.5.3 openstack-aodh-doc-5.1.1~dev5-3.5.4 openstack-aodh-evaluator-5.1.1~dev5-3.5.3 openstack-aodh-expirer-5.1.1~dev5-3.5.3 openstack-aodh-listener-5.1.1~dev5-3.5.3 openstack-aodh-notifier-5.1.1~dev5-3.5.3 openstack-barbican-5.0.1~dev11-3.8.3 openstack-barbican-api-5.0.1~dev11-3.8.3 openstack-barbican-doc-5.0.1~dev11-3.8.3 openstack-barbican-keystone-listener-5.0.1~dev11-3.8.3 openstack-barbican-retry-5.0.1~dev11-3.8.3 openstack-barbican-worker-5.0.1~dev11-3.8.3 openstack-cinder-11.1.2~dev14-3.6.3 openstack-cinder-api-11.1.2~dev14-3.6.3 openstack-cinder-backup-11.1.2~dev14-3.6.3 openstack-cinder-doc-11.1.2~dev14-3.6.4 openstack-cinder-scheduler-11.1.2~dev14-3.6.3 openstack-cinder-volume-11.1.2~dev14-3.6.3 openstack-dashboard-12.0.4~dev1-3.8.3 openstack-designate-5.0.2~dev5-3.5.3 openstack-designate-agent-5.0.2~dev5-3.5.3 openstack-designate-api-5.0.2~dev5-3.5.3 openstack-designate-central-5.0.2~dev5-3.5.3 openstack-designate-doc-5.0.2~dev5-3.5.3 openstack-designate-producer-5.0.2~dev5-3.5.3 openstack-designate-sink-5.0.2~dev5-3.5.3 openstack-designate-worker-5.0.2~dev5-3.5.3 openstack-glance-15.0.2~dev4-3.3.3 openstack-glance-api-15.0.2~dev4-3.3.3 openstack-glance-doc-15.0.2~dev4-3.3.3 openstack-glance-registry-15.0.2~dev4-3.3.3 openstack-heat-9.0.5~dev11-3.6.3 openstack-heat-api-9.0.5~dev11-3.6.3 openstack-heat-api-cfn-9.0.5~dev11-3.6.3 openstack-heat-api-cloudwatch-9.0.5~dev11-3.6.3 openstack-heat-doc-9.0.5~dev11-3.6.4 openstack-heat-engine-9.0.5~dev11-3.6.3 openstack-heat-plugin-heat_docker-9.0.5~dev11-3.6.3 
openstack-heat-templates-0.0.0+git.1525957319.6b5a7cd-3.3.3 openstack-heat-test-9.0.5~dev11-3.6.3 openstack-horizon-plugin-designate-ui-5.0.2~dev5-3.3.5 openstack-horizon-plugin-freezer-ui-5.0.1~dev6-3.3.5 openstack-horizon-plugin-gbp-ui-5.0.1~dev21-4.3.3 openstack-horizon-plugin-manila-ui-2.10.3~dev4-4.5.5 openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev2-3.5.4 openstack-horizon-plugin-trove-ui-9.0.1~dev7-3.3.5 openstack-ironic-9.1.5~dev7-3.6.3 openstack-ironic-api-9.1.5~dev7-3.6.3 openstack-ironic-conductor-9.1.5~dev7-3.6.3 openstack-ironic-doc-9.1.5~dev7-3.6.3 openstack-keystone-12.0.1~dev19-5.8.3 openstack-keystone-doc-12.0.1~dev19-5.8.3 openstack-manila-5.0.2~dev55-3.6.3 openstack-manila-api-5.0.2~dev55-3.6.3 openstack-manila-data-5.0.2~dev55-3.6.3 openstack-manila-doc-5.0.2~dev55-3.6.4 openstack-manila-scheduler-5.0.2~dev55-3.6.3 openstack-manila-share-5.0.2~dev55-3.6.3 openstack-neutron-11.0.6~dev63-3.6.3 openstack-neutron-dhcp-agent-11.0.6~dev63-3.6.3 openstack-neutron-doc-11.0.6~dev63-3.6.3 openstack-neutron-fwaas-11.0.2~dev7-3.5.3 openstack-neutron-fwaas-doc-11.0.2~dev7-3.5.3 openstack-neutron-ha-tool-11.0.6~dev63-3.6.3 openstack-neutron-l3-agent-11.0.6~dev63-3.6.3 openstack-neutron-lbaas-11.0.4~dev4-3.3.4 openstack-neutron-lbaas-agent-11.0.4~dev4-3.3.4 openstack-neutron-lbaas-doc-11.0.4~dev4-3.3.3 openstack-neutron-linuxbridge-agent-11.0.6~dev63-3.6.3 openstack-neutron-macvtap-agent-11.0.6~dev63-3.6.3 openstack-neutron-metadata-agent-11.0.6~dev63-3.6.3 openstack-neutron-metering-agent-11.0.6~dev63-3.6.3 openstack-neutron-openvswitch-agent-11.0.6~dev63-3.6.3 openstack-neutron-server-11.0.6~dev63-3.6.3 openstack-neutron-vpn-agent-11.0.1~dev1-3.3.3 openstack-neutron-vpnaas-11.0.1~dev1-3.3.3 openstack-neutron-vpnaas-doc-11.0.1~dev1-3.3.3 openstack-neutron-vyatta-agent-11.0.1~dev1-3.3.3 openstack-neutron-zvm-agent-8.0.1~dev12-4.3.3 openstack-nova-16.1.5~dev49-3.8.4 openstack-nova-api-16.1.5~dev49-3.8.4 openstack-nova-cells-16.1.5~dev49-3.8.4 
openstack-nova-compute-16.1.5~dev49-3.8.4 openstack-nova-conductor-16.1.5~dev49-3.8.4 openstack-nova-console-16.1.5~dev49-3.8.4 openstack-nova-consoleauth-16.1.5~dev49-3.8.4 openstack-nova-doc-16.1.5~dev49-3.8.4 openstack-nova-novncproxy-16.1.5~dev49-3.8.4 openstack-nova-placement-api-16.1.5~dev49-3.8.4 openstack-nova-scheduler-16.1.5~dev49-3.8.4 openstack-nova-serialproxy-16.1.5~dev49-3.8.4 openstack-nova-virt-zvm-8.0.1~dev56-3.3.4 openstack-nova-vncproxy-16.1.5~dev49-3.8.4 openstack-octavia-1.0.3~dev21-4.6.3 openstack-octavia-amphora-agent-1.0.3~dev21-4.6.3 openstack-octavia-api-1.0.3~dev21-4.6.3 openstack-octavia-health-manager-1.0.3~dev21-4.6.3 openstack-octavia-housekeeping-1.0.3~dev21-4.6.3 openstack-octavia-worker-1.0.3~dev21-4.6.3 openstack-trove-8.0.1~dev11-3.3.3 openstack-trove-api-8.0.1~dev11-3.3.3 openstack-trove-conductor-8.0.1~dev11-3.3.3 openstack-trove-doc-8.0.1~dev11-3.3.3 openstack-trove-guestagent-8.0.1~dev11-3.3.3 openstack-trove-taskmanager-8.0.1~dev11-3.3.3 python-aodh-5.1.1~dev5-3.5.3 python-barbican-5.0.1~dev11-3.8.3 python-barbicanclient-4.5.2-4.3.2 python-barbicanclient-doc-4.5.2-4.3.2 python-cinder-11.1.2~dev14-3.6.3 python-designate-5.0.2~dev5-3.5.3 python-glance-15.0.2~dev4-3.3.3 python-heat-9.0.5~dev11-3.6.3 python-horizon-12.0.4~dev1-3.8.3 python-horizon-plugin-designate-ui-5.0.2~dev5-3.3.5 python-horizon-plugin-freezer-ui-5.0.1~dev6-3.3.5 python-horizon-plugin-gbp-ui-5.0.1~dev21-4.3.3 python-horizon-plugin-manila-ui-2.10.3~dev4-4.5.5 python-horizon-plugin-neutron-lbaas-ui-3.0.3~dev2-3.5.4 python-horizon-plugin-trove-ui-9.0.1~dev7-3.3.5 python-ironic-9.1.5~dev7-3.6.3 python-keystone-12.0.1~dev19-5.8.3 python-keystone-json-assignment-0.0.2-3.3.2 python-manila-5.0.2~dev55-3.6.3 python-manilaclient-1.17.3-3.3.2 python-manilaclient-doc-1.17.3-3.3.2 python-neutron-11.0.6~dev63-3.6.3 python-neutron-fwaas-11.0.2~dev7-3.5.3 python-neutron-lbaas-11.0.4~dev4-3.3.4 python-neutron-vpnaas-11.0.1~dev1-3.3.3 python-nova-16.1.5~dev49-3.8.4 
python-octavia-1.0.3~dev21-4.6.3 python-trove-8.0.1~dev11-3.3.3 python-vmware-nsx-11.0.3~dev16-3.3.2 python-vmware-nsxlib-11.0.4~dev7-3.3.2 - SUSE OpenStack Cloud 8 (noarch): openstack-aodh-5.1.1~dev5-3.5.3 openstack-aodh-api-5.1.1~dev5-3.5.3 openstack-aodh-doc-5.1.1~dev5-3.5.4 openstack-aodh-evaluator-5.1.1~dev5-3.5.3 openstack-aodh-expirer-5.1.1~dev5-3.5.3 openstack-aodh-listener-5.1.1~dev5-3.5.3 openstack-aodh-notifier-5.1.1~dev5-3.5.3 openstack-barbican-5.0.1~dev11-3.8.3 openstack-barbican-api-5.0.1~dev11-3.8.3 openstack-barbican-doc-5.0.1~dev11-3.8.3 openstack-barbican-keystone-listener-5.0.1~dev11-3.8.3 openstack-barbican-retry-5.0.1~dev11-3.8.3 openstack-barbican-worker-5.0.1~dev11-3.8.3 openstack-cinder-11.1.2~dev14-3.6.3 openstack-cinder-api-11.1.2~dev14-3.6.3 openstack-cinder-backup-11.1.2~dev14-3.6.3 openstack-cinder-doc-11.1.2~dev14-3.6.4 openstack-cinder-scheduler-11.1.2~dev14-3.6.3 openstack-cinder-volume-11.1.2~dev14-3.6.3 openstack-dashboard-12.0.4~dev1-3.8.3 openstack-designate-5.0.2~dev5-3.5.3 openstack-designate-agent-5.0.2~dev5-3.5.3 openstack-designate-api-5.0.2~dev5-3.5.3 openstack-designate-central-5.0.2~dev5-3.5.3 openstack-designate-doc-5.0.2~dev5-3.5.3 openstack-designate-producer-5.0.2~dev5-3.5.3 openstack-designate-sink-5.0.2~dev5-3.5.3 openstack-designate-worker-5.0.2~dev5-3.5.3 openstack-glance-15.0.2~dev4-3.3.3 openstack-glance-api-15.0.2~dev4-3.3.3 openstack-glance-doc-15.0.2~dev4-3.3.3 openstack-glance-registry-15.0.2~dev4-3.3.3 openstack-heat-9.0.5~dev11-3.6.3 openstack-heat-api-9.0.5~dev11-3.6.3 openstack-heat-api-cfn-9.0.5~dev11-3.6.3 openstack-heat-api-cloudwatch-9.0.5~dev11-3.6.3 openstack-heat-doc-9.0.5~dev11-3.6.4 openstack-heat-engine-9.0.5~dev11-3.6.3 openstack-heat-plugin-heat_docker-9.0.5~dev11-3.6.3 openstack-heat-templates-0.0.0+git.1525957319.6b5a7cd-3.3.3 openstack-heat-test-9.0.5~dev11-3.6.3 openstack-horizon-plugin-designate-ui-5.0.2~dev5-3.3.5 openstack-horizon-plugin-freezer-ui-5.0.1~dev6-3.3.5 
openstack-horizon-plugin-gbp-ui-5.0.1~dev21-4.3.3 openstack-horizon-plugin-manila-ui-2.10.3~dev4-4.5.5 openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev2-3.5.4 openstack-horizon-plugin-trove-ui-9.0.1~dev7-3.3.5 openstack-ironic-9.1.5~dev7-3.6.3 openstack-ironic-api-9.1.5~dev7-3.6.3 openstack-ironic-conductor-9.1.5~dev7-3.6.3 openstack-ironic-doc-9.1.5~dev7-3.6.3 openstack-keystone-12.0.1~dev19-5.8.3 openstack-keystone-doc-12.0.1~dev19-5.8.3 openstack-manila-5.0.2~dev55-3.6.3 openstack-manila-api-5.0.2~dev55-3.6.3 openstack-manila-data-5.0.2~dev55-3.6.3 openstack-manila-doc-5.0.2~dev55-3.6.4 openstack-manila-scheduler-5.0.2~dev55-3.6.3 openstack-manila-share-5.0.2~dev55-3.6.3 openstack-neutron-11.0.6~dev63-3.6.3 openstack-neutron-dhcp-agent-11.0.6~dev63-3.6.3 openstack-neutron-doc-11.0.6~dev63-3.6.3 openstack-neutron-fwaas-11.0.2~dev7-3.5.3 openstack-neutron-fwaas-doc-11.0.2~dev7-3.5.3 openstack-neutron-ha-tool-11.0.6~dev63-3.6.3 openstack-neutron-l3-agent-11.0.6~dev63-3.6.3 openstack-neutron-lbaas-11.0.4~dev4-3.3.4 openstack-neutron-lbaas-agent-11.0.4~dev4-3.3.4 openstack-neutron-lbaas-doc-11.0.4~dev4-3.3.3 openstack-neutron-linuxbridge-agent-11.0.6~dev63-3.6.3 openstack-neutron-macvtap-agent-11.0.6~dev63-3.6.3 openstack-neutron-metadata-agent-11.0.6~dev63-3.6.3 openstack-neutron-metering-agent-11.0.6~dev63-3.6.3 openstack-neutron-openvswitch-agent-11.0.6~dev63-3.6.3 openstack-neutron-server-11.0.6~dev63-3.6.3 openstack-neutron-vpn-agent-11.0.1~dev1-3.3.3 openstack-neutron-vpnaas-11.0.1~dev1-3.3.3 openstack-neutron-vpnaas-doc-11.0.1~dev1-3.3.3 openstack-neutron-vyatta-agent-11.0.1~dev1-3.3.3 openstack-neutron-zvm-agent-8.0.1~dev12-4.3.3 openstack-nova-16.1.5~dev49-3.8.4 openstack-nova-api-16.1.5~dev49-3.8.4 openstack-nova-cells-16.1.5~dev49-3.8.4 openstack-nova-compute-16.1.5~dev49-3.8.4 openstack-nova-conductor-16.1.5~dev49-3.8.4 openstack-nova-console-16.1.5~dev49-3.8.4 openstack-nova-consoleauth-16.1.5~dev49-3.8.4 openstack-nova-doc-16.1.5~dev49-3.8.4 
openstack-nova-novncproxy-16.1.5~dev49-3.8.4 openstack-nova-placement-api-16.1.5~dev49-3.8.4 openstack-nova-scheduler-16.1.5~dev49-3.8.4 openstack-nova-serialproxy-16.1.5~dev49-3.8.4 openstack-nova-virt-zvm-8.0.1~dev56-3.3.4 openstack-nova-vncproxy-16.1.5~dev49-3.8.4 openstack-octavia-1.0.3~dev21-4.6.3 openstack-octavia-amphora-agent-1.0.3~dev21-4.6.3 openstack-octavia-api-1.0.3~dev21-4.6.3 openstack-octavia-health-manager-1.0.3~dev21-4.6.3 openstack-octavia-housekeeping-1.0.3~dev21-4.6.3 openstack-octavia-worker-1.0.3~dev21-4.6.3 openstack-trove-8.0.1~dev11-3.3.3 openstack-trove-api-8.0.1~dev11-3.3.3 openstack-trove-conductor-8.0.1~dev11-3.3.3 openstack-trove-doc-8.0.1~dev11-3.3.3 openstack-trove-guestagent-8.0.1~dev11-3.3.3 openstack-trove-taskmanager-8.0.1~dev11-3.3.3 python-aodh-5.1.1~dev5-3.5.3 python-barbican-5.0.1~dev11-3.8.3 python-barbicanclient-4.5.2-4.3.2 python-barbicanclient-doc-4.5.2-4.3.2 python-cinder-11.1.2~dev14-3.6.3 python-designate-5.0.2~dev5-3.5.3 python-glance-15.0.2~dev4-3.3.3 python-heat-9.0.5~dev11-3.6.3 python-horizon-12.0.4~dev1-3.8.3 python-horizon-plugin-designate-ui-5.0.2~dev5-3.3.5 python-horizon-plugin-freezer-ui-5.0.1~dev6-3.3.5 python-horizon-plugin-gbp-ui-5.0.1~dev21-4.3.3 python-horizon-plugin-manila-ui-2.10.3~dev4-4.5.5 python-horizon-plugin-neutron-lbaas-ui-3.0.3~dev2-3.5.4 python-horizon-plugin-trove-ui-9.0.1~dev7-3.3.5 python-ironic-9.1.5~dev7-3.6.3 python-keystone-12.0.1~dev19-5.8.3 python-keystone-json-assignment-0.0.2-3.3.2 python-manila-5.0.2~dev55-3.6.3 python-manilaclient-1.17.3-3.3.2 python-manilaclient-doc-1.17.3-3.3.2 python-neutron-11.0.6~dev63-3.6.3 python-neutron-fwaas-11.0.2~dev7-3.5.3 python-neutron-lbaas-11.0.4~dev4-3.3.4 python-neutron-vpnaas-11.0.1~dev1-3.3.3 python-nova-16.1.5~dev49-3.8.4 python-octavia-1.0.3~dev21-4.6.3 python-trove-8.0.1~dev11-3.3.3 python-vmware-nsx-11.0.3~dev16-3.3.2 python-vmware-nsxlib-11.0.4~dev7-3.3.2 venv-openstack-aodh-x86_64-5.0.1-12.4.1 
venv-openstack-barbican-x86_64-5.0.1-12.5.1 venv-openstack-cinder-x86_64-11.0.2-14.5.1 venv-openstack-designate-x86_64-5.0.1-12.3.1 venv-openstack-glance-x86_64-15.0.1-12.3.1 venv-openstack-heat-x86_64-9.0.1-12.5.1 venv-openstack-horizon-x86_64-11.0.2-14.6.1 venv-openstack-ironic-x86_64-9.1.3-12.5.1 venv-openstack-keystone-x86_64-12.0.1-11.5.1 venv-openstack-magnum-x86_64-5.0.2-11.4.1 venv-openstack-manila-x86_64-5.0.2-12.5.1 venv-openstack-neutron-x86_64-11.0.2-13.8.1 venv-openstack-nova-x86_64-16.0.3-11.6.1 venv-openstack-octavia-x86_64-1.0.2-12.5.1 venv-openstack-sahara-x86_64-7.0.1-11.4.1 venv-openstack-trove-x86_64-8.0.0.0-11.4.1 - HPE Helion Openstack 8 (noarch): openstack-aodh-5.1.1~dev5-3.5.3 openstack-aodh-api-5.1.1~dev5-3.5.3 openstack-aodh-doc-5.1.1~dev5-3.5.4 openstack-aodh-evaluator-5.1.1~dev5-3.5.3 openstack-aodh-expirer-5.1.1~dev5-3.5.3 openstack-aodh-listener-5.1.1~dev5-3.5.3 openstack-aodh-notifier-5.1.1~dev5-3.5.3 openstack-barbican-5.0.1~dev11-3.8.3 openstack-barbican-api-5.0.1~dev11-3.8.3 openstack-barbican-doc-5.0.1~dev11-3.8.3 openstack-barbican-keystone-listener-5.0.1~dev11-3.8.3 openstack-barbican-retry-5.0.1~dev11-3.8.3 openstack-barbican-worker-5.0.1~dev11-3.8.3 openstack-cinder-11.1.2~dev14-3.6.3 openstack-cinder-api-11.1.2~dev14-3.6.3 openstack-cinder-backup-11.1.2~dev14-3.6.3 openstack-cinder-doc-11.1.2~dev14-3.6.4 openstack-cinder-scheduler-11.1.2~dev14-3.6.3 openstack-cinder-volume-11.1.2~dev14-3.6.3 openstack-dashboard-12.0.4~dev1-3.8.3 openstack-designate-5.0.2~dev5-3.5.3 openstack-designate-agent-5.0.2~dev5-3.5.3 openstack-designate-api-5.0.2~dev5-3.5.3 openstack-designate-central-5.0.2~dev5-3.5.3 openstack-designate-doc-5.0.2~dev5-3.5.3 openstack-designate-producer-5.0.2~dev5-3.5.3 openstack-designate-sink-5.0.2~dev5-3.5.3 openstack-designate-worker-5.0.2~dev5-3.5.3 openstack-glance-15.0.2~dev4-3.3.3 openstack-glance-api-15.0.2~dev4-3.3.3 openstack-glance-doc-15.0.2~dev4-3.3.3 openstack-glance-registry-15.0.2~dev4-3.3.3 
openstack-heat-9.0.5~dev11-3.6.3 openstack-heat-api-9.0.5~dev11-3.6.3 openstack-heat-api-cfn-9.0.5~dev11-3.6.3 openstack-heat-api-cloudwatch-9.0.5~dev11-3.6.3 openstack-heat-doc-9.0.5~dev11-3.6.4 openstack-heat-engine-9.0.5~dev11-3.6.3 openstack-heat-plugin-heat_docker-9.0.5~dev11-3.6.3 openstack-heat-templates-0.0.0+git.1525957319.6b5a7cd-3.3.3 openstack-heat-test-9.0.5~dev11-3.6.3 openstack-horizon-plugin-designate-ui-5.0.2~dev5-3.3.5 openstack-horizon-plugin-freezer-ui-5.0.1~dev6-3.3.5 openstack-horizon-plugin-gbp-ui-5.0.1~dev21-4.3.3 openstack-horizon-plugin-manila-ui-2.10.3~dev4-4.5.5 openstack-horizon-plugin-neutron-lbaas-ui-3.0.3~dev2-3.5.4 openstack-horizon-plugin-trove-ui-9.0.1~dev7-3.3.5 openstack-ironic-9.1.5~dev7-3.6.3 openstack-ironic-api-9.1.5~dev7-3.6.3 openstack-ironic-conductor-9.1.5~dev7-3.6.3 openstack-ironic-doc-9.1.5~dev7-3.6.3 openstack-keystone-12.0.1~dev19-5.8.3 openstack-keystone-doc-12.0.1~dev19-5.8.3 openstack-manila-5.0.2~dev55-3.6.3 openstack-manila-api-5.0.2~dev55-3.6.3 openstack-manila-data-5.0.2~dev55-3.6.3 openstack-manila-doc-5.0.2~dev55-3.6.4 openstack-manila-scheduler-5.0.2~dev55-3.6.3 openstack-manila-share-5.0.2~dev55-3.6.3 openstack-neutron-11.0.6~dev63-3.6.3 openstack-neutron-dhcp-agent-11.0.6~dev63-3.6.3 openstack-neutron-doc-11.0.6~dev63-3.6.3 openstack-neutron-fwaas-11.0.2~dev7-3.5.3 openstack-neutron-fwaas-doc-11.0.2~dev7-3.5.3 openstack-neutron-ha-tool-11.0.6~dev63-3.6.3 openstack-neutron-l3-agent-11.0.6~dev63-3.6.3 openstack-neutron-lbaas-11.0.4~dev4-3.3.4 openstack-neutron-lbaas-agent-11.0.4~dev4-3.3.4 openstack-neutron-lbaas-doc-11.0.4~dev4-3.3.3 openstack-neutron-linuxbridge-agent-11.0.6~dev63-3.6.3 openstack-neutron-macvtap-agent-11.0.6~dev63-3.6.3 openstack-neutron-metadata-agent-11.0.6~dev63-3.6.3 openstack-neutron-metering-agent-11.0.6~dev63-3.6.3 openstack-neutron-openvswitch-agent-11.0.6~dev63-3.6.3 openstack-neutron-server-11.0.6~dev63-3.6.3 openstack-neutron-vpn-agent-11.0.1~dev1-3.3.3 
openstack-neutron-vpnaas-11.0.1~dev1-3.3.3 openstack-neutron-vpnaas-doc-11.0.1~dev1-3.3.3 openstack-neutron-vyatta-agent-11.0.1~dev1-3.3.3 openstack-neutron-zvm-agent-8.0.1~dev12-4.3.3 openstack-nova-16.1.5~dev49-3.8.4 openstack-nova-api-16.1.5~dev49-3.8.4 openstack-nova-cells-16.1.5~dev49-3.8.4 openstack-nova-compute-16.1.5~dev49-3.8.4 openstack-nova-conductor-16.1.5~dev49-3.8.4 openstack-nova-console-16.1.5~dev49-3.8.4 openstack-nova-consoleauth-16.1.5~dev49-3.8.4 openstack-nova-doc-16.1.5~dev49-3.8.4 openstack-nova-novncproxy-16.1.5~dev49-3.8.4 openstack-nova-placement-api-16.1.5~dev49-3.8.4 openstack-nova-scheduler-16.1.5~dev49-3.8.4 openstack-nova-serialproxy-16.1.5~dev49-3.8.4 openstack-nova-virt-zvm-8.0.1~dev56-3.3.4 openstack-nova-vncproxy-16.1.5~dev49-3.8.4 openstack-octavia-1.0.3~dev21-4.6.3 openstack-octavia-amphora-agent-1.0.3~dev21-4.6.3 openstack-octavia-api-1.0.3~dev21-4.6.3 openstack-octavia-health-manager-1.0.3~dev21-4.6.3 openstack-octavia-housekeeping-1.0.3~dev21-4.6.3 openstack-octavia-worker-1.0.3~dev21-4.6.3 openstack-trove-8.0.1~dev11-3.3.3 openstack-trove-api-8.0.1~dev11-3.3.3 openstack-trove-conductor-8.0.1~dev11-3.3.3 openstack-trove-doc-8.0.1~dev11-3.3.3 openstack-trove-guestagent-8.0.1~dev11-3.3.3 openstack-trove-taskmanager-8.0.1~dev11-3.3.3 python-aodh-5.1.1~dev5-3.5.3 python-barbican-5.0.1~dev11-3.8.3 python-barbicanclient-4.5.2-4.3.2 python-barbicanclient-doc-4.5.2-4.3.2 python-cinder-11.1.2~dev14-3.6.3 python-designate-5.0.2~dev5-3.5.3 python-glance-15.0.2~dev4-3.3.3 python-heat-9.0.5~dev11-3.6.3 python-horizon-12.0.4~dev1-3.8.3 python-horizon-plugin-designate-ui-5.0.2~dev5-3.3.5 python-horizon-plugin-freezer-ui-5.0.1~dev6-3.3.5 python-horizon-plugin-gbp-ui-5.0.1~dev21-4.3.3 python-horizon-plugin-manila-ui-2.10.3~dev4-4.5.5 python-horizon-plugin-neutron-lbaas-ui-3.0.3~dev2-3.5.4 python-horizon-plugin-trove-ui-9.0.1~dev7-3.3.5 python-ironic-9.1.5~dev7-3.6.3 python-keystone-12.0.1~dev19-5.8.3 
python-keystone-json-assignment-0.0.2-3.3.2 python-manila-5.0.2~dev55-3.6.3 python-manilaclient-1.17.3-3.3.2 python-manilaclient-doc-1.17.3-3.3.2 python-neutron-11.0.6~dev63-3.6.3 python-neutron-fwaas-11.0.2~dev7-3.5.3 python-neutron-lbaas-11.0.4~dev4-3.3.4 python-neutron-vpnaas-11.0.1~dev1-3.3.3 python-nova-16.1.5~dev49-3.8.4 python-octavia-1.0.3~dev21-4.6.3 python-trove-8.0.1~dev11-3.3.3 python-vmware-nsx-11.0.3~dev16-3.3.2 python-vmware-nsxlib-11.0.4~dev7-3.3.2 venv-openstack-aodh-x86_64-5.0.1-12.4.1 venv-openstack-barbican-x86_64-5.0.1-12.5.1 venv-openstack-cinder-x86_64-11.0.2-14.5.1 venv-openstack-designate-x86_64-5.0.1-12.3.1 venv-openstack-glance-x86_64-15.0.1-12.3.1 venv-openstack-heat-x86_64-9.0.1-12.5.1 venv-openstack-horizon-hpe-x86_64-11.0.2-14.6.1 venv-openstack-ironic-x86_64-9.1.3-12.5.1 venv-openstack-keystone-x86_64-12.0.1-11.5.1 venv-openstack-magnum-x86_64-5.0.2-11.4.1 venv-openstack-manila-x86_64-5.0.2-12.5.1 venv-openstack-neutron-x86_64-11.0.2-13.8.1 venv-openstack-nova-x86_64-16.0.3-11.6.1 venv-openstack-octavia-x86_64-1.0.2-12.5.1 venv-openstack-sahara-x86_64-7.0.1-11.4.1 venv-openstack-trove-x86_64-8.0.0.0-11.4.1 References: https://www.suse.com/security/cve/CVE-2018-14432.html https://bugzilla.suse.com/1084362 https://bugzilla.suse.com/1102151 From sle-updates at lists.suse.com Thu Sep 20 04:12:28 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 12:12:28 +0200 (CEST) Subject: SUSE-SU-2018:2762-1: moderate: Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui Message-ID: <20180920101228.79AEFFCF0@maintenance.suse.de> SUSE Security Update: Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2762-1 Rating: moderate References: #1005886 #1073703 #1081518 #1083093 #1090336 #1093898 #1095420 #1096043 
                    #1096759 #1098369 #1099392
Cross-References:   CVE-2016-8611 CVE-2018-3760
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
______________________________________________________________________________

   An update that solves two vulnerabilities and has 9 fixes is now available.

Description:

   This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:

   These security issues were fixed:

   - CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak. Specially crafted requests could have been used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is used in production (bsc#1098369).
   - CVE-2016-861: Add rate limiting for glance api (bsc#1005886)

   These non-security issues were fixed for crowbar:

   - upgrade: Lock crowbar-ui before admin upgrade
   - upgrade: Make sure schemas are properly migrated after the upgrade
   - upgrade: No need for database dump before the upgrade
   - upgrade: No need to use crowbar-init during the upgrade

   These non-security issues were fixed for crowbar-core:

   - upgrade: Remove pre-upgrade constraints from existing locations
   - upgrade: Show the grep result when checking for not-migrated instances
   - upgrade: Set clone_stateless_services to false on upgrade
   - control_lib: fix host allocation check
   - Fix exception handling in get_log_lines
   - apache: copytruncate apache logs bsc#1083093
   - upgrade: Refresh repos before crowbar-ui update (bsc#1099392)
   - upgrade: Reset RabbitMQ nodes during upgrade
   - upgrade: Do not allow cinder-volume on compute nodes
   - upgrade: Wait until all nova-compute services are up before evacuation
   - upgrade: Save the information which set of nodes should be upgraded
   - Let skip_unready_nodes skip also nodes that are in crowbar_upgrade state
   - upgrade: Add missing brackets checking for nodes
   - upgrade: Make sure postponed nodes can be skipped when applying proposal
   - upgrade: When the upgrade is not finished, show a link to wizard
   - upgrade: Correctly delete remaining upgrade scripts
   - upgrade: Wait for services shutdown to finish
   - upgrade: Unlock crowbar-ui after completed upgrade
   - upgrade: Stop cron before stopping any other service
   - upgrade: Provide better information after the failure
   - upgrade: Report missing scripts
   - upgrade: Better check for upgraded nodes - do not rely on state
   - upgrade: Improve error messages with lists
   - upgrade: Check input is a valid node for nodes
   - upgrade: Delete upgrade scripts really at the end of upgrade
   - upgrade: Increase the timeout for deleting pacemaker resources
   - upgrade: Adapt the check for upgraded? value
   - upgrade: Move step to mark the admin upgrade end
   - upgrade: Do not finalize nodes that are not upgraded
   - upgrade: Fix file layout for rails' autoloading (bsc#1096759)
   - upgrade: Deleting cinder services from database no longer needed
   - upgrade: Allow postpone and resume of compute nodes upgrade
   - upgrade: Allow the access to controller actions when upgrade is postponed
   - upgrade: Finalize upgrade of controller nodes after they are done
   - upgrade: Added API calls for postponing/resuming compute nodes upgrade
   - upgrade: Unblock upgrade status API in Cloud8
   - upgrade: Do not end admin step while it is still running (bsc#1095420)
   - upgrade: Adapt ceph-related checks to 7-8 upgrade
   - upgrade: Allow running schema migrations on upgrade
   - upgrade: Fix platform retrieval

   These non-security issues were fixed for crowbar-ha:

   - pacemaker: allow multiple meta parameters (bsc#1093898)
   - haproxy: active-active mode, just one VIP

   These non-security issues were fixed for crowbar-openstack:

   - Synchronize SSL in the cluster (bsc#1081518)
   - neutron: add force_metadata attribute
   - rabbitmq: set client timeout to default value
   - /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf
   - Do not automatically put manila-share roles to compute nodes
   - rabbitmq: check for rabbit readiness
   - rabbitmq: Make sure rabbit is running on cluster
- monasca: various monasca-installer improvements - monasca: reduce monasca-installer runs (bsc#1096043) - manila: Correct field name for cluster name - Do not mark [:nova][:db_synced] too early - nova: Do not do partial online migrations, that was Newton specific - monasca: add elasticsearch tunables (bsc#1090336) - copytruncate apache logs instead of creating - rabbitmq: Better dependency check - aodh: Add config for alarm_history_ttl (bsc#1073703) - upgrade: cinder: run live migrations at correct rev These non-security issues were fixed for crowbar-ui: - upgrade: Dummy backend for status testing - upgrade: Refactor postpone nodes upgrade - upgrade: Allow interruption of status wait loop - upgrade: Added ability to postpone upgrade nodes - upgrade: Add ability to postpone upgrade nodes - upgrade: Add ability to postpone upgrade nodes - upgrade: Add ability to postpone upgrade nodes - Add ability to postpone upgrade - upgrade: Remove openstack precheck - upgrade: Fixed error key for ha_configured - upgrade: Remove CEPH related code - Remove the non-essential database-configuration controller - remove ui typo test - Remove database configuration option - upgrade: Update SUSE-OpenStack-Cloud-8 label - upgrade: Update admin and nodes repo names Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1928=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2 crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2 - SUSE OpenStack Cloud Crowbar 8 (noarch): crowbar-5.0+git.1528696845.81a7b5d0-3.3.1 crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1 crowbar-ha-5.0+git.1530177874.35b9099-3.3.1 crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1 crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2 crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1 References: https://www.suse.com/security/cve/CVE-2016-8611.html https://www.suse.com/security/cve/CVE-2018-3760.html https://bugzilla.suse.com/1005886 https://bugzilla.suse.com/1073703 https://bugzilla.suse.com/1081518 https://bugzilla.suse.com/1083093 https://bugzilla.suse.com/1090336 https://bugzilla.suse.com/1093898 https://bugzilla.suse.com/1095420 https://bugzilla.suse.com/1096043 https://bugzilla.suse.com/1096759 https://bugzilla.suse.com/1098369 https://bugzilla.suse.com/1099392 From sle-updates at lists.suse.com Thu Sep 20 04:15:24 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 12:15:24 +0200 (CEST) Subject: SUSE-SU-2018:2763-1: moderate: Security update for pango Message-ID: <20180920101524.0BC52FCF0@maintenance.suse.de> SUSE Security Update: Security update for pango ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2763-1 Rating: moderate References: #1103877 Cross-References: CVE-2018-15120 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for pango fixes the following issues: Security issue fixed: - CVE-2018-15120: Fixed a denial of service when parsing emoji (bsc#1103877) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1931=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1931=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (x86_64): libpango-1_0-0-32bit-1.40.14-3.3.1 libpango-1_0-0-32bit-debuginfo-1.40.14-3.3.1 pango-debugsource-1.40.14-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libpango-1_0-0-1.40.14-3.3.1 libpango-1_0-0-debuginfo-1.40.14-3.3.1 pango-debugsource-1.40.14-3.3.1 pango-devel-1.40.14-3.3.1 typelib-1_0-Pango-1_0-1.40.14-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-15120.html https://bugzilla.suse.com/1103877 From sle-updates at lists.suse.com Thu Sep 20 04:16:47 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 12:16:47 +0200 (CEST) Subject: SUSE-SU-2018:2765-1: moderate: Security update for couchdb Message-ID: <20180920101647.41380FCF0@maintenance.suse.de> SUSE Security Update: Security update for couchdb ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2765-1 Rating: moderate References: #1100973 Cross-References: CVE-2018-8007 Affected Products: SUSE OpenStack Cloud Crowbar 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for couchdb fixes the following security issues: - CVE-2018-8007: Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it was possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API (bsc#1100973) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1930=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): couchdb-1.7.2-3.3.1 couchdb-debuginfo-1.7.2-3.3.1 couchdb-debugsource-1.7.2-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-8007.html https://bugzilla.suse.com/1100973 From sle-updates at lists.suse.com Thu Sep 20 07:07:56 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:07:56 +0200 (CEST) Subject: SUSE-RU-2018:2766-1: moderate: Recommended update for novnc Message-ID: <20180920130756.70D39FD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for novnc ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2766-1 Rating: moderate References: #1052286 #1077940 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for novnc provides version 1.0.0 and fixes the following issues: - Application: + Heavily revamped interface. + Everything is translated. 
+ Automatic reconnect on disconnects. + Better handling of on screen keyboards. + Support for VNC "bell" sound. - Library: + Cleaned up, official and stable API. + Converted to ES6 modules. + Much improved keyboard handling. (bsc#1052286, bsc#1077940) + Support for QEMU's raw keyboard extension. + Support for continuous updates extension. + Proper handling of machines with both touch and mouse/trackpad. + Better handling of mouse wheels. + More responsive and performant panning. + Colour map mode is no longer supported. - Misc: + Add manpage. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1935=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2018-1935=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2018-1935=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): novnc-1.0.0-3.3.1 - SUSE OpenStack Cloud 8 (noarch): novnc-1.0.0-3.3.1 - HPE Helion Openstack 8 (noarch): novnc-1.0.0-3.3.1 References: https://bugzilla.suse.com/1052286 https://bugzilla.suse.com/1077940 From sle-updates at lists.suse.com Thu Sep 20 07:08:39 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:08:39 +0200 (CEST) Subject: SUSE-RU-2018:2767-1: moderate: Recommended update for cri-o Message-ID: <20180920130839.E72A2FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for cri-o ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2767-1 Rating: moderate References: #1100838 Affected Products: SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for cri-o to version v1.9.14 fixes the following issues: - mask /proc/{acpi,keys} (bsc#1100838) - fix race between container create and cadvisor asking for info Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE CaaS Platform 3.0 (x86_64): cri-o-1.9.14-4.3.10 References: https://bugzilla.suse.com/1100838 From sle-updates at lists.suse.com Thu Sep 20 07:09:10 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:09:10 +0200 (CEST) Subject: SUSE-RU-2018:2768-1: moderate: Recommended update for rubygem-chef Message-ID: <20180920130910.670F1FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for rubygem-chef ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2768-1 Rating: moderate References: #1050173 Affected Products: SUSE OpenStack Cloud Crowbar 8 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for rubygem-chef fixes the following issues: - Add patch that catches any exceptions when converting a resource hash object into json. (bsc#1050173) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1936=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ruby2.1-rubygem-chef-10.32.2-4.3.1 rubygem-chef-10.32.2-4.3.1 References: https://bugzilla.suse.com/1050173 From sle-updates at lists.suse.com Thu Sep 20 07:09:45 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:09:45 +0200 (CEST) Subject: SUSE-RU-2018:2769-1: Recommended update for the OpenStack Cloud 8 documentation Message-ID: <20180920130945.D4D08FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for the OpenStack Cloud 8 documentation ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2769-1 Rating: low References: #1081097 #1097909 #1099205 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for the OpenStack Cloud 8 documentation fixes the following issues: - Updates to migration steps to improve migration safety. - Fix start database procedure in disaster recovery test. (bsc#1081097) - Clarify IPA image section in Installation Guide. - Add disable fw notice. (bsc#1099205) - Add linkend to example configurations. - Improve wording for initial SEED server. (bsc#1097909) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1934=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2018-1934=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2018-1934=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): documentation-suse-openstack-cloud-deployment-8.20180706-1.3.1 documentation-suse-openstack-cloud-supplement-8.20180706-1.3.1 documentation-suse-openstack-cloud-upstream-admin-8.20180706-1.3.1 documentation-suse-openstack-cloud-upstream-user-8.20180706-1.3.1 - SUSE OpenStack Cloud 8 (noarch): documentation-suse-openstack-cloud-installation-8.20180706-1.3.1 documentation-suse-openstack-cloud-operations-8.20180706-1.3.1 documentation-suse-openstack-cloud-opsconsole-8.20180706-1.3.1 documentation-suse-openstack-cloud-planning-8.20180706-1.3.1 documentation-suse-openstack-cloud-security-8.20180706-1.3.1 documentation-suse-openstack-cloud-supplement-8.20180706-1.3.1 documentation-suse-openstack-cloud-upstream-admin-8.20180706-1.3.1 documentation-suse-openstack-cloud-upstream-user-8.20180706-1.3.1 documentation-suse-openstack-cloud-user-8.20180706-1.3.1 - HPE Helion Openstack 8 (noarch): documentation-hpe-helion-openstack-installation-8.20180706-1.3.1 documentation-hpe-helion-openstack-operations-8.20180706-1.3.1 documentation-hpe-helion-openstack-opsconsole-8.20180706-1.3.1 documentation-hpe-helion-openstack-planning-8.20180706-1.3.1 documentation-hpe-helion-openstack-security-8.20180706-1.3.1 documentation-hpe-helion-openstack-user-8.20180706-1.3.1 References: https://bugzilla.suse.com/1081097 https://bugzilla.suse.com/1097909 https://bugzilla.suse.com/1099205 From sle-updates at lists.suse.com Thu Sep 20 07:10:36 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:10:36 +0200 (CEST) Subject: SUSE-RU-2018:2770-1: moderate: Recommended update for 
fence-agents Message-ID: <20180920131036.7975CFCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for fence-agents ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2770-1 Rating: moderate References: #1025149 #1049852 #1074000 #1096412 #1097260 Affected Products: SUSE Linux Enterprise High Availability 12-SP3 ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. Description: This update for fence-agents provides the following fix: - fence_compute: Add support for keystone v3 authentication. (bsc#1074000, bsc#1097260, bsc#1096412) - Downgrade some agent-specific dependencies to recommends (bsc#1025149) - fencing: include timestamps when logging to STDERR and debug file (bsc#1049852) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-1938=1 Package List: - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): fence-agents-4.0.25+git.1485179354.eb43835-4.8.1 fence-agents-debuginfo-4.0.25+git.1485179354.eb43835-4.8.1 fence-agents-debugsource-4.0.25+git.1485179354.eb43835-4.8.1 References: https://bugzilla.suse.com/1025149 https://bugzilla.suse.com/1049852 https://bugzilla.suse.com/1074000 https://bugzilla.suse.com/1096412 https://bugzilla.suse.com/1097260 From sle-updates at lists.suse.com Thu Sep 20 07:11:47 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:11:47 +0200 (CEST) Subject: SUSE-SU-2018:2771-1: moderate: Security update for gdm Message-ID: <20180920131147.D0794FCF0@maintenance.suse.de> SUSE Security Update: Security update for gdm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2771-1 Rating: moderate References: #1081947 #1103093 #1103737 Cross-References: CVE-2018-14424 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. 
Description: This update for gdm provides the following fixes: This security issue was fixed: - CVE-2018-14424: The daemon in GDM did not properly unexport display objects from its D-Bus interface when they are destroyed, which allowed a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or potential code execution (bsc#1103737) These non-security issues were fixed: - Enable pam_keyinit module (bsc#1081947) - Fix a build race in SLE (bsc#1103093) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1939=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): gdm-3.26.2.1-13.9.1 gdm-debuginfo-3.26.2.1-13.9.1 gdm-debugsource-3.26.2.1-13.9.1 gdm-devel-3.26.2.1-13.9.1 libgdm1-3.26.2.1-13.9.1 libgdm1-debuginfo-3.26.2.1-13.9.1 typelib-1_0-Gdm-1_0-3.26.2.1-13.9.1 - SUSE Linux Enterprise Module for Desktop Applications 15 (noarch): gdm-lang-3.26.2.1-13.9.1 gdmflexiserver-3.26.2.1-13.9.1 References: https://www.suse.com/security/cve/CVE-2018-14424.html https://bugzilla.suse.com/1081947 https://bugzilla.suse.com/1103093 https://bugzilla.suse.com/1103737 From sle-updates at lists.suse.com Thu Sep 20 07:12:41 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:12:41 +0200 (CEST) Subject: SUSE-RU-2018:2772-1: moderate: Recommended update for rubygem-crowbar-client Message-ID: <20180920131241.636DCFCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for rubygem-crowbar-client ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2772-1 Rating: moderate 
References: #1024498 Affected Products: SUSE OpenStack Cloud Crowbar 8 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for rubygem-crowbar-client fixes the following issues: - Fix node show help (bsc#1024498) - Extend the clean restart flags - Add an option to identify the version of product being upgraded - Add support for postpone/resume upgrade actions Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1937=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ruby2.1-rubygem-crowbar-client-3.6.0-3.3.1 References: https://bugzilla.suse.com/1024498 From sle-updates at lists.suse.com Thu Sep 20 07:13:12 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 20 Sep 2018 15:13:12 +0200 (CEST) Subject: SUSE-RU-2018:2773-1: moderate: Recommended update for ovmf Message-ID: <20180920131312.C3FC8FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2773-1 Rating: moderate References: #1099193 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for ovmf fixes the following issues: - Fix the missing EFI variables when SEV is set. (bsc#1099193) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-1933=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.6.1 ovmf-tools-2017+git1510945757.b2662641d5-5.6.1 - SUSE Linux Enterprise Module for Server Applications 15 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.6.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.6.1 References: https://bugzilla.suse.com/1099193 From sle-updates at lists.suse.com Thu Sep 20 16:08:37 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 00:08:37 +0200 (CEST) Subject: SUSE-SU-2018:2775-1: important: Security update for the Linux Kernel Message-ID: <20180920220837.74C92FCF0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2775-1 Rating: important References: #1012382 #1015342 #1015343 #1017967 #1019695 #1019699 #1020412 #1021121 #1022604 #1024361 #1024365 #1024376 #1027968 #1030552 #1031492 #1033962 #1042286 #1048317 #1050431 #1053685 #1055014 #1056596 #1062604 #1063646 #1064232 #1065364 #1066223 #1068032 #1068075 #1069138 #1078921 #1080157 #1083663 #1085042 #1085536 #1085539 #1086457 #1087092 #1089066 #1090888 #1091171 #1091860 #1096254 #1096748 #1097105 #1098253 #1098822 #1099597 #1099810 #1099811 #1099813 #1099832 #1099844 #1099845 #1099846 #1099849 #1099863 #1099864 #1099922 #1099999 #1100000 #1100001 #1100132 #1101822 #1101841 #1102346 #1102486 #1102517 #1102715 #1102797 #1103269 #1103445 #1103717 #1104319 #1104485 #1104494 #1104495 #1104683 #1104897 #1105271 #1105292 #1105322 #1105323 #1105392 #1105396 #1105524 #1105536 #1105769 #1106016 #1106105 #1106185 #1106229 #1106271 #1106275 #1106276 #1106278 #1106281 #1106283 #1106369 
#1106509 #1106511 #1106697 #1106929 #1106934 #1106995 #1107060 #1107078 #1107319 #1107320 #1107689 #1107735 #1107966 #963575 #966170 #966172 #969470 #969476 #969477 #970506 Cross-References: CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-10902 CVE-2018-10938 CVE-2018-1128 CVE-2018-1129 CVE-2018-12896 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-15572 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555 CVE-2018-9363 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 ______________________________________________________________________________ An update that solves 21 vulnerabilities and has 98 fixes is now available. Description: The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurred because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001). - CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999). - CVE-2018-13094: Prevent OOPS that may have occurred for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000). - CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. 
This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922). - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689). - CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511). - CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509). - CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748). - CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748). - CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016). - CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517). - CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). 
A malicious local attacker could have used this for privilege escalation (bnc#1105322 1105323). - CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292) - CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863). - CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844). - CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813). - CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811). - CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846). - CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864). - CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849). - CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845). The following non-security bugs were fixed: - 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382). - 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382). 
- 9p: fix multiple NULL-pointer-dereferences (bnc#1012382). - ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382). - ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382). - ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382). - ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382). - ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382). - ALSA: emu10k1: Rate-limit error messages about page errors (bnc#1012382). - ALSA: emu10k1: add error handling for snd_ctl_add (bnc#1012382). - ALSA: fm801: add error handling for snd_ctl_add (bnc#1012382). - ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382). - ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382). - ALSA: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382). - ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382). - ALSA: memalloc: Do not exceed over the requested size (bnc#1012382). - ALSA: rawmidi: Change resized buffers atomically (bnc#1012382). - ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810). - ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382). - ALSA: virmidi: Fix too long output trigger loop (bnc#1012382). - ALSA: vx222: Fix invalid endian conversions (bnc#1012382). - ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382). - ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382). - ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382). - ARC: Fix CONFIG_SWAP (bnc#1012382). - ARC: mm: allow mprotect to make stack mappings executable (bnc#1012382). - ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382). - ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382). - ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382). - ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382). 
- ARM: dts: da850: Fix interrups property for gpio (bnc#1012382). - ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382). - ARM: fix put_user() for gcc-8 (bnc#1012382). - ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382). - ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382). - ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382). - ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382). - ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver. - ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382). - ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382). - ASoC: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382). - ASoC: pxa: Fix module autoload for platform drivers (bnc#1012382). - ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382). - Add reference to bsc#1091171 (bnc#1012382; bsc#1091171). - Bluetooth: avoid killing an already killed socket (bnc#1012382). - Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382). - Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092). - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092). - Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning (bnc#1012382). - Documentation/spec_ctrl: Do some minor cleanups (bnc#1012382). - HID: hid-plantronics: Re-resend Update to map button for PTT products (bnc#1012382). - HID: i2c-hid: check if device is there before really probing (bnc#1012382). - HID: wacom: Correct touch maximum XY of 2nd-gen Intuos (bnc#1012382). - IB/core: Make testing MR flags for writability a static inline function (bnc#1012382). - IB/core: Remove duplicate declaration of gid_cache_wq (bsc#1056596). - IB/iser: Do not reduce max_sectors (bsc#1063646). - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'. - IB/mlx4: Mark user MR as writable if actual virtual memory is writable (bnc#1012382). 
- IB/mlx5: Fetch soft WQE's on fatal error state (bsc#1015342 bsc#1015343).
- IB/mlx5: Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- IB/ocrdma: fix out of bounds access to local buffer (bnc#1012382).
- Input: elan_i2c - add ACPI ID for lenovo ideapad 330 (bnc#1012382).
- Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST (bnc#1012382).
- Input: i8042 - add Lenovo LaVie Z to the i8042 reset list (bnc#1012382).
- KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel (bnc#1012382).
- KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
- KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- KVM: arm/arm64: Skip updating PMD entry if no change (bnc#1012382).
- KVM: arm/arm64: Skip updating PTE entry if no change (bnc#1012382).
- KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer (bnc#1012382).
- KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- MIPS: Correct the 64-bit DSP accumulator register size (bnc#1012382).
- MIPS: Fix off-by-one in pci_resource_to_user() (bnc#1012382).
- MIPS: ath79: fix register address in ath79_ddr_wb_flush() (bnc#1012382).
- MIPS: lib: Provide MIPS64r6 __multi3() for GCC lower than < 7 (bnc#1012382).
- NET: stmmac: align DMA stuff to largest cache line length (bnc#1012382).
- PCI: Prevent sysfs disable of device while driver is attached (bnc#1012382).
- PCI: Skip MPS logic for Virtual Functions (VFs) (bnc#1012382).
- PCI: hotplug: Do not leak pci_slot on registration failure (bnc#1012382).
- PCI: pciehp: Fix use-after-free on unplug (bnc#1012382).
- PCI: pciehp: Request control of native hotplug only if supported (bnc#1012382).
- PM / sleep: wakeup: Fix build error caused by missing SRCU support (bnc#1012382).
- RDMA/i40iw: Avoid panic when objects are being created and destroyed (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid reference leaks when processing the AEQ (bsc#969476 bsc#969477).
- RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1024376).
- RDMA/mad: Convert BUG_ONs to error flows (bnc#1012382).
- RDMA/mlx5: Use proper spec flow label type (bsc#1015342 bsc#1015343).
- Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum" (bnc#1012382).
- Revert "UBIFS: Fix potential integer overflow in allocation" (bnc#1012382).
- Revert "f2fs: handle dirty segments inside refresh_sit_entry" (bsc#1106281).
- Revert "mm: page_alloc: skip over regions of invalid pfns where possible" (bnc#1107078).
- Revert 'block-cancel-workqueue-entries-on-blk_mq_freeze_queue' (bsc#1103717).
- Smack: Mark inode instant in smack_task_to_inode (bnc#1012382).
- USB: musb: fix external abort on suspend (bsc#1085536).
- USB: option: add support for DW5821e (bnc#1012382).
- USB: serial: metro-usb: stop I/O after failed open (bsc#1085539).
- USB: serial: sierra: fix potential deadlock at close (bnc#1012382).
- Workaround kABI breakage by __must_check drop of strscpy() (bsc#1107319).
- afs: Fix directory permissions check (bsc#1106283).
- arc: fix build errors in arc/include/asm/delay.h (bnc#1012382).
- arc: fix type warnings in arc/mm/cache.c (bnc#1012382).
- arm64: make secondary_start_kernel() notrace (bnc#1012382).
- arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() (bnc#1012382).
- ath: Add regulatory mapping for APL13_WORLD (bnc#1012382).
- ath: Add regulatory mapping for APL2_FCCA (bnc#1012382).
- ath: Add regulatory mapping for Bahamas (bnc#1012382).
- ath: Add regulatory mapping for Bermuda (bnc#1012382).
- ath: Add regulatory mapping for ETSI8_WORLD (bnc#1012382).
- ath: Add regulatory mapping for FCC3_ETSIC (bnc#1012382).
- ath: Add regulatory mapping for Serbia (bnc#1012382).
- ath: Add regulatory mapping for Tanzania (bnc#1012382).
- ath: Add regulatory mapping for Uganda (bnc#1012382).
- atl1c: reserve min skb headroom (bnc#1012382).
- atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066).
- audit: allow not equal op for audit by executable (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node leaks (bsc#1106929).
- backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1106929).
- bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232).
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232).
- bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232).
- bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
- bcache: finish incremental GC (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering (bsc#1064232).
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232).
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232).
- bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232).
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232).
- be2net: remove unused old custom busy-poll fields (bsc#1021121).
- blkdev: __blkdev_direct_IO_simple: fix leak in error case (bsc#1083663).
- block: bio_iov_iter_get_pages: fix size of last iovec (bsc#1083663).
- block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs (bsc#1083663).
- block: do not use interruptible wait anywhere (bnc#1012382).
- bnx2x: Fix invalid memory access in rss hash config path (bnc#1012382).
- bnx2x: Fix receiving tx-timeout in error or recovery state (bnc#1012382).
- bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#963575).
- bnxt_en: Fix for system hang if request_irq fails (bnc#1012382).
- bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1020412).
- bpf: fix references to free_bpf_prog_info() in comments (bnc#1012382).
- brcmfmac: Add support for bcm43364 wireless chipset (bnc#1012382).
- brcmfmac: stop watchdog before detach and free everything (bnc#1012382).
- bridge: Propagate vlan add failure to user (bnc#1012382).
- btrfs: Do not remove block group still has pinned down bytes (bsc#1086457).
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (bnc#1012382).
- btrfs: do not leak ret from do_chunk_alloc (bnc#1012382).
- btrfs: qgroup: Finish rescan when hit the last leaf of extent tree (bnc#1012382).
- btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf.
- btrfs: round down size diff when shrinking/growing device (bsc#1097105).
- can: ems_usb: Fix memory leak on ems_usb_disconnect() (bnc#1012382).
- can: mpc5xxx_can: check of_iomap return before use (bnc#1012382).
- can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK (bnc#1012382).
- can: xilinx_can: fix RX overflow interrupt not being enabled (bnc#1012382).
- can: xilinx_can: fix device dropping off bus on RX overrun (bnc#1012382).
- can: xilinx_can: fix incorrect clear of non-processed interrupts (bnc#1012382).
- can: xilinx_can: fix recovery from error states not being propagated (bnc#1012382).
- can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting (bnc#1012382).
- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (bnc#1012382).
- ceph: fix incorrect use of strncpy (bsc#1107319).
- ceph: return errors from posix_acl_equiv_mode() correctly (bsc#1107320).
- cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1012382).
- cifs: add missing debug entries for kconfig options (bnc#1012382).
- cifs: check kmalloc before use (bsc#1012382).
- cifs: store the leaseKey in the fid on SMB2_open (bsc#1012382).
- clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 (bnc#1012382).
- crypto: ablkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: authenc - do not leak pointers to authenc keys (bnc#1012382).
- crypto: authencesn - do not leak pointers to authenc keys (bnc#1012382).
- crypto: blkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: padlock-aes - Fix Nano workaround data corruption (bnc#1012382).
- crypto: vmac - require a block cipher with 128-bit block size (bnc#1012382).
- crypto: vmac - separate tfm and request context (bnc#1012382).
- crypto: vmx - Fix sleep-in-atomic bugs (bsc#1048317).
- cxgb4: when disabling dcb set txq dcb priority to 0 (bnc#1012382).
- cxl: Fix wrong comparison in cxl_adapter_context_get() (bsc#1055014).
- dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() (bnc#1012382).
- disable loading f2fs module on PAGE_SIZE > 4KB (bnc#1012382).
- dm cache metadata: save in-core policy_hint_size to on-disk superblock (bnc#1012382).
- dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA (bnc#1012382).
- dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() (bnc#1012382).
- dmaengine: pxa_dma: remove duplicate const qualifier (bnc#1012382).
- driver core: Partially revert "driver core: correct device's shutdown order" (bnc#1012382).
- drivers: net: lmc: fix case value for target abort error (bnc#1012382).
- drm/armada: fix colorkey mode property (bnc#1012382).
- drm/atmel-hlcdc: check stride values in the first plane (bsc#1106929).
- drm/atomic: Handling the case when setting old crtc for plane (bnc#1012382).
- drm/bridge: adv7511: Reset registers on hotplug (bnc#1012382).
- drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up (bsc#1101822).
- drm/drivers: add support for using the arch wc mapping API.
- drm/exynos/dsi: mask frame-done interrupt (bsc#1106929).
- drm/exynos: decon5433: Fix WINCONx reset value (bnc#1012382).
- drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes (bnc#1012382).
- drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes (bnc#1012382).
- drm/gma500: fix psb_intel_lvds_mode_valid()'s return type (bnc#1012382).
- drm/i915/userptr: reject zero user_size (bsc#1090888).
- drm/i915: Correctly handle limited range YCbCr data on VLV/CHV (bsc#1087092).
- drm/imx: fix typo in ipu_plane_formats (bsc#1106929).
- drm/imx: imx-ldb: check if channel is enabled before printing warning (bnc#1012382).
- drm/imx: imx-ldb: disable LDB on driver bind (bnc#1012382).
- drm/msm/hdmi: Use bitwise operators when building register values (bsc#1106929).
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bnc#1012382).
- drm/panel: type promotion bug in s6e8aa0_read_mtp_id() (bsc#1105769).
- drm/radeon: fix mode_valid's return type (bnc#1012382).
- drm: Add DP PSR2 sink enable bit (bnc#1012382).
- drm: Reject getfb for multi-plane framebuffers (bsc#1106929).
- enic: do not call enic_change_mtu in enic_probe
- enic: handle mtu change for vf properly (bnc#1012382).
- enic: initialize enic->rfs_h.lock in enic_probe (bnc#1012382).
- esp6: fix memleak on error path in esp6_input
- ext4: check for NUL characters in extended attribute's name (bnc#1012382).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update s_last_mounted of a frozen fs (bsc#1101841).
- ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ext4: fix inline data updates with checksums enabled (bsc#1104494).
- ext4: fix spectre gadget in ext4_mb_regular_allocator() (bnc#1012382).
- ext4: reset error code in ext4_find_entry in fallback (bnc#1012382).
- ext4: sysfs: print ext4_super_block fields as little-endian (bsc#1106229).
- f2fs: fix to do not trigger writeback during recovery (bnc#1012382).
- fat: fix memory allocation failure handling of match_strdup() (bnc#1012382).
- fb: fix lost console when the user unplugs a USB adapter (bnc#1012382).
- fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106929).
- fix __legitimize_mnt()/mntput() race (bnc#1012382).
- fix mntput/mntput race (bnc#1012382).
- fork: unconditionally clear stack on fork (bnc#1012382).
- fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed (bnc#1012382).
- fs/dax.c: fix inefficiency in dax_writeback_mapping_range() (bsc#1106185).
- fs/quota: Fix spectre gadget in do_quotactl (bnc#1012382).
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr (bsc#1068075, bsc#1078921).
- fuse: Add missed unlock_page() to fuse_readpages_fill() (bnc#1012382).
- fuse: Do not access pipe->buffers without pipe_lock() (bnc#1012382).
- fuse: Fix oops at process_init_reply() (bnc#1012382).
- fuse: fix double request_end() (bnc#1012382).
- fuse: fix unlocked access to processing queue (bnc#1012382).
- fuse: umount should wait for all requests (bnc#1012382).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- getxattr: use correct xattr length (bnc#1012382).
- hfsplus: Do not clear SGID when inheriting ACLs (bsc#1030552).
- hvc_opal: do not set tb_ticks_per_usec in udbg_init_opal_common() (bnc#1012382).
- hwrng: exynos - Disable runtime PM on driver unbind.
- i2c: davinci: Avoid zero value of CLKH (bnc#1012382).
- i2c: imx: Fix race condition in dma read (bnc#1012382).
- i2c: imx: Fix reinit_completion() use (bnc#1012382).
- i2c: ismt: fix wrong device address when unmap the data buffer (bnc#1012382).
- i40e: use cpumask_copy instead of direct assignment (bsc#1053685).
- i40iw: Fix memory leak in error path of create QP (bsc#969476 bsc#969477).
- i40iw: Use correct address in dst_neigh_lookup for IPv6 (bsc#969476 bsc#969477).
- ibmvnic: Include missing return code checks in reset function (bnc#1107966).
- ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- ieee802154: at86rf230: use __func__ macro for debug messages (bnc#1012382).
- ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- igb: Fix not adding filter elements to the list (bsc#1024361 bsc#1024365).
- iio: ad9523: Fix displayed phase (bnc#1012382).
- iio: ad9523: Fix return value for ad952x_store() (bnc#1012382).
- inet: frag: enforce memory limits earlier (bnc#1012382 bsc#970506).
- iommu/amd: make sure TLB to be flushed before IOVA freed (bsc#1106105).
- iommu/vt-d: Add definitions for PFSID (bnc#1012382).
- iommu/vt-d: Fix dev iotlb pfsid use (bnc#1012382).
- iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
- ioremap: Update pgtable free interfaces with addr (bnc#1012382).
- ip: hash fragments consistently (bnc#1012382).
- ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull (bnc#1012382).
- ipconfig: Correctly initialise ic_nameservers (bnc#1012382).
- ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV (bnc#1012382).
- ipv4: Return EINVAL when ping_group_range sysctl does not map to user ns (bnc#1012382).
- ipv4: remove BUG_ON() from fib_compute_spec_dst (bnc#1012382).
- ipv6: fix useless rol32 call on hash (bnc#1012382).
- ipv6: mcast: fix unsolicited report interval after receiving querys (bnc#1012382).
- ipvlan: use ETH_MAX_MTU as max mtu (bsc#1033962).
- iscsi target: fix session creation failure handling (bnc#1012382).
- isdn: Disable IIOCDBGVAR (bnc#1012382).
- iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen() (bsc#969476 bsc#969477).
- iwlwifi: pcie: fix race in Rx buffer allocator (bnc#1012382).
- ixgbe: Be more careful when modifying MAC filters (bnc#1012382).
- jfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- jump_label: Add RELEASE barrier after text changes (bsc#1105271).
- jump_label: Fix concurrent static_key_enable/disable() (bsc#1105271).
- jump_label: Move CPU hotplug locking (bsc#1105271).
- jump_label: Provide hotplug context variants (bsc#1105271).
- jump_label: Reduce the size of struct static_key (bsc#1105271).
- jump_label: Reorder hotplug lock and jump_label_lock (bsc#1105271).
- jump_label: Split out code under the hotplug lock (bsc#1105271).
- jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1105271).
- kABI: protect enum tcp_ca_event (kabi).
- kABI: reexport tcp_send_ack (kabi).
- kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- kasan: do not emit builtin calls when sanitization is off (bnc#1012382).
- kasan: fix shadow_size calculation error in kasan_module_alloc (bnc#1012382).
- kbuild: verify that $DEPMOD is installed (bnc#1012382).
- kernel: improve spectre mitigation (bnc#1106934, LTC#171029).
- kprobes/x86: Fix %p uses in error messages (bnc#1012382).
- kprobes: Make list and blacklist root user read only (bnc#1012382).
- kthread, tracing: Do not expose half-written comm when creating kthreads (bsc#1104897).
- kvm: x86: vmx: fix vpid leak (bnc#1012382).
- l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache (bnc#1012382).
- lib/rhashtable: consider param->min_size when setting initial table size (bnc#1012382).
- libata: Fix command retry decision (bnc#1012382).
- libceph: check authorizer reply/challenge length before reading (bsc#1096748).
- libceph: factor out __ceph_x_decrypt() (bsc#1096748).
- libceph: factor out __prepare_write_connect() (bsc#1096748).
- libceph: factor out encrypt_authorizer() (bsc#1096748).
- libceph: store ceph_auth_handshake pointer in ceph_connection (bsc#1096748).
- libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() (bsc#1096748).
- llc: use refcount_inc_not_zero() for llc_sap_find() (bnc#1012382).
- locking/lockdep: Do not record IRQ state within lockdep code (bnc#1012382).
- locks: pass inode pointer to locks_free_lock_context (bsc#1099832).
- locks: prink more detail when there are leaked locks (bsc#1099832).
- locks: restore a warn for leaked locks on close (bsc#1099832).
- m68k: fix "bad page state" oops on ColdFire boot (bnc#1012382).
- mac80211: add stations tied to AP_VLANs during hw reconfig (bnc#1012382).
- md/raid10: fix that replacement cannot complete recovery after reassemble (bnc#1012382).
- md: fix NULL dereference of mddev->pers in remove_and_add_spares() (bnc#1012382).
- media: omap3isp: fix unbalanced dma_iommu_mapping (bnc#1012382).
- media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() (bnc#1012382).
- media: rtl28xxu: be sure that it won't go past the array size (bsc#1050431).
- media: s5p-jpeg: fix number of components macro (bsc#1050431).
- media: saa7164: Fix driver name in debug output (bnc#1012382).
- media: si470x: fix __be16 annotations (bnc#1012382).
- media: siano: get rid of __le32/__le16 cast warnings (bnc#1012382).
- media: staging: omap4iss: Include asm/cacheflush.h after generic includes (bnc#1012382).
- media: videobuf2-core: do not call memop 'finish' when queueing (bnc#1012382).
- memory: tegra: Apply interrupts mask per SoC (bnc#1012382).
- memory: tegra: Do not handle spurious interrupts (bnc#1012382).
- mfd: cros_ec: Fail early if we cannot identify the EC (bnc#1012382).
- microblaze: Fix simpleImage format generation (bnc#1012382).
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported (bnc#1106697).
- mm/memory.c: check return value of ioremap_prot (bnc#1012382).
- mm/slub.c: add __printf verification to slab_err() (bnc#1012382).
- mm/tlb: Remove tlb_remove_table() non-concurrent condition (bnc#1012382).
- mm: Add vm_insert_pfn_prot() (bnc#1012382).
- mm: fix cache mode tracking in vm_insert_mixed() (bnc#1012382).
- mm: memcg: fix use after free in mem_cgroup_iter() (bnc#1012382).
- mm: vmalloc: avoid racy handling of debugobjects in vunmap (bnc#1012382).
- mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 (bnc#1012382).
- mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages (bnc#1012382).
- mtd: ubi: wl: Fix error return code in ubi_wl_init().
- mwifiex: correct histogram data with appropriate index (bnc#1012382).
- mwifiex: handle race during mwifiex_usb_disconnect (bnc#1012382).
- net/9p/client.c: version pointer uninitialized (bnc#1012382).
- net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() (bnc#1012382).
- net/ethernet/freescale/fman: fix cross-build error (bnc#1012382).
- net/ipv4: Set oif in fib_compute_spec_dst (bnc#1012382).
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper (bnc#1012382).
- net/mlx5: Add missing SET_DRIVER_VERSION command translation (bsc#1015342 bsc#1015343).
- net/mlx5: E-Switch, Include VF RDMA stats in vport statistics (bsc#966170 bsc#966172).
- net/mlx5: Eswitch, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- net/mlx5: Fix wrong size allocation for QoS ETC TC regitster (bsc#966170 bsc#966172).
- net/mlx5: Vport, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#966170 bsc#966172).
- net/mlx5e: Do not allow aRFS for encapsulated packets (bsc#1015342 bsc#1015343).
- net/mlx5e: Err if asked to offload TC match on frag being first (bsc#1015342 bsc#1015343).
- net/mlx5e: Fix quota counting in aRFS expire flow (bsc#1015342 bsc#1015343).
- net/mlx5e: Refine ets validation function (bsc#966170 bsc#966172).
- net: 6lowpan: fix reserved space for single frames (bnc#1012382).
- net: Do not copy pfmemalloc flag in __copy_skb_header() (bnc#1012382).
- net: add skb_condense() helper (bsc#1089066).
- net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
- net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
- net: axienet: Fix double deregister of mdio (bnc#1012382).
- net: caif: Add a missing rcu_read_unlock() in caif_flow_cb (bnc#1012382).
- net: davinci_emac: match the mdio device against its compatible if possible (bnc#1012382).
- net: dsa: Do not suspend/resume closed slave_dev (bnc#1012382).
- net: ena: Fix use of uninitialized DMA address bits field (bsc#1027968).
- net: fix amd-xgbe flow-control issue (bnc#1012382).
- net: hamradio: use eth_broadcast_addr (bnc#1012382).
- net: lan78xx: Fix misplaced tasklet_schedule() call (bnc#1012382).
- net: lan78xx: fix rx handling before first packet is send (bnc#1012382).
- net: mac802154: tx: expand tailroom if necessary (bnc#1012382).
- net: phy: fix flag masking in __set_phy_supported (bnc#1012382).
- net: prevent ISA drivers from building on PPC32 (bnc#1012382).
- net: propagate dev_get_valid_name return code (bnc#1012382).
- net: qca_spi: Avoid packet drop during initial sync (bnc#1012382).
- net: qca_spi: Fix log level if probe fails (bnc#1012382).
- net: qca_spi: Make sure the QCA7000 reset is triggered (bnc#1012382).
- net: socket: fix potential spectre v1 gadget in socketcall (bnc#1012382).
- net: usb: rtl8150: demote allmulti message to dev_dbg() (bnc#1012382).
- net: vmxnet3: use new api ethtool_{get|set}_link_ksettings (bsc#1091860 bsc#1098253).
- net_sched: Fix missing res info when create new tc_index filter (bnc#1012382).
- net_sched: fix NULL pointer dereference when delete tcindex filter (bnc#1012382).
- netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state (bnc#1012382).
- netfilter: ipset: List timing out entries with "timeout 1" instead of zero (bnc#1012382).
- netfilter: ipv6: nf_defrag: reduce struct net memory waste (bnc#1012382).
- netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule (bsc#1102797).
- netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet (bsc#1102797).
- netfilter: x_tables: set module owner for icmp(6) matches (bnc#1012382).
- netlink: Do not shift on 64 for ngroups (bnc#1012382).
- netlink: Do not shift with UB on nlk->ngroups (bnc#1012382).
- netlink: Do not subscribe to non-existent groups (bnc#1012382).
- netlink: Fix spectre v1 gadget in netlink_create() (bnc#1012382).
- netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo (bnc#1012382).
- nl80211: Add a missing break in parse_station_flags (bnc#1012382).
- nohz: Fix local_timer_softirq_pending() (bnc#1012382).
- nvme-fc: release io queues to allow fast fail (bsc#1102486).
- nvme: if_ready checks to fail io to deleting controller (bsc#1102486).
- nvme: kABI-compliant version of nvmf_fail_nonready_command() (bsc#1102486).
- nvmet-fc: fix target sgl list on large transfers (bsc#1102486).
- osf_getdomainname(): use copy_to_user() (bnc#1012382).
- ovl: Do d_type check only if work dir creation was successful (bnc#1012382).
- ovl: Ensure upper filesystem supports d_type (bnc#1012382).
- ovl: warn instead of error if d_type is not supported (bnc#1012382).
- packet: refine ring v3 block size test to hold one frame (bnc#1012382).
- packet: reset network header if packet shorter than ll reserved space (bnc#1012382).
- parisc: Define mb() and add memory barriers to assembler unlock sequences (bnc#1012382).
- parisc: Enable CONFIG_MLONGCALLS by default (bnc#1012382).
- parisc: Remove ordered stores from syscall.S (bnc#1012382).
- parisc: Remove unnecessary barriers from spinlock.h (bnc#1012382).
- perf auxtrace: Fix queue resize (bnc#1012382).
- perf llvm-utils: Remove bashism from kernel include fetch script (bnc#1012382).
- perf report powerpc: Fix crash if callchain is empty (bnc#1012382).
- perf test session topology: Fix test on s390 (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check for NHM (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check in generic code (bnc#1012382).
- perf: fix invalid bit in diagnostic entry (bnc#1012382).
- pinctrl: at91-pio4: add missing of_node_put (bnc#1012382).
- pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() (bnc#1012382).
- pnfs/blocklayout: off by one in bl_map_stripe() (bnc#1012382).
- powerpc/32: Add a missing include header (bnc#1012382).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032).
- powerpc/64s: Fix compiler store ordering to SLB shadow area (bnc#1012382).
- powerpc/8xx: fix invalid register expression in head_8xx.S (bnc#1012382).
- powerpc/chrp/time: Make some functions static, add missing header include (bnc#1012382).
- powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet (bnc#1012382).
- powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269).
- powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269).
- powerpc/lib: Fix the feature fixup tests to actually work (bsc#1066223).
- powerpc/powermac: Add missing prototype for note_bootable_part() (bnc#1012382).
- powerpc/powermac: Mark variable x as unused (bnc#1012382).
- powerpc/pseries: Fix endianness while restoring of r3 in MCE handler (bnc#1012382).
- powerpc/topology: Get topology for shared processors at boot (bsc#1104683).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc: make feature-fixup tests fortify-safe (bsc#1066223).
- provide special timeout module parameters for EC2 (bsc#1065364).
- ptp: fix missing break in switch (bnc#1012382).
- pwm: tiehrpwm: Fix disabling of output of PWMs (bnc#1012382).
- qed: Add sanity check for SIMD fastpath handler (bnc#1012382).
- qed: Correct Multicast API to reflect existence of 256 approximate buckets (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Do not advertise DCBX_LLD_MANAGED capability (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible memory leak in Rx error path handling (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible race for the link state value (bnc#1012382).
- qed: Fix setting of incorrect eswitch mode (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix use of incorrect size in memcpy call (bsc#1019695 bsc#1019699 bsc#1022604).
- qede: Adverstise software timestamp caps when PHC is not available (bsc#1019695 bsc#1019699 bsc#1022604).
- qlge: Fix netdev features configuration (bsc#1098822).
- qlogic: check kstrtoul() for errors (bnc#1012382).
- random: mix rdrand with entropy sent in from userspace (bnc#1012382).
- readahead: stricter check for bdi io_pages (VM Functionality).
- regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops (bnc#1012382).
- reiserfs: fix broken xattr handling (heap corruption, bad retval) (bnc#1012382).
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer (bnc#1012382).
- root dentries need RCU-delayed freeing (bnc#1012382).
- rsi: Fix 'invalid vdd' warning in mmc (bnc#1012382).
- rtc: ensure rtc_set_alarm fails when alarms are not supported (bnc#1012382).
- rtnetlink: add rtnl_link_state check in rtnl_configure_link (bnc#1012382).
- s390/cpum_sf: Add data entry sizes to sampling trailer entry (bnc#1012382).
- s390/kvm: fix deadlock when killed by oom (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (bnc#1106934, LTC#171029).
- s390/pci: fix out of bounds access during irq setup (bnc#1012382).
- s390/qdio: reset old sbal_state flags (bnc#1012382).
- s390/qeth: do not clobber buffer on async TX completion (bnc#1104485, LTC#170349).
- s390/qeth: fix race when setting MAC address (bnc#1104485, LTC#170726).
- s390: add explicit for jump label (bsc#1105271).
- s390: detect etoken facility (bnc#1106934, LTC#171029).
- s390: fix br_r1_trampoline for machines without exrl (bnc#1012382 bnc#1106934 LTC#171029).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scripts/tar-up.sh: Do not package gitlog-excludes file Also fix the evaluation of gitlog-excludes file, too
- scsi: 3w-xxxx: fix a missing-check bug (bnc#1012382).
- scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock (bnc#1012382).
- scsi: fcoe: drop frames in ELS LOGO error path (bnc#1012382).
- scsi: hpsa: limit transfer length to 1MB, not 512kB (bsc#1102346).
- scsi: libiscsi: fix possible NULL pointer dereference in case of TMF (bnc#1012382).
- scsi: megaraid: silence a static checker bug (bnc#1012382).
- scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs (bnc#1012382).
- scsi: qla2xxx: Fix ISP recovery on unload (bnc#1012382).
- scsi: qla2xxx: Return error when TMF returns (bnc#1012382).
- scsi: scsi_dh: replace too broad "TP9" string with the exact models (bnc#1012382).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (bnc#1012382).
- scsi: sysfs: Introduce sysfs_{un,}break_active_protection() (bnc#1012382).
- scsi: ufs: fix exception event handling (bnc#1012382).
- scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED (bnc#1012382).
- scsi: xen-scsifront: add error handling for xenbus_printf (bnc#1012382).
- scsi_debug: call resp_XXX function after setting host_scribble (bsc#1069138).
- scsi_debug: reset injection flags for every_nth > 0 (bsc#1069138).
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC (bnc#1012382).
- selftest/seccomp: Fix the seccomp(2) signature (bnc#1012382).
- selftests/ftrace: Add snapshot and tracing_on test case (bnc#1012382).
- selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs (bnc#1012382).
- selftests: pstore: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: static_keys: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: sync: add config fragment for testing sync framework (bnc#1012382).
- selftests: user: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: zram: return Kselftest Skip code for skipped tests (bnc#1012382).
- serial: 8250_dw: always set baud rate in dw8250_set_termios (bnc#1012382).
- sfc: stop the TX queue before pushing new buffers (bsc#1017967).
- skbuff: Unconditionally copy pfmemalloc in __skb_clone() (bnc#1012382).
- slab: __GFP_ZERO is incompatible with a constructor (bnc#1107060).
- smb3: Do not send SMB3 SET_INFO if nothing changed (bnc#1012382).
- smb3: do not request leases in symlink creation and query (bnc#1012382).
- spi: davinci: fix a NULL pointer dereference (bnc#1012382).
- squashfs: be more careful about metadata corruption (bnc#1012382).
- squashfs: more metadata hardening (bnc#1012382).
- squashfs: more metadata hardenings (bnc#1012382).
- staging: android: ion: check for kref overflow (bnc#1012382).
- string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1107319).
- sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
- target_core_rbd: use RCU in free_device (bsc#1105524).
- tcp: Fix missing range_truesize enlargement in the backport (bnc#1012382).
- tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode (bnc#1012382).
- tcp: add one more quick ack after after ECN events (bnc#1012382).
- tcp: do not aggressively quick ack after ECN events (bnc#1012382).
- tcp: do not cancel delay-AcK on DCTCP special ACK (bnc#1012382).
- tcp: do not delay ACK in DCTCP upon CE status change (bnc#1012382).
- tcp: do not force quickack when receiving out-of-order packets (bnc#1012382).
- tcp: fix dctcp delayed ACK schedule (bnc#1012382).
- tcp: helpers to send special DCTCP ack (bnc#1012382).
- tcp: identify cryptic messages as TCP seq # bugs (bnc#1012382).
- tcp: refactor tcp_ecn_check_ce to remove sk type cast (bnc#1012382). - tcp: remove DELAYED ACK events in DCTCP (bnc#1012382). - tg3: Add higher cpu clock for 5762 (bnc#1012382). - thermal: exynos: fix setting rising_threshold for Exynos5433 (bnc#1012382). - timekeeping: Eliminate the stale declaration of ktime_get_raw_and_real_ts64() (bsc#969470). - tools/power turbostat: Read extended processor family from CPUID (bnc#1012382). - tools/power turbostat: fix -S on UP systems (bnc#1012382). - tools: usb: ffs-test: Fix build on big endian systems (bnc#1012382). - tpm: fix race condition in tpm_common_write() (bnc#1012382). - tracing/blktrace: Fix to allow setting same value (bnc#1012382). - tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure (bnc#1012382). - tracing: Do not call start/stop() functions when tracing_on does not change (bnc#1012382). - tracing: Fix double free of event_trigger_data (bnc#1012382). - tracing: Fix possible double free in event_enable_trigger_func() (bnc#1012382). - tracing: Quiet gcc warning about maybe unused link variable (bnc#1012382). - tracing: Use __printf markup to silence compiler (bnc#1012382). - tty: Fix data race in tty_insert_flip_string_fixed_flag (bnc#1012382). - turn off -Wattribute-alias (bnc#1012382). - ubi: Be more paranoid while seaching for the most recent Fastmap (bnc#1012382). - ubi: Fix Fastmap's update_vol() (bnc#1012382). - ubi: Fix races around ubi_refill_pools() (bnc#1012382). - ubi: Introduce vol_ignored() (bnc#1012382). - ubi: Rework Fastmap attach base code (bnc#1012382). - ubi: fastmap: Erase outdated anchor PEBs during attach (bnc#1012382). - ubifs: Check data node size before truncate (bsc#1106276). - ubifs: Fix memory leak in lprobs self-check (bsc#1106278). - ubifs: Fix synced_i_size calculation for xattr inodes (bsc#1106275). - ubifs: xattr: Do not operate on deleted inodes (bsc#1106271). - udl-kms: change down_interruptible to down (bnc#1012382). 
- udl-kms: fix crash due to uninitialized memory (bnc#1012382). - udl-kms: handle allocation failure (bnc#1012382). - udlfb: set optimal write delay (bnc#1012382). - uprobes: Use synchronize_rcu() not synchronize_sched() (bnc#1012382). - usb/phy: fix PPC64 build errors in phy-fsl-usb.c (bnc#1012382). - usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1099810). - usb: cdc_acm: Add quirk for Castles VEGA3000 (bnc#1012382). - usb: dwc2: debugfs: Do not touch RX FIFO during register dump (bsc#1100132). - usb: dwc2: fix isoc split in transfer with no data (bnc#1012382). - usb: gadget: composite: fix delayed_status race condition when set_interface (bnc#1012382). - usb: gadget: dwc2: fix memory leak in gadget_init() (bnc#1012382). - usb: gadget: f_fs: Only return delayed status when len is 0 (bnc#1012382). - usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' (bnc#1012382). - usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() (bnc#1012382). - usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() (bnc#1012382). - usb: hub: Do not wait for connect state at resume for powered-off ports (bnc#1012382). - usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock (bsc#1085536). - usb: xhci: increase CRS timeout value (bnc#1012382). - usbip: usbip_detach: Fix memory, udev context and udev leak (bnc#1012382). - userns: move user access out of the mutex (bnc#1012382). - vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841). - virtio_balloon: fix another race between migration and ballooning (bnc#1012382). - vmw_balloon: VMCI_DOORBELL_SET does not check status (bnc#1012382). - vmw_balloon: do not use 2MB without batching (bnc#1012382). - vmw_balloon: fix VMCI use when balloon built into kernel (bnc#1012382). - vmw_balloon: fix inflation of 64-bit GFNs (bnc#1012382). - vmxnet3: Replace msleep(1) with usleep_range() (bsc#1091860 bsc#1098253). 
- vmxnet3: add receive data ring support (bsc#1091860 bsc#1098253). - vmxnet3: add support for get_coalesce, set_coalesce ethtool operations (bsc#1091860 bsc#1098253). - vmxnet3: allow variable length transmit data ring buffer (bsc#1091860 bsc#1098253). - vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() (bsc#1091860 bsc#1098253). - vmxnet3: avoid format strint overflow warning (bsc#1091860 bsc#1098253). - vmxnet3: avoid xmit reset due to a race in vmxnet3 (bsc#1091860 bsc#1098253). - vmxnet3: fix incorrect dereference when rxvlan is disabled (bsc#1091860 bsc#1098253). - vmxnet3: fix non static symbol warning (bsc#1091860 bsc#1098253). - vmxnet3: fix tx data ring copy for variable size (bsc#1091860 bsc#1098253). - vmxnet3: increase default rx ring sizes (bsc#1091860 bsc#1098253). - vmxnet3: introduce command to register memory region (bsc#1091860 bsc#1098253). - vmxnet3: introduce generalized command interface to configure the device (bsc#1091860 bsc#1098253). - vmxnet3: prepare for version 3 changes (bsc#1091860 bsc#1098253). - vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1091860 bsc#1098253). - vmxnet3: remove unused flag "rxcsum" from struct vmxnet3_adapter (bsc#1091860 bsc#1098253). - vmxnet3: set the DMA mask before the first DMA map operation (bsc#1091860 bsc#1098253). - vmxnet3: update to version 3 (bsc#1091860 bsc#1098253). - vmxnet3: use DMA memory barriers where required (bsc#1091860 bsc#1098253). - vmxnet3: use correct flag to indicate LRO feature (bsc#1091860 bsc#1098253). - vsock: split dwork to avoid reinitializations (bnc#1012382). - vti6: Fix dev->max_mtu setting (bsc#1033962). - vti6: fix PMTU caching and reporting on xmit (bnc#1012382). - wlcore: sdio: check for valid platform device data before suspend (bnc#1012382). - x86/MCE: Remove min interval polling limitation (bnc#1012382). - x86/amd: do not set X86_BUG_SYSRET_SS_ATTRS when running under Xen (bnc#1012382). 
- x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs (bnc#1012382). - x86/bugs: Move the l1tf function and define pr_fmt properly (bnc#1012382). - x86/bugs: Respect nospec command line option (bsc#1068032). - x86/cpu/AMD: Fix erratum 1076 (CPB bit) (bnc#1012382). - x86/cpu: Make alternative_msr_write work for 32-bit code (bnc#1012382). - x86/cpu: Re-apply forced caps every time CPU caps are re-read (bnc#1012382). - x86/cpufeatures: Add CPUID_7_EDX CPUID leaf (bnc#1012382). - x86/cpufeatures: Clean up Spectre v2 related CPUID flags (bnc#1012382). - x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (bnc#1012382). - x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715). - x86/init: fix build with CONFIG_SWAP=n (bnc#1012382). - x86/irqflags: Mark native_restore_fl extern inline (bnc#1012382). - x86/irqflags: Provide a declaration for native_save_fl. - x86/mm/kmmio: Make the tracer robust against L1TF (bnc#1012382). - x86/mm/pat: Fix L1TF stable backport for CPA (bnc#1012382). - x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call (bnc#1012382). - x86/mm/pat: Make set_memory_np() L1TF safe (bnc#1012382). - x86/mm: Add TLB purge to free pmd/pte page interfaces (bnc#1012382). - x86/mm: Disable ioremap free page handling on x86-PAE (bnc#1012382). - x86/mm: Give each mm TLB flush generation a unique ID (bnc#1012382). - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (bnc#1012382). - x86/paravirt: Make native_save_fl() extern inline (bnc#1012382). - x86/process: Correct and optimize TIF_BLOCKSTEP switch (bnc#1012382). - x86/process: Optimize TIF checks in __switch_to_xtra() (bnc#1012382). - x86/process: Optimize TIF_NOTSC switch (bnc#1012382). - x86/process: Re-export start_thread() (bnc#1012382). - x86/spectre: Add missing family 6 check to microcode check (bnc#1012382). - x86/spectre_v2: Do not check microcode versions when running under hypervisors (bnc#1012382). 
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion (bnc#1012382). - x86/speculation/l1tf: Extend 64bit swap file size limit (bnc#1012382). - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536). - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1012382). - x86/speculation/l1tf: Fix up CPU feature flags (bnc#1012382). - x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382). - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - x86/speculation/l1tf: Invert all not present mappings (bnc#1012382). - x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (bnc#1012382). - x86/speculation/l1tf: Protect PAE swap entries against L1TF (bnc#1012382). - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536). - x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (bnc#1012382). - x86/speculation: Add dependency (bnc#1012382). - x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (bnc#1012382). - x86/speculation: Clean up various Spectre related details (bnc#1012382). - x86/speculation: Correct Speculation Control microcode blacklist again (bnc#1012382). - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP (bnc#1012382). - x86/speculation: Update Speculation Control microcode blacklist (bnc#1012382). - x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369). - x86/speculation: Use IBRS if available before calling into firmware (bnc#1012382). - x86/speculation: Use Indirect Branch Prediction Barrier in context switch (bnc#1012382). - x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths (bnc#1012382). - xen-netfront: wait xenbus state change when load module manually (bnc#1012382). - xen/blkback: do not keep persistent grants too long (bsc#1085042). - xen/blkback: move persistent grants flags to bool (bsc#1085042). 
- xen/blkfront: cleanup stale persistent grants (bsc#1085042). - xen/blkfront: reorder tests in xlblk_init() (bsc#1085042). - xen/netfront: do not cache skb_shinfo() (bnc#1012382). - xen: set cpu capabilities from xen_start_kernel() (bnc#1012382). - xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382). - xfrm: free skb if nlsk pointer is NULL (bnc#1012382). - xfrm_user: prevent leaking 2 bytes of kernel memory (bnc#1012382). - xfs: Remove dead code from inode recover function (bsc#1105396). - xfs: repair malformed inode items during log recovery (bsc#1105396). - xhci: Fix perceived dead host due to runtime suspend race with event handler (bnc#1012382). - zswap: re-check zswap_is_full() after do zswap_shrink() (bnc#1012382). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-1941=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_155-94_50-default-1-4.3.1 kgraft-patch-4_4_155-94_50-default-debuginfo-1-4.3.1 References: https://www.suse.com/security/cve/CVE-2018-10876.html https://www.suse.com/security/cve/CVE-2018-10877.html https://www.suse.com/security/cve/CVE-2018-10878.html https://www.suse.com/security/cve/CVE-2018-10879.html https://www.suse.com/security/cve/CVE-2018-10880.html https://www.suse.com/security/cve/CVE-2018-10881.html https://www.suse.com/security/cve/CVE-2018-10882.html https://www.suse.com/security/cve/CVE-2018-10883.html https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10938.html https://www.suse.com/security/cve/CVE-2018-1128.html https://www.suse.com/security/cve/CVE-2018-1129.html https://www.suse.com/security/cve/CVE-2018-12896.html https://www.suse.com/security/cve/CVE-2018-13093.html https://www.suse.com/security/cve/CVE-2018-13094.html https://www.suse.com/security/cve/CVE-2018-13095.html https://www.suse.com/security/cve/CVE-2018-15572.html https://www.suse.com/security/cve/CVE-2018-16658.html https://www.suse.com/security/cve/CVE-2018-6554.html https://www.suse.com/security/cve/CVE-2018-6555.html https://www.suse.com/security/cve/CVE-2018-9363.html https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1015342 https://bugzilla.suse.com/1015343 https://bugzilla.suse.com/1017967 https://bugzilla.suse.com/1019695 https://bugzilla.suse.com/1019699 https://bugzilla.suse.com/1020412 https://bugzilla.suse.com/1021121 https://bugzilla.suse.com/1022604 https://bugzilla.suse.com/1024361 https://bugzilla.suse.com/1024365 https://bugzilla.suse.com/1024376 https://bugzilla.suse.com/1027968 https://bugzilla.suse.com/1030552 https://bugzilla.suse.com/1031492 
https://bugzilla.suse.com/1033962 https://bugzilla.suse.com/1042286 https://bugzilla.suse.com/1048317 https://bugzilla.suse.com/1050431 https://bugzilla.suse.com/1053685 https://bugzilla.suse.com/1055014 https://bugzilla.suse.com/1056596 https://bugzilla.suse.com/1062604 https://bugzilla.suse.com/1063646 https://bugzilla.suse.com/1064232 https://bugzilla.suse.com/1065364 https://bugzilla.suse.com/1066223 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068075 https://bugzilla.suse.com/1069138 https://bugzilla.suse.com/1078921 https://bugzilla.suse.com/1080157 https://bugzilla.suse.com/1083663 https://bugzilla.suse.com/1085042 https://bugzilla.suse.com/1085536 https://bugzilla.suse.com/1085539 https://bugzilla.suse.com/1086457 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089066 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1091171 https://bugzilla.suse.com/1091860 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1096748 https://bugzilla.suse.com/1097105 https://bugzilla.suse.com/1098253 https://bugzilla.suse.com/1098822 https://bugzilla.suse.com/1099597 https://bugzilla.suse.com/1099810 https://bugzilla.suse.com/1099811 https://bugzilla.suse.com/1099813 https://bugzilla.suse.com/1099832 https://bugzilla.suse.com/1099844 https://bugzilla.suse.com/1099845 https://bugzilla.suse.com/1099846 https://bugzilla.suse.com/1099849 https://bugzilla.suse.com/1099863 https://bugzilla.suse.com/1099864 https://bugzilla.suse.com/1099922 https://bugzilla.suse.com/1099999 https://bugzilla.suse.com/1100000 https://bugzilla.suse.com/1100001 https://bugzilla.suse.com/1100132 https://bugzilla.suse.com/1101822 https://bugzilla.suse.com/1101841 https://bugzilla.suse.com/1102346 https://bugzilla.suse.com/1102486 https://bugzilla.suse.com/1102517 https://bugzilla.suse.com/1102715 https://bugzilla.suse.com/1102797 https://bugzilla.suse.com/1103269 https://bugzilla.suse.com/1103445 https://bugzilla.suse.com/1103717 
https://bugzilla.suse.com/1104319 https://bugzilla.suse.com/1104485 https://bugzilla.suse.com/1104494 https://bugzilla.suse.com/1104495 https://bugzilla.suse.com/1104683 https://bugzilla.suse.com/1104897 https://bugzilla.suse.com/1105271 https://bugzilla.suse.com/1105292 https://bugzilla.suse.com/1105322 https://bugzilla.suse.com/1105323 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1105396 https://bugzilla.suse.com/1105524 https://bugzilla.suse.com/1105536 https://bugzilla.suse.com/1105769 https://bugzilla.suse.com/1106016 https://bugzilla.suse.com/1106105 https://bugzilla.suse.com/1106185 https://bugzilla.suse.com/1106229 https://bugzilla.suse.com/1106271 https://bugzilla.suse.com/1106275 https://bugzilla.suse.com/1106276 https://bugzilla.suse.com/1106278 https://bugzilla.suse.com/1106281 https://bugzilla.suse.com/1106283 https://bugzilla.suse.com/1106369 https://bugzilla.suse.com/1106509 https://bugzilla.suse.com/1106511 https://bugzilla.suse.com/1106697 https://bugzilla.suse.com/1106929 https://bugzilla.suse.com/1106934 https://bugzilla.suse.com/1106995 https://bugzilla.suse.com/1107060 https://bugzilla.suse.com/1107078 https://bugzilla.suse.com/1107319 https://bugzilla.suse.com/1107320 https://bugzilla.suse.com/1107689 https://bugzilla.suse.com/1107735 https://bugzilla.suse.com/1107966 https://bugzilla.suse.com/963575 https://bugzilla.suse.com/966170 https://bugzilla.suse.com/966172 https://bugzilla.suse.com/969470 https://bugzilla.suse.com/969476 https://bugzilla.suse.com/969477 https://bugzilla.suse.com/970506

From sle-updates at lists.suse.com Thu Sep 20 16:30:31 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 21 Sep 2018 00:30:31 +0200 (CEST)
Subject: SUSE-SU-2018:2776-1: important: Security update for the Linux Kernel
Message-ID: <20180920223031.79ECAFD03@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2776-1
Rating: important
References: #1012382 #1015342 #1015343 #1017967 #1019695 #1019699 #1020412 #1021121 #1022604 #1024361 #1024365 #1024376 #1027968 #1030552 #1031492 #1033962 #1042286 #1048317 #1050431 #1053685 #1055014 #1056596 #1062604 #1063646 #1064232 #1065364 #1066223 #1068032 #1068075 #1069138 #1078921 #1080157 #1083663 #1085042 #1085536 #1085539 #1086457 #1087092 #1089066 #1090888 #1091171 #1091860 #1096254 #1096748 #1097105 #1098253 #1098822 #1099597 #1099810 #1099811 #1099813 #1099832 #1099844 #1099845 #1099846 #1099849 #1099863 #1099864 #1099922 #1099999 #1100000 #1100001 #1100132 #1101822 #1101841 #1102346 #1102486 #1102517 #1102715 #1102797 #1103269 #1103445 #1103717 #1104319 #1104485 #1104494 #1104495 #1104683 #1104897 #1105271 #1105292 #1105322 #1105323 #1105392 #1105396 #1105524 #1105536 #1105769 #1106016 #1106105 #1106185 #1106229 #1106271 #1106275 #1106276 #1106278 #1106281 #1106283 #1106369 #1106509 #1106511 #1106697 #1106929 #1106934 #1106995 #1107060 #1107078 #1107319 #1107320 #1107689 #1107735 #1107966 #963575 #966170 #966172 #969470 #969476 #969477 #970506
Cross-References: CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-10902 CVE-2018-10938 CVE-2018-1128 CVE-2018-1129 CVE-2018-12896 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-15572 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555 CVE-2018-9363
Affected Products:
    SUSE Linux Enterprise Workstation Extension 12-SP3
    SUSE Linux Enterprise Software Development Kit 12-SP3
    SUSE Linux Enterprise Server 12-SP3
    SUSE Linux Enterprise High Availability 12-SP3
    SUSE Linux Enterprise Desktop 12-SP3
    SUSE CaaS Platform ALL
    SUSE CaaS Platform 3.0
______________________________________________________________________________

An update that solves 21 vulnerabilities and has 98 fixes is now available.
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurred because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).
- CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).
- CVE-2018-13094: Prevent OOPS that may have occurred for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689).
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).
- CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748).
- CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748).
- CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016).
- CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517).
- CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322 1105323).
- CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)
- CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863).
- CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844).
- CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813).
- CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811).
- CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846).
- CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864).
- CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849).
- CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845).

The following non-security bugs were fixed:

- 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382). - 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382). - 9p: fix multiple NULL-pointer-dereferences (bnc#1012382). - ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382). - ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382). - ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382). - ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382). - ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382). - ALSA: emu10k1: Rate-limit error messages about page errors (bnc#1012382). - ALSA: emu10k1: add error handling for snd_ctl_add (bnc#1012382). - ALSA: fm801: add error handling for snd_ctl_add (bnc#1012382). - ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382). - ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382). - ALSA: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382).
- ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382). - ALSA: memalloc: Do not exceed over the requested size (bnc#1012382). - ALSA: rawmidi: Change resized buffers atomically (bnc#1012382). - ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810). - ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382). - ALSA: virmidi: Fix too long output trigger loop (bnc#1012382). - ALSA: vx222: Fix invalid endian conversions (bnc#1012382). - ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382). - ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382). - ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382). - ARC: Fix CONFIG_SWAP (bnc#1012382). - ARC: mm: allow mprotect to make stack mappings executable (bnc#1012382). - ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382). - ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382). - ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382). - ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382). - ARM: dts: da850: Fix interrups property for gpio (bnc#1012382). - ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382). - ARM: fix put_user() for gcc-8 (bnc#1012382). - ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382). - ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382). - ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382). - ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382). - ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver. - ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382). - ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382). - ASoC: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382). - ASoC: pxa: Fix module autoload for platform drivers (bnc#1012382). - ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382). 
- Add reference to bsc#1091171 (bnc#1012382; bsc#1091171). - Bluetooth: avoid killing an already killed socket (bnc#1012382). - Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382). - Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092). - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092). - Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning (bnc#1012382). - Documentation/spec_ctrl: Do some minor cleanups (bnc#1012382). - HID: hid-plantronics: Re-resend Update to map button for PTT products (bnc#1012382). - HID: i2c-hid: check if device is there before really probing (bnc#1012382). - HID: wacom: Correct touch maximum XY of 2nd-gen Intuos (bnc#1012382). - IB/core: Make testing MR flags for writability a static inline function (bnc#1012382). - IB/core: Remove duplicate declaration of gid_cache_wq (bsc#1056596). - IB/iser: Do not reduce max_sectors (bsc#1063646). - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'. - IB/mlx4: Mark user MR as writable if actual virtual memory is writable (bnc#1012382). - IB/mlx5: Fetch soft WQE's on fatal error state (bsc#1015342 bsc#1015343). - IB/mlx5: Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343). - IB/ocrdma: fix out of bounds access to local buffer (bnc#1012382). - Input: elan_i2c - add ACPI ID for lenovo ideapad 330 (bnc#1012382). - Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST (bnc#1012382). - Input: i8042 - add Lenovo LaVie Z to the i8042 reset list (bnc#1012382). - KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel (bnc#1012382). - KVM: MMU: always terminate page walks at level 1 (bsc#1062604). - KVM: MMU: simplify last_pte_bitmap (bsc#1062604). - KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369). - KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369). 
- KVM: arm/arm64: Skip updating PMD entry if no change (bnc#1012382). - KVM: arm/arm64: Skip updating PTE entry if no change (bnc#1012382). - KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer (bnc#1012382). - KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604). - MIPS: Correct the 64-bit DSP accumulator register size (bnc#1012382). - MIPS: Fix off-by-one in pci_resource_to_user() (bnc#1012382). - MIPS: ath79: fix register address in ath79_ddr_wb_flush() (bnc#1012382). - MIPS: lib: Provide MIPS64r6 __multi3() for GCC lower than < 7 (bnc#1012382). - NET: stmmac: align DMA stuff to largest cache line length (bnc#1012382). - PCI: Prevent sysfs disable of device while driver is attached (bnc#1012382). - PCI: Skip MPS logic for Virtual Functions (VFs) (bnc#1012382). - PCI: hotplug: Do not leak pci_slot on registration failure (bnc#1012382). - PCI: pciehp: Fix use-after-free on unplug (bnc#1012382). - PCI: pciehp: Request control of native hotplug only if supported (bnc#1012382). - PM / sleep: wakeup: Fix build error caused by missing SRCU support (bnc#1012382). - RDMA/i40iw: Avoid panic when objects are being created and destroyed (bsc#969476 bsc#969477). - RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint (bsc#969476 bsc#969477). - RDMA/i40iw: Avoid reference leaks when processing the AEQ (bsc#969476 bsc#969477). - RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1024376). - RDMA/mad: Convert BUG_ONs to error flows (bnc#1012382). - RDMA/mlx5: Use proper spec flow label type (bsc#1015342 bsc#1015343). - Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum" (bnc#1012382). - Revert "UBIFS: Fix potential integer overflow in allocation" (bnc#1012382). - Revert "f2fs: handle dirty segments inside refresh_sit_entry" (bsc#1106281). - Revert "mm: page_alloc: skip over regions of invalid pfns where possible" (bnc#1107078). 
- Revert 'block-cancel-workqueue-entries-on-blk_mq_freeze_queue' (bsc#1103717). - Smack: Mark inode instant in smack_task_to_inode (bnc#1012382). - USB: musb: fix external abort on suspend (bsc#1085536). - USB: option: add support for DW5821e (bnc#1012382). - USB: serial: metro-usb: stop I/O after failed open (bsc#1085539). - USB: serial: sierra: fix potential deadlock at close (bnc#1012382). - Workaround kABI breakage by __must_check drop of strscpy() (bsc#1107319). - afs: Fix directory permissions check (bsc#1106283). - arc: fix build errors in arc/include/asm/delay.h (bnc#1012382). - arc: fix type warnings in arc/mm/cache.c (bnc#1012382). - arm64: make secondary_start_kernel() notrace (bnc#1012382). - arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() (bnc#1012382). - ath: Add regulatory mapping for APL13_WORLD (bnc#1012382). - ath: Add regulatory mapping for APL2_FCCA (bnc#1012382). - ath: Add regulatory mapping for Bahamas (bnc#1012382). - ath: Add regulatory mapping for Bermuda (bnc#1012382). - ath: Add regulatory mapping for ETSI8_WORLD (bnc#1012382). - ath: Add regulatory mapping for FCC3_ETSIC (bnc#1012382). - ath: Add regulatory mapping for Serbia (bnc#1012382). - ath: Add regulatory mapping for Tanzania (bnc#1012382). - ath: Add regulatory mapping for Uganda (bnc#1012382). - atl1c: reserve min skb headroom (bnc#1012382). - atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066). - audit: allow not equal op for audit by executable (bnc#1012382). - backlight: as3711_bl: Fix Device Tree node leaks (bsc#1106929). - backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1106929). - bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232). - bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232). - bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232). 
- bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
- bcache: finish incremental GC (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering (bsc#1064232).
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232).
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232).
- bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232).
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232).
- be2net: remove unused old custom busy-poll fields (bsc#1021121).
- blkdev: __blkdev_direct_IO_simple: fix leak in error case (bsc#1083663).
- block: bio_iov_iter_get_pages: fix size of last iovec (bsc#1083663).
- block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs (bsc#1083663).
- block: do not use interruptible wait anywhere (bnc#1012382).
- bnx2x: Fix invalid memory access in rss hash config path (bnc#1012382).
- bnx2x: Fix receiving tx-timeout in error or recovery state (bnc#1012382).
- bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#963575).
- bnxt_en: Fix for system hang if request_irq fails (bnc#1012382).
- bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1020412).
- bpf: fix references to free_bpf_prog_info() in comments (bnc#1012382).
- brcmfmac: Add support for bcm43364 wireless chipset (bnc#1012382).
- brcmfmac: stop watchdog before detach and free everything (bnc#1012382).
- bridge: Propagate vlan add failure to user (bnc#1012382).
- btrfs: Do not remove block group still has pinned down bytes (bsc#1086457).
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (bnc#1012382).
- btrfs: do not leak ret from do_chunk_alloc (bnc#1012382).
- btrfs: qgroup: Finish rescan when hit the last leaf of extent tree (bnc#1012382).
- btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf.
- btrfs: round down size diff when shrinking/growing device (bsc#1097105).
- can: ems_usb: Fix memory leak on ems_usb_disconnect() (bnc#1012382).
- can: mpc5xxx_can: check of_iomap return before use (bnc#1012382).
- can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK (bnc#1012382).
- can: xilinx_can: fix RX overflow interrupt not being enabled (bnc#1012382).
- can: xilinx_can: fix device dropping off bus on RX overrun (bnc#1012382).
- can: xilinx_can: fix incorrect clear of non-processed interrupts (bnc#1012382).
- can: xilinx_can: fix recovery from error states not being propagated (bnc#1012382).
- can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting (bnc#1012382).
- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (bnc#1012382).
- ceph: fix incorrect use of strncpy (bsc#1107319).
- ceph: return errors from posix_acl_equiv_mode() correctly (bsc#1107320).
- cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1012382).
- cifs: add missing debug entries for kconfig options (bnc#1012382).
- cifs: check kmalloc before use (bsc#1012382).
- cifs: store the leaseKey in the fid on SMB2_open (bsc#1012382).
- clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 (bnc#1012382).
- crypto: ablkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: authenc - do not leak pointers to authenc keys (bnc#1012382).
- crypto: authencesn - do not leak pointers to authenc keys (bnc#1012382).
- crypto: blkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: padlock-aes - Fix Nano workaround data corruption (bnc#1012382).
- crypto: vmac - require a block cipher with 128-bit block size (bnc#1012382).
- crypto: vmac - separate tfm and request context (bnc#1012382).
- crypto: vmx - Fix sleep-in-atomic bugs (bsc#1048317).
- cxgb4: when disabling dcb set txq dcb priority to 0 (bnc#1012382).
- cxl: Fix wrong comparison in cxl_adapter_context_get() (bsc#1055014).
- dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() (bnc#1012382).
- disable loading f2fs module on PAGE_SIZE > 4KB (bnc#1012382).
- dm cache metadata: save in-core policy_hint_size to on-disk superblock (bnc#1012382).
- dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA (bnc#1012382).
- dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() (bnc#1012382).
- dmaengine: pxa_dma: remove duplicate const qualifier (bnc#1012382).
- driver core: Partially revert "driver core: correct device's shutdown order" (bnc#1012382).
- drivers: net: lmc: fix case value for target abort error (bnc#1012382).
- drm/armada: fix colorkey mode property (bnc#1012382).
- drm/atmel-hlcdc: check stride values in the first plane (bsc#1106929).
- drm/atomic: Handling the case when setting old crtc for plane (bnc#1012382).
- drm/bridge: adv7511: Reset registers on hotplug (bnc#1012382).
- drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up (bsc#1101822).
- drm/drivers: add support for using the arch wc mapping API.
- drm/exynos/dsi: mask frame-done interrupt (bsc#1106929).
- drm/exynos: decon5433: Fix WINCONx reset value (bnc#1012382).
- drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes (bnc#1012382).
- drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes (bnc#1012382).
- drm/gma500: fix psb_intel_lvds_mode_valid()'s return type (bnc#1012382).
- drm/i915/userptr: reject zero user_size (bsc#1090888).
- drm/i915: Correctly handle limited range YCbCr data on VLV/CHV (bsc#1087092).
- drm/imx: fix typo in ipu_plane_formats (bsc#1106929).
- drm/imx: imx-ldb: check if channel is enabled before printing warning (bnc#1012382).
- drm/imx: imx-ldb: disable LDB on driver bind (bnc#1012382).
- drm/msm/hdmi: Use bitwise operators when building register values (bsc#1106929).
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bnc#1012382).
- drm/panel: type promotion bug in s6e8aa0_read_mtp_id() (bsc#1105769).
- drm/radeon: fix mode_valid's return type (bnc#1012382).
- drm: Add DP PSR2 sink enable bit (bnc#1012382).
- drm: Reject getfb for multi-plane framebuffers (bsc#1106929).
- enic: do not call enic_change_mtu in enic_probe
- enic: handle mtu change for vf properly (bnc#1012382).
- enic: initialize enic->rfs_h.lock in enic_probe (bnc#1012382).
- esp6: fix memleak on error path in esp6_input
- ext4: check for NUL characters in extended attribute's name (bnc#1012382).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update s_last_mounted of a frozen fs (bsc#1101841).
- ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ext4: fix inline data updates with checksums enabled (bsc#1104494).
- ext4: fix spectre gadget in ext4_mb_regular_allocator() (bnc#1012382).
- ext4: reset error code in ext4_find_entry in fallback (bnc#1012382).
- ext4: sysfs: print ext4_super_block fields as little-endian (bsc#1106229).
- f2fs: fix to do not trigger writeback during recovery (bnc#1012382).
- fat: fix memory allocation failure handling of match_strdup() (bnc#1012382).
- fb: fix lost console when the user unplugs a USB adapter (bnc#1012382).
- fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106929).
- fix __legitimize_mnt()/mntput() race (bnc#1012382).
- fix mntput/mntput race (bnc#1012382).
- fork: unconditionally clear stack on fork (bnc#1012382).
- fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed (bnc#1012382).
- fs/dax.c: fix inefficiency in dax_writeback_mapping_range() (bsc#1106185).
- fs/quota: Fix spectre gadget in do_quotactl (bnc#1012382).
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr (bsc#1068075, bsc#1078921).
- fuse: Add missed unlock_page() to fuse_readpages_fill() (bnc#1012382).
- fuse: Do not access pipe->buffers without pipe_lock() (bnc#1012382).
- fuse: Fix oops at process_init_reply() (bnc#1012382).
- fuse: fix double request_end() (bnc#1012382).
- fuse: fix unlocked access to processing queue (bnc#1012382).
- fuse: umount should wait for all requests (bnc#1012382).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- getxattr: use correct xattr length (bnc#1012382).
- hfsplus: Do not clear SGID when inheriting ACLs (bsc#1030552).
- hvc_opal: do not set tb_ticks_per_usec in udbg_init_opal_common() (bnc#1012382).
- hwrng: exynos - Disable runtime PM on driver unbind.
- i2c: davinci: Avoid zero value of CLKH (bnc#1012382).
- i2c: imx: Fix race condition in dma read (bnc#1012382).
- i2c: imx: Fix reinit_completion() use (bnc#1012382).
- i2c: ismt: fix wrong device address when unmap the data buffer (bnc#1012382).
- i40e: use cpumask_copy instead of direct assignment (bsc#1053685).
- i40iw: Fix memory leak in error path of create QP (bsc#969476 bsc#969477).
- i40iw: Use correct address in dst_neigh_lookup for IPv6 (bsc#969476 bsc#969477).
- ibmvnic: Include missing return code checks in reset function (bnc#1107966).
- ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- ieee802154: at86rf230: use __func__ macro for debug messages (bnc#1012382).
- ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- igb: Fix not adding filter elements to the list (bsc#1024361 bsc#1024365).
- iio: ad9523: Fix displayed phase (bnc#1012382).
- iio: ad9523: Fix return value for ad952x_store() (bnc#1012382).
- inet: frag: enforce memory limits earlier (bnc#1012382 bsc#970506).
- iommu/amd: make sure TLB to be flushed before IOVA freed (bsc#1106105).
- iommu/vt-d: Add definitions for PFSID (bnc#1012382).
- iommu/vt-d: Fix dev iotlb pfsid use (bnc#1012382).
- iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
- ioremap: Update pgtable free interfaces with addr (bnc#1012382).
- ip: hash fragments consistently (bnc#1012382).
- ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull (bnc#1012382).
- ipconfig: Correctly initialise ic_nameservers (bnc#1012382).
- ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV (bnc#1012382).
- ipv4: Return EINVAL when ping_group_range sysctl does not map to user ns (bnc#1012382).
- ipv4: remove BUG_ON() from fib_compute_spec_dst (bnc#1012382).
- ipv6: fix useless rol32 call on hash (bnc#1012382).
- ipv6: mcast: fix unsolicited report interval after receiving querys (bnc#1012382).
- ipvlan: use ETH_MAX_MTU as max mtu (bsc#1033962).
- iscsi target: fix session creation failure handling (bnc#1012382).
- isdn: Disable IIOCDBGVAR (bnc#1012382).
- iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen() (bsc#969476 bsc#969477).
- iwlwifi: pcie: fix race in Rx buffer allocator (bnc#1012382).
- ixgbe: Be more careful when modifying MAC filters (bnc#1012382).
- jfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- jump_label: Add RELEASE barrier after text changes (bsc#1105271).
- jump_label: Fix concurrent static_key_enable/disable() (bsc#1105271).
- jump_label: Move CPU hotplug locking (bsc#1105271).
- jump_label: Provide hotplug context variants (bsc#1105271).
- jump_label: Reduce the size of struct static_key (bsc#1105271).
- jump_label: Reorder hotplug lock and jump_label_lock (bsc#1105271).
- jump_label: Split out code under the hotplug lock (bsc#1105271).
- jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1105271).
- kABI: protect enum tcp_ca_event (kabi).
- kABI: reexport tcp_send_ack (kabi).
- kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- kasan: do not emit builtin calls when sanitization is off (bnc#1012382).
- kasan: fix shadow_size calculation error in kasan_module_alloc (bnc#1012382).
- kbuild: verify that $DEPMOD is installed (bnc#1012382).
- kernel: improve spectre mitigation (bnc#1106934, LTC#171029).
- kprobes/x86: Fix %p uses in error messages (bnc#1012382).
- kprobes: Make list and blacklist root user read only (bnc#1012382).
- kthread, tracing: Do not expose half-written comm when creating kthreads (bsc#1104897).
- kvm: x86: vmx: fix vpid leak (bnc#1012382).
- l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache (bnc#1012382).
- lib/rhashtable: consider param->min_size when setting initial table size (bnc#1012382).
- libata: Fix command retry decision (bnc#1012382).
- libceph: check authorizer reply/challenge length before reading (bsc#1096748).
- libceph: factor out __ceph_x_decrypt() (bsc#1096748).
- libceph: factor out __prepare_write_connect() (bsc#1096748).
- libceph: factor out encrypt_authorizer() (bsc#1096748).
- libceph: store ceph_auth_handshake pointer in ceph_connection (bsc#1096748).
- libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() (bsc#1096748).
- llc: use refcount_inc_not_zero() for llc_sap_find() (bnc#1012382).
- locking/lockdep: Do not record IRQ state within lockdep code (bnc#1012382).
- locks: pass inode pointer to locks_free_lock_context (bsc#1099832).
- locks: prink more detail when there are leaked locks (bsc#1099832).
- locks: restore a warn for leaked locks on close (bsc#1099832).
- m68k: fix "bad page state" oops on ColdFire boot (bnc#1012382).
- mac80211: add stations tied to AP_VLANs during hw reconfig (bnc#1012382).
- md/raid10: fix that replacement cannot complete recovery after reassemble (bnc#1012382).
- md: fix NULL dereference of mddev->pers in remove_and_add_spares() (bnc#1012382).
- media: omap3isp: fix unbalanced dma_iommu_mapping (bnc#1012382).
- media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() (bnc#1012382).
- media: rtl28xxu: be sure that it won't go past the array size (bsc#1050431).
- media: s5p-jpeg: fix number of components macro (bsc#1050431).
- media: saa7164: Fix driver name in debug output (bnc#1012382).
- media: si470x: fix __be16 annotations (bnc#1012382).
- media: siano: get rid of __le32/__le16 cast warnings (bnc#1012382).
- media: staging: omap4iss: Include asm/cacheflush.h after generic includes (bnc#1012382).
- media: videobuf2-core: do not call memop 'finish' when queueing (bnc#1012382).
- memory: tegra: Apply interrupts mask per SoC (bnc#1012382).
- memory: tegra: Do not handle spurious interrupts (bnc#1012382).
- mfd: cros_ec: Fail early if we cannot identify the EC (bnc#1012382).
- microblaze: Fix simpleImage format generation (bnc#1012382).
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported (bnc#1106697).
- mm/memory.c: check return value of ioremap_prot (bnc#1012382).
- mm/slub.c: add __printf verification to slab_err() (bnc#1012382).
- mm/tlb: Remove tlb_remove_table() non-concurrent condition (bnc#1012382).
- mm: Add vm_insert_pfn_prot() (bnc#1012382).
- mm: fix cache mode tracking in vm_insert_mixed() (bnc#1012382).
- mm: memcg: fix use after free in mem_cgroup_iter() (bnc#1012382).
- mm: vmalloc: avoid racy handling of debugobjects in vunmap (bnc#1012382).
- mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 (bnc#1012382).
- mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages (bnc#1012382).
- mtd: ubi: wl: Fix error return code in ubi_wl_init().
- mwifiex: correct histogram data with appropriate index (bnc#1012382).
- mwifiex: handle race during mwifiex_usb_disconnect (bnc#1012382).
- net/9p/client.c: version pointer uninitialized (bnc#1012382).
- net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() (bnc#1012382).
- net/ethernet/freescale/fman: fix cross-build error (bnc#1012382).
- net/ipv4: Set oif in fib_compute_spec_dst (bnc#1012382).
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper (bnc#1012382).
- net/mlx5: Add missing SET_DRIVER_VERSION command translation (bsc#1015342 bsc#1015343).
- net/mlx5: E-Switch, Include VF RDMA stats in vport statistics (bsc#966170 bsc#966172).
- net/mlx5: Eswitch, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- net/mlx5: Fix wrong size allocation for QoS ETC TC regitster (bsc#966170 bsc#966172).
- net/mlx5: Vport, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#966170 bsc#966172).
- net/mlx5e: Do not allow aRFS for encapsulated packets (bsc#1015342 bsc#1015343).
- net/mlx5e: Err if asked to offload TC match on frag being first (bsc#1015342 bsc#1015343).
- net/mlx5e: Fix quota counting in aRFS expire flow (bsc#1015342 bsc#1015343).
- net/mlx5e: Refine ets validation function (bsc#966170 bsc#966172).
- net: 6lowpan: fix reserved space for single frames (bnc#1012382).
- net: Do not copy pfmemalloc flag in __copy_skb_header() (bnc#1012382).
- net: add skb_condense() helper (bsc#1089066).
- net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
- net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
- net: axienet: Fix double deregister of mdio (bnc#1012382).
- net: caif: Add a missing rcu_read_unlock() in caif_flow_cb (bnc#1012382).
- net: davinci_emac: match the mdio device against its compatible if possible (bnc#1012382).
- net: dsa: Do not suspend/resume closed slave_dev (bnc#1012382).
- net: ena: Fix use of uninitialized DMA address bits field (bsc#1027968).
- net: fix amd-xgbe flow-control issue (bnc#1012382).
- net: hamradio: use eth_broadcast_addr (bnc#1012382).
- net: lan78xx: Fix misplaced tasklet_schedule() call (bnc#1012382).
- net: lan78xx: fix rx handling before first packet is send (bnc#1012382).
- net: mac802154: tx: expand tailroom if necessary (bnc#1012382).
- net: phy: fix flag masking in __set_phy_supported (bnc#1012382).
- net: prevent ISA drivers from building on PPC32 (bnc#1012382).
- net: propagate dev_get_valid_name return code (bnc#1012382).
- net: qca_spi: Avoid packet drop during initial sync (bnc#1012382).
- net: qca_spi: Fix log level if probe fails (bnc#1012382).
- net: qca_spi: Make sure the QCA7000 reset is triggered (bnc#1012382).
- net: socket: fix potential spectre v1 gadget in socketcall (bnc#1012382).
- net: usb: rtl8150: demote allmulti message to dev_dbg() (bnc#1012382).
- net: vmxnet3: use new api ethtool_{get|set}_link_ksettings (bsc#1091860 bsc#1098253).
- net_sched: Fix missing res info when create new tc_index filter (bnc#1012382).
- net_sched: fix NULL pointer dereference when delete tcindex filter (bnc#1012382).
- netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state (bnc#1012382).
- netfilter: ipset: List timing out entries with "timeout 1" instead of zero (bnc#1012382).
- netfilter: ipv6: nf_defrag: reduce struct net memory waste (bnc#1012382).
- netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule (bsc#1102797).
- netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet (bsc#1102797).
- netfilter: x_tables: set module owner for icmp(6) matches (bnc#1012382).
- netlink: Do not shift on 64 for ngroups (bnc#1012382).
- netlink: Do not shift with UB on nlk->ngroups (bnc#1012382).
- netlink: Do not subscribe to non-existent groups (bnc#1012382).
- netlink: Fix spectre v1 gadget in netlink_create() (bnc#1012382).
- netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo (bnc#1012382).
- nl80211: Add a missing break in parse_station_flags (bnc#1012382).
- nohz: Fix local_timer_softirq_pending() (bnc#1012382).
- nvme-fc: release io queues to allow fast fail (bsc#1102486).
- nvme: if_ready checks to fail io to deleting controller (bsc#1102486).
- nvme: kABI-compliant version of nvmf_fail_nonready_command() (bsc#1102486).
- nvmet-fc: fix target sgl list on large transfers (bsc#1102486).
- osf_getdomainname(): use copy_to_user() (bnc#1012382).
- ovl: Do d_type check only if work dir creation was successful (bnc#1012382).
- ovl: Ensure upper filesystem supports d_type (bnc#1012382).
- ovl: warn instead of error if d_type is not supported (bnc#1012382).
- packet: refine ring v3 block size test to hold one frame (bnc#1012382).
- packet: reset network header if packet shorter than ll reserved space (bnc#1012382).
- parisc: Define mb() and add memory barriers to assembler unlock sequences (bnc#1012382).
- parisc: Enable CONFIG_MLONGCALLS by default (bnc#1012382).
- parisc: Remove ordered stores from syscall.S (bnc#1012382).
- parisc: Remove unnecessary barriers from spinlock.h (bnc#1012382).
- perf auxtrace: Fix queue resize (bnc#1012382).
- perf llvm-utils: Remove bashism from kernel include fetch script (bnc#1012382).
- perf report powerpc: Fix crash if callchain is empty (bnc#1012382).
- perf test session topology: Fix test on s390 (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check for NHM (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check in generic code (bnc#1012382).
- perf: fix invalid bit in diagnostic entry (bnc#1012382).
- pinctrl: at91-pio4: add missing of_node_put (bnc#1012382).
- pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() (bnc#1012382).
- pnfs/blocklayout: off by one in bl_map_stripe() (bnc#1012382).
- powerpc/32: Add a missing include header (bnc#1012382).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032).
- powerpc/64s: Fix compiler store ordering to SLB shadow area (bnc#1012382).
- powerpc/8xx: fix invalid register expression in head_8xx.S (bnc#1012382).
- powerpc/chrp/time: Make some functions static, add missing header include (bnc#1012382).
- powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet (bnc#1012382).
- powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269).
- powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269).
- powerpc/lib: Fix the feature fixup tests to actually work (bsc#1066223).
- powerpc/powermac: Add missing prototype for note_bootable_part() (bnc#1012382).
- powerpc/powermac: Mark variable x as unused (bnc#1012382).
- powerpc/pseries: Fix endianness while restoring of r3 in MCE handler (bnc#1012382).
- powerpc/topology: Get topology for shared processors at boot (bsc#1104683).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc: make feature-fixup tests fortify-safe (bsc#1066223).
- provide special timeout module parameters for EC2 (bsc#1065364).
- ptp: fix missing break in switch (bnc#1012382).
- pwm: tiehrpwm: Fix disabling of output of PWMs (bnc#1012382).
- qed: Add sanity check for SIMD fastpath handler (bnc#1012382).
- qed: Correct Multicast API to reflect existence of 256 approximate buckets (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Do not advertise DCBX_LLD_MANAGED capability (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible memory leak in Rx error path handling (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible race for the link state value (bnc#1012382).
- qed: Fix setting of incorrect eswitch mode (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix use of incorrect size in memcpy call (bsc#1019695 bsc#1019699 bsc#1022604).
- qede: Adverstise software timestamp caps when PHC is not available (bsc#1019695 bsc#1019699 bsc#1022604).
- qlge: Fix netdev features configuration (bsc#1098822).
- qlogic: check kstrtoul() for errors (bnc#1012382).
- random: mix rdrand with entropy sent in from userspace (bnc#1012382).
- readahead: stricter check for bdi io_pages (VM Functionality).
- regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops (bnc#1012382).
- reiserfs: fix broken xattr handling (heap corruption, bad retval) (bnc#1012382).
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer (bnc#1012382).
- root dentries need RCU-delayed freeing (bnc#1012382).
- rsi: Fix 'invalid vdd' warning in mmc (bnc#1012382).
- rtc: ensure rtc_set_alarm fails when alarms are not supported (bnc#1012382).
- rtnetlink: add rtnl_link_state check in rtnl_configure_link (bnc#1012382).
- s390/cpum_sf: Add data entry sizes to sampling trailer entry (bnc#1012382).
- s390/kvm: fix deadlock when killed by oom (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (bnc#1106934, LTC#171029).
- s390/pci: fix out of bounds access during irq setup (bnc#1012382).
- s390/qdio: reset old sbal_state flags (bnc#1012382).
- s390/qeth: do not clobber buffer on async TX completion (bnc#1104485, LTC#170349).
- s390/qeth: fix race when setting MAC address (bnc#1104485, LTC#170726).
- s390: add explicit for jump label (bsc#1105271).
- s390: detect etoken facility (bnc#1106934, LTC#171029).
- s390: fix br_r1_trampoline for machines without exrl (bnc#1012382 bnc#1106934 LTC#171029).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scripts/tar-up.sh: Do not package gitlog-excludes file Also fix the evaluation of gitlog-excludes file, too
- scsi: 3w-xxxx: fix a missing-check bug (bnc#1012382).
- scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock (bnc#1012382).
- scsi: fcoe: drop frames in ELS LOGO error path (bnc#1012382).
- scsi: hpsa: limit transfer length to 1MB, not 512kB (bsc#1102346).
- scsi: libiscsi: fix possible NULL pointer dereference in case of TMF (bnc#1012382).
- scsi: megaraid: silence a static checker bug (bnc#1012382).
- scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs (bnc#1012382).
- scsi: qla2xxx: Fix ISP recovery on unload (bnc#1012382).
- scsi: qla2xxx: Return error when TMF returns (bnc#1012382).
- scsi: scsi_dh: replace too broad "TP9" string with the exact models (bnc#1012382).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (bnc#1012382).
- scsi: sysfs: Introduce sysfs_{un,}break_active_protection() (bnc#1012382).
- scsi: ufs: fix exception event handling (bnc#1012382).
- scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED (bnc#1012382).
- scsi: xen-scsifront: add error handling for xenbus_printf (bnc#1012382).
- scsi_debug: call resp_XXX function after setting host_scribble (bsc#1069138).
- scsi_debug: reset injection flags for every_nth > 0 (bsc#1069138).
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC (bnc#1012382).
- selftest/seccomp: Fix the seccomp(2) signature (bnc#1012382).
- selftests/ftrace: Add snapshot and tracing_on test case (bnc#1012382).
- selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs (bnc#1012382).
- selftests: pstore: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: static_keys: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: sync: add config fragment for testing sync framework (bnc#1012382).
- selftests: user: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: zram: return Kselftest Skip code for skipped tests (bnc#1012382).
- serial: 8250_dw: always set baud rate in dw8250_set_termios (bnc#1012382).
- sfc: stop the TX queue before pushing new buffers (bsc#1017967).
- skbuff: Unconditionally copy pfmemalloc in __skb_clone() (bnc#1012382).
- slab: __GFP_ZERO is incompatible with a constructor (bnc#1107060).
- smb3: Do not send SMB3 SET_INFO if nothing changed (bnc#1012382).
- smb3: do not request leases in symlink creation and query (bnc#1012382).
- spi: davinci: fix a NULL pointer dereference (bnc#1012382).
- squashfs: be more careful about metadata corruption (bnc#1012382).
- squashfs: more metadata hardening (bnc#1012382).
- squashfs: more metadata hardenings (bnc#1012382).
- staging: android: ion: check for kref overflow (bnc#1012382).
- string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1107319).
- sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
- target_core_rbd: use RCU in free_device (bsc#1105524).
- tcp: Fix missing range_truesize enlargement in the backport (bnc#1012382).
- tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode (bnc#1012382).
- tcp: add one more quick ack after after ECN events (bnc#1012382).
- tcp: do not aggressively quick ack after ECN events (bnc#1012382).
- tcp: do not cancel delay-AcK on DCTCP special ACK (bnc#1012382).
- tcp: do not delay ACK in DCTCP upon CE status change (bnc#1012382).
- tcp: do not force quickack when receiving out-of-order packets (bnc#1012382).
- tcp: fix dctcp delayed ACK schedule (bnc#1012382).
- tcp: helpers to send special DCTCP ack (bnc#1012382).
- tcp: identify cryptic messages as TCP seq # bugs (bnc#1012382).
- tcp: refactor tcp_ecn_check_ce to remove sk type cast (bnc#1012382).
- tcp: remove DELAYED ACK events in DCTCP (bnc#1012382).
- tg3: Add higher cpu clock for 5762 (bnc#1012382).
- thermal: exynos: fix setting rising_threshold for Exynos5433 (bnc#1012382).
- timekeeping: Eliminate the stale declaration of ktime_get_raw_and_real_ts64() (bsc#969470).
- tools/power turbostat: Read extended processor family from CPUID (bnc#1012382).
- tools/power turbostat: fix -S on UP systems (bnc#1012382).
- tools: usb: ffs-test: Fix build on big endian systems (bnc#1012382).
- tpm: fix race condition in tpm_common_write() (bnc#1012382).
- tracing/blktrace: Fix to allow setting same value (bnc#1012382).
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure (bnc#1012382).
- tracing: Do not call start/stop() functions when tracing_on does not change (bnc#1012382).
- tracing: Fix double free of event_trigger_data (bnc#1012382).
- tracing: Fix possible double free in event_enable_trigger_func() (bnc#1012382).
- tracing: Quiet gcc warning about maybe unused link variable (bnc#1012382).
- tracing: Use __printf markup to silence compiler (bnc#1012382).
- tty: Fix data race in tty_insert_flip_string_fixed_flag (bnc#1012382).
- turn off -Wattribute-alias (bnc#1012382).
- ubi: Be more paranoid while seaching for the most recent Fastmap (bnc#1012382).
- ubi: Fix Fastmap's update_vol() (bnc#1012382).
- ubi: Fix races around ubi_refill_pools() (bnc#1012382).
- ubi: Introduce vol_ignored() (bnc#1012382).
- ubi: Rework Fastmap attach base code (bnc#1012382).
- ubi: fastmap: Erase outdated anchor PEBs during attach (bnc#1012382).
- ubifs: Check data node size before truncate (bsc#1106276).
- ubifs: Fix memory leak in lprobs self-check (bsc#1106278).
- ubifs: Fix synced_i_size calculation for xattr inodes (bsc#1106275).
- ubifs: xattr: Do not operate on deleted inodes (bsc#1106271).
- udl-kms: change down_interruptible to down (bnc#1012382).
- udl-kms: fix crash due to uninitialized memory (bnc#1012382).
- udl-kms: handle allocation failure (bnc#1012382).
- udlfb: set optimal write delay (bnc#1012382).
- uprobes: Use synchronize_rcu() not synchronize_sched() (bnc#1012382).
- usb/phy: fix PPC64 build errors in phy-fsl-usb.c (bnc#1012382).
- usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1099810).
- usb: cdc_acm: Add quirk for Castles VEGA3000 (bnc#1012382).
- usb: dwc2: debugfs: Do not touch RX FIFO during register dump (bsc#1100132).
- usb: dwc2: fix isoc split in transfer with no data (bnc#1012382).
- usb: gadget: composite: fix delayed_status race condition when set_interface (bnc#1012382).
- usb: gadget: dwc2: fix memory leak in gadget_init() (bnc#1012382).
- usb: gadget: f_fs: Only return delayed status when len is 0 (bnc#1012382).
- usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' (bnc#1012382).
- usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() (bnc#1012382).
- usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() (bnc#1012382).
- usb: hub: Do not wait for connect state at resume for powered-off ports (bnc#1012382).
- usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock (bsc#1085536).
- usb: xhci: increase CRS timeout value (bnc#1012382).
- usbip: usbip_detach: Fix memory, udev context and udev leak (bnc#1012382).
- userns: move user access out of the mutex (bnc#1012382).
- vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841).
- virtio_balloon: fix another race between migration and ballooning (bnc#1012382).
- vmw_balloon: VMCI_DOORBELL_SET does not check status (bnc#1012382).
- vmw_balloon: do not use 2MB without batching (bnc#1012382).
- vmw_balloon: fix VMCI use when balloon built into kernel (bnc#1012382).
- vmw_balloon: fix inflation of 64-bit GFNs (bnc#1012382).
- vmxnet3: Replace msleep(1) with usleep_range() (bsc#1091860 bsc#1098253).
- vmxnet3: add receive data ring support (bsc#1091860 bsc#1098253).
- vmxnet3: add support for get_coalesce, set_coalesce ethtool operations (bsc#1091860 bsc#1098253).
- vmxnet3: allow variable length transmit data ring buffer (bsc#1091860 bsc#1098253).
- vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() (bsc#1091860 bsc#1098253).
- vmxnet3: avoid format strint overflow warning (bsc#1091860 bsc#1098253).
- vmxnet3: avoid xmit reset due to a race in vmxnet3 (bsc#1091860 bsc#1098253).
- vmxnet3: fix incorrect dereference when rxvlan is disabled (bsc#1091860 bsc#1098253).
- vmxnet3: fix non static symbol warning (bsc#1091860 bsc#1098253).
- vmxnet3: fix tx data ring copy for variable size (bsc#1091860 bsc#1098253). - vmxnet3: increase default rx ring sizes (bsc#1091860 bsc#1098253). - vmxnet3: introduce command to register memory region (bsc#1091860 bsc#1098253). - vmxnet3: introduce generalized command interface to configure the device (bsc#1091860 bsc#1098253). - vmxnet3: prepare for version 3 changes (bsc#1091860 bsc#1098253). - vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1091860 bsc#1098253). - vmxnet3: remove unused flag "rxcsum" from struct vmxnet3_adapter (bsc#1091860 bsc#1098253). - vmxnet3: set the DMA mask before the first DMA map operation (bsc#1091860 bsc#1098253). - vmxnet3: update to version 3 (bsc#1091860 bsc#1098253). - vmxnet3: use DMA memory barriers where required (bsc#1091860 bsc#1098253). - vmxnet3: use correct flag to indicate LRO feature (bsc#1091860 bsc#1098253). - vsock: split dwork to avoid reinitializations (bnc#1012382). - vti6: Fix dev->max_mtu setting (bsc#1033962). - vti6: fix PMTU caching and reporting on xmit (bnc#1012382). - wlcore: sdio: check for valid platform device data before suspend (bnc#1012382). - x86/MCE: Remove min interval polling limitation (bnc#1012382). - x86/amd: do not set X86_BUG_SYSRET_SS_ATTRS when running under Xen (bnc#1012382). - x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs (bnc#1012382). - x86/bugs: Move the l1tf function and define pr_fmt properly (bnc#1012382). - x86/bugs: Respect nospec command line option (bsc#1068032). - x86/cpu/AMD: Fix erratum 1076 (CPB bit) (bnc#1012382). - x86/cpu: Make alternative_msr_write work for 32-bit code (bnc#1012382). - x86/cpu: Re-apply forced caps every time CPU caps are re-read (bnc#1012382). - x86/cpufeatures: Add CPUID_7_EDX CPUID leaf (bnc#1012382). - x86/cpufeatures: Clean up Spectre v2 related CPUID flags (bnc#1012382). - x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (bnc#1012382). 
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715). - x86/init: fix build with CONFIG_SWAP=n (bnc#1012382). - x86/irqflags: Mark native_restore_fl extern inline (bnc#1012382). - x86/irqflags: Provide a declaration for native_save_fl. - x86/mm/kmmio: Make the tracer robust against L1TF (bnc#1012382). - x86/mm/pat: Fix L1TF stable backport for CPA (bnc#1012382). - x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call (bnc#1012382). - x86/mm/pat: Make set_memory_np() L1TF safe (bnc#1012382). - x86/mm: Add TLB purge to free pmd/pte page interfaces (bnc#1012382). - x86/mm: Disable ioremap free page handling on x86-PAE (bnc#1012382). - x86/mm: Give each mm TLB flush generation a unique ID (bnc#1012382). - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (bnc#1012382). - x86/paravirt: Make native_save_fl() extern inline (bnc#1012382). - x86/process: Correct and optimize TIF_BLOCKSTEP switch (bnc#1012382). - x86/process: Optimize TIF checks in __switch_to_xtra() (bnc#1012382). - x86/process: Optimize TIF_NOTSC switch (bnc#1012382). - x86/process: Re-export start_thread() (bnc#1012382). - x86/spectre: Add missing family 6 check to microcode check (bnc#1012382). - x86/spectre_v2: Do not check microcode versions when running under hypervisors (bnc#1012382). - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (bnc#1012382). - x86/speculation/l1tf: Extend 64bit swap file size limit (bnc#1012382). - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536). - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1012382). - x86/speculation/l1tf: Fix up CPU feature flags (bnc#1012382). - x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382). - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - x86/speculation/l1tf: Invert all not present mappings (bnc#1012382). - x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (bnc#1012382). 
- x86/speculation/l1tf: Protect PAE swap entries against L1TF (bnc#1012382). - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536). - x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (bnc#1012382). - x86/speculation: Add dependency (bnc#1012382). - x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (bnc#1012382). - x86/speculation: Clean up various Spectre related details (bnc#1012382). - x86/speculation: Correct Speculation Control microcode blacklist again (bnc#1012382). - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP (bnc#1012382). - x86/speculation: Update Speculation Control microcode blacklist (bnc#1012382). - x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369). - x86/speculation: Use IBRS if available before calling into firmware (bnc#1012382). - x86/speculation: Use Indirect Branch Prediction Barrier in context switch (bnc#1012382). - x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths (bnc#1012382). - xen-netfront: wait xenbus state change when load module manually (bnc#1012382). - xen/blkback: do not keep persistent grants too long (bsc#1085042). - xen/blkback: move persistent grants flags to bool (bsc#1085042). - xen/blkfront: cleanup stale persistent grants (bsc#1085042). - xen/blkfront: reorder tests in xlblk_init() (bsc#1085042). - xen/netfront: do not cache skb_shinfo() (bnc#1012382). - xen: set cpu capabilities from xen_start_kernel() (bnc#1012382). - xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382). - xfrm: free skb if nlsk pointer is NULL (bnc#1012382). - xfrm_user: prevent leaking 2 bytes of kernel memory (bnc#1012382). - xfs: Remove dead code from inode recover function (bsc#1105396). - xfs: repair malformed inode items during log recovery (bsc#1105396). - xhci: Fix perceived dead host due to runtime suspend race with event handler (bnc#1012382). 
- zswap: re-check zswap_is_full() after do zswap_shrink() (bnc#1012382). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1941=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1941=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1941=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-1941=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1941=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): kernel-default-debuginfo-4.4.155-94.50.1 kernel-default-debugsource-4.4.155-94.50.1 kernel-default-extra-4.4.155-94.50.1 kernel-default-extra-debuginfo-4.4.155-94.50.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.4.155-94.50.1 kernel-obs-build-debugsource-4.4.155-94.50.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch): kernel-docs-4.4.155-94.50.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): kernel-default-4.4.155-94.50.1 kernel-default-base-4.4.155-94.50.1 kernel-default-base-debuginfo-4.4.155-94.50.1 kernel-default-debuginfo-4.4.155-94.50.1 kernel-default-debugsource-4.4.155-94.50.1 kernel-default-devel-4.4.155-94.50.1 kernel-syms-4.4.155-94.50.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): kernel-devel-4.4.155-94.50.1 kernel-macros-4.4.155-94.50.1 kernel-source-4.4.155-94.50.1 - SUSE Linux Enterprise Server 12-SP3 (s390x): kernel-default-man-4.4.155-94.50.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.155-94.50.1 cluster-md-kmp-default-debuginfo-4.4.155-94.50.1 dlm-kmp-default-4.4.155-94.50.1 dlm-kmp-default-debuginfo-4.4.155-94.50.1 gfs2-kmp-default-4.4.155-94.50.1 gfs2-kmp-default-debuginfo-4.4.155-94.50.1 kernel-default-debuginfo-4.4.155-94.50.1 kernel-default-debugsource-4.4.155-94.50.1 ocfs2-kmp-default-4.4.155-94.50.1 ocfs2-kmp-default-debuginfo-4.4.155-94.50.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): kernel-default-4.4.155-94.50.1 kernel-default-debuginfo-4.4.155-94.50.1 kernel-default-debugsource-4.4.155-94.50.1 kernel-default-devel-4.4.155-94.50.1 kernel-default-extra-4.4.155-94.50.1 kernel-default-extra-debuginfo-4.4.155-94.50.1 kernel-syms-4.4.155-94.50.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): kernel-devel-4.4.155-94.50.1 kernel-macros-4.4.155-94.50.1 kernel-source-4.4.155-94.50.1 - SUSE CaaS 
Platform ALL (x86_64): kernel-default-4.4.155-94.50.1 kernel-default-debuginfo-4.4.155-94.50.1 kernel-default-debugsource-4.4.155-94.50.1 - SUSE CaaS Platform 3.0 (x86_64): kernel-default-4.4.155-94.50.1 kernel-default-debuginfo-4.4.155-94.50.1 kernel-default-debugsource-4.4.155-94.50.1 References: https://www.suse.com/security/cve/CVE-2018-10876.html https://www.suse.com/security/cve/CVE-2018-10877.html https://www.suse.com/security/cve/CVE-2018-10878.html https://www.suse.com/security/cve/CVE-2018-10879.html https://www.suse.com/security/cve/CVE-2018-10880.html https://www.suse.com/security/cve/CVE-2018-10881.html https://www.suse.com/security/cve/CVE-2018-10882.html https://www.suse.com/security/cve/CVE-2018-10883.html https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10938.html https://www.suse.com/security/cve/CVE-2018-1128.html https://www.suse.com/security/cve/CVE-2018-1129.html https://www.suse.com/security/cve/CVE-2018-12896.html https://www.suse.com/security/cve/CVE-2018-13093.html https://www.suse.com/security/cve/CVE-2018-13094.html https://www.suse.com/security/cve/CVE-2018-13095.html https://www.suse.com/security/cve/CVE-2018-15572.html https://www.suse.com/security/cve/CVE-2018-16658.html https://www.suse.com/security/cve/CVE-2018-6554.html https://www.suse.com/security/cve/CVE-2018-6555.html https://www.suse.com/security/cve/CVE-2018-9363.html https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1015342 https://bugzilla.suse.com/1015343 https://bugzilla.suse.com/1017967 https://bugzilla.suse.com/1019695 https://bugzilla.suse.com/1019699 https://bugzilla.suse.com/1020412 https://bugzilla.suse.com/1021121 https://bugzilla.suse.com/1022604 https://bugzilla.suse.com/1024361 https://bugzilla.suse.com/1024365 https://bugzilla.suse.com/1024376 https://bugzilla.suse.com/1027968 https://bugzilla.suse.com/1030552 https://bugzilla.suse.com/1031492 https://bugzilla.suse.com/1033962 
https://bugzilla.suse.com/1042286 https://bugzilla.suse.com/1048317 https://bugzilla.suse.com/1050431 https://bugzilla.suse.com/1053685 https://bugzilla.suse.com/1055014 https://bugzilla.suse.com/1056596 https://bugzilla.suse.com/1062604 https://bugzilla.suse.com/1063646 https://bugzilla.suse.com/1064232 https://bugzilla.suse.com/1065364 https://bugzilla.suse.com/1066223 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1068075 https://bugzilla.suse.com/1069138 https://bugzilla.suse.com/1078921 https://bugzilla.suse.com/1080157 https://bugzilla.suse.com/1083663 https://bugzilla.suse.com/1085042 https://bugzilla.suse.com/1085536 https://bugzilla.suse.com/1085539 https://bugzilla.suse.com/1086457 https://bugzilla.suse.com/1087092 https://bugzilla.suse.com/1089066 https://bugzilla.suse.com/1090888 https://bugzilla.suse.com/1091171 https://bugzilla.suse.com/1091860 https://bugzilla.suse.com/1096254 https://bugzilla.suse.com/1096748 https://bugzilla.suse.com/1097105 https://bugzilla.suse.com/1098253 https://bugzilla.suse.com/1098822 https://bugzilla.suse.com/1099597 https://bugzilla.suse.com/1099810 https://bugzilla.suse.com/1099811 https://bugzilla.suse.com/1099813 https://bugzilla.suse.com/1099832 https://bugzilla.suse.com/1099844 https://bugzilla.suse.com/1099845 https://bugzilla.suse.com/1099846 https://bugzilla.suse.com/1099849 https://bugzilla.suse.com/1099863 https://bugzilla.suse.com/1099864 https://bugzilla.suse.com/1099922 https://bugzilla.suse.com/1099999 https://bugzilla.suse.com/1100000 https://bugzilla.suse.com/1100001 https://bugzilla.suse.com/1100132 https://bugzilla.suse.com/1101822 https://bugzilla.suse.com/1101841 https://bugzilla.suse.com/1102346 https://bugzilla.suse.com/1102486 https://bugzilla.suse.com/1102517 https://bugzilla.suse.com/1102715 https://bugzilla.suse.com/1102797 https://bugzilla.suse.com/1103269 https://bugzilla.suse.com/1103445 https://bugzilla.suse.com/1103717 https://bugzilla.suse.com/1104319 
https://bugzilla.suse.com/1104485 https://bugzilla.suse.com/1104494 https://bugzilla.suse.com/1104495 https://bugzilla.suse.com/1104683 https://bugzilla.suse.com/1104897 https://bugzilla.suse.com/1105271 https://bugzilla.suse.com/1105292 https://bugzilla.suse.com/1105322 https://bugzilla.suse.com/1105323 https://bugzilla.suse.com/1105392 https://bugzilla.suse.com/1105396 https://bugzilla.suse.com/1105524 https://bugzilla.suse.com/1105536 https://bugzilla.suse.com/1105769 https://bugzilla.suse.com/1106016 https://bugzilla.suse.com/1106105 https://bugzilla.suse.com/1106185 https://bugzilla.suse.com/1106229 https://bugzilla.suse.com/1106271 https://bugzilla.suse.com/1106275 https://bugzilla.suse.com/1106276 https://bugzilla.suse.com/1106278 https://bugzilla.suse.com/1106281 https://bugzilla.suse.com/1106283 https://bugzilla.suse.com/1106369 https://bugzilla.suse.com/1106509 https://bugzilla.suse.com/1106511 https://bugzilla.suse.com/1106697 https://bugzilla.suse.com/1106929 https://bugzilla.suse.com/1106934 https://bugzilla.suse.com/1106995 https://bugzilla.suse.com/1107060 https://bugzilla.suse.com/1107078 https://bugzilla.suse.com/1107319 https://bugzilla.suse.com/1107320 https://bugzilla.suse.com/1107689 https://bugzilla.suse.com/1107735 https://bugzilla.suse.com/1107966 https://bugzilla.suse.com/963575 https://bugzilla.suse.com/966170 https://bugzilla.suse.com/966172 https://bugzilla.suse.com/969470 https://bugzilla.suse.com/969476 https://bugzilla.suse.com/969477 https://bugzilla.suse.com/970506 From sle-updates at lists.suse.com Fri Sep 21 04:11:28 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 12:11:28 +0200 (CEST) Subject: SUSE-SU-2018:2777-1: important: Security update for python-paramiko Message-ID: <20180921101128.E4092FCF0@maintenance.suse.de> SUSE Security Update: Security update for python-paramiko ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2018:2777-1 Rating: important References: #1085276 #1106148 Cross-References: CVE-2018-7750 Affected Products: SUSE Linux Enterprise Module for Public Cloud 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for python-paramiko to version 1.18.5 fixes the following issues: This security issue was fixed: - CVE-2018-7750: transport.py in the SSH server implementation of Paramiko did not properly check whether authentication is completed before processing other requests. A customized SSH client could have skipped the authentication step (bsc#1085276) This non-security issue was fixed: - Prevent connection problems with ssh servers due to no acceptable macs being available (bsc#1106148) For additional changes please check the changelog. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-1945=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): python-paramiko-1.18.5-2.12.1 References: https://www.suse.com/security/cve/CVE-2018-7750.html https://bugzilla.suse.com/1085276 https://bugzilla.suse.com/1106148 From sle-updates at lists.suse.com Fri Sep 21 04:12:32 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 12:12:32 +0200 (CEST) Subject: SUSE-SU-2018:2778-1: moderate: Security update for ImageMagick Message-ID: <20180921101232.2D1FBFCF0@maintenance.suse.de> SUSE Security Update: Security update for ImageMagick ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2778-1 Rating: moderate References: #1102003 #1102004 #1102005 #1102007 #1105592 #1106855 #1106858 Cross-References: CVE-2018-14434 CVE-2018-14435 CVE-2018-14436 CVE-2018-14437 CVE-2018-16323 CVE-2018-16329 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has one errata is now available. Description: This update for ImageMagick fixes the following issues: The following security vulnerabilities were fixed: - CVE-2018-16329: Prevent NULL pointer dereference in the GetMagickProperty function leading to DoS (bsc#1106858) - CVE-2018-16323: ReadXBMImage left data uninitialized when processing an XBM file that has a negative pixel value. 
If the affected code was used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data (bsc#1106855) - CVE-2018-14434: Fixed a memory leak for a colormap in WriteMPCImage (bsc#1102003) - CVE-2018-14435: Fixed a memory leak in DecodeImage in coders/pcd.c (bsc#1102007) - CVE-2018-14436: Fixed a memory leak in ReadMIFFImage in coders/miff.c (bsc#1102005) - CVE-2018-14437: Fixed a memory leak in parse8BIM in coders/meta.c (bsc#1102004) - Disable PS, PS2, PS3, XPS and PDF coders in default policy.xml (bsc#1105592) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1943=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1943=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1943=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1943=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): ImageMagick-6.8.8.1-71.74.1 ImageMagick-debuginfo-6.8.8.1-71.74.1 ImageMagick-debugsource-6.8.8.1-71.74.1 libMagick++-6_Q16-3-6.8.8.1-71.74.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.74.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): ImageMagick-6.8.8.1-71.74.1 ImageMagick-debuginfo-6.8.8.1-71.74.1 ImageMagick-debugsource-6.8.8.1-71.74.1 ImageMagick-devel-6.8.8.1-71.74.1 libMagick++-6_Q16-3-6.8.8.1-71.74.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.74.1 libMagick++-devel-6.8.8.1-71.74.1 perl-PerlMagick-6.8.8.1-71.74.1 perl-PerlMagick-debuginfo-6.8.8.1-71.74.1 - SUSE Linux 
Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): ImageMagick-debuginfo-6.8.8.1-71.74.1 ImageMagick-debugsource-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.74.1 libMagickWand-6_Q16-1-6.8.8.1-71.74.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.74.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): ImageMagick-6.8.8.1-71.74.1 ImageMagick-debuginfo-6.8.8.1-71.74.1 ImageMagick-debugsource-6.8.8.1-71.74.1 libMagick++-6_Q16-3-6.8.8.1-71.74.1 libMagick++-6_Q16-3-debuginfo-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-debuginfo-32bit-6.8.8.1-71.74.1 libMagickCore-6_Q16-1-debuginfo-6.8.8.1-71.74.1 libMagickWand-6_Q16-1-6.8.8.1-71.74.1 libMagickWand-6_Q16-1-debuginfo-6.8.8.1-71.74.1 References: https://www.suse.com/security/cve/CVE-2018-14434.html https://www.suse.com/security/cve/CVE-2018-14435.html https://www.suse.com/security/cve/CVE-2018-14436.html https://www.suse.com/security/cve/CVE-2018-14437.html https://www.suse.com/security/cve/CVE-2018-16323.html https://www.suse.com/security/cve/CVE-2018-16329.html https://bugzilla.suse.com/1102003 https://bugzilla.suse.com/1102004 https://bugzilla.suse.com/1102005 https://bugzilla.suse.com/1102007 https://bugzilla.suse.com/1105592 https://bugzilla.suse.com/1106855 https://bugzilla.suse.com/1106858 From sle-updates at lists.suse.com Fri Sep 21 04:14:22 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 12:14:22 +0200 (CEST) Subject: SUSE-SU-2018:2779-1: important: Security update for openslp Message-ID: <20180921101422.CF7E5FD03@maintenance.suse.de> SUSE Security Update: Security update for openslp ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2779-1 Rating: important References: #1090638 Cross-References: CVE-2017-17833 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software 
Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 SUSE CaaS Platform ALL OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for openslp fixes the following issues: - CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638) - Prevent out of bounds reads in message parsing Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1942=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1942=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1942=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1942=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1942=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1942=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1942=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1942=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1942=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1942=1 - SUSE CaaS Platform ALL: To install this 
update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1942=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): openslp-2.0.0-18.15.1 openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 openslp-server-debuginfo-2.0.0-18.15.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-devel-2.0.0-18.15.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 openslp-server-debuginfo-2.0.0-18.15.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 openslp-server-debuginfo-2.0.0-18.15.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 openslp-server-debuginfo-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 
openslp-server-debuginfo-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 openslp-server-debuginfo-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 openslp-server-debuginfo-2.0.0-18.15.1 - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64): openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): openslp-2.0.0-18.15.1 openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 - SUSE Enterprise Storage 4 (x86_64): openslp-2.0.0-18.15.1 openslp-32bit-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debuginfo-32bit-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 openslp-server-2.0.0-18.15.1 openslp-server-debuginfo-2.0.0-18.15.1 - SUSE CaaS Platform ALL (x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): openslp-2.0.0-18.15.1 openslp-debuginfo-2.0.0-18.15.1 openslp-debugsource-2.0.0-18.15.1 References: https://www.suse.com/security/cve/CVE-2017-17833.html https://bugzilla.suse.com/1090638 From sle-updates at lists.suse.com Fri Sep 21 04:15:13 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 12:15:13 +0200 (CEST) Subject: SUSE-SU-2018:2780-1: moderate: Security update for liblouis Message-ID: <20180921101513.838EDFCF0@maintenance.suse.de> SUSE Security Update: 
Security update for liblouis ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2780-1 Rating: moderate References: #1095189 #1095825 #1095826 #1095827 #1095945 #1097103 Cross-References: CVE-2018-11440 CVE-2018-11577 CVE-2018-11683 CVE-2018-11684 CVE-2018-11685 CVE-2018-12085 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for liblouis, python-louis, python3-louis fixes the following issues: Security issues fixed: - CVE-2018-11440: Fixed a stack-based buffer overflow in the function parseChars() in compileTranslationTable.c (bsc#1095189) - CVE-2018-11577: Fixed a segmentation fault in lou_logPrint in logging.c (bsc#1095945) - CVE-2018-11683: Fixed a stack-based buffer overflow in the function parseChars() in compileTranslationTable.c (different vulnerability than CVE-2018-11440) (bsc#1095827) - CVE-2018-11684: Fixed stack-based buffer overflow in the function includeFile() in compileTranslationTable.c (bsc#1095826) - CVE-2018-11685: Fixed a stack-based buffer overflow in the function compileHyphenation() in compileTranslationTable.c (bsc#1095825) - CVE-2018-12085: Fixed a stack-based buffer overflow in the function parseChars() in compileTranslationTable.c (different vulnerability than CVE-2018-11440) (bsc#1097103) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1944=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1944=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1944=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): liblouis-debugsource-2.6.4-6.6.1 liblouis-devel-2.6.4-6.6.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): liblouis-data-2.6.4-6.6.1 liblouis-debugsource-2.6.4-6.6.1 liblouis9-2.6.4-6.6.1 liblouis9-debuginfo-2.6.4-6.6.1 python-louis-2.6.4-6.6.1 python3-louis-2.6.4-6.6.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): liblouis-data-2.6.4-6.6.1 liblouis-debugsource-2.6.4-6.6.1 liblouis9-2.6.4-6.6.1 liblouis9-debuginfo-2.6.4-6.6.1 python3-louis-2.6.4-6.6.1 References: https://www.suse.com/security/cve/CVE-2018-11440.html https://www.suse.com/security/cve/CVE-2018-11577.html https://www.suse.com/security/cve/CVE-2018-11683.html https://www.suse.com/security/cve/CVE-2018-11684.html https://www.suse.com/security/cve/CVE-2018-11685.html https://www.suse.com/security/cve/CVE-2018-12085.html https://bugzilla.suse.com/1095189 https://bugzilla.suse.com/1095825 https://bugzilla.suse.com/1095826 https://bugzilla.suse.com/1095827 https://bugzilla.suse.com/1095945 https://bugzilla.suse.com/1097103 From sle-updates at lists.suse.com Fri Sep 21 07:08:52 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 15:08:52 +0200 (CEST) Subject: SUSE-RU-2018:2782-1: moderate: Recommended update for yast2-installation Message-ID: <20180921130852.16E58FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-installation ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2782-1 Rating: moderate 
References: #1071745 #1097661 #1099505 #1101879 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for yast2-installation fixes the following issues: - Turn off systemd console output at the second stage of an installation (bsc#1099505). - Do not print errors if plymouth is not installed (bsc#1101879) - Do not crash if /etc/os-release is a directory (bsc#1097661) - Delete unneeded content of /mnt/run after installation/update. (bsc#1071745) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1949=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (noarch): yast2-installation-4.0.70-3.6.2 References: https://bugzilla.suse.com/1071745 https://bugzilla.suse.com/1097661 https://bugzilla.suse.com/1099505 https://bugzilla.suse.com/1101879 From sle-updates at lists.suse.com Fri Sep 21 07:09:57 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 15:09:57 +0200 (CEST) Subject: SUSE-RU-2018:2783-1: Recommended update for lsof Message-ID: <20180921130957.26C0BFCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for lsof ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2783-1 Rating: low References: #1036304 #1099847 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update for lsof provides the following fix: - Enhance -K option with the form "-K i" to direct lsof to ignore tasks. (bsc#1036304) - Add "Provides: backported-option-Ki" to indicate that "-K i" option is supported so libzypp can safely use it (bsc#1099847) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1948=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1948=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1948=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): lsof-4.84-23.5.1 lsof-debuginfo-4.84-23.5.1 lsof-debugsource-4.84-23.5.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): lsof-4.84-23.5.1 lsof-debuginfo-4.84-23.5.1 lsof-debugsource-4.84-23.5.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): lsof-4.84-23.5.1 lsof-debuginfo-4.84-23.5.1 lsof-debugsource-4.84-23.5.1 References: https://bugzilla.suse.com/1036304 https://bugzilla.suse.com/1099847 From sle-updates at lists.suse.com Fri Sep 21 07:10:54 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 15:10:54 +0200 (CEST) Subject: SUSE-RU-2018:2784-1: moderate: Recommended update for lsof Message-ID: <20180921131054.63CFEFCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for lsof ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2784-1 Rating: moderate References: #1036304 #1099847 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Desktop 12-SP3 
SUSE Enterprise Storage 4 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for lsof provides the following fix: - Enhance -K option with the form "-K i" to direct lsof to ignore tasks. (bsc#1036304) - Add "Provides: backported-option-Ki" to indicate that "-K i" option is supported so libzypp can safely use it. (bsc#1099847) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1947=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1947=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1947=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1947=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1947=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1947=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 - SUSE Enterprise Storage 4 (x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 - SUSE CaaS Platform ALL (x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 - SUSE CaaS Platform 3.0 (x86_64): lsof-4.89-27.5.1 lsof-debuginfo-4.89-27.5.1 lsof-debugsource-4.89-27.5.1 References: https://bugzilla.suse.com/1036304 https://bugzilla.suse.com/1099847 From sle-updates at lists.suse.com Fri Sep 21 07:12:18 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 15:12:18 +0200 (CEST) Subject: SUSE-RU-2018:2786-1: moderate: Recommended update for salt Message-ID: <20180921131218.ED969FD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for salt ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2786-1 Rating: moderate References: #1057635 #1087342 #1087365 #1087581 #1088423 #1088888 #1089112 #1089362 #1089526 #1090271 #1092373 #1093458 #1094055 #1094546 #1095942 #1096514 #1098394 Affected Products: SUSE Enterprise Storage 5 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that has 17 recommended fixes can now be installed. 
Description: This update for salt fixes the following issues: - Prepend current directory when path is just filename (bsc#1095942) - Handle packages with multiple version properly with zypper (bsc#1096514) - Fix file.get_diff regression in 2018.3. (bsc#1098394) - Fix file.managed binary file utf8 error. (bsc#1098394) - Add custom SUSE capabilities as Grains. (bsc#1089526) - State file.line warning. (bsc#1093458) - Add environment variable to know if yum is invoked from Salt. (bsc#1057635) - Fix usage of salt.utils.which, that broke file.managed. (bsc#1094546) - Prevent zypper from parsing repo configuration from not .repo files. (bsc#1094055) - Collect all versions of installed packages on SUSE and RHEL systems. (bsc#1089526) - Do not override jid on returners, only sending back to master. (bsc#1092373) - No more AWS EC2 rate limitations in salt-cloud. (bsc#1088888) - Add 'retcode' to returners output on scheduled jobs. (bsc#1089112) - Fix minion scheduler to return a 'retcode' attribute. (bsc#1089112) - Fix for logging during network interface querying. (bsc#1087581) - Strip trailing commas on Linux user's GECOS fields. (bsc#1089362) - Backport of AzureARM from Salt 2018.3 to Salt 2016.11.4. (bsc#1087342) - Fix salt-api fails to return job ids. (bsc#1087365) - Fix for [Errno 0] Resolver Error 0 (no error). (bsc#1087581) - Add rsyslog rule to avoid salt-minion-watcher cron logs on RHEL6. (bsc#1090271) - RHEL6 is using anacron, so logging cannot be disabled by starting entry with "-". Use only on SLES11 and cleanup RHEL6 systems that might already be affected by previous update (bsc#1088423) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-1946=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1946=1 Package List: - SUSE Enterprise Storage 5 (aarch64 x86_64): salt-2016.11.4-48.7.1 salt-api-2016.11.4-48.7.1 salt-master-2016.11.4-48.7.1 salt-minion-2016.11.4-48.7.1 - SUSE Enterprise Storage 4 (aarch64 x86_64): salt-2016.11.4-48.7.1 salt-master-2016.11.4-48.7.1 salt-minion-2016.11.4-48.7.1 References: https://bugzilla.suse.com/1057635 https://bugzilla.suse.com/1087342 https://bugzilla.suse.com/1087365 https://bugzilla.suse.com/1087581 https://bugzilla.suse.com/1088423 https://bugzilla.suse.com/1088888 https://bugzilla.suse.com/1089112 https://bugzilla.suse.com/1089362 https://bugzilla.suse.com/1089526 https://bugzilla.suse.com/1090271 https://bugzilla.suse.com/1092373 https://bugzilla.suse.com/1093458 https://bugzilla.suse.com/1094055 https://bugzilla.suse.com/1094546 https://bugzilla.suse.com/1095942 https://bugzilla.suse.com/1096514 https://bugzilla.suse.com/1098394 From sle-updates at lists.suse.com Fri Sep 21 07:16:02 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 15:16:02 +0200 (CEST) Subject: SUSE-SU-2018:2787-1: important: Security update for the Linux Kernel (Live Patch 32 for SLE 12) Message-ID: <20180921131602.33F35FCF0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 32 for SLE 12) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2787-1 Rating: important References: #1102682 #1103203 #1105323 Cross-References: CVE-2018-10902 CVE-2018-5390 Affected Products: SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. 
Description: This update for the Linux Kernel 3.12.61-52_122 fixes several issues. The following security issues were fixed: - CVE-2018-5390: Prevent very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming TCP packet which can lead to a denial of service (bsc#1102682). - CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which led to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(), allowing a malicious local attacker to use this for privilege escalation (bsc#1105323). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1951=1 SUSE-SLE-SERVER-12-2018-1952=1 SUSE-SLE-SERVER-12-2018-1953=1 SUSE-SLE-SERVER-12-2018-1954=1 SUSE-SLE-SERVER-12-2018-1955=1 SUSE-SLE-SERVER-12-2018-1956=1 SUSE-SLE-SERVER-12-2018-1957=1 SUSE-SLE-SERVER-12-2018-1958=1 SUSE-SLE-SERVER-12-2018-1959=1 SUSE-SLE-SERVER-12-2018-1960=1 SUSE-SLE-SERVER-12-2018-1961=1 Package List: - SUSE Linux Enterprise Server 12-LTSS (x86_64): kgraft-patch-3_12_61-52_101-default-9-2.1 kgraft-patch-3_12_61-52_101-xen-9-2.1 kgraft-patch-3_12_61-52_106-default-9-2.1 kgraft-patch-3_12_61-52_106-xen-9-2.1 kgraft-patch-3_12_61-52_111-default-8-2.1 kgraft-patch-3_12_61-52_111-xen-8-2.1 kgraft-patch-3_12_61-52_119-default-8-2.1 kgraft-patch-3_12_61-52_119-xen-8-2.1 kgraft-patch-3_12_61-52_122-default-8-2.1 kgraft-patch-3_12_61-52_122-xen-8-2.1 kgraft-patch-3_12_61-52_125-default-7-2.1 kgraft-patch-3_12_61-52_125-xen-7-2.1 kgraft-patch-3_12_61-52_128-default-5-2.1 kgraft-patch-3_12_61-52_128-xen-5-2.1 kgraft-patch-3_12_61-52_133-default-4-2.1 kgraft-patch-3_12_61-52_133-xen-4-2.1 kgraft-patch-3_12_61-52_136-default-4-2.1 
kgraft-patch-3_12_61-52_136-xen-4-2.1 kgraft-patch-3_12_61-52_141-default-3-2.1 kgraft-patch-3_12_61-52_141-xen-3-2.1 kgraft-patch-3_12_61-52_92-default-11-2.1 kgraft-patch-3_12_61-52_92-xen-11-2.1 References: https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-5390.html https://bugzilla.suse.com/1102682 https://bugzilla.suse.com/1103203 https://bugzilla.suse.com/1105323 From sle-updates at lists.suse.com Fri Sep 21 07:16:58 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 15:16:58 +0200 (CEST) Subject: SUSE-RU-2018:2788-1: Recommended update for openais Message-ID: <20180921131658.8AB11FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for openais ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2788-1 Rating: low References: #1058830 #1082791 #983488 Affected Products: SUSE Linux Enterprise High Availability Extension 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for openais fixes the following issues: - Do not ignore START_ON_BOOT after upgrade. (bsc#1082791) - Fix openais_overview(8) man page so that it is correctly found by apropos(1) and whatis(1). (bsc#983488) - Handle the case of a misconfiguration in bindnetaddr by showing an error message indicating the problem instead of crashing. (bsc#1058830) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability Extension 11-SP4: zypper in -t patch slehasp4-openais-13780=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-openais-13780=1 Package List: - SUSE Linux Enterprise High Availability Extension 11-SP4 (i586 ia64 ppc64 s390x x86_64): libopenais-devel-1.1.4-5.26.7.1 libopenais3-1.1.4-5.26.7.1 openais-1.1.4-5.26.7.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): openais-debuginfo-1.1.4-5.26.7.1 openais-debugsource-1.1.4-5.26.7.1 References: https://bugzilla.suse.com/1058830 https://bugzilla.suse.com/1082791 https://bugzilla.suse.com/983488 From sle-updates at lists.suse.com Fri Sep 21 10:08:11 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 18:08:11 +0200 (CEST) Subject: SUSE-SU-2018:2789-1: moderate: Security update for ant Message-ID: <20180921160811.77B3AFCB2@maintenance.suse.de> SUSE Security Update: Security update for ant ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2789-1 Rating: moderate References: #1100053 Cross-References: CVE-2018-10886 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ant fixes the following issues: Security issue fixed: - CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file paths, which allowed arbitrary file writes and could potentially lead to code execution (bsc#1100053) Other changes made: - Removed support for javadoc - Default value for stripAbsolutePathSpec changed to 'true' Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-ant-13781=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-ant-13781=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch): ant-1.7.1-20.11.5.1 ant-antlr-1.7.1-16.11.5.1 ant-apache-bcel-1.7.1-16.11.5.1 ant-apache-bsf-1.7.1-16.11.5.1 ant-apache-log4j-1.7.1-16.11.5.1 ant-apache-oro-1.7.1-16.11.5.1 ant-apache-regexp-1.7.1-16.11.5.1 ant-apache-resolver-1.7.1-16.11.5.1 ant-commons-logging-1.7.1-16.11.5.1 ant-javamail-1.7.1-16.11.5.1 ant-jdepend-1.7.1-16.11.5.1 ant-jmf-1.7.1-16.11.5.1 ant-junit-1.7.1-16.11.5.1 ant-manual-1.7.1-20.11.5.1 ant-nodeps-1.7.1-16.11.5.1 ant-scripts-1.7.1-20.11.5.1 ant-swing-1.7.1-16.11.5.1 ant-trax-1.7.1-16.11.5.1 - SUSE Linux Enterprise Server 11-SP4 (noarch): ant-1.7.1-20.11.5.1 ant-trax-1.7.1-16.11.5.1 References: https://www.suse.com/security/cve/CVE-2018-10886.html https://bugzilla.suse.com/1100053 From sle-updates at lists.suse.com Fri Sep 21 10:09:21 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 18:09:21 +0200 (CEST) Subject: SUSE-SU-2018:2791-1: moderate: Security update for xorg-x11-libs Message-ID: <20180921160921.D2B4FFCF0@maintenance.suse.de> SUSE Security Update: Security update for xorg-x11-libs ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2791-1 Rating: moderate References: #1103511 Cross-References: CVE-2015-9262 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for xorg-x11-libs fixes the following security issue: - CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow (bsc#1103511) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-xorg-x11-libs-13782=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-xorg-x11-libs-13782=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-xorg-x11-libs-13782=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-devel-7.4-8.26.50.8.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): xorg-x11-devel-32bit-7.4-8.26.50.8.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libs-7.4-8.26.50.8.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): xorg-x11-libs-32bit-7.4-8.26.50.8.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): xorg-x11-libs-x86-7.4-8.26.50.8.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libs-debuginfo-7.4-8.26.50.8.1 xorg-x11-libs-debugsource-7.4-8.26.50.8.1 References: https://www.suse.com/security/cve/CVE-2015-9262.html https://bugzilla.suse.com/1103511 From sle-updates at lists.suse.com Fri Sep 21 10:09:58 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 18:09:58 +0200 (CEST) Subject: SUSE-RU-2018:2792-1: important: Recommended update for icewm Message-ID: <20180921160958.4B871FCF0@maintenance.suse.de> SUSE Recommended Update: Recommended update for icewm ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2792-1 Rating: 
important References: #1096917 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for icewm fixes the following issues: - Renamed icewm-session.desktop to icewm.desktop to fix an upgrade issue (bsc#1096917). Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1962=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): icewm-1.4.2-7.3.1 icewm-debuginfo-1.4.2-7.3.1 icewm-debugsource-1.4.2-7.3.1 icewm-default-1.4.2-7.3.1 icewm-default-debuginfo-1.4.2-7.3.1 icewm-lite-1.4.2-7.3.1 icewm-lite-debuginfo-1.4.2-7.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): icewm-lang-1.4.2-7.3.1 References: https://bugzilla.suse.com/1096917 From sle-updates at lists.suse.com Fri Sep 21 13:48:34 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 21:48:34 +0200 (CEST) Subject: SUSE-RU-2018:2795-1: moderate: Recommended update for supportutils-plugin-ses Message-ID: <20180921194834.7113CFD03@maintenance.suse.de> SUSE Recommended Update: Recommended update for supportutils-plugin-ses ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2795-1 Rating: moderate References: #1107782 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for supportutils-plugin-ses fixes the following issues: (bsc#1107782) - ses/salt: copy salt log files instead of only grabbing the last msgs (bsc#1107782) - collect 'ceph pg $pg query' for inactive pgs - get some useful data via ceph daemon admin socket - Update RPM list for SUSE Enterprise Storage 5.5 - Fix missing "done" introduced by 2d15b52 - Add grafana and prometheus logs and systemd status Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-1966=1 Package List: - SUSE Enterprise Storage 5 (noarch): supportutils-plugin-ses-5.0+git.1534934474.7f7d8be-3.3.1 References: https://bugzilla.suse.com/1107782 From sle-updates at lists.suse.com Fri Sep 21 13:49:03 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 21 Sep 2018 21:49:03 +0200 (CEST) Subject: SUSE-SU-2018:2796-1: moderate: Security update for nodejs6 Message-ID: <20180921194903.9AB21FCF0@maintenance.suse.de> SUSE Security Update: Security update for nodejs6 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2796-1 Rating: moderate References: #1097158 #1097748 #1105019 Cross-References: CVE-2018-0732 CVE-2018-12115 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Module for Web Scripting 12 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. 
Description: This update for nodejs6 to version 6.14.4 fixes the following issues: Security issues fixed: CVE-2018-12115: Fixed an out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (bsc#1105019) CVE-2018-0732: Upgrade to OpenSSL 1.0.2p, fixing a client DoS due to large DH parameter (bsc#1097158) Other issues fixed: - Recommend same major version npm package (bsc#1097748) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-1968=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1968=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-1968=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1968=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): nodejs6-6.14.4-11.18.1 nodejs6-debuginfo-6.14.4-11.18.1 nodejs6-debugsource-6.14.4-11.18.1 - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): nodejs6-6.14.4-11.18.1 nodejs6-debuginfo-6.14.4-11.18.1 nodejs6-debugsource-6.14.4-11.18.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): nodejs6-6.14.4-11.18.1 nodejs6-debuginfo-6.14.4-11.18.1 nodejs6-debugsource-6.14.4-11.18.1 nodejs6-devel-6.14.4-11.18.1 npm6-6.14.4-11.18.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): nodejs6-docs-6.14.4-11.18.1 - SUSE Enterprise Storage 4 (aarch64 x86_64): nodejs6-6.14.4-11.18.1 nodejs6-debuginfo-6.14.4-11.18.1 nodejs6-debugsource-6.14.4-11.18.1 References: https://www.suse.com/security/cve/CVE-2018-0732.html https://www.suse.com/security/cve/CVE-2018-12115.html https://bugzilla.suse.com/1097158 https://bugzilla.suse.com/1097748 https://bugzilla.suse.com/1105019 From sle-updates at lists.suse.com Mon Sep 24 04:10:57 2018 From: 
sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 12:10:57 +0200 (CEST) Subject: SUSE-SU-2018:2812-1: moderate: Security update for nodejs8 Message-ID: <20180924101057.0319BFCD2@maintenance.suse.de> SUSE Security Update: Security update for nodejs8 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2812-1 Rating: moderate References: #1097158 #1097748 #1105019 Cross-References: CVE-2018-0732 CVE-2018-12115 Affected Products: SUSE Linux Enterprise Module for Web Scripting 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for nodejs8 to version 8.11.4 fixes the following issues: Security issues fixed: - CVE-2018-12115: Fixed an out-of-bounds memory write in Buffer that could be used to write to memory outside of a Buffer's memory space buffer (bsc#1105019) - Upgrade to OpenSSL 1.0.2p, which fixed: - CVE-2018-0732: Client denial-of-service due to large DH parameter (bsc#1097158) - ECDSA key extraction via local side-channel Other changes made: - Recommend same major version npm package (bsc#1097748) - Fix parallel/test-tls-passphrase.js test to continue to function with older versions of OpenSSL library. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 15: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2018-1971=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 15 (aarch64 ppc64le s390x x86_64): nodejs8-8.11.4-3.8.2 nodejs8-debuginfo-8.11.4-3.8.2 nodejs8-debugsource-8.11.4-3.8.2 nodejs8-devel-8.11.4-3.8.2 npm8-8.11.4-3.8.2 - SUSE Linux Enterprise Module for Web Scripting 15 (noarch): nodejs8-docs-8.11.4-3.8.2 References: https://www.suse.com/security/cve/CVE-2018-0732.html https://www.suse.com/security/cve/CVE-2018-12115.html https://bugzilla.suse.com/1097158 https://bugzilla.suse.com/1097748 https://bugzilla.suse.com/1105019 From sle-updates at lists.suse.com Mon Sep 24 04:12:15 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 12:12:15 +0200 (CEST) Subject: SUSE-SU-2018:2814-1: important: Security update for libzypp, zypper Message-ID: <20180924101215.EE13BFCD2@maintenance.suse.de> SUSE Security Update: Security update for libzypp, zypper ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2814-1 Rating: important References: #1036304 #1045735 #1049825 #1070851 #1076192 #1088705 #1091624 #1092413 #1096803 #1099847 #1100028 #1101349 #1102429 Cross-References: CVE-2017-9269 CVE-2018-7685 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that solves two vulnerabilities and has 11 fixes is now available. 
Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1969=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1969=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1969=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libzypp-debuginfo-16.17.20-2.33.2 libzypp-debugsource-16.17.20-2.33.2 libzypp-devel-16.17.20-2.33.2 libzypp-devel-doc-16.17.20-2.33.2 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libzypp-16.17.20-2.33.2 libzypp-debuginfo-16.17.20-2.33.2 libzypp-debugsource-16.17.20-2.33.2 zypper-1.13.45-21.21.2 zypper-debuginfo-1.13.45-21.21.2 zypper-debugsource-1.13.45-21.21.2 - SUSE Linux Enterprise Server 12-SP3 (noarch): zypper-log-1.13.45-21.21.2 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): zypper-log-1.13.45-21.21.2 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libzypp-16.17.20-2.33.2 libzypp-debuginfo-16.17.20-2.33.2 libzypp-debugsource-16.17.20-2.33.2 zypper-1.13.45-21.21.2 zypper-debuginfo-1.13.45-21.21.2 zypper-debugsource-1.13.45-21.21.2 - SUSE CaaS Platform ALL (x86_64): libzypp-16.17.20-2.33.2 libzypp-debuginfo-16.17.20-2.33.2 libzypp-debugsource-16.17.20-2.33.2 zypper-1.13.45-21.21.2 zypper-debuginfo-1.13.45-21.21.2 zypper-debugsource-1.13.45-21.21.2 - SUSE CaaS Platform 3.0 (x86_64): libzypp-16.17.20-2.33.2 libzypp-debuginfo-16.17.20-2.33.2 
libzypp-debugsource-16.17.20-2.33.2 zypper-1.13.45-21.21.2 zypper-debuginfo-1.13.45-21.21.2 zypper-debugsource-1.13.45-21.21.2 References: https://www.suse.com/security/cve/CVE-2017-9269.html https://www.suse.com/security/cve/CVE-2018-7685.html https://bugzilla.suse.com/1036304 https://bugzilla.suse.com/1045735 https://bugzilla.suse.com/1049825 https://bugzilla.suse.com/1070851 https://bugzilla.suse.com/1076192 https://bugzilla.suse.com/1088705 https://bugzilla.suse.com/1091624 https://bugzilla.suse.com/1092413 https://bugzilla.suse.com/1096803 https://bugzilla.suse.com/1099847 https://bugzilla.suse.com/1100028 https://bugzilla.suse.com/1101349 https://bugzilla.suse.com/1102429 From sle-updates at lists.suse.com Mon Sep 24 04:15:08 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 12:15:08 +0200 (CEST) Subject: SUSE-SU-2018:2815-1: moderate: Security update for apache2 Message-ID: <20180924101508.5187CFCD7@maintenance.suse.de> SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2815-1 Rating: moderate References: #1016715 #1104826 Cross-References: CVE-2016-4975 CVE-2016-8743 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. 
Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) - CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the "Location" or other outbound header key or value. (bsc#1104826) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1970=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1970=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1970=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1970=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1970=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1970=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): apache2-2.4.23-29.24.1 apache2-debuginfo-2.4.23-29.24.1 apache2-debugsource-2.4.23-29.24.1 apache2-example-pages-2.4.23-29.24.1 apache2-prefork-2.4.23-29.24.1 apache2-prefork-debuginfo-2.4.23-29.24.1 apache2-utils-2.4.23-29.24.1 apache2-utils-debuginfo-2.4.23-29.24.1 apache2-worker-2.4.23-29.24.1 apache2-worker-debuginfo-2.4.23-29.24.1 - SUSE OpenStack Cloud 7 (noarch): apache2-doc-2.4.23-29.24.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): apache2-debuginfo-2.4.23-29.24.1 apache2-debugsource-2.4.23-29.24.1 apache2-devel-2.4.23-29.24.1 - SUSE Linux 
Enterprise Server for SAP 12-SP2 (ppc64le x86_64): apache2-2.4.23-29.24.1 apache2-debuginfo-2.4.23-29.24.1 apache2-debugsource-2.4.23-29.24.1 apache2-example-pages-2.4.23-29.24.1 apache2-prefork-2.4.23-29.24.1 apache2-prefork-debuginfo-2.4.23-29.24.1 apache2-utils-2.4.23-29.24.1 apache2-utils-debuginfo-2.4.23-29.24.1 apache2-worker-2.4.23-29.24.1 apache2-worker-debuginfo-2.4.23-29.24.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): apache2-doc-2.4.23-29.24.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): apache2-2.4.23-29.24.1 apache2-debuginfo-2.4.23-29.24.1 apache2-debugsource-2.4.23-29.24.1 apache2-example-pages-2.4.23-29.24.1 apache2-prefork-2.4.23-29.24.1 apache2-prefork-debuginfo-2.4.23-29.24.1 apache2-utils-2.4.23-29.24.1 apache2-utils-debuginfo-2.4.23-29.24.1 apache2-worker-2.4.23-29.24.1 apache2-worker-debuginfo-2.4.23-29.24.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): apache2-doc-2.4.23-29.24.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): apache2-2.4.23-29.24.1 apache2-debuginfo-2.4.23-29.24.1 apache2-debugsource-2.4.23-29.24.1 apache2-example-pages-2.4.23-29.24.1 apache2-prefork-2.4.23-29.24.1 apache2-prefork-debuginfo-2.4.23-29.24.1 apache2-utils-2.4.23-29.24.1 apache2-utils-debuginfo-2.4.23-29.24.1 apache2-worker-2.4.23-29.24.1 apache2-worker-debuginfo-2.4.23-29.24.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): apache2-doc-2.4.23-29.24.1 - SUSE Enterprise Storage 4 (noarch): apache2-doc-2.4.23-29.24.1 - SUSE Enterprise Storage 4 (x86_64): apache2-2.4.23-29.24.1 apache2-debuginfo-2.4.23-29.24.1 apache2-debugsource-2.4.23-29.24.1 apache2-example-pages-2.4.23-29.24.1 apache2-prefork-2.4.23-29.24.1 apache2-prefork-debuginfo-2.4.23-29.24.1 apache2-utils-2.4.23-29.24.1 apache2-utils-debuginfo-2.4.23-29.24.1 apache2-worker-2.4.23-29.24.1 apache2-worker-debuginfo-2.4.23-29.24.1 References: https://www.suse.com/security/cve/CVE-2016-4975.html https://www.suse.com/security/cve/CVE-2016-8743.html 
https://bugzilla.suse.com/1016715 https://bugzilla.suse.com/1104826 From sle-updates at lists.suse.com Mon Sep 24 07:08:57 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:08:57 +0200 (CEST) Subject: SUSE-RU-2018:2821-1: moderate: Recommended update for rear23a Message-ID: <20180924130857.F1FD7FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for rear23a ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2821-1 Rating: moderate References: #1095088 #1099901 #1103081 #1104499 Affected Products: SUSE Linux Enterprise High Availability 15 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for rear23a fixes the following issues: - Fixed an issue where restoring a backup could fail if the backup-URL is an iso. (bsc#1104499) - Simplified and enhanced GRUB2 installation for PPC64/PPC64le. (bsc#1103081) - Initial tentative support for OBDR on ppc64le. (bsc#1099901) - Wait for systemd-udevd to avoid broken pipe error. (bsc#1095088) - Avoid duplicate UUID in boot menuentry when snapper is used. (bsc#1095088) For a detailed description, please refer to the changelog. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2018-1974=1 Package List: - SUSE Linux Enterprise High Availability 15 (ppc64le x86_64): rear23a-2.3.a-9.3.1 References: https://bugzilla.suse.com/1095088 https://bugzilla.suse.com/1099901 https://bugzilla.suse.com/1103081 https://bugzilla.suse.com/1104499 From sle-updates at lists.suse.com Mon Sep 24 07:10:13 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:10:13 +0200 (CEST) Subject: SUSE-OU-2018:2822-1: Recommended update for rear23a Message-ID: <20180924131013.373A6FCD2@maintenance.suse.de> SUSE Optional Update: Recommended update for rear23a ______________________________________________________________________________ Announcement ID: SUSE-OU-2018:2822-1 Rating: low References: #1095088 #1099901 #1103081 #1104499 #1105113 Affected Products: SUSE Linux Enterprise High Availability 12-SP3 SUSE Linux Enterprise High Availability 12-SP2 ______________________________________________________________________________ An update that has 5 optional fixes can now be installed. Description: This update brings ReaR version 2.3a and brings many fixes and improvements provided from upstream. Following are the most notable fixes: - Fixed an issue where restoring a backup could fail if the backup-URL is an iso. (bsc#1104499) - Simplified and enhanced GRUB2 installation for PPC64/PPC64le. (bsc#1103081) - Initial tentative support for OBDR on ppc64le. (bsc#1099901) - Wait for systemd-udevd to avoid broken pipe error. (bsc#1095088) - Avoid duplicate UUID in boot menuentry when snapper is used. (bsc#1095088) For a detailed description, please refer to the changelog. Patch Instructions: To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2018-1973=1 - SUSE Linux Enterprise High Availability 12-SP2: zypper in -t patch SUSE-SLE-HA-12-SP2-2018-1973=1 Package List: - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le x86_64): rear23a-2.3.a-3.3.1 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le x86_64): rear23a-2.3.a-3.3.1 References: https://bugzilla.suse.com/1095088 https://bugzilla.suse.com/1099901 https://bugzilla.suse.com/1103081 https://bugzilla.suse.com/1104499 https://bugzilla.suse.com/1105113 From sle-updates at lists.suse.com Mon Sep 24 07:11:53 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:11:53 +0200 (CEST) Subject: SUSE-RU-2018:2823-1: moderate: Recommended update for lifecycle-data-sle-live-patching Message-ID: <20180924131153.6C902FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for lifecycle-data-sle-live-patching ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2823-1 Rating: moderate References: #1020320 Affected Products: SUSE Linux Enterprise Live Patching 12-SP3 SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for lifecycle-data-sle-live-patching adds the life cycle data for the following Kernel Live Patches: - 3_12_61-52_128, 3_12_61-52_133, 3_12_61-52_136, 3_12_74-60_64_88, 3_12_74-60_64_93, 3_12_74-60_64_96, - 4_4_121-92_73, 4_4_121-92_80, 4_4_121-92_85, 4_4_131-94_29, 4_4_132-94_33, 4_4_138-94_39, 4_4_140-94_42. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP3: zypper in -t patch SUSE-SLE-Live-Patching-12-SP3-2018-1984=1 - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2018-1984=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP3 (noarch): lifecycle-data-sle-live-patching-1-10.27.1 - SUSE Linux Enterprise Live Patching 12 (noarch): lifecycle-data-sle-live-patching-1-10.27.1 References: https://bugzilla.suse.com/1020320 From sle-updates at lists.suse.com Mon Sep 24 07:12:44 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:12:44 +0200 (CEST) Subject: SUSE-RU-2018:2824-1: moderate: Recommended update for ucode-intel Message-ID: <20180924131244.64819FCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2824-1 Rating: moderate References: #1104479 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for ucode-intel 20180807a fixes the following issues: The licensing was changed to clarify redistributability. (bsc#1104479) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1982=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1982=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1982=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1982=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1982=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1982=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1982=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1982=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1982=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE OpenStack Cloud 7 (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Linux Enterprise Server 12-LTSS (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE Enterprise Storage 4 (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 - SUSE CaaS Platform 3.0 (x86_64): ucode-intel-20180807a-13.35.1 ucode-intel-debuginfo-20180807a-13.35.1 ucode-intel-debugsource-20180807a-13.35.1 References: https://bugzilla.suse.com/1104479 From sle-updates at lists.suse.com Mon Sep 24 07:13:21 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:13:21 +0200 (CEST) Subject: SUSE-SU-2018:2825-1: moderate: Security update for gnutls Message-ID: <20180924131321.485C4FCD2@maintenance.suse.de> SUSE Security Update: Security update for gnutls 
______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2825-1 Rating: moderate References: #1047002 #1105437 #1105459 #1105460 Cross-References: CVE-2017-10790 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for gnutls fixes the following issues: Security issues fixed: - Improved mitigations against Lucky 13 class of attacks - "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846, bsc#1105460) - HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845, bsc#1105459) - HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844, bsc#1105437) - The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (CVE-2017-10790, bsc#1047002) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1977=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1977=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1977=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1977=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1977=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-1977=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1977=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): gnutls-3.2.15-18.6.1 gnutls-debuginfo-3.2.15-18.6.1 gnutls-debugsource-3.2.15-18.6.1 libgnutls-openssl27-3.2.15-18.6.1 libgnutls-openssl27-debuginfo-3.2.15-18.6.1 libgnutls28-3.2.15-18.6.1 libgnutls28-32bit-3.2.15-18.6.1 libgnutls28-debuginfo-3.2.15-18.6.1 libgnutls28-debuginfo-32bit-3.2.15-18.6.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): gnutls-3.2.15-18.6.1 gnutls-debuginfo-3.2.15-18.6.1 gnutls-debugsource-3.2.15-18.6.1 libgnutls-openssl27-3.2.15-18.6.1 libgnutls-openssl27-debuginfo-3.2.15-18.6.1 libgnutls28-3.2.15-18.6.1 libgnutls28-debuginfo-3.2.15-18.6.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libgnutls28-32bit-3.2.15-18.6.1 libgnutls28-debuginfo-32bit-3.2.15-18.6.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): gnutls-3.2.15-18.6.1 gnutls-debuginfo-3.2.15-18.6.1 gnutls-debugsource-3.2.15-18.6.1 libgnutls-openssl27-3.2.15-18.6.1 libgnutls-openssl27-debuginfo-3.2.15-18.6.1 libgnutls28-3.2.15-18.6.1 libgnutls28-debuginfo-3.2.15-18.6.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libgnutls28-32bit-3.2.15-18.6.1 libgnutls28-debuginfo-32bit-3.2.15-18.6.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): gnutls-3.2.15-18.6.1 
gnutls-debuginfo-3.2.15-18.6.1 gnutls-debugsource-3.2.15-18.6.1 libgnutls-openssl27-3.2.15-18.6.1 libgnutls-openssl27-debuginfo-3.2.15-18.6.1 libgnutls28-3.2.15-18.6.1 libgnutls28-debuginfo-3.2.15-18.6.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libgnutls28-32bit-3.2.15-18.6.1 libgnutls28-debuginfo-32bit-3.2.15-18.6.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): gnutls-3.2.15-18.6.1 gnutls-debuginfo-3.2.15-18.6.1 gnutls-debugsource-3.2.15-18.6.1 libgnutls-openssl27-3.2.15-18.6.1 libgnutls-openssl27-debuginfo-3.2.15-18.6.1 libgnutls28-3.2.15-18.6.1 libgnutls28-debuginfo-3.2.15-18.6.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libgnutls28-32bit-3.2.15-18.6.1 libgnutls28-debuginfo-32bit-3.2.15-18.6.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): gnutls-3.2.15-18.6.1 gnutls-debuginfo-3.2.15-18.6.1 gnutls-debugsource-3.2.15-18.6.1 libgnutls-openssl27-3.2.15-18.6.1 libgnutls-openssl27-debuginfo-3.2.15-18.6.1 libgnutls28-3.2.15-18.6.1 libgnutls28-debuginfo-3.2.15-18.6.1 - SUSE Linux Enterprise Server 12-LTSS (s390x x86_64): libgnutls28-32bit-3.2.15-18.6.1 libgnutls28-debuginfo-32bit-3.2.15-18.6.1 - SUSE Enterprise Storage 4 (x86_64): gnutls-3.2.15-18.6.1 gnutls-debuginfo-3.2.15-18.6.1 gnutls-debugsource-3.2.15-18.6.1 libgnutls-openssl27-3.2.15-18.6.1 libgnutls-openssl27-debuginfo-3.2.15-18.6.1 libgnutls28-3.2.15-18.6.1 libgnutls28-32bit-3.2.15-18.6.1 libgnutls28-debuginfo-3.2.15-18.6.1 libgnutls28-debuginfo-32bit-3.2.15-18.6.1 References: https://www.suse.com/security/cve/CVE-2017-10790.html https://www.suse.com/security/cve/CVE-2018-10844.html https://www.suse.com/security/cve/CVE-2018-10845.html https://www.suse.com/security/cve/CVE-2018-10846.html https://bugzilla.suse.com/1047002 https://bugzilla.suse.com/1105437 https://bugzilla.suse.com/1105459 https://bugzilla.suse.com/1105460 From sle-updates at lists.suse.com Mon Sep 24 07:14:43 2018 From: sle-updates at lists.suse.com (sle-updates at 
lists.suse.com) Date: Mon, 24 Sep 2018 15:14:43 +0200 (CEST) Subject: SUSE-RU-2018:2826-1: Recommended update for myspell-dictionaries Message-ID: <20180924131443.1230CFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for myspell-dictionaries ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2826-1 Rating: low References: #1099508 #1102294 Affected Products: SUSE Linux Enterprise Workstation Extension 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update brings myspell-dictionaries to version 20180704, providing the following fixes: - Indonesian spelling dictionary, thesaurus and hyphenation added. - English updates. - Croatian updates. - Bulgarian files converted to UTF8 in order to avoid bugs. (bsc#1102294, bsc#1099508) - Other smaller updates. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15: zypper in -t patch SUSE-SLE-Product-WE-15-2018-1978=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1978=1 Package List: - SUSE Linux Enterprise Workstation Extension 15 (noarch): myspell-af_ZA-20180704-3.3.2 myspell-ar-20180704-3.3.2 myspell-bg_BG-20180704-3.3.2 myspell-bn_BD-20180704-3.3.2 myspell-br_FR-20180704-3.3.2 myspell-ca-20180704-3.3.2 myspell-cs_CZ-20180704-3.3.2 myspell-da_DK-20180704-3.3.2 myspell-el_GR-20180704-3.3.2 myspell-et_EE-20180704-3.3.2 myspell-fr_FR-20180704-3.3.2 myspell-gl-20180704-3.3.2 myspell-gu_IN-20180704-3.3.2 myspell-he_IL-20180704-3.3.2 myspell-hi_IN-20180704-3.3.2 myspell-hr_HR-20180704-3.3.2 myspell-it_IT-20180704-3.3.2 myspell-lt_LT-20180704-3.3.2 myspell-lv_LV-20180704-3.3.2 myspell-nl_NL-20180704-3.3.2 myspell-pl_PL-20180704-3.3.2 myspell-pt_PT-20180704-3.3.2 myspell-si_LK-20180704-3.3.2 myspell-sk_SK-20180704-3.3.2 myspell-sl_SI-20180704-3.3.2 myspell-sr-20180704-3.3.2 myspell-sv_SE-20180704-3.3.2 myspell-te_IN-20180704-3.3.2 myspell-th_TH-20180704-3.3.2 myspell-uk_UA-20180704-3.3.2 myspell-zu_ZA-20180704-3.3.2 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): myspell-dictionaries-20180704-3.3.2 myspell-lightproof-en-20180704-3.3.2 myspell-lightproof-hu_HU-20180704-3.3.2 myspell-lightproof-pt_BR-20180704-3.3.2 myspell-lightproof-ru_RU-20180704-3.3.2 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): myspell-de-20180704-3.3.2 myspell-de_DE-20180704-3.3.2 myspell-en-20180704-3.3.2 myspell-en_US-20180704-3.3.2 myspell-es-20180704-3.3.2 myspell-es_ES-20180704-3.3.2 myspell-hu_HU-20180704-3.3.2 myspell-nb_NO-20180704-3.3.2 myspell-no-20180704-3.3.2 myspell-pt_BR-20180704-3.3.2 myspell-ro-20180704-3.3.2 myspell-ro_RO-20180704-3.3.2 myspell-ru_RU-20180704-3.3.2 References: https://bugzilla.suse.com/1099508 
https://bugzilla.suse.com/1102294 From sle-updates at lists.suse.com Mon Sep 24 07:16:09 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:16:09 +0200 (CEST) Subject: SUSE-RU-2018:2828-1: moderate: Recommended update for gvfs Message-ID: <20180924131609.A550DFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for gvfs ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2828-1 Rating: moderate References: #1096476 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for gvfs provides the following fix: - Fix failures copying files on smb mounts. (bsc#1096476) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1972=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): gvfs-1.34.2.1-4.3.20 gvfs-backend-afc-1.34.2.1-4.3.20 gvfs-backend-afc-debuginfo-1.34.2.1-4.3.20 gvfs-backend-samba-1.34.2.1-4.3.20 gvfs-backend-samba-debuginfo-1.34.2.1-4.3.20 gvfs-backends-1.34.2.1-4.3.20 gvfs-backends-debuginfo-1.34.2.1-4.3.20 gvfs-debuginfo-1.34.2.1-4.3.20 gvfs-debugsource-1.34.2.1-4.3.20 gvfs-devel-1.34.2.1-4.3.20 gvfs-fuse-1.34.2.1-4.3.20 gvfs-fuse-debuginfo-1.34.2.1-4.3.20 - SUSE Linux Enterprise Module for Desktop Applications 15 (noarch): gvfs-lang-1.34.2.1-4.3.20 References: https://bugzilla.suse.com/1096476 From sle-updates at lists.suse.com Mon Sep 24 07:16:47 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:16:47 +0200 (CEST) Subject: SUSE-RU-2018:2829-1: Recommended update for myspell-dictionaries Message-ID: <20180924131647.367A8FCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for myspell-dictionaries ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2829-1 Rating: low References: #1099508 #1102294 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update brings myspell-dictionaries to version 20180704, providing the following fixes: - Indonesian hyphenation added. - English updates. - Croatian updates. - Bulgarian files converted to UTF8 in order to avoid bugs. 
(bsc#1102294, bsc#1099508) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1979=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1979=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (noarch): myspell-af_NA-20180704-16.12.1 myspell-af_ZA-20180704-16.12.1 myspell-ar-20180704-16.12.1 myspell-ar_AE-20180704-16.12.1 myspell-ar_BH-20180704-16.12.1 myspell-ar_DZ-20180704-16.12.1 myspell-ar_EG-20180704-16.12.1 myspell-ar_IQ-20180704-16.12.1 myspell-ar_JO-20180704-16.12.1 myspell-ar_KW-20180704-16.12.1 myspell-ar_LB-20180704-16.12.1 myspell-ar_LY-20180704-16.12.1 myspell-ar_MA-20180704-16.12.1 myspell-ar_OM-20180704-16.12.1 myspell-ar_QA-20180704-16.12.1 myspell-ar_SA-20180704-16.12.1 myspell-ar_SD-20180704-16.12.1 myspell-ar_SY-20180704-16.12.1 myspell-ar_TN-20180704-16.12.1 myspell-ar_YE-20180704-16.12.1 myspell-be_BY-20180704-16.12.1 myspell-bg_BG-20180704-16.12.1 myspell-bn_BD-20180704-16.12.1 myspell-bn_IN-20180704-16.12.1 myspell-bs-20180704-16.12.1 myspell-bs_BA-20180704-16.12.1 myspell-ca-20180704-16.12.1 myspell-ca_AD-20180704-16.12.1 myspell-ca_ES-20180704-16.12.1 myspell-ca_ES_valencia-20180704-16.12.1 myspell-ca_FR-20180704-16.12.1 myspell-ca_IT-20180704-16.12.1 myspell-cs_CZ-20180704-16.12.1 myspell-da_DK-20180704-16.12.1 myspell-de-20180704-16.12.1 myspell-de_AT-20180704-16.12.1 myspell-de_CH-20180704-16.12.1 myspell-de_DE-20180704-16.12.1 myspell-el_GR-20180704-16.12.1 myspell-en-20180704-16.12.1 myspell-en_AU-20180704-16.12.1 myspell-en_BS-20180704-16.12.1 myspell-en_BZ-20180704-16.12.1 myspell-en_CA-20180704-16.12.1 myspell-en_GB-20180704-16.12.1 myspell-en_GH-20180704-16.12.1 myspell-en_IE-20180704-16.12.1 myspell-en_IN-20180704-16.12.1 
myspell-en_JM-20180704-16.12.1 myspell-en_MW-20180704-16.12.1 myspell-en_NA-20180704-16.12.1 myspell-en_NZ-20180704-16.12.1 myspell-en_PH-20180704-16.12.1 myspell-en_TT-20180704-16.12.1 myspell-en_US-20180704-16.12.1 myspell-en_ZA-20180704-16.12.1 myspell-en_ZW-20180704-16.12.1 myspell-es-20180704-16.12.1 myspell-es_AR-20180704-16.12.1 myspell-es_BO-20180704-16.12.1 myspell-es_CL-20180704-16.12.1 myspell-es_CO-20180704-16.12.1 myspell-es_CR-20180704-16.12.1 myspell-es_CU-20180704-16.12.1 myspell-es_DO-20180704-16.12.1 myspell-es_EC-20180704-16.12.1 myspell-es_ES-20180704-16.12.1 myspell-es_GT-20180704-16.12.1 myspell-es_HN-20180704-16.12.1 myspell-es_MX-20180704-16.12.1 myspell-es_NI-20180704-16.12.1 myspell-es_PA-20180704-16.12.1 myspell-es_PE-20180704-16.12.1 myspell-es_PR-20180704-16.12.1 myspell-es_PY-20180704-16.12.1 myspell-es_SV-20180704-16.12.1 myspell-es_UY-20180704-16.12.1 myspell-es_VE-20180704-16.12.1 myspell-et_EE-20180704-16.12.1 myspell-fr_BE-20180704-16.12.1 myspell-fr_CA-20180704-16.12.1 myspell-fr_CH-20180704-16.12.1 myspell-fr_FR-20180704-16.12.1 myspell-fr_LU-20180704-16.12.1 myspell-fr_MC-20180704-16.12.1 myspell-gu_IN-20180704-16.12.1 myspell-he_IL-20180704-16.12.1 myspell-hi_IN-20180704-16.12.1 myspell-hr_HR-20180704-16.12.1 myspell-hu_HU-20180704-16.12.1 myspell-id-20180704-16.12.1 myspell-id_ID-20180704-16.12.1 myspell-it_IT-20180704-16.12.1 myspell-lo_LA-20180704-16.12.1 myspell-lt_LT-20180704-16.12.1 myspell-lv_LV-20180704-16.12.1 myspell-nb_NO-20180704-16.12.1 myspell-nl_BE-20180704-16.12.1 myspell-nl_NL-20180704-16.12.1 myspell-nn_NO-20180704-16.12.1 myspell-no-20180704-16.12.1 myspell-pl_PL-20180704-16.12.1 myspell-pt_AO-20180704-16.12.1 myspell-pt_BR-20180704-16.12.1 myspell-pt_PT-20180704-16.12.1 myspell-ro-20180704-16.12.1 myspell-ro_RO-20180704-16.12.1 myspell-ru_RU-20180704-16.12.1 myspell-sk_SK-20180704-16.12.1 myspell-sl_SI-20180704-16.12.1 myspell-sr-20180704-16.12.1 myspell-sr_CS-20180704-16.12.1 
myspell-sr_Latn_CS-20180704-16.12.1 myspell-sr_Latn_RS-20180704-16.12.1 myspell-sr_RS-20180704-16.12.1 myspell-sv_FI-20180704-16.12.1 myspell-sv_SE-20180704-16.12.1 myspell-te-20180704-16.12.1 myspell-te_IN-20180704-16.12.1 myspell-th_TH-20180704-16.12.1 myspell-uk_UA-20180704-16.12.1 myspell-vi-20180704-16.12.1 myspell-vi_VN-20180704-16.12.1 myspell-zu_ZA-20180704-16.12.1 - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): myspell-dictionaries-20180704-16.12.1 myspell-lightproof-en-20180704-16.12.1 myspell-lightproof-hu_HU-20180704-16.12.1 myspell-lightproof-pt_BR-20180704-16.12.1 myspell-lightproof-ru_RU-20180704-16.12.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): myspell-af_NA-20180704-16.12.1 myspell-af_ZA-20180704-16.12.1 myspell-ar-20180704-16.12.1 myspell-ar_AE-20180704-16.12.1 myspell-ar_BH-20180704-16.12.1 myspell-ar_DZ-20180704-16.12.1 myspell-ar_EG-20180704-16.12.1 myspell-ar_IQ-20180704-16.12.1 myspell-ar_JO-20180704-16.12.1 myspell-ar_KW-20180704-16.12.1 myspell-ar_LB-20180704-16.12.1 myspell-ar_LY-20180704-16.12.1 myspell-ar_MA-20180704-16.12.1 myspell-ar_OM-20180704-16.12.1 myspell-ar_QA-20180704-16.12.1 myspell-ar_SA-20180704-16.12.1 myspell-ar_SD-20180704-16.12.1 myspell-ar_SY-20180704-16.12.1 myspell-ar_TN-20180704-16.12.1 myspell-ar_YE-20180704-16.12.1 myspell-be_BY-20180704-16.12.1 myspell-bg_BG-20180704-16.12.1 myspell-bn_BD-20180704-16.12.1 myspell-bn_IN-20180704-16.12.1 myspell-bs-20180704-16.12.1 myspell-bs_BA-20180704-16.12.1 myspell-ca-20180704-16.12.1 myspell-ca_AD-20180704-16.12.1 myspell-ca_ES-20180704-16.12.1 myspell-ca_ES_valencia-20180704-16.12.1 myspell-ca_FR-20180704-16.12.1 myspell-ca_IT-20180704-16.12.1 myspell-cs_CZ-20180704-16.12.1 myspell-da_DK-20180704-16.12.1 myspell-de-20180704-16.12.1 myspell-de_AT-20180704-16.12.1 myspell-de_CH-20180704-16.12.1 myspell-de_DE-20180704-16.12.1 myspell-el_GR-20180704-16.12.1 myspell-en-20180704-16.12.1 myspell-en_AU-20180704-16.12.1 myspell-en_BS-20180704-16.12.1 
myspell-en_BZ-20180704-16.12.1 myspell-en_CA-20180704-16.12.1 myspell-en_GB-20180704-16.12.1 myspell-en_GH-20180704-16.12.1 myspell-en_IE-20180704-16.12.1 myspell-en_IN-20180704-16.12.1 myspell-en_JM-20180704-16.12.1 myspell-en_MW-20180704-16.12.1 myspell-en_NA-20180704-16.12.1 myspell-en_NZ-20180704-16.12.1 myspell-en_PH-20180704-16.12.1 myspell-en_TT-20180704-16.12.1 myspell-en_US-20180704-16.12.1 myspell-en_ZA-20180704-16.12.1 myspell-en_ZW-20180704-16.12.1 myspell-es-20180704-16.12.1 myspell-es_AR-20180704-16.12.1 myspell-es_BO-20180704-16.12.1 myspell-es_CL-20180704-16.12.1 myspell-es_CO-20180704-16.12.1 myspell-es_CR-20180704-16.12.1 myspell-es_CU-20180704-16.12.1 myspell-es_DO-20180704-16.12.1 myspell-es_EC-20180704-16.12.1 myspell-es_ES-20180704-16.12.1 myspell-es_GT-20180704-16.12.1 myspell-es_HN-20180704-16.12.1 myspell-es_MX-20180704-16.12.1 myspell-es_NI-20180704-16.12.1 myspell-es_PA-20180704-16.12.1 myspell-es_PE-20180704-16.12.1 myspell-es_PR-20180704-16.12.1 myspell-es_PY-20180704-16.12.1 myspell-es_SV-20180704-16.12.1 myspell-es_UY-20180704-16.12.1 myspell-es_VE-20180704-16.12.1 myspell-et_EE-20180704-16.12.1 myspell-fr_BE-20180704-16.12.1 myspell-fr_CA-20180704-16.12.1 myspell-fr_CH-20180704-16.12.1 myspell-fr_FR-20180704-16.12.1 myspell-fr_LU-20180704-16.12.1 myspell-fr_MC-20180704-16.12.1 myspell-gu_IN-20180704-16.12.1 myspell-he_IL-20180704-16.12.1 myspell-hi_IN-20180704-16.12.1 myspell-hr_HR-20180704-16.12.1 myspell-hu_HU-20180704-16.12.1 myspell-id-20180704-16.12.1 myspell-id_ID-20180704-16.12.1 myspell-it_IT-20180704-16.12.1 myspell-lo_LA-20180704-16.12.1 myspell-lt_LT-20180704-16.12.1 myspell-lv_LV-20180704-16.12.1 myspell-nb_NO-20180704-16.12.1 myspell-nl_BE-20180704-16.12.1 myspell-nl_NL-20180704-16.12.1 myspell-nn_NO-20180704-16.12.1 myspell-no-20180704-16.12.1 myspell-pl_PL-20180704-16.12.1 myspell-pt_AO-20180704-16.12.1 myspell-pt_BR-20180704-16.12.1 myspell-pt_PT-20180704-16.12.1 myspell-ro-20180704-16.12.1 
myspell-ro_RO-20180704-16.12.1 myspell-ru_RU-20180704-16.12.1 myspell-sk_SK-20180704-16.12.1 myspell-sl_SI-20180704-16.12.1 myspell-sr-20180704-16.12.1 myspell-sr_CS-20180704-16.12.1 myspell-sr_Latn_CS-20180704-16.12.1 myspell-sr_Latn_RS-20180704-16.12.1 myspell-sr_RS-20180704-16.12.1 myspell-sv_FI-20180704-16.12.1 myspell-sv_SE-20180704-16.12.1 myspell-te-20180704-16.12.1 myspell-te_IN-20180704-16.12.1 myspell-th_TH-20180704-16.12.1 myspell-uk_UA-20180704-16.12.1 myspell-vi-20180704-16.12.1 myspell-vi_VN-20180704-16.12.1 myspell-zu_ZA-20180704-16.12.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): myspell-dictionaries-20180704-16.12.1 myspell-lightproof-en-20180704-16.12.1 myspell-lightproof-hu_HU-20180704-16.12.1 myspell-lightproof-pt_BR-20180704-16.12.1 myspell-lightproof-ru_RU-20180704-16.12.1 References: https://bugzilla.suse.com/1099508 https://bugzilla.suse.com/1102294 From sle-updates at lists.suse.com Mon Sep 24 07:17:40 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:17:40 +0200 (CEST) Subject: SUSE-RU-2018:2830-1: moderate: Recommended update for openldap2 Message-ID: <20180924131740.22837FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for openldap2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2830-1 Rating: moderate References: #1089640 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1985=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1985=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1985=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1985=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): openldap2-back-perl-2.4.41-18.40.1 openldap2-back-perl-debuginfo-2.4.41-18.40.1 openldap2-debuginfo-2.4.41-18.40.1 openldap2-debugsource-2.4.41-18.40.1 openldap2-devel-2.4.41-18.40.1 openldap2-devel-static-2.4.41-18.40.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.41-18.40.1 libldap-2_4-2-debuginfo-2.4.41-18.40.1 openldap2-2.4.41-18.40.1 openldap2-back-meta-2.4.41-18.40.1 openldap2-back-meta-debuginfo-2.4.41-18.40.1 openldap2-client-2.4.41-18.40.1 openldap2-client-debuginfo-2.4.41-18.40.1 openldap2-debuginfo-2.4.41-18.40.1 openldap2-debugsource-2.4.41-18.40.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libldap-2_4-2-32bit-2.4.41-18.40.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.40.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libldap-2_4-2-2.4.41-18.40.1 
libldap-2_4-2-32bit-2.4.41-18.40.1 libldap-2_4-2-debuginfo-2.4.41-18.40.1 libldap-2_4-2-debuginfo-32bit-2.4.41-18.40.1 openldap2-client-2.4.41-18.40.1 openldap2-client-debuginfo-2.4.41-18.40.1 openldap2-debuginfo-2.4.41-18.40.1 openldap2-debugsource-2.4.41-18.40.1 - SUSE CaaS Platform ALL (x86_64): libldap-2_4-2-2.4.41-18.40.1 libldap-2_4-2-debuginfo-2.4.41-18.40.1 openldap2-debuginfo-2.4.41-18.40.1 openldap2-debugsource-2.4.41-18.40.1 - SUSE CaaS Platform 3.0 (x86_64): libldap-2_4-2-2.4.41-18.40.1 libldap-2_4-2-debuginfo-2.4.41-18.40.1 openldap2-debuginfo-2.4.41-18.40.1 openldap2-debugsource-2.4.41-18.40.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): libldap-2_4-2-2.4.41-18.40.1 libldap-2_4-2-debuginfo-2.4.41-18.40.1 openldap2-debuginfo-2.4.41-18.40.1 openldap2-debugsource-2.4.41-18.40.1 References: https://bugzilla.suse.com/1089640 From sle-updates at lists.suse.com Mon Sep 24 07:18:21 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:18:21 +0200 (CEST) Subject: SUSE-RU-2018:2831-1: moderate: Recommended update for several ardana packages, python-ardana-opsconsole-server Message-ID: <20180924131821.691D1FCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for several ardana packages, python-ardana-opsconsole-server ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2831-1 Rating: moderate References: #1100298 #1100445 #1100909 #1101703 #1102789 #1103349 Affected Products: SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that has 6 recommended fixes can now be installed. Description: This update for several ardana packages, and python-ardana-opsconsole-server fixes the following issues: service: - Add ssh-agent support to ardana-service. - Fix error message encoding when running under python3. (bsc#1100298) - Support passphrasing private id_rsa key. 
installer-ui: - Reorder Cloud settings tabs per training team feedback (bsc#1101703) - Include Lato font files with install UI (bsc#1100909) - Allow cloud settings to be modified earlier in the workflow (bsc#1100445) - Add Services Per Role page - Support case where ssh private id_rsa key is locked with passphrase - Resolves upstream sync issue - SCRD-3953 Update build scripts - Get fonts from npm package rather than tracking in source - Correct centering of progress numbers within their circles - Ignore files generated by build_deps.sh - Fix lint complaints opsconsole-ui: - Fix deprecated references to 'alive' (bsc#1102789) python-ardana-opsconsole-server: - Fix range import in objectstorage_summary_service plugin (bsc#1103349) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2018-1975=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2018-1975=1 Package List: - SUSE OpenStack Cloud 8 (noarch): ardana-installer-ui-8.0+git.1533745008.65449ee-3.9.1 ardana-installer-ui-debugsource-8.0+git.1533745008.65449ee-3.9.1 ardana-opsconsole-ui-8.0+git.1532638816.ddee71b-3.6.1 ardana-service-8.0+git.1533856000.65f17bc-3.9.1 python-ardana-opsconsole-server-8.0+git.1533326559.d98c230-3.3.1 - HPE Helion Openstack 8 (noarch): ardana-installer-ui-hpe-8.0+git.1533745008.65449ee-3.9.1 ardana-installer-ui-hpe-debugsource-8.0+git.1533745008.65449ee-3.9.1 ardana-opsconsole-ui-hpe-8.0+git.1532638816.ddee71b-3.6.1 ardana-service-8.0+git.1533856000.65f17bc-3.9.1 python-ardana-opsconsole-server-8.0+git.1533326559.d98c230-3.3.1 References: https://bugzilla.suse.com/1100298 https://bugzilla.suse.com/1100445 https://bugzilla.suse.com/1100909 https://bugzilla.suse.com/1101703 https://bugzilla.suse.com/1102789 https://bugzilla.suse.com/1103349 From 
sle-updates at lists.suse.com Mon Sep 24 07:19:54 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 15:19:54 +0200 (CEST) Subject: SUSE-RU-2018:2832-1: Recommended update for kiwi Message-ID: <20180924131954.1BE28FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for kiwi ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2832-1 Rating: low References: #1071135 #1075810 #1075813 #1095856 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for kiwi provides the following fixes: - Set serial console configuration for grub for ec2 firmware and vhd-fixed format. (bsc#1071135) - Build initrd for every single kernel installed using dracut. (bsc#1075810) - Fix elog shell pid detection by running the debug shell as a sub process of the calling terminal and using the sub process pid. (bsc#1075813) - Call the reset program to clear the terminal I/O prior to calling the dialog program. (bsc#1095856) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1976=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1976=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1976=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): kiwi-debugsource-7.03.125-72.25.1 kiwi-instsource-7.03.125-72.25.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): kiwi-pxeboot-7.03.125-72.25.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): kiwi-7.03.125-72.25.1 kiwi-debugsource-7.03.125-72.25.1 kiwi-desc-oemboot-7.03.125-72.25.1 kiwi-desc-vmxboot-7.03.125-72.25.1 kiwi-templates-7.03.125-72.25.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64): kiwi-desc-netboot-7.03.125-72.25.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): kiwi-doc-7.03.125-72.25.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): kiwi-desc-isoboot-7.03.125-72.25.1 References: https://bugzilla.suse.com/1071135 https://bugzilla.suse.com/1075810 https://bugzilla.suse.com/1075813 https://bugzilla.suse.com/1095856 From sle-updates at lists.suse.com Mon Sep 24 10:09:09 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:09:09 +0200 (CEST) Subject: SUSE-SU-2018:2834-1: moderate: Security update for shadow Message-ID: <20180924160909.3A0BBFCD2@maintenance.suse.de> SUSE Security Update: Security update for shadow ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2834-1 Rating: moderate References: #1106914 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that contains security fixes can now be installed. 
Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1993=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): shadow-4.5-7.3.1 shadow-debuginfo-4.5-7.3.1 shadow-debugsource-4.5-7.3.1 References: https://bugzilla.suse.com/1106914 From sle-updates at lists.suse.com Mon Sep 24 10:09:45 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:09:45 +0200 (CEST) Subject: SUSE-SU-2018:2835-1: moderate: Security update for shadow Message-ID: <20180924160945.8AB02FCD2@maintenance.suse.de> SUSE Security Update: Security update for shadow ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2835-1 Rating: moderate References: #1106914 Affected Products: SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for shadow fixes the following security issue: - Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1994=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1994=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1994=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): shadow-4.2.1-27.19.1 shadow-debuginfo-4.2.1-27.19.1 shadow-debugsource-4.2.1-27.19.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): shadow-4.2.1-27.19.1 shadow-debuginfo-4.2.1-27.19.1 shadow-debugsource-4.2.1-27.19.1 - SUSE CaaS Platform ALL (x86_64): shadow-4.2.1-27.19.1 shadow-debuginfo-4.2.1-27.19.1 shadow-debugsource-4.2.1-27.19.1 - SUSE CaaS Platform 3.0 (x86_64): shadow-4.2.1-27.19.1 shadow-debuginfo-4.2.1-27.19.1 shadow-debugsource-4.2.1-27.19.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): shadow-4.2.1-27.19.1 shadow-debuginfo-4.2.1-27.19.1 shadow-debugsource-4.2.1-27.19.1 References: https://bugzilla.suse.com/1106914 From sle-updates at lists.suse.com Mon Sep 24 10:10:19 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:10:19 +0200 (CEST) Subject: SUSE-SU-2018:2836-1: moderate: Security update for tiff Message-ID: <20180924161019.7946DFCD7@maintenance.suse.de> SUSE Security Update: Security update for tiff ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2836-1 Rating: 
moderate References: #1074186 #1092480 #983440 Cross-References: CVE-2016-5319 CVE-2017-17942 CVE-2018-10779 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for tiff fixes the following issues: Security issues fixed: - CVE-2018-10779: Fixed a heap-based buffer overflow in TIFFWriteScanline() in tif_write.c (bsc#1092480) - CVE-2017-17942: Fixed a heap-based buffer overflow in the function PackBitsEncode in tif_packbits.c. (bsc#1074186) - CVE-2016-5319: Fixed a heap-based buffer overflow in bmp2tiff (bsc#983440) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1989=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1989=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1989=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libtiff-devel-4.0.9-44.21.1 tiff-debuginfo-4.0.9-44.21.1 tiff-debugsource-4.0.9-44.21.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libtiff5-4.0.9-44.21.1 libtiff5-debuginfo-4.0.9-44.21.1 tiff-4.0.9-44.21.1 tiff-debuginfo-4.0.9-44.21.1 tiff-debugsource-4.0.9-44.21.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libtiff5-32bit-4.0.9-44.21.1 libtiff5-debuginfo-32bit-4.0.9-44.21.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libtiff5-32bit-4.0.9-44.21.1 libtiff5-4.0.9-44.21.1 libtiff5-debuginfo-32bit-4.0.9-44.21.1 libtiff5-debuginfo-4.0.9-44.21.1 
tiff-debuginfo-4.0.9-44.21.1 tiff-debugsource-4.0.9-44.21.1 References: https://www.suse.com/security/cve/CVE-2016-5319.html https://www.suse.com/security/cve/CVE-2017-17942.html https://www.suse.com/security/cve/CVE-2018-10779.html https://bugzilla.suse.com/1074186 https://bugzilla.suse.com/1092480 https://bugzilla.suse.com/983440 From sle-updates at lists.suse.com Mon Sep 24 10:11:21 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:11:21 +0200 (CEST) Subject: SUSE-SU-2018:2837-1: moderate: Security update for gd Message-ID: <20180924161121.03889FCD2@maintenance.suse.de> SUSE Security Update: Security update for gd ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2837-1 Rating: moderate References: #1105434 Cross-References: CVE-2018-1000222 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gd fixes the following issues: Security issue fixed: - CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that could result in remote code execution. This could have been exploited via a specially crafted JPEG image file. (bsc#1105434) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1991=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1991=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1991=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1991=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): gd-32bit-2.1.0-24.9.1 gd-debuginfo-32bit-2.1.0-24.9.1 gd-debugsource-2.1.0-24.9.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): gd-debuginfo-2.1.0-24.9.1 gd-debugsource-2.1.0-24.9.1 gd-devel-2.1.0-24.9.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): gd-2.1.0-24.9.1 gd-debuginfo-2.1.0-24.9.1 gd-debugsource-2.1.0-24.9.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): gd-2.1.0-24.9.1 gd-32bit-2.1.0-24.9.1 gd-debuginfo-2.1.0-24.9.1 gd-debuginfo-32bit-2.1.0-24.9.1 gd-debugsource-2.1.0-24.9.1 References: https://www.suse.com/security/cve/CVE-2018-1000222.html https://bugzilla.suse.com/1105434 From sle-updates at lists.suse.com Mon Sep 24 10:12:03 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:12:03 +0200 (CEST) Subject: SUSE-SU-2018:2838-1: moderate: Security update for ant Message-ID: <20180924161203.1655CFCD2@maintenance.suse.de> SUSE Security Update: Security update for ant ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2838-1 Rating: moderate References: #1100053 Cross-References: CVE-2018-10886 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for ant fixes the following issues: Security issue fixed: - CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file paths, which allowed arbitrary file writes and could potentially lead to code execution (bsc#1100053) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1988=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1988=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch): ant-1.9.4-3.3.1 ant-antlr-1.9.4-3.3.1 ant-apache-bcel-1.9.4-3.3.1 ant-apache-bsf-1.9.4-3.3.1 ant-apache-log4j-1.9.4-3.3.1 ant-apache-oro-1.9.4-3.3.1 ant-apache-regexp-1.9.4-3.3.1 ant-apache-resolver-1.9.4-3.3.1 ant-commons-logging-1.9.4-3.3.1 ant-javadoc-1.9.4-3.3.1 ant-javamail-1.9.4-3.3.1 ant-jdepend-1.9.4-3.3.1 ant-jmf-1.9.4-3.3.1 ant-junit-1.9.4-3.3.1 ant-manual-1.9.4-3.3.1 ant-scripts-1.9.4-3.3.1 ant-swing-1.9.4-3.3.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): ant-1.9.4-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-10886.html https://bugzilla.suse.com/1100053 From sle-updates at lists.suse.com Mon Sep 24 10:12:43 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:12:43 +0200 (CEST) Subject: SUSE-SU-2018:2839-1: moderate: Security update for java-1_8_0-ibm Message-ID: <20180924161243.C6799FCD2@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2839-1 Rating: moderate References: #1104668 Cross-References: CVE-2016-0705 CVE-2017-3732 CVE-2017-3736 CVE-2018-12539 CVE-2018-1517 CVE-2018-1656 CVE-2018-2940 CVE-2018-2952 
CVE-2018-2964 CVE-2018-2973 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. Description: This update for java-1_8_0-ibm to 8.0.5.20 fixes the following security issues: - CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1104668) - CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1104668) - CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1104668) - CVE-2018-2964: Vulnerability in subcomponent: Deployment. 
Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. (bsc#1104668) - CVE-2016-0705: Prevent double free in the dsa_priv_decode function that allowed remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key (bsc#1104668) - CVE-2017-3732: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668) - CVE-2017-3736: Prevent carry propagating bug in the x86_64 Montgomery squaring procedure (bsc#1104668) - CVE-2018-1517: Unspecified vulnerability (bsc#1104668) - CVE-2018-1656: Unspecified vulnerability (bsc#1104668) - CVE-2018-12539: Users other than the process owner might have been able to use Java Attach API to connect to an IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code (bsc#1104668) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1987=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1987=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1987=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1987=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1987=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1987=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1987=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-1987=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_8_0-ibm-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-devel-1.8.0_sr5.20-30.36.1 - SUSE OpenStack Cloud 7 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (ppc64le s390x x86_64): java-1_8_0-ibm-devel-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_8_0-ibm-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-devel-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): java-1_8_0-ibm-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-devel-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1 - SUSE Linux 
Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-devel-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-devel-1.8.0_sr5.20-30.36.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1 - SUSE Enterprise Storage 4 (x86_64): java-1_8_0-ibm-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-alsa-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-devel-1.8.0_sr5.20-30.36.1 java-1_8_0-ibm-plugin-1.8.0_sr5.20-30.36.1 References: https://www.suse.com/security/cve/CVE-2016-0705.html https://www.suse.com/security/cve/CVE-2017-3732.html https://www.suse.com/security/cve/CVE-2017-3736.html https://www.suse.com/security/cve/CVE-2018-12539.html https://www.suse.com/security/cve/CVE-2018-1517.html https://www.suse.com/security/cve/CVE-2018-1656.html https://www.suse.com/security/cve/CVE-2018-2940.html https://www.suse.com/security/cve/CVE-2018-2952.html https://www.suse.com/security/cve/CVE-2018-2964.html https://www.suse.com/security/cve/CVE-2018-2973.html https://bugzilla.suse.com/1104668 From sle-updates at lists.suse.com Mon Sep 24 10:13:23 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:13:23 +0200 (CEST) Subject: SUSE-SU-2018:2840-1: moderate: Security update for php7 Message-ID: <20180924161323.1FDCFFCD2@maintenance.suse.de> SUSE Security Update: Security update for php7 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2840-1 Rating: moderate References: #1105434 Cross-References: CVE-2018-1000222 Affected Products: SUSE Linux Enterprise Module for Web Scripting 15 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for php7 fixes the following issues: Security issue fixed: - CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that could result in remote code execution. This could have been exploited via a specially crafted JPEG image file. (bsc#1105434) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 15: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-2018-1992=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 15 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.2.5-4.9.1 apache2-mod_php7-debuginfo-7.2.5-4.9.1 php7-7.2.5-4.9.1 php7-bcmath-7.2.5-4.9.1 php7-bcmath-debuginfo-7.2.5-4.9.1 php7-bz2-7.2.5-4.9.1 php7-bz2-debuginfo-7.2.5-4.9.1 php7-calendar-7.2.5-4.9.1 php7-calendar-debuginfo-7.2.5-4.9.1 php7-ctype-7.2.5-4.9.1 php7-ctype-debuginfo-7.2.5-4.9.1 php7-curl-7.2.5-4.9.1 php7-curl-debuginfo-7.2.5-4.9.1 php7-dba-7.2.5-4.9.1 php7-dba-debuginfo-7.2.5-4.9.1 php7-debuginfo-7.2.5-4.9.1 php7-debugsource-7.2.5-4.9.1 php7-devel-7.2.5-4.9.1 php7-dom-7.2.5-4.9.1 php7-dom-debuginfo-7.2.5-4.9.1 php7-enchant-7.2.5-4.9.1 php7-enchant-debuginfo-7.2.5-4.9.1 php7-exif-7.2.5-4.9.1 php7-exif-debuginfo-7.2.5-4.9.1 php7-fastcgi-7.2.5-4.9.1 php7-fastcgi-debuginfo-7.2.5-4.9.1 php7-fileinfo-7.2.5-4.9.1 php7-fileinfo-debuginfo-7.2.5-4.9.1 php7-fpm-7.2.5-4.9.1 php7-fpm-debuginfo-7.2.5-4.9.1 php7-ftp-7.2.5-4.9.1 php7-ftp-debuginfo-7.2.5-4.9.1 php7-gd-7.2.5-4.9.1 php7-gd-debuginfo-7.2.5-4.9.1 php7-gettext-7.2.5-4.9.1 php7-gettext-debuginfo-7.2.5-4.9.1 php7-gmp-7.2.5-4.9.1 php7-gmp-debuginfo-7.2.5-4.9.1 php7-iconv-7.2.5-4.9.1 php7-iconv-debuginfo-7.2.5-4.9.1 php7-intl-7.2.5-4.9.1 
php7-intl-debuginfo-7.2.5-4.9.1 php7-json-7.2.5-4.9.1 php7-json-debuginfo-7.2.5-4.9.1 php7-ldap-7.2.5-4.9.1 php7-ldap-debuginfo-7.2.5-4.9.1 php7-mbstring-7.2.5-4.9.1 php7-mbstring-debuginfo-7.2.5-4.9.1 php7-mysql-7.2.5-4.9.1 php7-mysql-debuginfo-7.2.5-4.9.1 php7-odbc-7.2.5-4.9.1 php7-odbc-debuginfo-7.2.5-4.9.1 php7-opcache-7.2.5-4.9.1 php7-opcache-debuginfo-7.2.5-4.9.1 php7-openssl-7.2.5-4.9.1 php7-openssl-debuginfo-7.2.5-4.9.1 php7-pcntl-7.2.5-4.9.1 php7-pcntl-debuginfo-7.2.5-4.9.1 php7-pdo-7.2.5-4.9.1 php7-pdo-debuginfo-7.2.5-4.9.1 php7-pgsql-7.2.5-4.9.1 php7-pgsql-debuginfo-7.2.5-4.9.1 php7-phar-7.2.5-4.9.1 php7-phar-debuginfo-7.2.5-4.9.1 php7-posix-7.2.5-4.9.1 php7-posix-debuginfo-7.2.5-4.9.1 php7-shmop-7.2.5-4.9.1 php7-shmop-debuginfo-7.2.5-4.9.1 php7-snmp-7.2.5-4.9.1 php7-snmp-debuginfo-7.2.5-4.9.1 php7-soap-7.2.5-4.9.1 php7-soap-debuginfo-7.2.5-4.9.1 php7-sockets-7.2.5-4.9.1 php7-sockets-debuginfo-7.2.5-4.9.1 php7-sqlite-7.2.5-4.9.1 php7-sqlite-debuginfo-7.2.5-4.9.1 php7-sysvmsg-7.2.5-4.9.1 php7-sysvmsg-debuginfo-7.2.5-4.9.1 php7-sysvsem-7.2.5-4.9.1 php7-sysvsem-debuginfo-7.2.5-4.9.1 php7-sysvshm-7.2.5-4.9.1 php7-sysvshm-debuginfo-7.2.5-4.9.1 php7-tokenizer-7.2.5-4.9.1 php7-tokenizer-debuginfo-7.2.5-4.9.1 php7-wddx-7.2.5-4.9.1 php7-wddx-debuginfo-7.2.5-4.9.1 php7-xmlreader-7.2.5-4.9.1 php7-xmlreader-debuginfo-7.2.5-4.9.1 php7-xmlrpc-7.2.5-4.9.1 php7-xmlrpc-debuginfo-7.2.5-4.9.1 php7-xmlwriter-7.2.5-4.9.1 php7-xmlwriter-debuginfo-7.2.5-4.9.1 php7-xsl-7.2.5-4.9.1 php7-xsl-debuginfo-7.2.5-4.9.1 php7-zip-7.2.5-4.9.1 php7-zip-debuginfo-7.2.5-4.9.1 php7-zlib-7.2.5-4.9.1 php7-zlib-debuginfo-7.2.5-4.9.1 - SUSE Linux Enterprise Module for Web Scripting 15 (noarch): php7-pear-7.2.5-4.9.1 php7-pear-Archive_Tar-7.2.5-4.9.1 References: https://www.suse.com/security/cve/CVE-2018-1000222.html https://bugzilla.suse.com/1105434 From sle-updates at lists.suse.com Mon Sep 24 10:14:00 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 
2018 18:14:00 +0200 (CEST) Subject: SUSE-SU-2018:2841-1: moderate: Security update for libXcursor Message-ID: <20180924161400.C62A0FCD2@maintenance.suse.de> SUSE Security Update: Security update for libXcursor ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2841-1 Rating: moderate References: #1103511 Cross-References: CVE-2015-9262 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libXcursor fixes the following security issue: - CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow (bsc#1103511). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1986=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1986=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1986=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libXcursor-debugsource-1.1.14-4.6.1 libXcursor-devel-1.1.14-4.6.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libXcursor-debugsource-1.1.14-4.6.1 libXcursor1-1.1.14-4.6.1 libXcursor1-debuginfo-1.1.14-4.6.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libXcursor1-32bit-1.1.14-4.6.1 libXcursor1-debuginfo-32bit-1.1.14-4.6.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libXcursor-debugsource-1.1.14-4.6.1 libXcursor1-1.1.14-4.6.1 libXcursor1-32bit-1.1.14-4.6.1 libXcursor1-debuginfo-1.1.14-4.6.1 libXcursor1-debuginfo-32bit-1.1.14-4.6.1 References: https://www.suse.com/security/cve/CVE-2015-9262.html https://bugzilla.suse.com/1103511 From sle-updates at lists.suse.com Mon Sep 24 10:14:37 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 18:14:37 +0200 (CEST) Subject: SUSE-SU-2018:2842-1: moderate: Security update for gnutls Message-ID: <20180924161437.7BFC0FCD2@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2842-1 Rating: moderate References: #1047002 #1105437 #1105459 #1105460 Cross-References: CVE-2017-10790 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that fixes four 
vulnerabilities is now available. Description: This update for gnutls fixes the following issues: Security issues fixed: - Improved mitigations against Lucky 13 class of attacks - "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846, bsc#1105460) - HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845, bsc#1105459) - HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844, bsc#1105437) - The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (CVE-2017-10790, bsc#1047002) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1990=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1990=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1990=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): gnutls-debuginfo-3.3.27-3.3.1 gnutls-debugsource-3.3.27-3.3.1 libgnutls-devel-3.3.27-3.3.1 libgnutls-openssl-devel-3.3.27-3.3.1 libgnutlsxx-devel-3.3.27-3.3.1 libgnutlsxx28-3.3.27-3.3.1 libgnutlsxx28-debuginfo-3.3.27-3.3.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): gnutls-3.3.27-3.3.1 gnutls-debuginfo-3.3.27-3.3.1 gnutls-debugsource-3.3.27-3.3.1 libgnutls-openssl27-3.3.27-3.3.1 libgnutls-openssl27-debuginfo-3.3.27-3.3.1 libgnutls28-3.3.27-3.3.1 libgnutls28-debuginfo-3.3.27-3.3.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libgnutls28-32bit-3.3.27-3.3.1 libgnutls28-debuginfo-32bit-3.3.27-3.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): gnutls-3.3.27-3.3.1 gnutls-debuginfo-3.3.27-3.3.1 
gnutls-debugsource-3.3.27-3.3.1 libgnutls28-3.3.27-3.3.1 libgnutls28-32bit-3.3.27-3.3.1 libgnutls28-debuginfo-3.3.27-3.3.1 libgnutls28-debuginfo-32bit-3.3.27-3.3.1 References: https://www.suse.com/security/cve/CVE-2017-10790.html https://www.suse.com/security/cve/CVE-2018-10844.html https://www.suse.com/security/cve/CVE-2018-10845.html https://www.suse.com/security/cve/CVE-2018-10846.html https://bugzilla.suse.com/1047002 https://bugzilla.suse.com/1105437 https://bugzilla.suse.com/1105459 https://bugzilla.suse.com/1105460 From sle-updates at lists.suse.com Mon Sep 24 13:08:15 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 24 Sep 2018 21:08:15 +0200 (CEST) Subject: SUSE-SU-2018:2843-1: moderate: Security update for pam_pkcs11 Message-ID: <20180924190815.21B48FCD7@maintenance.suse.de> SUSE Security Update: Security update for pam_pkcs11 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2843-1 Rating: moderate References: #1105012 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for pam_pkcs11 fixes the following security issues: - It was possible to replay an authentication by using a specially prepared smartcard or token (bsc#1105012) - Prevent buffer overflow if a user has a home directory with a length of more than 512 bytes (bsc#1105012) - Memory not cleaned properly before free() (bsc#1105012) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-pam_pkcs11-13784=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-pam_pkcs11-13784=1 Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): pam_pkcs11-0.6.0-141.3.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): pam_pkcs11-32bit-0.6.0-141.3.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): pam_pkcs11-x86-0.6.0-141.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): pam_pkcs11-debuginfo-0.6.0-141.3.1 pam_pkcs11-debugsource-0.6.0-141.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64): pam_pkcs11-debuginfo-32bit-0.6.0-141.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64): pam_pkcs11-debuginfo-x86-0.6.0-141.3.1 References: https://bugzilla.suse.com/1105012 From sle-updates at lists.suse.com Mon Sep 24 19:07:57 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 03:07:57 +0200 (CEST) Subject: SUSE-RU-2018:2844-1: moderate: Recommended update for python-kiwi Message-ID: <20180925010757.A905CFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-kiwi ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2844-1 Rating: moderate References: #1077096 #1077619 #1092485 #1092531 #1093377 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. Description: This update for python-kiwi provides the following fix: - Follow up fix to keep the permissions on target directory. This fix makes sure the permissions are only applied if the target directory exists. (bsc#1077619) - Resize partition table after image resize. 
The command 'kiwi image resize' allows to change the size of a disk image. Depending on the partition table type it is also required to resize the partition table inside of the image to let the file size change become effective. (fate#323874) - Add the possibility of setting some unpartitioned area after the system disk partition into the image, and also simplify the unpartitioned area calculation. (fate#323874) - Support lookup for fstab.append on fstab creation. At the time kiwi creates the fstab with all required fields to boot the system it now also looks for an optional fstab.append file and appends its contents to the fstab file. This allows to setup custom fstab entries for filesystem mounts which are established outside of the kiwi image building process by e.g. a service at first boot. (fate#323874) - Fixed truncation of image when writing vhd tag. When writing the vhd tag into a vhdfixed formatted image the image was opened with the wrong open bits 'wb' and thus was truncated at the 64k offset. (bsc#1077096) - Comment blocks cause use of high amounts of memory during XSLT processing. (bsc#1092485) - Fix the name generation for GCE images. The implementation assumed that GCE images are of a type that use a kiwi generated initrd, looking for image name components based on the boot attribute in the type element. This assumption is not correct, use the name provided in the XML to compose the image name. (bsc#1093377) - Fix zypper add lock operations by passing the correct arguments to zypper. - Allow arch attribute for profiles specification. A profile could be relevant only for a specific architecture. There was no way to express that in the XML description so this update makes it possible to represent that. (bsc#1092531) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2018-1996=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1996=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1996=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): kiwi-pxeboot-8.33.14-9.29.11 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): kiwi-man-pages-8.33.14-9.29.11 kiwi-tools-8.33.14-9.29.11 kiwi-tools-debuginfo-8.33.14-9.29.11 python-kiwi-debugsource-8.33.14-9.29.11 python2-kiwi-8.33.14-9.29.11 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): kiwi-tools-8.33.14-9.29.11 kiwi-tools-debuginfo-8.33.14-9.29.11 python-kiwi-debugsource-8.33.14-9.29.11 References: https://bugzilla.suse.com/1077096 https://bugzilla.suse.com/1077619 https://bugzilla.suse.com/1092485 https://bugzilla.suse.com/1092531 https://bugzilla.suse.com/1093377 From sle-updates at lists.suse.com Tue Sep 25 04:11:17 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 12:11:17 +0200 (CEST) Subject: SUSE-RU-2018:2845-1: moderate: Recommended update for ucode-intel Message-ID: <20180925101117.38477FCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2845-1 Rating: moderate References: #1104479 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for ucode-intel 2018007a fixes the following issues: No change except clarify the licensing and redistributable state. 
(bsc#1104479) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1997=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): ucode-intel-20180807a-3.9.1 References: https://bugzilla.suse.com/1104479 From sle-updates at lists.suse.com Tue Sep 25 04:11:57 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 12:11:57 +0200 (CEST) Subject: SUSE-RU-2018:2846-1: moderate: Recommended update for wireless-regdb Message-ID: <20180925101157.8C13FFD2E@maintenance.suse.de> SUSE Recommended Update: Recommended update for wireless-regdb ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2846-1 Rating: moderate References: #1095397 #1106528 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for wireless-regdb fixes the following issues: - Fix power limit in 5725-5785 GHz rule for France. - Updated regulatory database for France and Panama. - Fixes in python3 scripts. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1998=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (noarch): wireless-regdb-2018.05.31-3.5.1 References: https://bugzilla.suse.com/1095397 https://bugzilla.suse.com/1106528 From sle-updates at lists.suse.com Tue Sep 25 04:12:48 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 12:12:48 +0200 (CEST) Subject: SUSE-RU-2018:2847-1: moderate: Recommended update for powerpc-utils Message-ID: <20180925101248.2E5D2FD16@maintenance.suse.de> SUSE Recommended Update: Recommended update for powerpc-utils ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2847-1 Rating: moderate References: #1099910 #1103283 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for powerpc-utils fixes the following issues: - Add support for ibm,dynamic-memory-v2 devicetree property (bsc#1103283) - Display logical name using bootlist -o option (bsc#1099910) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2000=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (ppc64le): powerpc-utils-1.3.4-7.3.1 powerpc-utils-debuginfo-1.3.4-7.3.1 powerpc-utils-debugsource-1.3.4-7.3.1 References: https://bugzilla.suse.com/1099910 https://bugzilla.suse.com/1103283 From sle-updates at lists.suse.com Tue Sep 25 04:13:47 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 12:13:47 +0200 (CEST) Subject: SUSE-RU-2018:2848-1: moderate: Recommended update for zlib Message-ID: <20180925101347.B4935FD16@maintenance.suse.de> SUSE Recommended Update: Recommended update for zlib ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2848-1 Rating: moderate References: #1071321 Affected Products: SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1999=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1999=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15 (x86_64): zlib-debugsource-1.2.11-3.3.1 zlib-devel-32bit-1.2.11-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libminizip1-1.2.11-3.3.1 libminizip1-debuginfo-1.2.11-3.3.1 libz1-1.2.11-3.3.1 libz1-debuginfo-1.2.11-3.3.1 minizip-devel-1.2.11-3.3.1 zlib-debugsource-1.2.11-3.3.1 zlib-devel-1.2.11-3.3.1 zlib-devel-static-1.2.11-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libz1-32bit-1.2.11-3.3.1 libz1-32bit-debuginfo-1.2.11-3.3.1 References: https://bugzilla.suse.com/1071321 From sle-updates at lists.suse.com Tue Sep 25 07:08:42 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 15:08:42 +0200 (CEST) Subject: SUSE-SU-2018:2850-1: important: Security update for mgetty Message-ID: <20180925130842.8274AFCD2@maintenance.suse.de> SUSE Security Update: Security update for mgetty ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2850-1 Rating: important References: #1108752 #1108756 #1108757 #1108761 #1108762 Cross-References: CVE-2018-16741 CVE-2018-16742 CVE-2018-16743 CVE-2018-16744 CVE-2018-16745 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. 
Description: This update for mgetty fixes the following issues: - CVE-2018-16741: The function do_activate() did not properly sanitize shell metacharacters to prevent command injection (bsc#1108752) - CVE-2018-16745: The mail_to parameter was not sanitized, leading to a buffer overflow if long untrusted input reached it (bsc#1108756) - CVE-2018-16744: The mail_to parameter was not sanitized, leading to command injection if untrusted input reached it (bsc#1108757) - CVE-2018-16742: Prevent stack-based buffer overflow that could have been triggered via a command-line parameter (bsc#1108762) - CVE-2018-16743: The command-line parameter username was passed unsanitized to strcpy(), which could have caused a stack-based buffer overflow (bsc#1108761) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-mgetty-13785=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-mgetty-13785=1 Package List: - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): g3utils-1.1.36-28.3.1 mgetty-1.1.36-28.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): mgetty-debuginfo-1.1.36-28.3.1 mgetty-debugsource-1.1.36-28.3.1 References: https://www.suse.com/security/cve/CVE-2018-16741.html https://www.suse.com/security/cve/CVE-2018-16742.html https://www.suse.com/security/cve/CVE-2018-16743.html https://www.suse.com/security/cve/CVE-2018-16744.html https://www.suse.com/security/cve/CVE-2018-16745.html https://bugzilla.suse.com/1108752 https://bugzilla.suse.com/1108756 https://bugzilla.suse.com/1108757 https://bugzilla.suse.com/1108761 https://bugzilla.suse.com/1108762 From sle-updates at lists.suse.com Tue Sep 25 07:10:53 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 
15:10:53 +0200 (CEST) Subject: SUSE-SU-2018:2853-1: important: Security update for python-paramiko Message-ID: <20180925131053.B8F90FCD2@maintenance.suse.de> SUSE Security Update: Security update for python-paramiko ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2853-1 Rating: important References: #1085276 #1106148 Cross-References: CVE-2018-7750 Affected Products: SUSE CaaS Platform ALL ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for python-paramiko to version 1.18.5 fixes the following issues: This security issue was fixed: - CVE-2018-7750: transport.py in the SSH server implementation of Paramiko did not properly check whether authentication is completed before processing other requests. A customized SSH client could have skipped the authentication step (bsc#1085276) This non-security issue was fixed: - Prevent connection problems with ssh servers due to no acceptable macs being available (bsc#1106148) For additional changes please check the changelog. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE CaaS Platform ALL (noarch): python-paramiko-1.18.5-10.6.1 References: https://www.suse.com/security/cve/CVE-2018-7750.html https://bugzilla.suse.com/1085276 https://bugzilla.suse.com/1106148 From sle-updates at lists.suse.com Tue Sep 25 10:08:09 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 18:08:09 +0200 (CEST) Subject: SUSE-RU-2018:2857-1: moderate: Recommended update for nvme-cli Message-ID: <20180925160809.199B2FCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for nvme-cli ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2857-1 Rating: moderate References: #1084379 #1087848 #1090568 #1099018 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for nvme-cli fixes the following issues: - Retry discovery log if the generation counter changes. (bsc#1087848) - Fix passing "host_traddr" for all transports (bsc#1084379) - Write ctrl_loss_tmo to fabrics device on connect. (bsc#1084379) - write keep-alive-timeout to fabrics device on connect. (bsc#1090568) - Add get_log LSP & LSO fields from 1.3 spec. (bsc#1099018) - Add option '--ctrl-loss-tmo' to 'connect-all' sub-command. (bsc#1084379) - Implement nvme_get_log13 (bsc#1099018) - Add support of unsigned long long to json (bsc#1099018) - Add support of RAE (bsc#1099018) - Add minimal ana-log page support (bsc#1099018) - Add ana_log documentation (bsc#1099018) - Fix double free in list_subsys (bsc#1099018) - Log error in case of failure in get_nvme_subsystem (bsc#1099018) - Move print function to nvme-print.c (bsc#1099018) - Show partial results if controller fails (bsc#1099018) - Add ctrl-loss-tmo to connect-all command (bsc#1084379) - Add device name argument and print ANA state. 
(bsc#1099018) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2003=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): nvme-cli-1.5-7.5.1 nvme-cli-debuginfo-1.5-7.5.1 nvme-cli-debugsource-1.5-7.5.1 References: https://bugzilla.suse.com/1084379 https://bugzilla.suse.com/1087848 https://bugzilla.suse.com/1090568 https://bugzilla.suse.com/1099018 From sle-updates at lists.suse.com Tue Sep 25 10:09:17 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 18:09:17 +0200 (CEST) Subject: SUSE-SU-2018:2858-1: important: Security update for the Linux Kernel Message-ID: <20180925160917.40CB3FCD2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2858-1 Rating: important References: #1012382 #1015342 #1015343 #1017967 #1019695 #1019699 #1020412 #1021121 #1022604 #1024361 #1024365 #1024376 #1027968 #1030552 #1033962 #1042286 #1048317 #1050431 #1053685 #1055014 #1056596 #1062604 #1063646 #1064232 #1065364 #1066223 #1068032 #1068075 #1069138 #1078921 #1080157 #1083663 #1085042 #1085536 #1085539 #1086457 #1087092 #1089066 #1090888 #1091171 #1091860 #1092903 #1096254 #1096748 #1097105 #1098253 #1098822 #1099597 #1099810 #1099811 #1099813 #1099832 #1099844 #1099845 #1099846 #1099849 #1099863 #1099864 #1099922 #1099999 #1100000 #1100001 #1100132 #1101822 #1101841 #1102346 #1102486 #1102517 #1102715 #1102797 #1103269 #1103445 #1104319 #1104485 #1104494 #1104495 #1104683 #1104897 #1105271 #1105292 #1105322 #1105392 #1105396 #1105524 #1105536 #1105769 #1106016 #1106105 #1106185 #1106229 #1106271 
#1106275 #1106276 #1106278 #1106281 #1106283 #1106369 #1106509 #1106511 #1106594 #1106697 #1106929 #1106934 #1106995 #1107060 #1107078 #1107319 #1107320 #1107689 #1107735 #1107966 #963575 #966170 #966172 #969470 #969476 #969477 #970506 Cross-References: CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-10902 CVE-2018-10938 CVE-2018-10940 CVE-2018-1128 CVE-2018-1129 CVE-2018-12896 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-15572 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555 CVE-2018-9363 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that solves 22 vulnerabilities and has 96 fixes is now available. Description: The SUSE Linux Enterprise 12 SP3 azure kernel was updated to 4.4.155 to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurred because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001) - CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999) - CVE-2018-13094: Prevent OOPS that may have occurred for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000) - CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. 
This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922) - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689) - CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903) - CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511) - CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509) - CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748) - CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. 
Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748) - CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016) - CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517) - CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322). - CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292) - CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863) - CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844) - CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813) - CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811) - CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846) - CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a 
system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864) - CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849) - CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845) The following non-security bugs were fixed: - 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382). - 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382). - 9p: fix multiple NULL-pointer-dereferences (bnc#1012382). - ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382). - ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382). - ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382). - ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382). - ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382). - ALSA: emu10k1: Rate-limit error messages about page errors (bnc#1012382). - ALSA: emu10k1: add error handling for snd_ctl_add (bnc#1012382). - ALSA: fm801: add error handling for snd_ctl_add (bnc#1012382). - ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382). - ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382). - ALSA: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382). - ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382). - ALSA: memalloc: Do not exceed over the requested size (bnc#1012382). - ALSA: rawmidi: Change resized buffers atomically (bnc#1012382). - ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810). - ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382). 
- ALSA: virmidi: Fix too long output trigger loop (bnc#1012382).
- ALSA: vx222: Fix invalid endian conversions (bnc#1012382).
- ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382).
- ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382).
- ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382).
- ARC: Fix CONFIG_SWAP (bnc#1012382).
- ARC: mm: allow mprotect to make stack mappings executable (bnc#1012382).
- ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382).
- ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382).
- ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382).
- ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382).
- ARM: dts: da850: Fix interrups property for gpio (bnc#1012382).
- ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382).
- ARM: fix put_user() for gcc-8 (bnc#1012382).
- ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382).
- ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382).
- ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382).
- ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382).
- ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver.
- ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382).
- ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382).
- ASoC: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382).
- ASoC: pxa: Fix module autoload for platform drivers (bnc#1012382).
- ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382).
- Add reference to bsc#1091171 (bnc#1012382; bsc#1091171).
- Bluetooth: avoid killing an already killed socket (bnc#1012382).
- Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382).
- Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092).
- Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092).
- Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning (bnc#1012382).
- Documentation/spec_ctrl: Do some minor cleanups (bnc#1012382).
- HID: hid-plantronics: Re-resend Update to map button for PTT products (bnc#1012382).
- HID: i2c-hid: check if device is there before really probing (bnc#1012382).
- HID: wacom: Correct touch maximum XY of 2nd-gen Intuos (bnc#1012382).
- IB/core: Make testing MR flags for writability a static inline function (bnc#1012382).
- IB/core: Remove duplicate declaration of gid_cache_wq (bsc#1056596).
- IB/iser: Do not reduce max_sectors (bsc#1063646).
- IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'.
- IB/mlx4: Mark user MR as writable if actual virtual memory is writable (bnc#1012382).
- IB/mlx5: Fetch soft WQE's on fatal error state (bsc#1015342 bsc#1015343).
- IB/mlx5: Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- IB/ocrdma: fix out of bounds access to local buffer (bnc#1012382).
- Input: elan_i2c - add ACPI ID for lenovo ideapad 330 (bnc#1012382).
- Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST (bnc#1012382).
- Input: i8042 - add Lenovo LaVie Z to the i8042 reset list (bnc#1012382).
- KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel (bnc#1012382).
- KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
- KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- KVM: arm/arm64: Skip updating PMD entry if no change (bnc#1012382).
- KVM: arm/arm64: Skip updating PTE entry if no change (bnc#1012382).
- KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer (bnc#1012382).
- KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- MIPS: Correct the 64-bit DSP accumulator register size (bnc#1012382).
- MIPS: Fix off-by-one in pci_resource_to_user() (bnc#1012382).
- MIPS: ath79: fix register address in ath79_ddr_wb_flush() (bnc#1012382).
- MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 (bnc#1012382).
- NET: stmmac: align DMA stuff to largest cache line length (bnc#1012382).
- PCI: Prevent sysfs disable of device while driver is attached (bnc#1012382).
- PCI: Skip MPS logic for Virtual Functions (VFs) (bnc#1012382).
- PCI: hotplug: Do not leak pci_slot on registration failure (bnc#1012382).
- PCI: pciehp: Fix use-after-free on unplug (bnc#1012382).
- PCI: pciehp: Request control of native hotplug only if supported (bnc#1012382).
- PM / sleep: wakeup: Fix build error caused by missing SRCU support (bnc#1012382).
- RDMA/i40iw: Avoid panic when objects are being created and destroyed (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid reference leaks when processing the AEQ (bsc#969476 bsc#969477).
- RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1024376).
- RDMA/mad: Convert BUG_ONs to error flows (bnc#1012382).
- RDMA/mlx5: Use proper spec flow label type (bsc#1015342 bsc#1015343).
- Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum" (bnc#1012382).
- Revert "UBIFS: Fix potential integer overflow in allocation" (bnc#1012382).
- Revert "f2fs: handle dirty segments inside refresh_sit_entry" (bsc#1106281).
- Revert "mm: page_alloc: skip over regions of invalid pfns where possible" (bnc#1107078).
- Revert "net: Do not copy pfmemalloc flag in __copy_skb_header()" (kabi).
- Revert "netfilter: ipv6: nf_defrag: reduce struct net memory waste" (kabi).
- Revert "skbuff: Unconditionally copy pfmemalloc in __skb_clone()" (kabi).
- Revert "vsock: split dwork to avoid reinitializations" (kabi).
- Revert "x86/mm: Give each mm TLB flush generation a unique ID" (kabi).
- Revert "x86/speculation/l1tf: Fix up CPU feature flags" (kabi).
- Revert "x86/speculation: Use Indirect Branch Prediction Barrier in context switch" (kabi).
- Smack: Mark inode instant in smack_task_to_inode (bnc#1012382).
- USB: musb: fix external abort on suspend (bsc#1085536).
- USB: option: add support for DW5821e (bnc#1012382).
- USB: serial: metro-usb: stop I/O after failed open (bsc#1085539).
- USB: serial: sierra: fix potential deadlock at close (bnc#1012382).
- Workaround kABI breakage by __must_check drop of strscpy() (bsc#1107319).
- afs: Fix directory permissions check (bsc#1106283).
- arc: fix build errors in arc/include/asm/delay.h (bnc#1012382).
- arc: fix type warnings in arc/mm/cache.c (bnc#1012382).
- arm64: make secondary_start_kernel() notrace (bnc#1012382).
- arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() (bnc#1012382).
- ath: Add regulatory mapping for APL13_WORLD (bnc#1012382).
- ath: Add regulatory mapping for APL2_FCCA (bnc#1012382).
- ath: Add regulatory mapping for Bahamas (bnc#1012382).
- ath: Add regulatory mapping for Bermuda (bnc#1012382).
- ath: Add regulatory mapping for ETSI8_WORLD (bnc#1012382).
- ath: Add regulatory mapping for FCC3_ETSIC (bnc#1012382).
- ath: Add regulatory mapping for Serbia (bnc#1012382).
- ath: Add regulatory mapping for Tanzania (bnc#1012382).
- ath: Add regulatory mapping for Uganda (bnc#1012382).
- atl1c: reserve min skb headroom (bnc#1012382).
- atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066).
- audit: allow not equal op for audit by executable (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node leaks (bsc#1106929).
- backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1106929).
- bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232).
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232).
- bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232).
- bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
- bcache: finish incremental GC (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering (bsc#1064232).
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232).
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232).
- bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232).
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232).
- be2net: remove unused old custom busy-poll fields (bsc#1021121).
- blkdev: __blkdev_direct_IO_simple: fix leak in error case (bsc#1083663).
- block: bio_iov_iter_get_pages: fix size of last iovec (bsc#1083663).
- block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs (bsc#1083663).
- block: do not use interruptible wait anywhere (bnc#1012382).
- bnx2x: Fix invalid memory access in rss hash config path (bnc#1012382).
- bnx2x: Fix receiving tx-timeout in error or recovery state (bnc#1012382).
- bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#963575).
- bnxt_en: Fix for system hang if request_irq fails (bnc#1012382).
- bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1020412).
- bpf: fix references to free_bpf_prog_info() in comments (bnc#1012382).
- brcmfmac: Add support for bcm43364 wireless chipset (bnc#1012382).
- brcmfmac: stop watchdog before detach and free everything (bnc#1012382).
- bridge: Propagate vlan add failure to user (bnc#1012382).
- btrfs: Do not remove block group still has pinned down bytes (bsc#1086457).
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (bnc#1012382).
- btrfs: do not leak ret from do_chunk_alloc (bnc#1012382).
- btrfs: qgroup: Finish rescan when hit the last leaf of extent tree (bnc#1012382).
- btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf.
- btrfs: round down size diff when shrinking/growing device (bsc#1097105).
- can: ems_usb: Fix memory leak on ems_usb_disconnect() (bnc#1012382).
- can: mpc5xxx_can: check of_iomap return before use (bnc#1012382).
- can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK (bnc#1012382).
- can: xilinx_can: fix RX overflow interrupt not being enabled (bnc#1012382).
- can: xilinx_can: fix device dropping off bus on RX overrun (bnc#1012382).
- can: xilinx_can: fix incorrect clear of non-processed interrupts (bnc#1012382).
- can: xilinx_can: fix recovery from error states not being propagated (bnc#1012382).
- can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting (bnc#1012382).
- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (bnc#1012382).
- ceph: fix incorrect use of strncpy (bsc#1107319).
- ceph: return errors from posix_acl_equiv_mode() correctly (bsc#1107320).
- cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1012382).
- cifs: add missing debug entries for kconfig options (bnc#1012382).
- cifs: check kmalloc before use (bsc#1012382).
- cifs: store the leaseKey in the fid on SMB2_open (bsc#1012382).
- clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 (bnc#1012382).
- crypto: ablkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: authenc - do not leak pointers to authenc keys (bnc#1012382).
- crypto: authencesn - do not leak pointers to authenc keys (bnc#1012382).
- crypto: blkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: padlock-aes - Fix Nano workaround data corruption (bnc#1012382).
- crypto: vmac - require a block cipher with 128-bit block size (bnc#1012382).
- crypto: vmac - separate tfm and request context (bnc#1012382).
- crypto: vmx - Fix sleep-in-atomic bugs (bsc#1048317).
- cxgb4: when disabling dcb set txq dcb priority to 0 (bnc#1012382).
- cxl: Fix wrong comparison in cxl_adapter_context_get() (bsc#1055014).
- dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() (bnc#1012382).
- disable loading f2fs module on PAGE_SIZE > 4KB (bnc#1012382).
- dm cache metadata: save in-core policy_hint_size to on-disk superblock (bnc#1012382).
- dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA (bnc#1012382).
- dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() (bnc#1012382).
- dmaengine: pxa_dma: remove duplicate const qualifier (bnc#1012382).
- driver core: Partially revert "driver core: correct device's shutdown order" (bnc#1012382).
- drivers: net: lmc: fix case value for target abort error (bnc#1012382).
- drm/armada: fix colorkey mode property (bnc#1012382).
- drm/atmel-hlcdc: check stride values in the first plane (bsc#1106929).
- drm/atomic: Handling the case when setting old crtc for plane (bnc#1012382).
- drm/bridge: adv7511: Reset registers on hotplug (bnc#1012382).
- drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up (bsc#1101822).
- drm/drivers: add support for using the arch wc mapping API.
- drm/exynos/dsi: mask frame-done interrupt (bsc#1106929).
- drm/exynos: decon5433: Fix WINCONx reset value (bnc#1012382).
- drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes (bnc#1012382).
- drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes (bnc#1012382).
- drm/gma500: fix psb_intel_lvds_mode_valid()'s return type (bnc#1012382).
- drm/i915/userptr: reject zero user_size (bsc#1090888).
- drm/i915: Correctly handle limited range YCbCr data on VLV/CHV (bsc#1087092).
- drm/imx: fix typo in ipu_plane_formats (bsc#1106929).
- drm/imx: imx-ldb: check if channel is enabled before printing warning (bnc#1012382).
- drm/imx: imx-ldb: disable LDB on driver bind (bnc#1012382).
- drm/msm/hdmi: Use bitwise operators when building register values (bsc#1106929).
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bnc#1012382).
- drm/panel: type promotion bug in s6e8aa0_read_mtp_id() (bsc#1105769).
- drm/radeon: fix mode_valid's return type (bnc#1012382).
- drm: Add DP PSR2 sink enable bit (bnc#1012382).
- drm: Reject getfb for multi-plane framebuffers (bsc#1106929).
- enic: do not call enic_change_mtu in enic_probe.
- enic: handle mtu change for vf properly (bnc#1012382).
- enic: initialize enic->rfs_h.lock in enic_probe (bnc#1012382).
- ext4: check for NUL characters in extended attribute's name (bnc#1012382).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update s_last_mounted of a frozen fs (bsc#1101841).
- ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ext4: fix inline data updates with checksums enabled (bsc#1104494).
- ext4: fix spectre gadget in ext4_mb_regular_allocator() (bnc#1012382).
- ext4: reset error code in ext4_find_entry in fallback (bnc#1012382).
- ext4: sysfs: print ext4_super_block fields as little-endian (bsc#1106229).
- f2fs: fix to do not trigger writeback during recovery (bnc#1012382).
- fat: fix memory allocation failure handling of match_strdup() (bnc#1012382).
- fb: fix lost console when the user unplugs a USB adapter (bnc#1012382).
- fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106929).
- fix __legitimize_mnt()/mntput() race (bnc#1012382).
- fix mntput/mntput race (bnc#1012382).
- fork: unconditionally clear stack on fork (bnc#1012382).
- fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed (bnc#1012382).
- fs/dax.c: fix inefficiency in dax_writeback_mapping_range() (bsc#1106185).
- fs/quota: Fix spectre gadget in do_quotactl (bnc#1012382).
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr (bsc#1068075, bsc#1078921).
- fuse: Add missed unlock_page() to fuse_readpages_fill() (bnc#1012382).
- fuse: Do not access pipe->buffers without pipe_lock() (bnc#1012382).
- fuse: Fix oops at process_init_reply() (bnc#1012382).
- fuse: fix double request_end() (bnc#1012382).
- fuse: fix unlocked access to processing queue (bnc#1012382).
- fuse: umount should wait for all requests (bnc#1012382).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- getxattr: use correct xattr length (bnc#1012382).
- hfsplus: Do not clear SGID when inheriting ACLs (bsc#1030552).
- hvc_opal: do not set tb_ticks_per_usec in udbg_init_opal_common() (bnc#1012382).
- hwrng: exynos - Disable runtime PM on driver unbind.
- i2c: davinci: Avoid zero value of CLKH (bnc#1012382).
- i2c: imx: Fix race condition in dma read (bnc#1012382).
- i2c: imx: Fix reinit_completion() use (bnc#1012382).
- i2c: ismt: fix wrong device address when unmap the data buffer (bnc#1012382).
- i40e: use cpumask_copy instead of direct assignment (bsc#1053685).
- i40iw: Fix memory leak in error path of create QP (bsc#969476 bsc#969477).
- i40iw: Use correct address in dst_neigh_lookup for IPv6 (bsc#969476 bsc#969477).
- ibmvnic: Include missing return code checks in reset function (bnc#1107966).
- ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- ieee802154: at86rf230: use __func__ macro for debug messages (bnc#1012382).
- ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- igb: Fix not adding filter elements to the list (bsc#1024361 bsc#1024365).
- iio: ad9523: Fix displayed phase (bnc#1012382).
- iio: ad9523: Fix return value for ad952x_store() (bnc#1012382).
- inet: frag: enforce memory limits earlier (bnc#1012382 bsc#970506).
- iommu/amd: make sure TLB to be flushed before IOVA freed (bsc#1106105).
- iommu/vt-d: Add definitions for PFSID (bnc#1012382).
- iommu/vt-d: Fix dev iotlb pfsid use (bnc#1012382).
- iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
- ioremap: Update pgtable free interfaces with addr (bnc#1012382).
- ip: hash fragments consistently (bnc#1012382).
- ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull (bnc#1012382).
- ipconfig: Correctly initialise ic_nameservers (bnc#1012382).
- ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV (bnc#1012382).
- ipv4: Return EINVAL when ping_group_range sysctl does not map to user ns (bnc#1012382).
- ipv4: remove BUG_ON() from fib_compute_spec_dst (bnc#1012382).
- ipv6: fix useless rol32 call on hash (bnc#1012382).
- ipv6: mcast: fix unsolicited report interval after receiving querys (bnc#1012382).
- ipvlan: use ETH_MAX_MTU as max mtu (bsc#1033962).
- iscsi target: fix session creation failure handling (bnc#1012382).
- isdn: Disable IIOCDBGVAR (bnc#1012382).
- iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen() (bsc#969476 bsc#969477).
- iwlwifi: pcie: fix race in Rx buffer allocator (bnc#1012382).
- ixgbe: Be more careful when modifying MAC filters (bnc#1012382).
- jfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- jump_label: Add RELEASE barrier after text changes (bsc#1105271).
- jump_label: Fix concurrent static_key_enable/disable() (bsc#1105271).
- jump_label: Move CPU hotplug locking (bsc#1105271).
- jump_label: Provide hotplug context variants (bsc#1105271).
- jump_label: Reduce the size of struct static_key (bsc#1105271).
- jump_label: Reorder hotplug lock and jump_label_lock (bsc#1105271).
- jump_label: Split out code under the hotplug lock (bsc#1105271).
- jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1105271).
- kABI: protect enum tcp_ca_event (kabi).
- kABI: reexport tcp_send_ack (kabi).
- kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- kasan: do not emit builtin calls when sanitization is off (bnc#1012382).
- kasan: fix shadow_size calculation error in kasan_module_alloc (bnc#1012382).
- kbuild: verify that $DEPMOD is installed (bnc#1012382).
- kernel: improve spectre mitigation (bnc#1106934, LTC#171029).
- kprobes/x86: Fix %p uses in error messages (bnc#1012382).
- kprobes: Make list and blacklist root user read only (bnc#1012382).
- kthread, tracing: Do not expose half-written comm when creating kthreads (bsc#1104897).
- kvm: x86: vmx: fix vpid leak (bnc#1012382).
- l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache (bnc#1012382).
- lib/rhashtable: consider param->min_size when setting initial table size (bnc#1012382).
- libata: Fix command retry decision (bnc#1012382).
- libceph: check authorizer reply/challenge length before reading (bsc#1096748).
- libceph: factor out __ceph_x_decrypt() (bsc#1096748).
- libceph: factor out __prepare_write_connect() (bsc#1096748).
- libceph: factor out encrypt_authorizer() (bsc#1096748).
- libceph: store ceph_auth_handshake pointer in ceph_connection (bsc#1096748).
- libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() (bsc#1096748).
- llc: use refcount_inc_not_zero() for llc_sap_find() (bnc#1012382).
- locking/lockdep: Do not record IRQ state within lockdep code (bnc#1012382).
- locks: pass inode pointer to locks_free_lock_context (bsc#1099832).
- locks: prink more detail when there are leaked locks (bsc#1099832).
- locks: restore a warn for leaked locks on close (bsc#1099832).
- m68k: fix "bad page state" oops on ColdFire boot (bnc#1012382).
- mac80211: add stations tied to AP_VLANs during hw reconfig (bnc#1012382).
- md/raid10: fix that replacement cannot complete recovery after reassemble (bnc#1012382).
- md: fix NULL dereference of mddev->pers in remove_and_add_spares() (bnc#1012382).
- media: omap3isp: fix unbalanced dma_iommu_mapping (bnc#1012382).
- media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() (bnc#1012382).
- media: rtl28xxu: be sure that it won't go past the array size (bsc#1050431).
- media: s5p-jpeg: fix number of components macro (bsc#1050431).
- media: saa7164: Fix driver name in debug output (bnc#1012382).
- media: si470x: fix __be16 annotations (bnc#1012382).
- media: siano: get rid of __le32/__le16 cast warnings (bnc#1012382).
- media: staging: omap4iss: Include asm/cacheflush.h after generic includes (bnc#1012382).
- media: videobuf2-core: do not call memop 'finish' when queueing (bnc#1012382).
- memory: tegra: Apply interrupts mask per SoC (bnc#1012382).
- memory: tegra: Do not handle spurious interrupts (bnc#1012382).
- mfd: cros_ec: Fail early if we cannot identify the EC (bnc#1012382).
- microblaze: Fix simpleImage format generation (bnc#1012382).
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported (bnc#1106697).
- mm/memory.c: check return value of ioremap_prot (bnc#1012382).
- mm/slub.c: add __printf verification to slab_err() (bnc#1012382).
- mm/tlb: Remove tlb_remove_table() non-concurrent condition (bnc#1012382).
- mm: Add vm_insert_pfn_prot() (bnc#1012382).
- mm: fix cache mode tracking in vm_insert_mixed() (bnc#1012382).
- mm: memcg: fix use after free in mem_cgroup_iter() (bnc#1012382).
- mm: vmalloc: avoid racy handling of debugobjects in vunmap (bnc#1012382).
- mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 (bnc#1012382).
- mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages (bnc#1012382).
- mtd: ubi: wl: Fix error return code in ubi_wl_init().
- mwifiex: correct histogram data with appropriate index (bnc#1012382).
- mwifiex: handle race during mwifiex_usb_disconnect (bnc#1012382).
- net/9p/client.c: version pointer uninitialized (bnc#1012382).
- net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() (bnc#1012382).
- net/ethernet/freescale/fman: fix cross-build error (bnc#1012382).
- net/ipv4: Set oif in fib_compute_spec_dst (bnc#1012382).
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper (bnc#1012382).
- net/mlx5: Add missing SET_DRIVER_VERSION command translation (bsc#1015342 bsc#1015343).
- net/mlx5: E-Switch, Include VF RDMA stats in vport statistics (bsc#966170 bsc#966172).
- net/mlx5: Eswitch, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- net/mlx5: Fix wrong size allocation for QoS ETC TC regitster (bsc#966170 bsc#966172).
- net/mlx5: Vport, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#966170 bsc#966172).
- net/mlx5e: Do not allow aRFS for encapsulated packets (bsc#1015342 bsc#1015343).
- net/mlx5e: Err if asked to offload TC match on frag being first (bsc#1015342 bsc#1015343).
- net/mlx5e: Fix quota counting in aRFS expire flow (bsc#1015342 bsc#1015343).
- net/mlx5e: Refine ets validation function (bsc#966170 bsc#966172).
- net: 6lowpan: fix reserved space for single frames (bnc#1012382).
- net: Do not copy pfmemalloc flag in __copy_skb_header() (bnc#1012382).
- net: add skb_condense() helper (bsc#1089066).
- net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
- net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
- net: axienet: Fix double deregister of mdio (bnc#1012382).
- net: caif: Add a missing rcu_read_unlock() in caif_flow_cb (bnc#1012382).
- net: davinci_emac: match the mdio device against its compatible if possible (bnc#1012382).
- net: dsa: Do not suspend/resume closed slave_dev (bnc#1012382).
- net: ena: Fix use of uninitialized DMA address bits field (bsc#1027968).
- net: fix amd-xgbe flow-control issue (bnc#1012382).
- net: hamradio: use eth_broadcast_addr (bnc#1012382).
- net: lan78xx: Fix misplaced tasklet_schedule() call (bnc#1012382).
- net: lan78xx: fix rx handling before first packet is send (bnc#1012382).
- net: mac802154: tx: expand tailroom if necessary (bnc#1012382).
- net: phy: fix flag masking in __set_phy_supported (bnc#1012382).
- net: prevent ISA drivers from building on PPC32 (bnc#1012382).
- net: propagate dev_get_valid_name return code (bnc#1012382).
- net: qca_spi: Avoid packet drop during initial sync (bnc#1012382).
- net: qca_spi: Fix log level if probe fails (bnc#1012382).
- net: qca_spi: Make sure the QCA7000 reset is triggered (bnc#1012382).
- net: socket: fix potential spectre v1 gadget in socketcall (bnc#1012382).
- net: usb: rtl8150: demote allmulti message to dev_dbg() (bnc#1012382).
- net: vmxnet3: use new api ethtool_{get|set}_link_ksettings (bsc#1091860 bsc#1098253).
- net_sched: Fix missing res info when create new tc_index filter (bnc#1012382).
- net_sched: fix NULL pointer dereference when delete tcindex filter (bnc#1012382).
- netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state (bnc#1012382).
- netfilter: ipset: List timing out entries with "timeout 1" instead of zero (bnc#1012382).
- netfilter: ipv6: nf_defrag: reduce struct net memory waste (bnc#1012382).
- netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule (bsc#1102797).
- netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet (bsc#1102797).
- netfilter: x_tables: set module owner for icmp(6) matches (bnc#1012382).
- netlink: Do not shift on 64 for ngroups (bnc#1012382).
- netlink: Do not shift with UB on nlk->ngroups (bnc#1012382).
- netlink: Do not subscribe to non-existent groups (bnc#1012382).
- netlink: Fix spectre v1 gadget in netlink_create() (bnc#1012382).
- netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo (bnc#1012382).
- nl80211: Add a missing break in parse_station_flags (bnc#1012382).
- nohz: Fix local_timer_softirq_pending() (bnc#1012382).
- nvme-fc: release io queues to allow fast fail (bsc#1102486).
- nvme: if_ready checks to fail io to deleting controller (bsc#1102486).
- nvme: kABI-compliant version of nvmf_fail_nonready_command() (bsc#1102486).
- nvmet-fc: fix target sgl list on large transfers (bsc#1102486).
- osf_getdomainname(): use copy_to_user() (bnc#1012382).
- ovl: Do d_type check only if work dir creation was successful (bnc#1012382).
- ovl: Ensure upper filesystem supports d_type (bnc#1012382).
- ovl: warn instead of error if d_type is not supported (bnc#1012382).
- packet: refine ring v3 block size test to hold one frame (bnc#1012382).
- packet: reset network header if packet shorter than ll reserved space (bnc#1012382).
- parisc: Define mb() and add memory barriers to assembler unlock sequences (bnc#1012382).
- parisc: Enable CONFIG_MLONGCALLS by default (bnc#1012382).
- parisc: Remove ordered stores from syscall.S (bnc#1012382).
- parisc: Remove unnecessary barriers from spinlock.h (bnc#1012382).
- perf auxtrace: Fix queue resize (bnc#1012382).
- perf llvm-utils: Remove bashism from kernel include fetch script (bnc#1012382).
- perf report powerpc: Fix crash if callchain is empty (bnc#1012382).
- perf test session topology: Fix test on s390 (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check for NHM (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check in generic code (bnc#1012382).
- perf: fix invalid bit in diagnostic entry (bnc#1012382).
- pinctrl: at91-pio4: add missing of_node_put (bnc#1012382).
- pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() (bnc#1012382).
- pnfs/blocklayout: off by one in bl_map_stripe() (bnc#1012382).
- powerpc/32: Add a missing include header (bnc#1012382).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032).
- powerpc/64s: Fix compiler store ordering to SLB shadow area (bnc#1012382).
- powerpc/8xx: fix invalid register expression in head_8xx.S (bnc#1012382).
- powerpc/chrp/time: Make some functions static, add missing header include (bnc#1012382).
- powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet (bnc#1012382).
- powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269).
- powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269).
- powerpc/lib: Fix the feature fixup tests to actually work (bsc#1066223).
- powerpc/powermac: Add missing prototype for note_bootable_part() (bnc#1012382).
- powerpc/powermac: Mark variable x as unused (bnc#1012382).
- powerpc/pseries: Fix endianness while restoring of r3 in MCE handler (bnc#1012382).
- powerpc/topology: Get topology for shared processors at boot (bsc#1104683).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc: make feature-fixup tests fortify-safe (bsc#1066223).
- provide special timeout module parameters for EC2 (bsc#1065364).
- ptp: fix missing break in switch (bnc#1012382).
- pwm: tiehrpwm: Fix disabling of output of PWMs (bnc#1012382).
- qed: Add sanity check for SIMD fastpath handler (bnc#1012382).
- qed: Correct Multicast API to reflect existence of 256 approximate buckets (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Do not advertise DCBX_LLD_MANAGED capability (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible memory leak in Rx error path handling (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible race for the link state value (bnc#1012382).
- qed: Fix setting of incorrect eswitch mode (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix use of incorrect size in memcpy call (bsc#1019695 bsc#1019699 bsc#1022604).
- qede: Adverstise software timestamp caps when PHC is not available (bsc#1019695 bsc#1019699 bsc#1022604).
- qlge: Fix netdev features configuration (bsc#1098822).
- qlogic: check kstrtoul() for errors (bnc#1012382).
- random: mix rdrand with entropy sent in from userspace (bnc#1012382).
- readahead: stricter check for bdi io_pages (VM Functionality).
- regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops (bnc#1012382).
- reiserfs: fix broken xattr handling (heap corruption, bad retval) (bnc#1012382).
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer (bnc#1012382).
- root dentries need RCU-delayed freeing (bnc#1012382).
- rsi: Fix 'invalid vdd' warning in mmc (bnc#1012382).
- rtc: ensure rtc_set_alarm fails when alarms are not supported (bnc#1012382).
- rtnetlink: add rtnl_link_state check in rtnl_configure_link (bnc#1012382).
- s390/cpum_sf: Add data entry sizes to sampling trailer entry (bnc#1012382).
- s390/kvm: fix deadlock when killed by oom (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (bnc#1106934, LTC#171029).
- s390/pci: fix out of bounds access during irq setup (bnc#1012382).
- s390/qdio: reset old sbal_state flags (bnc#1012382).
- s390/qeth: do not clobber buffer on async TX completion (bnc#1104485, LTC#170349).
- s390/qeth: fix race when setting MAC address (bnc#1104485, LTC#170726).
- s390: add explicit for jump label (bsc#1105271).
- s390: detect etoken facility (bnc#1106934, LTC#171029).
- s390: fix br_r1_trampoline for machines without exrl (bnc#1012382 bnc#1106934 LTC#171029).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scsi: 3w-9xxx: fix a missing-check bug (bnc#1012382).
- scsi: 3w-xxxx: fix a missing-check bug (bnc#1012382).
- scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock (bnc#1012382).
- scsi: fcoe: drop frames in ELS LOGO error path (bnc#1012382).
- scsi: hpsa: limit transfer length to 1MB, not 512kB (bsc#1102346).
- scsi: libiscsi: fix possible NULL pointer dereference in case of TMF (bnc#1012382).
- scsi: megaraid: silence a static checker bug (bnc#1012382).
- scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs (bnc#1012382).
- scsi: qla2xxx: Fix ISP recovery on unload (bnc#1012382).
- scsi: qla2xxx: Return error when TMF returns (bnc#1012382).
- scsi: scsi_dh: replace too broad "TP9" string with the exact models (bnc#1012382).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (bnc#1012382).
- scsi: sysfs: Introduce sysfs_{un,}break_active_protection() (bnc#1012382).
- scsi: ufs: fix exception event handling (bnc#1012382).
- scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED (bnc#1012382).
- scsi: xen-scsifront: add error handling for xenbus_printf (bnc#1012382).
- scsi_debug: call resp_XXX function after setting host_scribble (bsc#1069138).
- scsi_debug: reset injection flags for every_nth > 0 (bsc#1069138).
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC (bnc#1012382).
- selftest/seccomp: Fix the seccomp(2) signature (bnc#1012382).
- selftests/ftrace: Add snapshot and tracing_on test case (bnc#1012382).
- selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs (bnc#1012382).
- selftests: pstore: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: static_keys: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: sync: add config fragment for testing sync framework (bnc#1012382).
- selftests: user: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: zram: return Kselftest Skip code for skipped tests (bnc#1012382).
- serial: 8250_dw: always set baud rate in dw8250_set_termios (bnc#1012382).
- sfc: stop the TX queue before pushing new buffers (bsc#1017967 ).
- skbuff: Unconditionally copy pfmemalloc in __skb_clone() (bnc#1012382).
- slab: __GFP_ZERO is incompatible with a constructor (bnc#1107060).
- smb3: Do not send SMB3 SET_INFO if nothing changed (bnc#1012382).
- smb3: do not request leases in symlink creation and query (bnc#1012382).
- spi: davinci: fix a NULL pointer dereference (bnc#1012382).
- squashfs: be more careful about metadata corruption (bnc#1012382).
- squashfs: more metadata hardening (bnc#1012382).
- squashfs: more metadata hardenings (bnc#1012382).
- staging: android: ion: check for kref overflow (bnc#1012382).
- string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1107319).
- sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
- target_core_rbd: use RCU in free_device (bsc#1105524).
- tcp: Fix missing range_truesize enlargement in the backport (bnc#1012382).
- tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode (bnc#1012382).
- tcp: add one more quick ack after after ECN events (bnc#1012382).
- tcp: do not aggressively quick ack after ECN events (bnc#1012382).
- tcp: do not cancel delay-AcK on DCTCP special ACK (bnc#1012382).
- tcp: do not delay ACK in DCTCP upon CE status change (bnc#1012382).
- tcp: do not force quickack when receiving out-of-order packets (bnc#1012382).
- tcp: fix dctcp delayed ACK schedule (bnc#1012382).
- tcp: helpers to send special DCTCP ack (bnc#1012382).
- tcp: identify cryptic messages as TCP seq # bugs (bnc#1012382).
- tcp: refactor tcp_ecn_check_ce to remove sk type cast (bnc#1012382).
- tcp: remove DELAYED ACK events in DCTCP (bnc#1012382).
- tg3: Add higher cpu clock for 5762 (bnc#1012382).
- thermal: exynos: fix setting rising_threshold for Exynos5433 (bnc#1012382).
- timekeeping: Eliminate the stale declaration of ktime_get_raw_and_real_ts64() (bsc#969470).
- tools/power turbostat: Read extended processor family from CPUID (bnc#1012382).
- tools/power turbostat: fix -S on UP systems (bnc#1012382).
- tools: usb: ffs-test: Fix build on big endian systems (bnc#1012382).
- tpm: fix race condition in tpm_common_write() (bnc#1012382).
- tracing/blktrace: Fix to allow setting same value (bnc#1012382).
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure (bnc#1012382).
- tracing: Do not call start/stop() functions when tracing_on does not change (bnc#1012382).
- tracing: Fix double free of event_trigger_data (bnc#1012382).
- tracing: Fix possible double free in event_enable_trigger_func() (bnc#1012382).
- tracing: Quiet gcc warning about maybe unused link variable (bnc#1012382).
- tracing: Use __printf markup to silence compiler (bnc#1012382).
- tty: Fix data race in tty_insert_flip_string_fixed_flag (bnc#1012382).
- turn off -Wattribute-alias (bnc#1012382).
- ubi: Be more paranoid while seaching for the most recent Fastmap (bnc#1012382).
- ubi: Fix Fastmap's update_vol() (bnc#1012382).
- ubi: Fix races around ubi_refill_pools() (bnc#1012382).
- ubi: Introduce vol_ignored() (bnc#1012382).
- ubi: Rework Fastmap attach base code (bnc#1012382).
- ubi: fastmap: Erase outdated anchor PEBs during attach (bnc#1012382).
- ubifs: Check data node size before truncate (bsc#1106276).
- ubifs: Fix memory leak in lprobs self-check (bsc#1106278).
- ubifs: Fix synced_i_size calculation for xattr inodes (bsc#1106275).
- ubifs: xattr: Do not operate on deleted inodes (bsc#1106271).
- udl-kms: change down_interruptible to down (bnc#1012382).
- udl-kms: fix crash due to uninitialized memory (bnc#1012382).
- udl-kms: handle allocation failure (bnc#1012382).
- udlfb: set optimal write delay (bnc#1012382).
- uprobes: Use synchronize_rcu() not synchronize_sched() (bnc#1012382).
- usb/phy: fix PPC64 build errors in phy-fsl-usb.c (bnc#1012382).
- usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1099810).
- usb: cdc_acm: Add quirk for Castles VEGA3000 (bnc#1012382).
- usb: dwc2: debugfs: Do not touch RX FIFO during register dump (bsc#1100132).
- usb: dwc2: fix isoc split in transfer with no data (bnc#1012382).
- usb: gadget: composite: fix delayed_status race condition when set_interface (bnc#1012382).
- usb: gadget: dwc2: fix memory leak in gadget_init() (bnc#1012382).
- usb: gadget: f_fs: Only return delayed status when len is 0 (bnc#1012382).
- usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' (bnc#1012382).
- usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() (bnc#1012382).
- usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() (bnc#1012382).
- usb: hub: Do not wait for connect state at resume for powered-off ports (bnc#1012382).
- usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock (bsc#1085536).
- usb: xhci: increase CRS timeout value (bnc#1012382).
- usbip: usbip_detach: Fix memory, udev context and udev leak (bnc#1012382).
- userns: move user access out of the mutex (bnc#1012382).
- vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841).
- virtio_balloon: fix another race between migration and ballooning (bnc#1012382).
- virtio_console: fix uninitialized variable use.
- vmw_balloon: VMCI_DOORBELL_SET does not check status (bnc#1012382).
- vmw_balloon: do not use 2MB without batching (bnc#1012382).
- vmw_balloon: fix VMCI use when balloon built into kernel (bnc#1012382).
- vmw_balloon: fix inflation of 64-bit GFNs (bnc#1012382).
- vmxnet3: Replace msleep(1) with usleep_range() (bsc#1091860 bsc#1098253).
- vmxnet3: add receive data ring support (bsc#1091860 bsc#1098253).
- vmxnet3: add support for get_coalesce, set_coalesce ethtool operations (bsc#1091860 bsc#1098253).
- vmxnet3: allow variable length transmit data ring buffer (bsc#1091860 bsc#1098253).
- vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() (bsc#1091860 bsc#1098253).
- vmxnet3: avoid format strint overflow warning (bsc#1091860 bsc#1098253).
- vmxnet3: avoid xmit reset due to a race in vmxnet3 (bsc#1091860 bsc#1098253).
- vmxnet3: fix incorrect dereference when rxvlan is disabled (bsc#1091860 bsc#1098253).
- vmxnet3: fix non static symbol warning (bsc#1091860 bsc#1098253).
- vmxnet3: fix tx data ring copy for variable size (bsc#1091860 bsc#1098253).
- vmxnet3: increase default rx ring sizes (bsc#1091860 bsc#1098253).
- vmxnet3: introduce command to register memory region (bsc#1091860 bsc#1098253).
- vmxnet3: introduce generalized command interface to configure the device (bsc#1091860 bsc#1098253).
- vmxnet3: prepare for version 3 changes (bsc#1091860 bsc#1098253).
- vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1091860 bsc#1098253).
- vmxnet3: remove unused flag "rxcsum" from struct vmxnet3_adapter (bsc#1091860 bsc#1098253).
- vmxnet3: set the DMA mask before the first DMA map operation (bsc#1091860 bsc#1098253).
- vmxnet3: update to version 3 (bsc#1091860 bsc#1098253).
- vmxnet3: use DMA memory barriers where required (bsc#1091860 bsc#1098253).
- vmxnet3: use correct flag to indicate LRO feature (bsc#1091860 bsc#1098253).
- vsock: split dwork to avoid reinitializations (bnc#1012382).
- vti6: Fix dev->max_mtu setting (bsc#1033962).
- vti6: fix PMTU caching and reporting on xmit (bnc#1012382).
- wlcore: sdio: check for valid platform device data before suspend (bnc#1012382).
- x86/MCE: Remove min interval polling limitation (bnc#1012382).
- x86/amd: do not set X86_BUG_SYSRET_SS_ATTRS when running under Xen (bnc#1012382).
- x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs (bnc#1012382).
- x86/bugs: Move the l1tf function and define pr_fmt properly (bnc#1012382).
- x86/bugs: Respect nospec command line option (bsc#1068032).
- x86/cpu/AMD: Fix erratum 1076 (CPB bit) (bnc#1012382).
- x86/cpu: Make alternative_msr_write work for 32-bit code (bnc#1012382).
- x86/cpu: Re-apply forced caps every time CPU caps are re-read (bnc#1012382).
- x86/cpufeature: preserve numbers (kabi).
- x86/cpufeatures: Add CPUID_7_EDX CPUID leaf (bnc#1012382).
- x86/cpufeatures: Clean up Spectre v2 related CPUID flags (bnc#1012382).
- x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (bnc#1012382).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/init: fix build with CONFIG_SWAP=n (bnc#1012382).
- x86/irqflags: Mark native_restore_fl extern inline (bnc#1012382).
- x86/irqflags: Provide a declaration for native_save_fl.
- x86/mm/kmmio: Make the tracer robust against L1TF (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call (bnc#1012382).
- x86/mm/pat: Make set_memory_np() L1TF safe (bnc#1012382).
- x86/mm: Add TLB purge to free pmd/pte page interfaces (bnc#1012382).
- x86/mm: Disable ioremap free page handling on x86-PAE (bnc#1012382).
- x86/mm: Give each mm TLB flush generation a unique ID (bnc#1012382).
- x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (bnc#1012382).
- x86/paravirt: Make native_save_fl() extern inline (bnc#1012382).
- x86/process: Correct and optimize TIF_BLOCKSTEP switch (bnc#1012382).
- x86/process: Optimize TIF checks in __switch_to_xtra() (bnc#1012382).
- x86/process: Optimize TIF_NOTSC switch (bnc#1012382).
- x86/process: Re-export start_thread() (bnc#1012382).
- x86/spectre: Add missing family 6 check to microcode check (bnc#1012382).
- x86/spectre_v2: Do not check microcode versions when running under hypervisors (bnc#1012382).
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion (bnc#1012382).
- x86/speculation/l1tf: Extend 64bit swap file size limit (bnc#1012382).
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1012382).
- x86/speculation/l1tf: Fix up CPU feature flags (bnc#1012382).
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382).
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- x86/speculation/l1tf: Invert all not present mappings (bnc#1012382).
- x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (bnc#1012382).
- x86/speculation/l1tf: Protect PAE swap entries against L1TF (bnc#1012382).
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536).
- x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (bnc#1012382).
- x86/speculation: Add dependency (bnc#1012382).
- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (bnc#1012382).
- x86/speculation: Clean up various Spectre related details (bnc#1012382).
- x86/speculation: Correct Speculation Control microcode blacklist again (bnc#1012382).
- x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP (bnc#1012382).
- x86/speculation: Update Speculation Control microcode blacklist (bnc#1012382).
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369).
- x86/speculation: Use IBRS if available before calling into firmware (bnc#1012382).
- x86/speculation: Use Indirect Branch Prediction Barrier in context switch (bnc#1012382).
- x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths (bnc#1012382).
- xen-netfront: wait xenbus state change when load module manually (bnc#1012382).
- xen/blkback: do not keep persistent grants too long (bsc#1085042).
- xen/blkback: move persistent grants flags to bool (bsc#1085042).
- xen/blkfront: cleanup stale persistent grants (bsc#1085042).
- xen/blkfront: reorder tests in xlblk_init() (bsc#1085042).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen: avoid crash in disable_hotplug_cpu (bsc#1106594).
- xen: set cpu capabilities from xen_start_kernel() (bnc#1012382).
- xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382).
- xfrm: free skb if nlsk pointer is NULL (bnc#1012382).
- xfrm_user: prevent leaking 2 bytes of kernel memory (bnc#1012382).
- xfs: Remove dead code from inode recover function (bsc#1105396).
- xfs: repair malformed inode items during log recovery (bsc#1105396).
- xhci: Fix perceived dead host due to runtime suspend race with event handler (bnc#1012382).
- zswap: re-check zswap_is_full() after do zswap_shrink() (bnc#1012382).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP3:

  zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-2004=1

- SUSE Linux Enterprise Server 12-SP3:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2004=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch):

  kernel-docs-azure-4.4.155-4.16.1

- SUSE Linux Enterprise Server 12-SP3 (x86_64):

  kernel-azure-4.4.155-4.16.1
  kernel-azure-base-4.4.155-4.16.1
  kernel-azure-base-debuginfo-4.4.155-4.16.1
  kernel-azure-debuginfo-4.4.155-4.16.1
  kernel-azure-debugsource-4.4.155-4.16.1
  kernel-azure-devel-4.4.155-4.16.1
  kernel-syms-azure-4.4.155-4.16.1

- SUSE Linux Enterprise Server 12-SP3 (noarch):

  kernel-devel-azure-4.4.155-4.16.1
  kernel-source-azure-4.4.155-4.16.1

References:

https://www.suse.com/security/cve/CVE-2018-10876.html
https://www.suse.com/security/cve/CVE-2018-10877.html
https://www.suse.com/security/cve/CVE-2018-10878.html
https://www.suse.com/security/cve/CVE-2018-10879.html
https://www.suse.com/security/cve/CVE-2018-10880.html
https://www.suse.com/security/cve/CVE-2018-10881.html
https://www.suse.com/security/cve/CVE-2018-10882.html
https://www.suse.com/security/cve/CVE-2018-10883.html
https://www.suse.com/security/cve/CVE-2018-10902.html
https://www.suse.com/security/cve/CVE-2018-10938.html
https://www.suse.com/security/cve/CVE-2018-10940.html
https://www.suse.com/security/cve/CVE-2018-1128.html
https://www.suse.com/security/cve/CVE-2018-1129.html
https://www.suse.com/security/cve/CVE-2018-12896.html
https://www.suse.com/security/cve/CVE-2018-13093.html
https://www.suse.com/security/cve/CVE-2018-13094.html
https://www.suse.com/security/cve/CVE-2018-13095.html
https://www.suse.com/security/cve/CVE-2018-15572.html
https://www.suse.com/security/cve/CVE-2018-16658.html
https://www.suse.com/security/cve/CVE-2018-6554.html
https://www.suse.com/security/cve/CVE-2018-6555.html
https://www.suse.com/security/cve/CVE-2018-9363.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1015342
https://bugzilla.suse.com/1015343
https://bugzilla.suse.com/1017967
https://bugzilla.suse.com/1019695
https://bugzilla.suse.com/1019699
https://bugzilla.suse.com/1020412
https://bugzilla.suse.com/1021121
https://bugzilla.suse.com/1022604
https://bugzilla.suse.com/1024361
https://bugzilla.suse.com/1024365
https://bugzilla.suse.com/1024376
https://bugzilla.suse.com/1027968
https://bugzilla.suse.com/1030552
https://bugzilla.suse.com/1033962
https://bugzilla.suse.com/1042286
https://bugzilla.suse.com/1048317
https://bugzilla.suse.com/1050431
https://bugzilla.suse.com/1053685
https://bugzilla.suse.com/1055014
https://bugzilla.suse.com/1056596
https://bugzilla.suse.com/1062604
https://bugzilla.suse.com/1063646
https://bugzilla.suse.com/1064232
https://bugzilla.suse.com/1065364
https://bugzilla.suse.com/1066223
https://bugzilla.suse.com/1068032
https://bugzilla.suse.com/1068075
https://bugzilla.suse.com/1069138
https://bugzilla.suse.com/1078921
https://bugzilla.suse.com/1080157
https://bugzilla.suse.com/1083663
https://bugzilla.suse.com/1085042
https://bugzilla.suse.com/1085536
https://bugzilla.suse.com/1085539
https://bugzilla.suse.com/1086457
https://bugzilla.suse.com/1087092
https://bugzilla.suse.com/1089066
https://bugzilla.suse.com/1090888
https://bugzilla.suse.com/1091171
https://bugzilla.suse.com/1091860
https://bugzilla.suse.com/1092903
https://bugzilla.suse.com/1096254
https://bugzilla.suse.com/1096748
https://bugzilla.suse.com/1097105
https://bugzilla.suse.com/1098253
https://bugzilla.suse.com/1098822
https://bugzilla.suse.com/1099597
https://bugzilla.suse.com/1099810
https://bugzilla.suse.com/1099811
https://bugzilla.suse.com/1099813
https://bugzilla.suse.com/1099832
https://bugzilla.suse.com/1099844
https://bugzilla.suse.com/1099845
https://bugzilla.suse.com/1099846
https://bugzilla.suse.com/1099849
https://bugzilla.suse.com/1099863
https://bugzilla.suse.com/1099864
https://bugzilla.suse.com/1099922
https://bugzilla.suse.com/1099999
https://bugzilla.suse.com/1100000
https://bugzilla.suse.com/1100001
https://bugzilla.suse.com/1100132
https://bugzilla.suse.com/1101822
https://bugzilla.suse.com/1101841
https://bugzilla.suse.com/1102346
https://bugzilla.suse.com/1102486
https://bugzilla.suse.com/1102517
https://bugzilla.suse.com/1102715
https://bugzilla.suse.com/1102797
https://bugzilla.suse.com/1103269
https://bugzilla.suse.com/1103445
https://bugzilla.suse.com/1104319
https://bugzilla.suse.com/1104485
https://bugzilla.suse.com/1104494
https://bugzilla.suse.com/1104495
https://bugzilla.suse.com/1104683
https://bugzilla.suse.com/1104897
https://bugzilla.suse.com/1105271
https://bugzilla.suse.com/1105292
https://bugzilla.suse.com/1105322
https://bugzilla.suse.com/1105392
https://bugzilla.suse.com/1105396
https://bugzilla.suse.com/1105524
https://bugzilla.suse.com/1105536
https://bugzilla.suse.com/1105769
https://bugzilla.suse.com/1106016
https://bugzilla.suse.com/1106105
https://bugzilla.suse.com/1106185
https://bugzilla.suse.com/1106229
https://bugzilla.suse.com/1106271
https://bugzilla.suse.com/1106275
https://bugzilla.suse.com/1106276
https://bugzilla.suse.com/1106278
https://bugzilla.suse.com/1106281
https://bugzilla.suse.com/1106283
https://bugzilla.suse.com/1106369
https://bugzilla.suse.com/1106509
https://bugzilla.suse.com/1106511
https://bugzilla.suse.com/1106594
https://bugzilla.suse.com/1106697
https://bugzilla.suse.com/1106929
https://bugzilla.suse.com/1106934
https://bugzilla.suse.com/1106995
https://bugzilla.suse.com/1107060
https://bugzilla.suse.com/1107078
https://bugzilla.suse.com/1107319
https://bugzilla.suse.com/1107320
https://bugzilla.suse.com/1107689
https://bugzilla.suse.com/1107735
https://bugzilla.suse.com/1107966
https://bugzilla.suse.com/963575
https://bugzilla.suse.com/966170
https://bugzilla.suse.com/966172
https://bugzilla.suse.com/969470
https://bugzilla.suse.com/969476
https://bugzilla.suse.com/969477
https://bugzilla.suse.com/970506

From sle-updates at lists.suse.com Tue Sep 25 13:08:02 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Sep 2018 21:08:02 +0200 (CEST)
Subject: SUSE-SU-2018:2860-1: important: Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP2)
Message-ID: <20180925190802.46D02FCAB@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP2)
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2860-1
Rating: important
References: #1096723 #1102682 #1105323 #1106191
Cross-References: CVE-2018-1000026 CVE-2018-10902 CVE-2018-10938 CVE-2018-5390
Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP2
    SUSE Linux Enterprise Server 12-SP2-LTSS
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.4.103-92_56 fixes several issues.

The following security issues were fixed:

- CVE-2018-5390: Prevent very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming TCP packet which can lead to a denial of service (bsc#1102682).
- CVE-2018-1000026: Fixed an insufficient input validation in bnx2x network card driver that can result in DoS via very large, specially crafted packet to the bnx2x card due to a network card firmware assertion that will take the card offline (bsc#1096723).
- CVE-2018-10938: Fixed an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service via crafted network packets (bsc#1106191).
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which led to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(), allowing a malicious local attacker to use this for privilege escalation (bsc#1105323).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP2:

  zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2011=1 SUSE-SLE-SAP-12-SP2-2018-2012=1 SUSE-SLE-SAP-12-SP2-2018-2013=1 SUSE-SLE-SAP-12-SP2-2018-2014=1 SUSE-SLE-SAP-12-SP2-2018-2015=1 SUSE-SLE-SAP-12-SP2-2018-2016=1 SUSE-SLE-SAP-12-SP2-2018-2017=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2011=1 SUSE-SLE-SERVER-12-SP2-2018-2012=1 SUSE-SLE-SERVER-12-SP2-2018-2013=1 SUSE-SLE-SERVER-12-SP2-2018-2014=1 SUSE-SLE-SERVER-12-SP2-2018-2015=1 SUSE-SLE-SERVER-12-SP2-2018-2016=1 SUSE-SLE-SERVER-12-SP2-2018-2017=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

  kgraft-patch-4_4_103-92_53-default-9-2.1
  kgraft-patch-4_4_103-92_56-default-9-2.1
  kgraft-patch-4_4_114-92_64-default-7-2.1
  kgraft-patch-4_4_114-92_67-default-7-2.1
  kgraft-patch-4_4_74-92_38-default-12-2.1
  kgraft-patch-4_4_90-92_45-default-10-2.1
  kgraft-patch-4_4_90-92_50-default-10-2.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):

  kgraft-patch-4_4_103-92_53-default-9-2.1
  kgraft-patch-4_4_103-92_56-default-9-2.1
  kgraft-patch-4_4_114-92_64-default-7-2.1
  kgraft-patch-4_4_114-92_67-default-7-2.1
  kgraft-patch-4_4_74-92_38-default-12-2.1
  kgraft-patch-4_4_90-92_45-default-10-2.1
  kgraft-patch-4_4_90-92_50-default-10-2.1

References:

https://www.suse.com/security/cve/CVE-2018-1000026.html
https://www.suse.com/security/cve/CVE-2018-10902.html
https://www.suse.com/security/cve/CVE-2018-10938.html
https://www.suse.com/security/cve/CVE-2018-5390.html
https://bugzilla.suse.com/1096723
https://bugzilla.suse.com/1102682
https://bugzilla.suse.com/1105323
https://bugzilla.suse.com/1106191

From sle-updates at lists.suse.com Tue Sep 25 13:09:06 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Sep 2018 21:09:06 +0200 (CEST)
Subject: SUSE-SU-2018:2861-1: moderate: Security update for dom4j
Message-ID: <20180925190906.047D6FCD2@maintenance.suse.de>

SUSE Security Update: Security update for dom4j
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2861-1
Rating: moderate
References: #1105443
Cross-References: CVE-2018-1000632
Affected Products:
    SUSE Manager Server 3.2
    SUSE Manager Server 3.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for dom4j fixes the following issues:

- CVE-2018-1000632: Prevent XML injection vulnerability that allowed an attacker to tamper with XML documents (bsc#1105443)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Manager Server 3.2:

  zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-2018=1

- SUSE Manager Server 3.0:

  zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2018-2018=1

Package List:

- SUSE Manager Server 3.2 (noarch):

  dom4j-1.6.1-27.4.1

- SUSE Manager Server 3.0 (noarch):

  dom4j-1.6.1-27.4.1

References:

https://www.suse.com/security/cve/CVE-2018-1000632.html
https://bugzilla.suse.com/1105443

From sle-updates at lists.suse.com Tue Sep 25 13:09:39 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Sep 2018 21:09:39 +0200 (CEST)
Subject: SUSE-SU-2018:2862-1: important: Security update for the Linux Kernel
Message-ID: <20180925190939.62F0DFCD2@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2862-1
Rating: important
References: #1012382 #1015342 #1015343 #1017967 #1019695 #1019699 #1020412 #1021121 #1022604 #1024361 #1024365 #1024376 #1027968 #1030552 #1031492 #1033962 #1042286 #1048317 #1050431 #1053685 #1055014 #1056596 #1062604 #1063646 #1064232 #1066223 #1068032 #1068075 #1069138 #1078921 #1080157 #1083663 #1085042 #1085536 #1085539 #1087092 #1089066 #1090888 #1092903 #1096748 #1097105 #1098822 #1099597 #1099810 #1099832 #1099922 #1099999 #1100000 #1100001 #1100132 #1102346 #1102486 #1102517 #1104485 #1104683 #1105271 #1105296 #1105322 #1105323 #1105392 #1105396 #1105524 #1105536 #1105769 #1106016 #1106105 #1106185 #1106191 #1106229 #1106271 #1106275 #1106276 #1106278 #1106281 #1106283 #1106369 #1106509 #1106511 #1106697 #1106929 #1106934 #1106995 #1107060 #1107078 #1107319 #1107320 #1107689 #1107735 #1107966 #963575 #966170 #966172 #969470 #969476 #969477
Cross-References: CVE-2018-10902 CVE-2018-10938 CVE-2018-1128 CVE-2018-1129 CVE-2018-12896 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-15572 CVE-2018-16658
CVE-2018-6554 CVE-2018-6555
Affected Products: SUSE Linux Enterprise Real Time Extension 12-SP3
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 83 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP3 RT kernel was updated to 4.4.155 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurred because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)
- CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999)
- CVE-2018-13094: Prevent OOPS that may have occurred for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random.
  This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)
- CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748)
- CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748)
- CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016)
- CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517)
- CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322).
The following non-security bugs were fixed:

- 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382).
- 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382).
- 9p: fix multiple NULL-pointer-dereferences (bnc#1012382).
- ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382).
- ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382).
- ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382).
- ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382).
- ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382).
- ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382).
- ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382).
- ALSA: memalloc: Do not exceed over the requested size (bnc#1012382).
- ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810).
- ALSA: virmidi: Fix too long output trigger loop (bnc#1012382).
- ALSA: vx222: Fix invalid endian conversions (bnc#1012382).
- ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382).
- ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382).
- ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382).
- ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382).
- ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382).
- ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382).
- ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382).
- ARM: dts: da850: Fix interrups property for gpio (bnc#1012382).
- ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382).
- ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382).
- ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382).
- ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382).
- ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382).
- ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver (git-fixes). - ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382). - ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382). - ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382). - Bluetooth: avoid killing an already killed socket (bnc#1012382). - Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092). - Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092). - HID: wacom: Correct touch maximum XY of 2nd-gen Intuos (bnc#1012382). - IB/core: Make testing MR flags for writability a static inline function (bnc#1012382). - IB/core: Remove duplicate declaration of gid_cache_wq (bsc#1056596). - IB/iser: Do not reduce max_sectors (bsc#1063646). - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' (git-fixes). - IB/mlx4: Mark user MR as writable if actual virtual memory is writable (bnc#1012382). - IB/mlx5: Fetch soft WQE's on fatal error state (bsc#1015342 bsc#1015343). - IB/mlx5: Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343). - IB/ocrdma: fix out of bounds access to local buffer (bnc#1012382). - KVM: MMU: always terminate page walks at level 1 (bsc#1062604). - KVM: MMU: simplify last_pte_bitmap (bsc#1062604). - KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369). - KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369). - KVM: arm/arm64: Skip updating PMD entry if no change (bnc#1012382). - KVM: arm/arm64: Skip updating PTE entry if no change (bnc#1012382). - KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer (bnc#1012382). - KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604). - MIPS: Correct the 64-bit DSP accumulator register size (bnc#1012382). - MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 (bnc#1012382). 
- PCI: Skip MPS logic for Virtual Functions (VFs) (bnc#1012382). - PCI: hotplug: Do not leak pci_slot on registration failure (bnc#1012382). - PCI: pciehp: Fix use-after-free on unplug (bnc#1012382). - PM / sleep: wakeup: Fix build error caused by missing SRCU support (bnc#1012382). - RDMA/i40iw: Avoid panic when objects are being created and destroyed (bsc#969476 bsc#969477). - RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint (bsc#969476 bsc#969477). - RDMA/i40iw: Avoid reference leaks when processing the AEQ (bsc#969476 bsc#969477). - RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1024376). - RDMA/mlx5: Use proper spec flow label type (bsc#1015342 bsc#1015343). - Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum" (bnc#1012382). - Revert "UBIFS: Fix potential integer overflow in allocation" (bnc#1012382). - Revert "f2fs: handle dirty segments inside refresh_sit_entry" (bsc#1106281). - Revert "mm: page_alloc: skip over regions of invalid pfns where possible" (bnc#1107078). - Smack: Mark inode instant in smack_task_to_inode (bnc#1012382). - USB: musb: fix external abort on suspend (bsc#1085536). - USB: option: add support for DW5821e (bnc#1012382). - USB: serial: metro-usb: stop I/O after failed open (bsc#1085539). - USB: serial: sierra: fix potential deadlock at close (bnc#1012382). - Workaround kABI breakage by __must_check drop of strscpy() (bsc#1107319). - afs: Fix directory permissions check (bsc#1106283). - arc: fix build errors in arc/include/asm/delay.h (bnc#1012382). - arc: fix type warnings in arc/mm/cache.c (bnc#1012382). - arm64: make secondary_start_kernel() notrace (bnc#1012382). - arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() (bnc#1012382). - atl1c: reserve min skb headroom (bnc#1012382). - atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066). - backlight: as3711_bl: Fix Device Tree node leaks (bsc#1106929). 
- backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1106929). - bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232). - bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232). - bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232). - bcache: do not check return value of debugfs_create_dir() (bsc#1064232). - bcache: finish incremental GC (bsc#1064232). - bcache: fix I/O significant decline while backend devices registering (bsc#1064232). - bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232). - bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232). - bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232). - bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232). - bcache: set max writeback rate when I/O request is idle (bsc#1064232). - bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232). - be2net: remove unused old custom busy-poll fields (bsc#1021121 ). - blkdev: __blkdev_direct_IO_simple: fix leak in error case (bsc#1083663). - block: bio_iov_iter_get_pages: fix size of last iovec (bsc#1083663). - block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs (bsc#1083663). - bnx2x: Fix invalid memory access in rss hash config path (bnc#1012382). - bnx2x: Fix receiving tx-timeout in error or recovery state (bnc#1012382). - bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#963575). - bnxt_en: Fix for system hang if request_irq fails (bnc#1012382). - bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1020412 ). - brcmfmac: stop watchdog before detach and free everything (bnc#1012382). - bridge: Propagate vlan add failure to user (bnc#1012382). - btrfs: do not leak ret from do_chunk_alloc (bnc#1012382). 
- btrfs: round down size diff when shrinking/growing device (bsc#1097105). - can: mpc5xxx_can: check of_iomap return before use (bnc#1012382). - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (bnc#1012382). - ceph: fix incorrect use of strncpy (bsc#1107319). - ceph: return errors from posix_acl_equiv_mode() correctly (bsc#1107320). - cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1012382). - cifs: add missing debug entries for kconfig options (bnc#1012382). - cifs: check kmalloc before use (bsc#1012382). - cifs: store the leaseKey in the fid on SMB2_open (bsc#1012382). - crypto: ablkcipher - fix crash flushing dcache in error path (bnc#1012382). - crypto: blkcipher - fix crash flushing dcache in error path (bnc#1012382). - crypto: vmac - require a block cipher with 128-bit block size (bnc#1012382). - crypto: vmac - separate tfm and request context (bnc#1012382). - crypto: vmx - Fix sleep-in-atomic bugs (bsc#1048317). - cxgb4: when disabling dcb set txq dcb priority to 0 (bnc#1012382). - cxl: Fix wrong comparison in cxl_adapter_context_get() (bsc#1055014, git-fixes). - dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() (bnc#1012382). - dm cache metadata: save in-core policy_hint_size to on-disk superblock (bnc#1012382). - dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() (bnc#1012382). - drivers: net: lmc: fix case value for target abort error (bnc#1012382). - drm/armada: fix colorkey mode property (bnc#1012382). - drm/atmel-hlcdc: check stride values in the first plane (bsc#1106929). - drm/bridge: adv7511: Reset registers on hotplug (bnc#1012382). - drm/drivers: add support for using the arch wc mapping API (git-fixes). - drm/exynos/dsi: mask frame-done interrupt (bsc#1106929). - drm/exynos: decon5433: Fix WINCONx reset value (bnc#1012382). - drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes (bnc#1012382). - drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes (bnc#1012382). 
- drm/i915/userptr: reject zero user_size (bsc#1090888). - drm/i915: Correctly handle limited range YCbCr data on VLV/CHV (bsc#1087092). - drm/imx: fix typo in ipu_plane_formats (bsc#1106929). - drm/imx: imx-ldb: check if channel is enabled before printing warning (bnc#1012382). - drm/imx: imx-ldb: disable LDB on driver bind (bnc#1012382). - drm/msm/hdmi: Use bitwise operators when building register values (bsc#1106929). - drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bnc#1012382). - drm/panel: type promotion bug in s6e8aa0_read_mtp_id() (bsc#1105769). - drm: Reject getfb for multi-plane framebuffers (bsc#1106929). - enic: do not call enic_change_mtu in enic_probe (git-fixes). - enic: handle mtu change for vf properly (bnc#1012382). - enic: initialize enic->rfs_h.lock in enic_probe (bnc#1012382). - ext4: check for NUL characters in extended attribute's name (bnc#1012382). - ext4: fix spectre gadget in ext4_mb_regular_allocator() (bnc#1012382). - ext4: reset error code in ext4_find_entry in fallback (bnc#1012382). - ext4: sysfs: print ext4_super_block fields as little-endian (bsc#1106229). - fb: fix lost console when the user unplugs a USB adapter (bnc#1012382). - fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106929). - fix __legitimize_mnt()/mntput() race (bnc#1012382). - fix mntput/mntput race (bnc#1012382). - fork: unconditionally clear stack on fork (bnc#1012382). - fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed (bnc#1012382). - fs/dax.c: fix inefficiency in dax_writeback_mapping_range() (bsc#1106185). - fs/quota: Fix spectre gadget in do_quotactl (bnc#1012382). - fs: aio: fix the increment of aio-nr and counting against aio-max-nr (bsc#1068075, bsc#1078921). - fuse: Add missed unlock_page() to fuse_readpages_fill() (bnc#1012382). - fuse: Do not access pipe->buffers without pipe_lock() (bnc#1012382). - fuse: Fix oops at process_init_reply() (bnc#1012382). 
- fuse: fix double request_end() (bnc#1012382). - fuse: fix unlocked access to processing queue (bnc#1012382). - fuse: umount should wait for all requests (bnc#1012382). - genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392). - getxattr: use correct xattr length (bnc#1012382). - hfsplus: Do not clear SGID when inheriting ACLs (bsc#1030552). - hwrng: exynos - Disable runtime PM on driver unbind (git-fixes). - i2c: davinci: Avoid zero value of CLKH (bnc#1012382). - i2c: imx: Fix race condition in dma read (bnc#1012382). - i2c: ismt: fix wrong device address when unmap the data buffer (bnc#1012382). - i40e: use cpumask_copy instead of direct assignment (bsc#1053685). - i40iw: Fix memory leak in error path of create QP (bsc#969476 bsc#969477). - i40iw: Use correct address in dst_neigh_lookup for IPv6 (bsc#969476 bsc#969477). - ibmvnic: Include missing return code checks in reset function (bnc#1107966). - ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382). - ieee802154: at86rf230: use __func__ macro for debug messages (bnc#1012382). - ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382). - igb: Fix not adding filter elements to the list (bsc#1024361 bsc#1024365). - iio: ad9523: Fix displayed phase (bnc#1012382). - iio: ad9523: Fix return value for ad952x_store() (bnc#1012382). - iommu/amd: make sure TLB to be flushed before IOVA freed (bsc#1106105). - iommu/vt-d: Add definitions for PFSID (bnc#1012382). - iommu/vt-d: Fix dev iotlb pfsid use (bnc#1012382). - iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105). - ioremap: Update pgtable free interfaces with addr (bnc#1012382). - ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV (bnc#1012382). - ipv6: mcast: fix unsolicited report interval after receiving querys (bnc#1012382). - ipvlan: use ETH_MAX_MTU as max mtu (bsc#1033962). - iscsi target: fix session creation failure handling (bnc#1012382). 
- isdn: Disable IIOCDBGVAR (bnc#1012382). - iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen() (bsc#969476 bsc#969477). - ixgbe: Be more careful when modifying MAC filters (bnc#1012382). - jfs: Do not clear SGID when inheriting ACLs (bsc#1030552). - jump_label: Add RELEASE barrier after text changes (bsc#1105271). - jump_label: Fix concurrent static_key_enable/disable() (bsc#1105271). - jump_label: Move CPU hotplug locking (bsc#1105271). - jump_label: Provide hotplug context variants (bsc#1105271). - jump_label: Reduce the size of struct static_key (bsc#1105271). - jump_label: Reorder hotplug lock and jump_label_lock (bsc#1105271). - jump_label: Split out code under the hotplug lock (bsc#1105271). - jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1105271). - kABI: protect enum tcp_ca_event (kabi). - kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597). - kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - kasan: do not emit builtin calls when sanitization is off (bnc#1012382). - kasan: fix shadow_size calculation error in kasan_module_alloc (bnc#1012382). - kbuild: verify that $DEPMOD is installed (bnc#1012382). - kernel: improve spectre mitigation (bnc#1106934). - kprobes/x86: Fix %p uses in error messages (bnc#1012382). - kprobes: Make list and blacklist root user read only (bnc#1012382). - l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache (bnc#1012382). - libceph: check authorizer reply/challenge length before reading (bsc#1096748). - libceph: factor out __ceph_x_decrypt() (bsc#1096748). - libceph: factor out __prepare_write_connect() (bsc#1096748). - libceph: factor out encrypt_authorizer() (bsc#1096748). - libceph: store ceph_auth_handshake pointer in ceph_connection (bsc#1096748). - libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() (bsc#1096748). - llc: use refcount_inc_not_zero() for llc_sap_find() (bnc#1012382). 
- locking/lockdep: Do not record IRQ state within lockdep code (bnc#1012382). - locks: pass inode pointer to locks_free_lock_context (bsc#1099832). - locks: prink more detail when there are leaked locks (bsc#1099832). - locks: restore a warn for leaked locks on close (bsc#1099832). - m68k: fix "bad page state" oops on ColdFire boot (bnc#1012382). - mac80211: add stations tied to AP_VLANs during hw reconfig (bnc#1012382). - md/raid10: fix that replacement cannot complete recovery after reassemble (bnc#1012382). - media: rtl28xxu: be sure that it won't go past the array size (bsc#1050431). - media: s5p-jpeg: fix number of components macro (bsc#1050431). - media: staging: omap4iss: Include asm/cacheflush.h after generic includes (bnc#1012382). - mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported (bnc#1106697). - mm/memory.c: check return value of ioremap_prot (bnc#1012382). - mm/tlb: Remove tlb_remove_table() non-concurrent condition (bnc#1012382). - mm: Add vm_insert_pfn_prot() (bnc#1012382). - mm: fix cache mode tracking in vm_insert_mixed() (bnc#1012382). - mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 (bnc#1012382). - net/9p/client.c: version pointer uninitialized (bnc#1012382). - net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() (bnc#1012382). - net/ethernet/freescale/fman: fix cross-build error (bnc#1012382). - net/mlx5: Add missing SET_DRIVER_VERSION command translation (bsc#1015342 bsc#1015343). - net/mlx5: E-Switch, Include VF RDMA stats in vport statistics (bsc#966170 bsc#966172). - net/mlx5: Eswitch, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343). - net/mlx5: Fix wrong size allocation for QoS ETC TC regitster (bsc#966170 bsc#966172). - net/mlx5: Vport, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#966170 bsc#966172). - net/mlx5e: Do not allow aRFS for encapsulated packets (bsc#1015342 bsc#1015343). 
- net/mlx5e: Err if asked to offload TC match on frag being first (bsc#1015342 bsc#1015343). - net/mlx5e: Fix quota counting in aRFS expire flow (bsc#1015342 bsc#1015343). - net/mlx5e: Refine ets validation function (bsc#966170 bsc#966172). - net: 6lowpan: fix reserved space for single frames (bnc#1012382). - net: add skb_condense() helper (bsc#1089066). - net: adjust skb->truesize in ___pskb_trim() (bsc#1089066). - net: adjust skb->truesize in pskb_expand_head() (bsc#1089066). - net: axienet: Fix double deregister of mdio (bnc#1012382). - net: caif: Add a missing rcu_read_unlock() in caif_flow_cb (bnc#1012382). - net: davinci_emac: match the mdio device against its compatible if possible (bnc#1012382). - net: ena: Fix use of uninitialized DMA address bits field (bsc#1027968). - net: hamradio: use eth_broadcast_addr (bnc#1012382). - net: lan78xx: Fix misplaced tasklet_schedule() call (bnc#1012382). - net: mac802154: tx: expand tailroom if necessary (bnc#1012382). - net: prevent ISA drivers from building on PPC32 (bnc#1012382). - net: propagate dev_get_valid_name return code (bnc#1012382). - net: qca_spi: Avoid packet drop during initial sync (bnc#1012382). - net: qca_spi: Fix log level if probe fails (bnc#1012382). - net: qca_spi: Make sure the QCA7000 reset is triggered (bnc#1012382). - net: usb: rtl8150: demote allmulti message to dev_dbg() (bnc#1012382). - net_sched: Fix missing res info when create new tc_index filter (bnc#1012382). - net_sched: fix NULL pointer dereference when delete tcindex filter (bnc#1012382). - netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state (bnc#1012382). - netfilter: ipv6: nf_defrag: reduce struct net memory waste (bnc#1012382). - netfilter: x_tables: set module owner for icmp(6) matches (bnc#1012382). - netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286). - nl80211: Add a missing break in parse_station_flags (bnc#1012382). - nvme-fc: release io queues to allow fast fail (bsc#1102486). 
- nvme: if_ready checks to fail io to deleting controller (bsc#1102486). - nvme: kABI-compliant version of nvmf_fail_nonready_command() (bsc#1102486). - nvmet-fc: fix target sgl list on large transfers (bsc#1102486). - osf_getdomainname(): use copy_to_user() (bnc#1012382). - ovl: Do d_type check only if work dir creation was successful (bnc#1012382). - ovl: Ensure upper filesystem supports d_type (bnc#1012382). - ovl: warn instead of error if d_type is not supported (bnc#1012382). - packet: refine ring v3 block size test to hold one frame (bnc#1012382). - packet: reset network header if packet shorter than ll reserved space (bnc#1012382). - parisc: Define mb() and add memory barriers to assembler unlock sequences (bnc#1012382). - parisc: Enable CONFIG_MLONGCALLS by default (bnc#1012382). - parisc: Remove ordered stores from syscall.S (bnc#1012382). - parisc: Remove unnecessary barriers from spinlock.h (bnc#1012382). - perf auxtrace: Fix queue resize (bnc#1012382). - perf llvm-utils: Remove bashism from kernel include fetch script (bnc#1012382). - perf report powerpc: Fix crash if callchain is empty (bnc#1012382). - perf test session topology: Fix test on s390 (bnc#1012382). - pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() (bnc#1012382). - pnfs/blocklayout: off by one in bl_map_stripe() (bnc#1012382). - powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032, git-fixes). - powerpc/lib: Fix the feature fixup tests to actually work (bsc#1066223). - powerpc/pseries: Fix endianness while restoring of r3 in MCE handler (bnc#1012382). - powerpc/topology: Get topology for shared processors at boot (bsc#1104683). - powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157, git-fixes). - powerpc: Avoid code patching freed init sections (bnc#1107735). - powerpc: make feature-fixup tests fortify-safe (bsc#1066223). - pwm: tiehrpwm: Fix disabling of output of PWMs (bnc#1012382). 
- qed: Add sanity check for SIMD fastpath handler (bnc#1012382). - qed: Correct Multicast API to reflect existence of 256 approximate buckets (bsc#1019695 bsc#1019699 bsc#1022604). - qed: Do not advertise DCBX_LLD_MANAGED capability (bsc#1019695 bsc#1019699 bsc#1022604). - qed: Fix possible memory leak in Rx error path handling (bsc#1019695 bsc#1019699 bsc#1022604). - qed: Fix possible race for the link state value (bnc#1012382). - qed: Fix setting of incorrect eswitch mode (bsc#1019695 bsc#1019699 bsc#1022604). - qed: Fix use of incorrect size in memcpy call (bsc#1019695 bsc#1019699 bsc#1022604). - qede: Adverstise software timestamp caps when PHC is not available (bsc#1019695 bsc#1019699 bsc#1022604). - qlge: Fix netdev features configuration (bsc#1098822). - qlogic: check kstrtoul() for errors (bnc#1012382). - readahead: stricter check for bdi io_pages (VM Functionality, git fixes). - reiserfs: fix broken xattr handling (heap corruption, bad retval) (bnc#1012382). - root dentries need RCU-delayed freeing (bnc#1012382). - s390/kvm: fix deadlock when killed by oom (bnc#1012382). - s390/lib: use expoline for all bcr instructions (bnc#1106934). - s390/pci: fix out of bounds access during irq setup (bnc#1012382). - s390/qdio: reset old sbal_state flags (bnc#1012382). - s390/qeth: do not clobber buffer on async TX completion (bnc#1104485). - s390/qeth: fix race when setting MAC address (bnc#1104485). - s390: add explicit for jump label (bsc#1105271). - s390: detect etoken facility (bnc#1106934). - s390: fix br_r1_trampoline for machines without exrl (bnc#1012382 bnc#1106934). - scripts/tar-up.sh: Do not package gitlog-excludes file Also fix the evaluation of gitlog-excludes file, too - scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock (bnc#1012382). - scsi: fcoe: drop frames in ELS LOGO error path (bnc#1012382). - scsi: hpsa: limit transfer length to 1MB, not 512kB (bsc#1102346). 
- scsi: libiscsi: fix possible NULL pointer dereference in case of TMF (bnc#1012382). - scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (bnc#1012382). - scsi: sysfs: Introduce sysfs_{un,}break_active_protection() (bnc#1012382). - scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED (bnc#1012382). - scsi: xen-scsifront: add error handling for xenbus_printf (bnc#1012382). - scsi_debug: call resp_XXX function after setting host_scribble (bsc#1069138). - scsi_debug: reset injection flags for every_nth > 0 (bsc#1069138). - selftests/ftrace: Add snapshot and tracing_on test case (bnc#1012382). - selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs (bnc#1012382). - selftests: pstore: return Kselftest Skip code for skipped tests (bnc#1012382). - selftests: static_keys: return Kselftest Skip code for skipped tests (bnc#1012382). - selftests: sync: add config fragment for testing sync framework (bnc#1012382). - selftests: user: return Kselftest Skip code for skipped tests (bnc#1012382). - selftests: zram: return Kselftest Skip code for skipped tests (bnc#1012382). - serial: 8250_dw: always set baud rate in dw8250_set_termios (bnc#1012382). - sfc: stop the TX queue before pushing new buffers (bsc#1017967 ). - slab: __GFP_ZERO is incompatible with a constructor (bnc#1107060). - smb3: Do not send SMB3 SET_INFO if nothing changed (bnc#1012382). - smb3: do not request leases in symlink creation and query (bnc#1012382). - spi: davinci: fix a NULL pointer dereference (bnc#1012382). - staging: android: ion: check for kref overflow (bnc#1012382). - string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1107319). - sys: do not hold uts_sem while accessing userspace memory (bnc#1106995). - target_core_rbd: use RCU in free_device (bsc#1105524). - tcp: Fix missing range_truesize enlargement in the backport (bnc#1012382). - tcp: identify cryptic messages as TCP seq # bugs (bnc#1012382). 
- tcp: remove DELAYED ACK events in DCTCP (bnc#1012382). - timekeeping: Eliminate the stale declaration of ktime_get_raw_and_real_ts64() (bsc#969470). - tools/power turbostat: Read extended processor family from CPUID (bnc#1012382). - tools/power turbostat: fix -S on UP systems (bnc#1012382). - tools: usb: ffs-test: Fix build on big endian systems (bnc#1012382). - tpm: fix race condition in tpm_common_write() (bnc#1012382). - tracing/blktrace: Fix to allow setting same value (bnc#1012382). - tracing: Do not call start/stop() functions when tracing_on does not change (bnc#1012382). - tracing: Use __printf markup to silence compiler (bnc#1012382). - ubifs: Check data node size before truncate (bsc#1106276). - ubifs: Fix memory leak in lprobs self-check (bsc#1106278). - ubifs: Fix synced_i_size calculation for xattr inodes (bsc#1106275). - ubifs: xattr: Do not operate on deleted inodes (bsc#1106271). - udl-kms: change down_interruptible to down (bnc#1012382). - udl-kms: fix crash due to uninitialized memory (bnc#1012382). - udl-kms: handle allocation failure (bnc#1012382). - udlfb: set optimal write delay (bnc#1012382). - uprobes: Use synchronize_rcu() not synchronize_sched() (bnc#1012382). - usb/phy: fix PPC64 build errors in phy-fsl-usb.c (bnc#1012382). - usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1099810). - usb: dwc2: debugfs: Do not touch RX FIFO during register dump (bsc#1100132). - usb: dwc2: fix isoc split in transfer with no data (bnc#1012382). - usb: gadget: composite: fix delayed_status race condition when set_interface (bnc#1012382). - usb: gadget: dwc2: fix memory leak in gadget_init() (bnc#1012382). - usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' (bnc#1012382). - usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() (bnc#1012382). - usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() (bnc#1012382). 
- usb: renesas_usbhs: gadget: fix spin_lock_init() for uep->lock (bsc#1085536). - usb: xhci: increase CRS timeout value (bnc#1012382). - userns: move user access out of the mutex (bnc#1012382). - virtio_console: fix uninitialized variable use (git-fixes). - vmw_balloon: VMCI_DOORBELL_SET does not check status (bnc#1012382). - vmw_balloon: do not use 2MB without batching (bnc#1012382). - vmw_balloon: fix VMCI use when balloon built into kernel (bnc#1012382). - vmw_balloon: fix inflation of 64-bit GFNs (bnc#1012382). - vsock: split dwork to avoid reinitializations (bnc#1012382). - vti6: Fix dev->max_mtu setting (bsc#1033962). - vti6: fix PMTU caching and reporting on xmit (bnc#1012382). - x86/bugs: Move the l1tf function and define pr_fmt properly (bnc#1012382). - x86/init: fix build with CONFIG_SWAP=n (bnc#1012382). - x86/irqflags: Mark native_restore_fl extern inline (bnc#1012382). - x86/mm/kmmio: Make the tracer robust against L1TF (bnc#1012382). - x86/mm/pat: Fix L1TF stable backport for CPA (bnc#1012382). - x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call (bnc#1012382). - x86/mm/pat: Make set_memory_np() L1TF safe (bnc#1012382). - x86/mm: Add TLB purge to free pmd/pte page interfaces (bnc#1012382). - x86/mm: Disable ioremap free page handling on x86-PAE (bnc#1012382). - x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (bnc#1012382). - x86/process: Re-export start_thread() (bnc#1012382). - x86/spectre: Add missing family 6 check to microcode check (bnc#1012382). - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (bnc#1012382). - x86/speculation/l1tf: Extend 64bit swap file size limit (bnc#1012382). - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536). - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1012382). - x86/speculation/l1tf: Fix up CPU feature flags (bnc#1012382). - x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382). 
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - x86/speculation/l1tf: Invert all not present mappings (bnc#1012382). - x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (bnc#1012382). - x86/speculation/l1tf: Protect PAE swap entries against L1TF (bnc#1012382). - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536). - x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (bnc#1012382). - x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369). - xen/blkback: do not keep persistent grants too long (bsc#1085042). - xen/blkback: move persistent grants flags to bool (bsc#1085042). - xen/blkfront: cleanup stale persistent grants (bsc#1085042). - xen/blkfront: reorder tests in xlblk_init() (bsc#1085042). - xen/netfront: do not cache skb_shinfo() (bnc#1012382). - xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382). - xfrm: free skb if nlsk pointer is NULL (bnc#1012382). - xfrm_user: prevent leaking 2 bytes of kernel memory (bnc#1012382). - xfs: Remove dead code from inode recover function (bsc#1105396). - xfs: repair malformed inode items during log recovery (bsc#1105396). - zswap: re-check zswap_is_full() after do zswap_shrink() (bnc#1012382). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP3:
  zypper in -t patch SUSE-SLE-RT-12-SP3-2018-2019=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP3 (noarch):
  kernel-devel-rt-4.4.155-3.23.1
  kernel-source-rt-4.4.155-3.23.1
- SUSE Linux Enterprise Real Time Extension 12-SP3 (x86_64):
  cluster-md-kmp-rt-4.4.155-3.23.1
  cluster-md-kmp-rt-debuginfo-4.4.155-3.23.1
  dlm-kmp-rt-4.4.155-3.23.1
  dlm-kmp-rt-debuginfo-4.4.155-3.23.1
  gfs2-kmp-rt-4.4.155-3.23.1
  gfs2-kmp-rt-debuginfo-4.4.155-3.23.1
  kernel-rt-4.4.155-3.23.1
  kernel-rt-base-4.4.155-3.23.1
  kernel-rt-base-debuginfo-4.4.155-3.23.1
  kernel-rt-debuginfo-4.4.155-3.23.1
  kernel-rt-debugsource-4.4.155-3.23.1
  kernel-rt-devel-4.4.155-3.23.1
  kernel-rt_debug-debuginfo-4.4.155-3.23.1
  kernel-rt_debug-debugsource-4.4.155-3.23.1
  kernel-rt_debug-devel-4.4.155-3.23.1
  kernel-rt_debug-devel-debuginfo-4.4.155-3.23.1
  kernel-syms-rt-4.4.155-3.23.1
  ocfs2-kmp-rt-4.4.155-3.23.1
  ocfs2-kmp-rt-debuginfo-4.4.155-3.23.1

References:

https://www.suse.com/security/cve/CVE-2018-10902.html
https://www.suse.com/security/cve/CVE-2018-10938.html
https://www.suse.com/security/cve/CVE-2018-1128.html
https://www.suse.com/security/cve/CVE-2018-1129.html
https://www.suse.com/security/cve/CVE-2018-12896.html
https://www.suse.com/security/cve/CVE-2018-13093.html
https://www.suse.com/security/cve/CVE-2018-13094.html
https://www.suse.com/security/cve/CVE-2018-13095.html
https://www.suse.com/security/cve/CVE-2018-15572.html
https://www.suse.com/security/cve/CVE-2018-16658.html
https://www.suse.com/security/cve/CVE-2018-6554.html
https://www.suse.com/security/cve/CVE-2018-6555.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1015342
https://bugzilla.suse.com/1015343
https://bugzilla.suse.com/1017967
https://bugzilla.suse.com/1019695
https://bugzilla.suse.com/1019699
https://bugzilla.suse.com/1020412
https://bugzilla.suse.com/1021121
https://bugzilla.suse.com/1022604
https://bugzilla.suse.com/1024361
https://bugzilla.suse.com/1024365
https://bugzilla.suse.com/1024376
https://bugzilla.suse.com/1027968
https://bugzilla.suse.com/1030552
https://bugzilla.suse.com/1031492
https://bugzilla.suse.com/1033962
https://bugzilla.suse.com/1042286
https://bugzilla.suse.com/1048317
https://bugzilla.suse.com/1050431
https://bugzilla.suse.com/1053685
https://bugzilla.suse.com/1055014
https://bugzilla.suse.com/1056596
https://bugzilla.suse.com/1062604
https://bugzilla.suse.com/1063646
https://bugzilla.suse.com/1064232
https://bugzilla.suse.com/1066223
https://bugzilla.suse.com/1068032
https://bugzilla.suse.com/1068075
https://bugzilla.suse.com/1069138
https://bugzilla.suse.com/1078921
https://bugzilla.suse.com/1080157
https://bugzilla.suse.com/1083663
https://bugzilla.suse.com/1085042
https://bugzilla.suse.com/1085536
https://bugzilla.suse.com/1085539
https://bugzilla.suse.com/1087092
https://bugzilla.suse.com/1089066
https://bugzilla.suse.com/1090888
https://bugzilla.suse.com/1092903
https://bugzilla.suse.com/1096748
https://bugzilla.suse.com/1097105
https://bugzilla.suse.com/1098822
https://bugzilla.suse.com/1099597
https://bugzilla.suse.com/1099810
https://bugzilla.suse.com/1099832
https://bugzilla.suse.com/1099922
https://bugzilla.suse.com/1099999
https://bugzilla.suse.com/1100000
https://bugzilla.suse.com/1100001
https://bugzilla.suse.com/1100132
https://bugzilla.suse.com/1102346
https://bugzilla.suse.com/1102486
https://bugzilla.suse.com/1102517
https://bugzilla.suse.com/1104485
https://bugzilla.suse.com/1104683
https://bugzilla.suse.com/1105271
https://bugzilla.suse.com/1105296
https://bugzilla.suse.com/1105322
https://bugzilla.suse.com/1105323
https://bugzilla.suse.com/1105392
https://bugzilla.suse.com/1105396
https://bugzilla.suse.com/1105524
https://bugzilla.suse.com/1105536
https://bugzilla.suse.com/1105769
https://bugzilla.suse.com/1106016
https://bugzilla.suse.com/1106105
https://bugzilla.suse.com/1106185
https://bugzilla.suse.com/1106191
https://bugzilla.suse.com/1106229
https://bugzilla.suse.com/1106271
https://bugzilla.suse.com/1106275
https://bugzilla.suse.com/1106276
https://bugzilla.suse.com/1106278
https://bugzilla.suse.com/1106281
https://bugzilla.suse.com/1106283
https://bugzilla.suse.com/1106369
https://bugzilla.suse.com/1106509
https://bugzilla.suse.com/1106511
https://bugzilla.suse.com/1106697
https://bugzilla.suse.com/1106929
https://bugzilla.suse.com/1106934
https://bugzilla.suse.com/1106995
https://bugzilla.suse.com/1107060
https://bugzilla.suse.com/1107078
https://bugzilla.suse.com/1107319
https://bugzilla.suse.com/1107320
https://bugzilla.suse.com/1107689
https://bugzilla.suse.com/1107735
https://bugzilla.suse.com/1107966
https://bugzilla.suse.com/963575
https://bugzilla.suse.com/966170
https://bugzilla.suse.com/966172
https://bugzilla.suse.com/969470
https://bugzilla.suse.com/969476
https://bugzilla.suse.com/969477

From sle-updates at lists.suse.com Tue Sep 25 13:30:02 2018
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 25 Sep 2018 21:30:02 +0200 (CEST)
Subject: SUSE-SU-2018:2863-1: moderate: Security update for dom4j
Message-ID: <20180925193002.562B4FCD2@maintenance.suse.de>

SUSE Security Update: Security update for dom4j
______________________________________________________________________________

Announcement ID: SUSE-SU-2018:2863-1
Rating: moderate
References: #1105443
Cross-References: CVE-2018-1000632
Affected Products: SUSE Manager Server 3.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for dom4j fixes the following issues:

- CVE-2018-1000632: Prevent XML injection vulnerability that allowed an attacker to tamper with XML documents (bsc#1105443).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-2005=1 Package List: - SUSE Manager Server 3.1 (noarch): dom4j-1.6.1-3.3.2 References: https://www.suse.com/security/cve/CVE-2018-1000632.html https://bugzilla.suse.com/1105443 From sle-updates at lists.suse.com Tue Sep 25 13:30:40 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 25 Sep 2018 21:30:40 +0200 (CEST) Subject: SUSE-SU-2018:2864-1: important: Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP2) Message-ID: <20180925193040.8E0E4FCD2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2864-1 Rating: important References: #1102682 #1103203 #1105323 #1106191 Cross-References: CVE-2018-10902 CVE-2018-10938 CVE-2018-5390 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.4.121-92_92 fixes several issues. The following security issues were fixed: - CVE-2018-5390: Prevent very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming TCP packet which can lead to a denial of service (bsc#1102682). - CVE-2018-10938: Fixed an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service via crafted network packets (bsc#1106191). 
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which led to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(), allowing a malicious local attacker to use this for privilege escalation (bsc#1105323). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2006=1 SUSE-SLE-SAP-12-SP2-2018-2007=1 SUSE-SLE-SAP-12-SP2-2018-2008=1 SUSE-SLE-SAP-12-SP2-2018-2009=1 SUSE-SLE-SAP-12-SP2-2018-2010=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2006=1 SUSE-SLE-SERVER-12-SP2-2018-2007=1 SUSE-SLE-SERVER-12-SP2-2018-2008=1 SUSE-SLE-SERVER-12-SP2-2018-2009=1 SUSE-SLE-SERVER-12-SP2-2018-2010=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): kgraft-patch-4_4_120-92_70-default-6-2.1 kgraft-patch-4_4_121-92_73-default-5-2.1 kgraft-patch-4_4_121-92_80-default-5-2.1 kgraft-patch-4_4_121-92_85-default-3-2.1 kgraft-patch-4_4_121-92_92-default-3-2.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): kgraft-patch-4_4_120-92_70-default-6-2.1 kgraft-patch-4_4_121-92_73-default-5-2.1 kgraft-patch-4_4_121-92_80-default-5-2.1 kgraft-patch-4_4_121-92_85-default-3-2.1 kgraft-patch-4_4_121-92_92-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10938.html https://www.suse.com/security/cve/CVE-2018-5390.html https://bugzilla.suse.com/1102682 https://bugzilla.suse.com/1103203 https://bugzilla.suse.com/1105323 https://bugzilla.suse.com/1106191 From sle-updates at lists.suse.com Tue Sep 25 19:08:56 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 03:08:56 +0200 (CEST) Subject:
SUSE-RU-2018:2865-1: moderate: Recommended update for yast2-update Message-ID: <20180926010856.5936FFCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-update ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2865-1 Rating: moderate References: #1079034 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 SUSE Linux Enterprise Installer 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for yast2-update provides the following fix: - Do not show wrong fstype "Windows Data Partition" for partitions which are suggested for upgrade. (bsc#1079034) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2020=1 - SUSE Linux Enterprise Installer 15: zypper in -t patch SUSE-SLE-INSTALLER-15-2018-2020=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): yast2-update-4.0.18-3.7.2 - SUSE Linux Enterprise Installer 15 (aarch64 ppc64le s390x x86_64): yast2-update-4.0.18-3.7.2 References: https://bugzilla.suse.com/1079034 From sle-updates at lists.suse.com Wed Sep 26 04:11:35 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 12:11:35 +0200 (CEST) Subject: SUSE-SU-2018:2866-1: moderate: Security update for ant Message-ID: <20180926101135.234CFFCAB@maintenance.suse.de> SUSE Security Update: Security update for ant ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2866-1 Rating: moderate References: #1100053 Cross-References: CVE-2018-10886 Affected Products: SUSE Linux
Enterprise Module for Development Tools 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ant fixes the following issues: Security issue fixed: - CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file paths, which allowed arbitrary file writes and could potentially lead to code execution (bsc#1100053) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-2021=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15 (noarch): ant-1.9.10-3.3.1 ant-antlr-1.9.10-3.3.1 ant-apache-bcel-1.9.10-3.3.1 ant-apache-bsf-1.9.10-3.3.1 ant-apache-log4j-1.9.10-3.3.1 ant-apache-oro-1.9.10-3.3.1 ant-apache-regexp-1.9.10-3.3.1 ant-apache-resolver-1.9.10-3.3.1 ant-commons-logging-1.9.10-3.3.1 ant-javamail-1.9.10-3.3.1 ant-jdepend-1.9.10-3.3.1 ant-jmf-1.9.10-3.3.1 ant-junit-1.9.10-3.3.1 ant-manual-1.9.10-3.3.1 ant-scripts-1.9.10-3.3.1 ant-swing-1.9.10-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-10886.html https://bugzilla.suse.com/1100053 From sle-updates at lists.suse.com Wed Sep 26 07:08:39 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:08:39 +0200 (CEST) Subject: SUSE-RU-2018:2867-1: moderate: Recommended update for SUSE Manager Client Tools Message-ID: <20180926130839.C476AFCAB@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2867-1 Rating: moderate References: #1103388 #1104120 #1106523 Affected Products: SUSE Manager Tools 15 
______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update fixes the following issues: hwdata: - Update to version 0.314: + Updated pci, usb and vendor ids. spacewalk-backend: - Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120) - Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 15: zypper in -t patch SUSE-SLE-Manager-Tools-15-2018-2022=1 Package List: - SUSE Manager Tools 15 (noarch): hwdata-0.314-3.5.2 python3-spacewalk-backend-libs-2.8.57.7-3.6.2 References: https://bugzilla.suse.com/1103388 https://bugzilla.suse.com/1104120 https://bugzilla.suse.com/1106523 From sle-updates at lists.suse.com Wed Sep 26 07:09:33 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:09:33 +0200 (CEST) Subject: SUSE-RU-2018:2868-1: moderate: Recommended update for SUSE Manager Client Tools Message-ID: <20180926130933.BB6ACFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2868-1 Rating: moderate References: #1103090 #1103388 #1104120 Affected Products: SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update fixes the following issues: spacecmd: - Suggest not to use password option for spacecmd. 
(bsc#1103090) spacewalk-backend: - Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120) - Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS: zypper in -t patch slesctsp4-client-tools-201809-13791=1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS: zypper in -t patch slesctsp3-client-tools-201809-13791=1 Package List: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64): spacecmd-2.8.25.5-18.26.1 spacewalk-backend-libs-2.8.57.7-28.25.2 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64): spacecmd-2.8.25.5-18.26.1 spacewalk-backend-libs-2.8.57.7-28.25.2 References: https://bugzilla.suse.com/1103090 https://bugzilla.suse.com/1103388 https://bugzilla.suse.com/1104120 From sle-updates at lists.suse.com Wed Sep 26 07:10:46 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:10:46 +0200 (CEST) Subject: SUSE-RU-2018:2869-1: moderate: Recommended update for Salt Message-ID: <20180926131046.5645DFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for Salt ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2869-1 Rating: moderate References: #1095942 Affected Products: SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for salt fixes the following issue: - Prepend current directory when path is just filename. 
(bsc#1095942) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS: zypper in -t patch slesctsp4-salt-13790=1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS: zypper in -t patch slesctsp3-salt-13790=1 Package List: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64): salt-2016.11.4-43.32.1 salt-doc-2016.11.4-43.32.1 salt-minion-2016.11.4-43.32.1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64): salt-2016.11.4-43.32.1 salt-doc-2016.11.4-43.32.1 salt-minion-2016.11.4-43.32.1 References: https://bugzilla.suse.com/1095942 From sle-updates at lists.suse.com Wed Sep 26 07:11:21 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:11:21 +0200 (CEST) Subject: SUSE-RU-2018:2870-1: moderate: Recommended update for SUSE Manager Proxy 3.2 Message-ID: <20180926131121.23F3AFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager Proxy 3.2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2870-1 Rating: moderate References: #1103388 #1104120 Affected Products: SUSE Manager Proxy 3.2 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update includes the following new features: - Check for Dynamic CA-Trust Updates while bootstrapping on RES. (fate#325588) - Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) - Add script for retrieving the systemid file in configure-proxy.sh for minions. (fate#323069) This update fixes the following issues: patterns-suse-manager: - Remove unneeded requires for minion proxy. 
spacewalk-backend: - Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120) - Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388) spacewalk-certs-tools: - Feat: Check for Dynamic CA-Trust Updates while bootstrapping on RES. (fate#325588) - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) spacewalk-proxy-installer: - Add script for retrieving the systemid file in configure-proxy.sh for minions. (fate#323069) - Fix wrong paths to scripts. Ensure CA can be found. spacewalk-web: - Allow relative path in visibleIf tag in formulas. - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2018-2032=1 Package List: - SUSE Manager Proxy 3.2 (noarch): python2-spacewalk-certs-tools-2.8.8.6-3.3.1 spacewalk-backend-2.8.57.7-3.7.1 spacewalk-backend-libs-2.8.57.7-3.7.1 spacewalk-base-minimal-2.8.7.9-3.7.1 spacewalk-base-minimal-config-2.8.7.9-3.7.1 spacewalk-certs-tools-2.8.8.6-3.3.1 spacewalk-proxy-installer-2.8.6.3-3.3.1 - SUSE Manager Proxy 3.2 (x86_64): patterns-suma_proxy-3.2-11.1 References: https://bugzilla.suse.com/1103388 https://bugzilla.suse.com/1104120 From sle-updates at lists.suse.com Wed Sep 26 07:12:06 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:12:06 +0200 (CEST) Subject: SUSE-RU-2018:2871-1: moderate: Recommended update for SUSE Manager Client Tools Message-ID: <20180926131206.8193AFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager Client Tools ______________________________________________________________________________ 
Announcement ID: SUSE-RU-2018:2871-1 Rating: moderate References: #1103090 #1103388 #1104120 Affected Products: SUSE Manager Tools 12 SUSE Manager Server 3.2 SUSE Manager Server 3.1 SUSE Manager Server 3.0 SUSE Manager Proxy 3.2 SUSE Manager Proxy 3.1 SUSE Manager Proxy 3.0 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update fixes the following issues: hwdata: - Update to version 0.314 * Updated pci, usb and vendor ids. spacecmd: - Suggest not to use password option for spacecmd. (bsc#1103090) spacewalk-backend: - Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120) - Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Tools 12: zypper in -t patch SUSE-SLE-Manager-Tools-12-2018-2029=1 - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-2029=1 - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-2029=1 - SUSE Manager Server 3.0: zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2018-2029=1 - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2018-2029=1 - SUSE Manager Proxy 3.1: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.1-2018-2029=1 - SUSE Manager Proxy 3.0: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.0-2018-2029=1 Package List: - SUSE Manager Tools 12 (noarch): hwdata-0.314-10.9.1 spacecmd-2.8.25.5-38.24.1 spacewalk-backend-libs-2.8.57.7-55.24.1 - SUSE Manager Server 3.2 (noarch): hwdata-0.314-10.9.1 - SUSE Manager Server 3.1 (noarch): hwdata-0.314-10.9.1 - SUSE Manager Server 3.0 (noarch): hwdata-0.314-10.9.1 - SUSE Manager Proxy 3.2 (noarch): hwdata-0.314-10.9.1 - SUSE Manager Proxy 3.1 (noarch): hwdata-0.314-10.9.1 - SUSE Manager Proxy 3.0 (noarch): hwdata-0.314-10.9.1 References: https://bugzilla.suse.com/1103090 https://bugzilla.suse.com/1103388 https://bugzilla.suse.com/1104120 From sle-updates at lists.suse.com Wed Sep 26 07:13:06 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:13:06 +0200 (CEST) Subject: SUSE-SU-2018:2872-1: moderate: Security update for wireshark Message-ID: <20180926131306.15381FCD2@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2872-1 Rating: moderate References: #1106514 Cross-References: CVE-2018-16056 CVE-2018-16057 CVE-2018-16058 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 
______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for wireshark fixes the following issues: Update wireshark to version 2.2.17 (bsc#1106514): Security issues fixed: - CVE-2018-16058: Bluetooth AVDTP dissector crash (wnpa-sec-2018-44) - CVE-2018-16056: Bluetooth Attribute Protocol dissector crash (wnpa-sec-2018-45) - CVE-2018-16057: Radiotap dissector crash (wnpa-sec-2018-46) Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-2.2.17.html Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-wireshark-13792=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-wireshark-13792=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-wireshark-13792=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): wireshark-devel-2.2.17-40.31.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64): libwireshark8-2.2.17-40.31.1 libwiretap6-2.2.17-40.31.1 libwscodecs1-2.2.17-40.31.1 libwsutil7-2.2.17-40.31.1 wireshark-2.2.17-40.31.1 wireshark-gtk-2.2.17-40.31.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): libwireshark8-2.2.17-40.31.1 libwiretap6-2.2.17-40.31.1 libwscodecs1-2.2.17-40.31.1 libwsutil7-2.2.17-40.31.1 wireshark-2.2.17-40.31.1 wireshark-gtk-2.2.17-40.31.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): wireshark-debuginfo-2.2.17-40.31.1 wireshark-debugsource-2.2.17-40.31.1 References: https://www.suse.com/security/cve/CVE-2018-16056.html https://www.suse.com/security/cve/CVE-2018-16057.html 
https://www.suse.com/security/cve/CVE-2018-16058.html https://bugzilla.suse.com/1106514 From sle-updates at lists.suse.com Wed Sep 26 07:13:40 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:13:40 +0200 (CEST) Subject: SUSE-RU-2018:2873-1: Recommended update for the SUSE Manager 3.2 release notes Message-ID: <20180926131340.84DECFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for the SUSE Manager 3.2 release notes ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2873-1 Rating: low References: #1099517 #1104025 #1105045 Affected Products: SUSE Manager Server 3.2 SUSE Manager Proxy 3.2 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for the SUSE Manager 3.2 Release Notes provides the following additions: - New Server features added: + Prevent sudoers corruption + changed XMLRPC API calls + OS Image building with Kiwi + Check for Dynamic CA-Trust Updates while bootstrapping on RES + Configuration channel label restriction + Set DNS name in createSystemRecord - New products supported: + CaaSP 3.0 (deployment only) + Product class for Live Patching on PPC - SUSE Manager Server bugs fixed by latest updates: + bsc#1094524, bsc#1095569, bsc#1095942, bsc#1095972, bsc#1096511, bsc#1098388, bsc#1098993, bsc#1099517, bsc#1100131, bsc#1100731, bsc#1101033, bsc#1102009, bsc#1102464, bsc#1102478, bsc#1103090, bsc#1103218, bsc#1103388, bsc#1103696, bsc#1104025, bsc#1104120, bsc#1104503, bsc#1105045, bsc#1105062, bsc#1105074, bsc#1105107, bsc#1105720, bsc#1105886, bsc#1106026, bsc#1107117 - New Proxy features added: + Proxy can be a Salt minion - SUSE Manager Proxy bugs fixed by latest updates: + bsc#1103388, bsc#1104120 Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like 
YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-2025=1 - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2018-2025=1 Package List: - SUSE Manager Server 3.2 (ppc64le s390x x86_64): release-notes-susemanager-3.2.2-6.10.1 - SUSE Manager Proxy 3.2 (x86_64): release-notes-susemanager-proxy-3.2.2-0.16.6.1 References: https://bugzilla.suse.com/1099517 https://bugzilla.suse.com/1104025 https://bugzilla.suse.com/1105045 From sle-updates at lists.suse.com Wed Sep 26 07:14:38 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:14:38 +0200 (CEST) Subject: SUSE-RU-2018:2874-1: moderate: Recommended update for SUSE Manager Server 3.2 Message-ID: <20180926131438.055E0FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager Server 3.2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2874-1 Rating: moderate References: #1094524 #1095569 #1095942 #1095972 #1096511 #1098388 #1098993 #1099517 #1100131 #1100731 #1101033 #1102009 #1102464 #1102478 #1103090 #1103218 #1103388 #1103696 #1104020 #1104025 #1104120 #1104503 #1105045 #1105062 #1105074 #1105107 #1105720 #1105886 #1106026 #1107117 Affected Products: SUSE Manager Server 3.2 ______________________________________________________________________________ An update that has 30 recommended fixes can now be installed. Description: This update includes the following new features: - Add OS Image building with Kiwi. (fate#322959 fate#323057 fate#323056) - Check for Dynamic CA-Trust Updates while bootstrapping on RES. (fate#325588) - Generate systemid certificate on suse/systemid/generate event. (fate#323069) - Allow salt systems to be registered as proxies. (fate#323069) - Add DNS name to cobbler network interface. 
(fate#326501, bsc#1104020) This update fixes the following issues: patterns-suse-manager: - Remove unneeded requires for minion proxy. py26-compat-salt: - Prepend current directory when path is just filename. (bsc#1095942) spacecmd: - Suggest not to use password option for spacecmd. (bsc#1103090) spacewalk-backend: - Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120) - Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388) spacewalk-branding: - Missing link to LDAP instructions. (bsc#1102464) - Fix copyright for the package specfile. (bsc#1103696) - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) spacewalk-certs-tools: - Feat: Check for Dynamic CA-Trust Updates while bootstrapping on RES. (fate#325588) - Feat: Add OS Image building with Kiwi. (fate#322959 fate#323057 fate#323056) spacewalk-config: - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) - Fix /etc/sudoers.d/spacewalk file. (related to bsc#1099517) NOTE: In case there have been custom modifications to this file, it will be saved in /root/sudoers-spacewalk.save as sudo will fail on duplicate definitions spacewalk-java: - Fix mgr-sync refresh when subscription was removed. (bsc#1105720) - Method to Unsubscribe channel from system. (bsc#1104120) - Enable auto patch updates for salt clients. - Fix ACLs for system details settings. - Fix delete old custom OS images pillar before generation. (bsc#1105107) - Fix an error in the system software channels UI due to SUSE product channels missing a corresponding synced channel. (bsc#1105886) - Fix 'Compare Config Files' task hanging. (bsc#1103218) - Reschedule taskomatic jobs if task threads limit reached. (bsc#1096511) - XMLRPC API for state channels. - Subscribe saltbooted minion to software channels, respect activation key in final registration steps. 
- Fix deletion of Taskomatic schedules via the GUI. (bsc#1095569) - Generate OS image pillars via Java. - Logic constraint: Results must be ordered and grouped by systemId first. (bsc#1101033) - Store activation key in the Kiwi built image. - Do not wrap output if stderr is not present. (bsc#1105074) - Store image size in image pillar as integer value. - Fix retrieving salt-ssh pub key for proxy setup when key already exists. (bsc#1105062) - Implement the 2-phase registration of saltbooted minions. - Avoid an NPE on expired tokens. (bsc#1104503) - Generate systemid certificate on suse/systemid/generate event. (fate#323069) - Fix system group overview patch status. (bsc#1102478) - Allow salt systems to be registered as proxies. (fate#323069) - Add DNS name to cobbler network interface. (fate#326501, bsc#1104020) - Fix behavior when canceling actions. (bsc#1098993) - Speedup listing systems of a group. (bsc#1102009) - Disallow '.' in config channel names. (bsc#1100731) - Add python3 xmlrpc api example to docs. - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) - Apply State Result - use different color for applied changes. - Fix missing acl to toggle notifications in user prefs in salt clients. (bsc#1100131) spacewalk-setup: - Clean up correct system sudoers file. (bsc#1099517) - Feat: add OS Image building with Kiwi. (fate#322959 fate#323057 fate#323056) spacewalk-web: - Allow relative path in visibleIf tag in formulas. - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) - Refactor the fetching and cache the child channels and mandatory channels in System Details change channels page. subscription-matcher: - Update partnumbers rule file. (bsc#1095972) - Use intermediate object to store confirmed matches within a penalty group and prevent infinite reactivation of Inherited virtualization rule. (bsc#1094524) susemanager: - Bootstrap repos for SLE12 SP4.
(bsc#1107117) - Do not fail if postgresql user has no interactive login shell. - Fix broken stderr redirection in mgr-setup. - Add new dependency python-setuptools to bootstrap packages. (bsc#1106026) - Add debug mode for mgr-create-bootstrap-repo. - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) susemanager-docs_en: - OS Image building with Kiwi: SUSE Manager can now build Kiwi-based image creation for installable Linux OS images and virtual machines. - Missing link to LDAP instructions. (bsc#1102464) susemanager-schema: - Enable auto patch updates for Salt minions. - Enable system preferences for Salt minions. (bsc#1098388) - Feat: Add OS Image building with Kiwi (fate#322959, fate#323057, fate#323056) susemanager-sls: - Fix merging of image pillars. - Fix delete old custom OS images pillar before generation. (bsc#1105107) - Generate OS image pillars via Java. - Store activation key in the Kiwi built image. - Implement the 2-phase registration of saltbooted minions. - Feat: Add OS Image building with Kiwi. (fate#322959, fate#323057, fate#323056) susemanager-sync-data: - Support SLE12 SP4 product family. (bsc#1107117) - Add CaaSP 3.0 channels. (bsc#1105045) - Add product class for Live Patching on PPC. (bsc#1104025) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-2032=1 Package List: - SUSE Manager Server 3.2 (ppc64le s390x x86_64): patterns-suma_server-3.2-11.1 spacewalk-branding-2.8.5.11-3.7.1 susemanager-3.2.12-3.7.2 susemanager-tools-3.2.12-3.7.2 - SUSE Manager Server 3.2 (noarch): py26-compat-salt-2016.11.4-6.9.1 python2-spacewalk-certs-tools-2.8.8.6-3.3.1 spacecmd-2.8.25.5-3.3.1 spacewalk-backend-2.8.57.7-3.7.1 spacewalk-backend-app-2.8.57.7-3.7.1 spacewalk-backend-applet-2.8.57.7-3.7.1 spacewalk-backend-config-files-2.8.57.7-3.7.1 spacewalk-backend-config-files-common-2.8.57.7-3.7.1 spacewalk-backend-config-files-tool-2.8.57.7-3.7.1 spacewalk-backend-iss-2.8.57.7-3.7.1 spacewalk-backend-iss-export-2.8.57.7-3.7.1 spacewalk-backend-libs-2.8.57.7-3.7.1 spacewalk-backend-package-push-server-2.8.57.7-3.7.1 spacewalk-backend-server-2.8.57.7-3.7.1 spacewalk-backend-sql-2.8.57.7-3.7.1 spacewalk-backend-sql-oracle-2.8.57.7-3.7.1 spacewalk-backend-sql-postgresql-2.8.57.7-3.7.1 spacewalk-backend-tools-2.8.57.7-3.7.1 spacewalk-backend-xml-export-libs-2.8.57.7-3.7.1 spacewalk-backend-xmlrpc-2.8.57.7-3.7.1 spacewalk-base-2.8.7.9-3.7.1 spacewalk-base-minimal-2.8.7.9-3.7.1 spacewalk-base-minimal-config-2.8.7.9-3.7.1 spacewalk-certs-tools-2.8.8.6-3.3.1 spacewalk-config-2.8.5.4-3.7.1 spacewalk-html-2.8.7.9-3.7.1 spacewalk-java-2.8.78.11-3.7.1 spacewalk-java-config-2.8.78.11-3.7.1 spacewalk-java-lib-2.8.78.11-3.7.1 spacewalk-java-oracle-2.8.78.11-3.7.1 spacewalk-java-postgresql-2.8.78.11-3.7.1 spacewalk-setup-2.8.7.4-3.7.1 spacewalk-taskomatic-2.8.78.11-3.7.1 subscription-matcher-0.20-4.3.1 susemanager-advanced-topics_en-pdf-3.2-11.6.1 susemanager-best-practices_en-pdf-3.2-11.6.1 susemanager-docs_en-3.2-11.6.1 susemanager-getting-started_en-pdf-3.2-11.6.1 susemanager-jsp_en-3.2-11.6.1 susemanager-reference_en-pdf-3.2-11.6.1 susemanager-schema-3.2.13-3.7.1 susemanager-sls-3.2.16-3.7.1 
susemanager-sync-data-3.2.8-3.3.1 References: https://bugzilla.suse.com/1094524 https://bugzilla.suse.com/1095569 https://bugzilla.suse.com/1095942 https://bugzilla.suse.com/1095972 https://bugzilla.suse.com/1096511 https://bugzilla.suse.com/1098388 https://bugzilla.suse.com/1098993 https://bugzilla.suse.com/1099517 https://bugzilla.suse.com/1100131 https://bugzilla.suse.com/1100731 https://bugzilla.suse.com/1101033 https://bugzilla.suse.com/1102009 https://bugzilla.suse.com/1102464 https://bugzilla.suse.com/1102478 https://bugzilla.suse.com/1103090 https://bugzilla.suse.com/1103218 https://bugzilla.suse.com/1103388 https://bugzilla.suse.com/1103696 https://bugzilla.suse.com/1104020 https://bugzilla.suse.com/1104025 https://bugzilla.suse.com/1104120 https://bugzilla.suse.com/1104503 https://bugzilla.suse.com/1105045 https://bugzilla.suse.com/1105062 https://bugzilla.suse.com/1105074 https://bugzilla.suse.com/1105107 https://bugzilla.suse.com/1105720 https://bugzilla.suse.com/1105886 https://bugzilla.suse.com/1106026 https://bugzilla.suse.com/1107117 From sle-updates at lists.suse.com Wed Sep 26 07:20:41 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:20:41 +0200 (CEST) Subject: SUSE-RU-2018:2875-1: moderate: Recommended update for patchinfo.salt, salt Message-ID: <20180926132041.E3A24FCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for patchinfo.salt, salt ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2875-1 Rating: moderate References: #1095942 #1102013 #1103530 #1104154 Affected Products: SUSE Manager Tools 12 SUSE Manager Server 3.2 SUSE Manager Server 3.1 SUSE Manager Server 3.0 SUSE Manager Proxy 3.2 SUSE Manager Proxy 3.1 SUSE Manager Proxy 3.0 SUSE Linux Enterprise Point of Sale 12-SP2 SUSE Linux Enterprise Module for Advanced Systems Management 12 ______________________________________________________________________________ 
An update that has four recommended fixes can now be installed. Description: This update for salt fixes the following issues: - Prepend current directory when path is just filename. (bsc#1095942) - Only do reverse DNS lookup on IPs for salt-ssh. (bsc#1104154) - Add support for Python 3.7 and Tornado 5.0. - Decode file contents for python2. (bsc#1102013, bsc#1103530) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 12: zypper in -t patch SUSE-SLE-Manager-Tools-12-2018-2023=1 - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-2023=1 - SUSE Manager Server 3.1: zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-2023=1 - SUSE Manager Server 3.0: zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2018-2023=1 - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2018-2023=1 - SUSE Manager Proxy 3.1: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.1-2018-2023=1 - SUSE Manager Proxy 3.0: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.0-2018-2023=1 - SUSE Linux Enterprise Point of Sale 12-SP2: zypper in -t patch SUSE-SLE-POS-12-SP2-2018-2023=1 - SUSE Linux Enterprise Module for Advanced Systems Management 12: zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2018-2023=1 Package List: - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64): python2-salt-2018.3.0-46.36.1 python3-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-doc-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 - SUSE Manager Server 3.2 (ppc64le s390x x86_64): python2-salt-2018.3.0-46.36.1 python3-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-api-2018.3.0-46.36.1 salt-cloud-2018.3.0-46.36.1 salt-doc-2018.3.0-46.36.1 salt-master-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 salt-proxy-2018.3.0-46.36.1 salt-ssh-2018.3.0-46.36.1 salt-syndic-2018.3.0-46.36.1 - SUSE Manager Server 
3.2 (noarch): salt-bash-completion-2018.3.0-46.36.1 salt-zsh-completion-2018.3.0-46.36.1 - SUSE Manager Server 3.1 (ppc64le s390x x86_64): python2-salt-2018.3.0-46.36.1 python3-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-api-2018.3.0-46.36.1 salt-cloud-2018.3.0-46.36.1 salt-doc-2018.3.0-46.36.1 salt-master-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 salt-proxy-2018.3.0-46.36.1 salt-ssh-2018.3.0-46.36.1 salt-syndic-2018.3.0-46.36.1 - SUSE Manager Server 3.1 (noarch): salt-bash-completion-2018.3.0-46.36.1 salt-zsh-completion-2018.3.0-46.36.1 - SUSE Manager Server 3.0 (s390x x86_64): python2-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-api-2018.3.0-46.36.1 salt-doc-2018.3.0-46.36.1 salt-master-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 salt-proxy-2018.3.0-46.36.1 salt-ssh-2018.3.0-46.36.1 salt-syndic-2018.3.0-46.36.1 - SUSE Manager Server 3.0 (noarch): salt-bash-completion-2018.3.0-46.36.1 salt-zsh-completion-2018.3.0-46.36.1 - SUSE Manager Proxy 3.2 (x86_64): python2-salt-2018.3.0-46.36.1 python3-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 - SUSE Manager Proxy 3.1 (ppc64le x86_64): python2-salt-2018.3.0-46.36.1 python3-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 - SUSE Manager Proxy 3.0 (noarch): salt-bash-completion-2018.3.0-46.36.1 salt-zsh-completion-2018.3.0-46.36.1 - SUSE Manager Proxy 3.0 (x86_64): python2-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-api-2018.3.0-46.36.1 salt-doc-2018.3.0-46.36.1 salt-master-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 salt-proxy-2018.3.0-46.36.1 salt-ssh-2018.3.0-46.36.1 salt-syndic-2018.3.0-46.36.1 - SUSE Linux Enterprise Point of Sale 12-SP2 (x86_64): python2-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64): python2-salt-2018.3.0-46.36.1 salt-2018.3.0-46.36.1 salt-api-2018.3.0-46.36.1 salt-cloud-2018.3.0-46.36.1 salt-doc-2018.3.0-46.36.1 
salt-master-2018.3.0-46.36.1 salt-minion-2018.3.0-46.36.1 salt-proxy-2018.3.0-46.36.1 salt-ssh-2018.3.0-46.36.1 salt-syndic-2018.3.0-46.36.1 - SUSE Linux Enterprise Module for Advanced Systems Management 12 (noarch): salt-bash-completion-2018.3.0-46.36.1 salt-zsh-completion-2018.3.0-46.36.1 References: https://bugzilla.suse.com/1095942 https://bugzilla.suse.com/1102013 https://bugzilla.suse.com/1103530 https://bugzilla.suse.com/1104154 From sle-updates at lists.suse.com Wed Sep 26 07:21:55 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:21:55 +0200 (CEST) Subject: SUSE-RU-2018:2876-1: moderate: Recommended update for fio Message-ID: <20180926132155.0DFD3FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for fio ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2876-1 Rating: moderate References: #1083445 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for fio provides version 3.10 and fixes the following issue: - Enable building of the rbd support on aarch64. (bsc#1083445) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-2034=1 Package List: - SUSE Enterprise Storage 5 (aarch64 x86_64): fio-3.10-5.3.1 fio-debuginfo-3.10-5.3.1 fio-debugsource-3.10-5.3.1 References: https://bugzilla.suse.com/1083445 From sle-updates at lists.suse.com Wed Sep 26 07:22:32 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:22:32 +0200 (CEST) Subject: SUSE-RU-2018:2877-1: moderate: Recommended update for golang-github-prometheus-node_exporter Message-ID: <20180926132232.415A5FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for golang-github-prometheus-node_exporter ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2877-1 Rating: moderate References: #1102732 #1105861 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for golang-github-prometheus-node_exporter provides the following changes: - read throughput, write throughput and IOPS (FATE#324358, bsc#1102732) - backstore support RBD, block, file and memory (FATE#324358, bsc#1102732) - Backport the lio iscsi backstore reader from sysfs - Fix smartmon.sh for the smartmon text exporter (bsc#1105861) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-2033=1 Package List: - SUSE Enterprise Storage 5 (aarch64 x86_64): golang-github-prometheus-node_exporter-0.14.0-5.5.1 References: https://bugzilla.suse.com/1102732 https://bugzilla.suse.com/1105861 From sle-updates at lists.suse.com Wed Sep 26 07:23:20 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 15:23:20 +0200 (CEST) Subject: SUSE-RU-2018:2878-1: moderate: Recommended update for golang-github-digitalocean-ceph_exporter Message-ID: <20180926132320.4D1DAFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for golang-github-digitalocean-ceph_exporter ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2878-1 Rating: moderate References: #1107627 #1108177 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for golang-github-digitalocean-ceph_exporter provides version 2.0.1 and fixes the following issues: - Remove stale metrics of pools/daemons that no longer exist. (bsc#1108177) - Remove unclean_pgs metric and add clean_pgs instead. (bsc#1107627) - health: Add active_pg metric. - osd: Add metrics for down and destroyed OSD. - monitors: Add back clock skew and latency metric support. - Add tracking of scrub/deep scrub on a per osd basis. - Add constant for tcp keepalive period. - health: Add visibility for stuck requests. - health: Capture slow request per osd. - luminous: Pick correct value from health status after compat warning is removed. - luminous: Move luminous stats to be extracted from json. - Add promhttp to vendor directory. - Update /metrics handler to promhttp.Handler(). 
Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-2037=1 Package List: - SUSE Enterprise Storage 5 (aarch64 x86_64): golang-github-digitalocean-ceph_exporter-2.0.1+git20180913.eed5856-4.6.2 References: https://bugzilla.suse.com/1107627 https://bugzilla.suse.com/1108177 From sle-updates at lists.suse.com Wed Sep 26 10:08:20 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 18:08:20 +0200 (CEST) Subject: SUSE-SU-2018:2879-1: important: Security update for the Linux Kernel Message-ID: <20180926160820.EFAEFFCD7@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2879-1 Rating: important References: #1037441 #1045538 #1047487 #1048185 #1050381 #1050431 #1057199 #1060245 #1064861 #1068032 #1080157 #1087081 #1092772 #1092903 #1093666 #1096547 #1097562 #1098822 #1099922 #1100132 #1100705 #1102517 #1102870 #1103119 #1103884 #1103909 #1104481 #1104684 #1104818 #1104901 #1105100 #1105322 #1105348 #1105536 #1105723 #1106095 #1106105 #1106199 #1106202 #1106206 #1106209 #1106212 #1106369 #1106509 #1106511 #1106609 #1106886 #1106930 #1106995 #1107001 #1107064 #1107071 #1107650 #1107689 #1107735 #1107949 #1108096 #1108170 #1108823 #1108912 Cross-References: CVE-2018-10902 CVE-2018-10940 CVE-2018-12896 CVE-2018-14617 CVE-2018-14634 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-EXTRA SUSE Linux Enterprise Debuginfo 11-SP4 
______________________________________________________________________________ An update that solves 12 vulnerabilities and has 48 fixes is now available. Description: The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870). - CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in yurex_read allowed local attackers to use user access read/writes to crash the kernel or potentially escalate privileges (bsc#1106095). - CVE-2018-15594: Ensure correct handling of indirect calls, to prevent attackers from conducting Spectre-v2 attacks against paravirtual guests (bsc#1105348). - CVE-2018-14634: Prevent integer overflow in create_elf_tables that allowed a local attacker to exploit this vulnerability via a SUID-root binary and obtain full root privileges (bsc#1108912) - CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random.
This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922) - CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903) - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689) - CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511) - CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509) - CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517) - CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322) - CVE-2018-14734: ucma_leave_multicast accessed a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bsc#1103119) The following non-security bugs were fixed: - ACPI: APEI / ERST: Fix missing error handling in erst_reader() (bsc#1045538). - ALSA: fm801: propagate TUNER_ONLY bit when autodetected (bsc#1045538). - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode (bsc#1045538). - ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() (bsc#1045538). - ALSA: pcm: fix fifo_size frame calculation (bsc#1045538).
- ALSA: snd-aoa: add of_node_put() in error path (bsc#1045538). - ALSA: usb-audio: Add sanity checks in v2 clock parsers (bsc#1045538). - ALSA: usb-audio: Add sanity checks to FE parser (bsc#1045538). - ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute (bsc#1045538). - ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() (bsc#1045538). - ALSA: usb-audio: Fix parameter block size for UAC2 control requests (bsc#1045538). - ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit (bsc#1045538). - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU (bsc#1045538). - ALSA: usb-audio: Set correct type for some UAC2 mixer controls (bsc#1045538). - ASoC: blackfin: Fix missing break (bsc#1045538). - Enforce module signatures if the kernel is locked down (bsc#1093666). - KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369). - KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369). - PCI: Fix TI816X class code quirk (bsc#1050431). - Refresh patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch (bsc#1105100). - TPM: Zero buffer whole after copying to userspace (bsc#1050381). - USB: add USB_DEVICE_INTERFACE_CLASS macro (bsc#1047487). - USB: hub: fix non-SS hub-descriptor handling (bsc#1047487). - USB: serial: ftdi_sio: fix latency-timer error handling (bsc#1037441). - USB: serial: io_edgeport: fix possible sleep-in-atomic (bsc#1037441). - USB: serial: io_ti: fix NULL-deref in interrupt callback (bsc#1106609). - USB: serial: sierra: fix potential deadlock at close (bsc#1100132). - USB: visor: Match I330 phone more precisely (bsc#1047487). - applicom: dereferencing NULL on error path (git-fixes). - ath5k: Change led pin configuration for compaq c700 laptop (bsc#1048185). - base: make module_create_drivers_dir race-free (git-fixes). - block: fix an error code in add_partition() (bsc#1106209). - btrfs: scrub: Do not use inode page cache in scrub_handle_errored_block() (bsc#1108096). 
- btrfs: scrub: Do not use inode pages for device replace (bsc#1107949). - dasd: Add IFCC notice message (bnc#1104481, LTC#170484). - drm/i915: Remove bogus __init annotation from DMI callbacks (bsc#1106886). - drm/i915: fix use-after-free in page_flip_completed() (bsc#1103909). - drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bsc#1106886). - drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() (bsc#1106886). - drm: crtc: integer overflow in drm_property_create_blob() (bsc#1106886). - drm: re-enable error handling (bsc#1103884) - fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106886). - iommu/amd: Finish TLB flush in amd_iommu_unmap() (bsc#1106105). - iommu/amd: Fix the left value check of cmd buffer (bsc#1106105). - iommu/amd: Free domain id when free a domain of struct dma_ops_domain (bsc#1106105). - iommu/amd: Update Alias-DTE in update_device_table() (bsc#1106105). - iommu/vt-d: Do not over-free page table directories (bsc#1106105). - iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105). - ipv6: Regenerate host route according to node pointer upon loopback up (bsc#1100705). - ipv6: correctly add local routes when lo goes up (bsc#1100705). - ipv6: introduce ip6_rt_put() (bsc#1100705). - ipv6: reallocate addrconf router for ipv6 address when lo device up (bsc#1100705). - kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - kthread, tracing: Do not expose half-written comm when creating kthreads (Git-fixes). - mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection (bnc#1107071). - mm/mempolicy.c: avoid use uninitialized preferred_node (bnc#1107064). - modsign: log module name in the event of an error (bsc#1093666). - modsign: print module name along with error message (bsc#1093666). - module: make it clear when we're handling the module copy in info->hdr (bsc#1093666). 
- module: setup load info before module_sig_check() (bsc#1093666). - nbd: ratelimit error msgs after socket close (bsc#1106206). - ncpfs: return proper error from NCP_IOC_SETROOT ioctl (bsc#1106199). - nvme: add device id's with intel stripe quirk (bsc#1097562). - perf/core: Fix group scheduling with mixed hw and sw events (Git-fixes). - perf/x86/intel: Add cpu_(prepare|starting|dying) for core_pmu (bsc#1104901). - powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032, git-fixes). - powerpc/fadump: Do not use hugepages when fadump is active (bsc#1092772, bsc#1107650). - powerpc/fadump: exclude memory holes while reserving memory in second kernel (bsc#1092772, bsc#1107650). - powerpc/fadump: re-register firmware-assisted dump if already registered (bsc#1108170, bsc#1108823). - powerpc/lib: Fix off-by-one in alternate feature patching (bsc#1064861). - powerpc/lib: Fix the feature fixup tests to actually work (bsc#1064861). - powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157, git-fixes). - powerpc: Avoid code patching freed init sections (bnc#1107735). - powerpc: make feature-fixup tests fortify-safe (bsc#1064861). - ptrace: fix PTRACE_LISTEN race corrupting task->state (bnc#1107001). - qlge: Fix netdev features configuration (bsc#1098822). - resource: fix integer overflow at reallocation (bsc#1045538). - rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199) - s390/ftrace: use expoline for indirect branches (bnc#1106930, LTC#171029). - s390/kernel: use expoline for indirect branches (bnc#1106930, LTC#171029). - s390/qeth: do not clobber buffer on async TX completion (bnc#1060245, LTC#170349). - s390: Correct register corruption in critical section cleanup (bnc#1106930, LTC#171029). - s390: add assembler macros for CPU alternatives (bnc#1106930, LTC#171029). - s390: detect etoken facility (bnc#1106930, LTC#171029). 
- s390: move expoline assembler macros to a header (bnc#1106930, LTC#171029). - s390: move spectre sysfs attribute code (bnc#1106930, LTC#171029). - s390: remove indirect branch from do_softirq_own_stack (bnc#1106930, LTC#171029). - smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132). - sys: do not hold uts_sem while accessing userspace memory (bnc#1106995). - tpm: fix race condition in tpm_common_write() (bsc#1050381). - tracing/blktrace: Fix to allow setting same value (bsc#1106212). - tty: vt, fix bogus division in csi_J (git-fixes). - tty: vt, return error when con_startup fails (git-fixes). - uml: fix hostfs mknod() (bsc#1106202). - usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1045538). - usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547). - x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818). - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081). - x86/init: fix build with CONFIG_SWAP=n (bsc#1105723). - x86/mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y (bsc#1106105). - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536). - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536). - x86/vdso: Fix vDSO build if a retpoline is emitted (git-fixes). - xen x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536). - xen x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - xen, x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818). - xen: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081). Special Instructions and Notes: Please reboot the system after installing this update. 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-kernel-13796=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-kernel-13796=1 - SUSE Linux Enterprise Server 11-EXTRA: zypper in -t patch slexsp3-kernel-13796=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-kernel-13796=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch): kernel-docs-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): kernel-default-3.0.101-108.71.1 kernel-default-base-3.0.101-108.71.1 kernel-default-devel-3.0.101-108.71.1 kernel-source-3.0.101-108.71.1 kernel-syms-3.0.101-108.71.1 kernel-trace-3.0.101-108.71.1 kernel-trace-base-3.0.101-108.71.1 kernel-trace-devel-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64): kernel-ec2-3.0.101-108.71.1 kernel-ec2-base-3.0.101-108.71.1 kernel-ec2-devel-3.0.101-108.71.1 kernel-xen-3.0.101-108.71.1 kernel-xen-base-3.0.101-108.71.1 kernel-xen-devel-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64): kernel-bigmem-3.0.101-108.71.1 kernel-bigmem-base-3.0.101-108.71.1 kernel-bigmem-devel-3.0.101-108.71.1 kernel-ppc64-3.0.101-108.71.1 kernel-ppc64-base-3.0.101-108.71.1 kernel-ppc64-devel-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-SP4 (s390x): kernel-default-man-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-SP4 (i586): kernel-pae-3.0.101-108.71.1 kernel-pae-base-3.0.101-108.71.1 kernel-pae-devel-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64): kernel-default-extra-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64): kernel-xen-extra-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-EXTRA (x86_64): 
kernel-trace-extra-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-EXTRA (ppc64): kernel-ppc64-extra-3.0.101-108.71.1 - SUSE Linux Enterprise Server 11-EXTRA (i586): kernel-pae-extra-3.0.101-108.71.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): kernel-default-debuginfo-3.0.101-108.71.1 kernel-default-debugsource-3.0.101-108.71.1 kernel-trace-debuginfo-3.0.101-108.71.1 kernel-trace-debugsource-3.0.101-108.71.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 s390x x86_64): kernel-default-devel-debuginfo-3.0.101-108.71.1 kernel-trace-devel-debuginfo-3.0.101-108.71.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64): kernel-ec2-debuginfo-3.0.101-108.71.1 kernel-ec2-debugsource-3.0.101-108.71.1 kernel-xen-debuginfo-3.0.101-108.71.1 kernel-xen-debugsource-3.0.101-108.71.1 kernel-xen-devel-debuginfo-3.0.101-108.71.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64): kernel-bigmem-debuginfo-3.0.101-108.71.1 kernel-bigmem-debugsource-3.0.101-108.71.1 kernel-ppc64-debuginfo-3.0.101-108.71.1 kernel-ppc64-debugsource-3.0.101-108.71.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586): kernel-pae-debuginfo-3.0.101-108.71.1 kernel-pae-debugsource-3.0.101-108.71.1 kernel-pae-devel-debuginfo-3.0.101-108.71.1 References: https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10940.html https://www.suse.com/security/cve/CVE-2018-12896.html https://www.suse.com/security/cve/CVE-2018-14617.html https://www.suse.com/security/cve/CVE-2018-14634.html https://www.suse.com/security/cve/CVE-2018-14734.html https://www.suse.com/security/cve/CVE-2018-15572.html https://www.suse.com/security/cve/CVE-2018-15594.html https://www.suse.com/security/cve/CVE-2018-16276.html https://www.suse.com/security/cve/CVE-2018-16658.html https://www.suse.com/security/cve/CVE-2018-6554.html https://www.suse.com/security/cve/CVE-2018-6555.html https://bugzilla.suse.com/1037441 https://bugzilla.suse.com/1045538 
https://bugzilla.suse.com/1047487 https://bugzilla.suse.com/1048185 https://bugzilla.suse.com/1050381 https://bugzilla.suse.com/1050431 https://bugzilla.suse.com/1057199 https://bugzilla.suse.com/1060245 https://bugzilla.suse.com/1064861 https://bugzilla.suse.com/1068032 https://bugzilla.suse.com/1080157 https://bugzilla.suse.com/1087081 https://bugzilla.suse.com/1092772 https://bugzilla.suse.com/1092903 https://bugzilla.suse.com/1093666 https://bugzilla.suse.com/1096547 https://bugzilla.suse.com/1097562 https://bugzilla.suse.com/1098822 https://bugzilla.suse.com/1099922 https://bugzilla.suse.com/1100132 https://bugzilla.suse.com/1100705 https://bugzilla.suse.com/1102517 https://bugzilla.suse.com/1102870 https://bugzilla.suse.com/1103119 https://bugzilla.suse.com/1103884 https://bugzilla.suse.com/1103909 https://bugzilla.suse.com/1104481 https://bugzilla.suse.com/1104684 https://bugzilla.suse.com/1104818 https://bugzilla.suse.com/1104901 https://bugzilla.suse.com/1105100 https://bugzilla.suse.com/1105322 https://bugzilla.suse.com/1105348 https://bugzilla.suse.com/1105536 https://bugzilla.suse.com/1105723 https://bugzilla.suse.com/1106095 https://bugzilla.suse.com/1106105 https://bugzilla.suse.com/1106199 https://bugzilla.suse.com/1106202 https://bugzilla.suse.com/1106206 https://bugzilla.suse.com/1106209 https://bugzilla.suse.com/1106212 https://bugzilla.suse.com/1106369 https://bugzilla.suse.com/1106509 https://bugzilla.suse.com/1106511 https://bugzilla.suse.com/1106609 https://bugzilla.suse.com/1106886 https://bugzilla.suse.com/1106930 https://bugzilla.suse.com/1106995 https://bugzilla.suse.com/1107001 https://bugzilla.suse.com/1107064 https://bugzilla.suse.com/1107071 https://bugzilla.suse.com/1107650 https://bugzilla.suse.com/1107689 https://bugzilla.suse.com/1107735 https://bugzilla.suse.com/1107949 https://bugzilla.suse.com/1108096 https://bugzilla.suse.com/1108170 https://bugzilla.suse.com/1108823 https://bugzilla.suse.com/1108912 From sle-updates at 
lists.suse.com Wed Sep 26 10:25:24 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 18:25:24 +0200 (CEST) Subject: SUSE-RU-2018:2882-1: moderate: Recommended update for firewalld-rpcbind-helper Message-ID: <20180926162524.A36A6FCD7@maintenance.suse.de> SUSE Recommended Update: Recommended update for firewalld-rpcbind-helper ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2882-1 Rating: moderate References: #1096064 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for firewalld-rpcbind-helper fixes the following issues: - Fix error when running in python3 context, because of a missing decode() call. (bsc#1096064) - Don't raise Exceptions when one of the target sysconfig files isn't installed. (bsc#1096064) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2044=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (noarch): firewalld-rpcbind-helper-0.1-3.3.6 References: https://bugzilla.suse.com/1096064 From sle-updates at lists.suse.com Wed Sep 26 10:26:05 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 18:26:05 +0200 (CEST) Subject: SUSE-SU-2018:2883-1: important: Security update for glibc Message-ID: <20180926162605.327F3FCD2@maintenance.suse.de> SUSE Security Update: Security update for glibc ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2883-1 Rating: important References: #1058774 #1064580 #1064583 #941234 Cross-References: CVE-2015-5180 CVE-2017-15670 CVE-2017-15804 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for glibc fixes the following security issues: - CVE-2017-15670: Prevent off-by-one error that led to a heap-based buffer overflow in the glob function, related to the processing of home directories using the ~ operator followed by a long string (bsc#1064583) - CVE-2017-15804: The glob function contained a buffer overflow during unescaping of user names with the ~ operator (bsc#1064580) - CVE-2015-5180: res_query in libresolv allowed remote attackers to cause a denial of service (NULL pointer dereference and process crash) (bsc#941234).
This non-security issue was fixed: - Fix inaccuracies in casin, cacos, casinh, cacosh (bsc#1058774) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-glibc-13795=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-glibc-13795=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-glibc-13795=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-glibc-13795=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-glibc-13795=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-glibc-13795=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64): glibc-html-2.11.3-17.110.19.2 glibc-info-2.11.3-17.110.19.2 - SUSE Linux Enterprise Server 11-SP4 (i586 i686 ia64 ppc64 s390x x86_64): glibc-2.11.3-17.110.19.2 glibc-devel-2.11.3-17.110.19.2 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): glibc-html-2.11.3-17.110.19.2 glibc-i18ndata-2.11.3-17.110.19.2 glibc-info-2.11.3-17.110.19.2 glibc-locale-2.11.3-17.110.19.2 glibc-profile-2.11.3-17.110.19.2 nscd-2.11.3-17.110.19.2 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): glibc-32bit-2.11.3-17.110.19.2 glibc-devel-32bit-2.11.3-17.110.19.2 glibc-locale-32bit-2.11.3-17.110.19.2 glibc-profile-32bit-2.11.3-17.110.19.2 - SUSE Linux Enterprise Server 11-SP4 (ia64): glibc-locale-x86-2.11.3-17.110.19.2 glibc-profile-x86-2.11.3-17.110.19.2 glibc-x86-2.11.3-17.110.19.2 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 i686 s390x x86_64): glibc-2.11.3-17.110.19.2 glibc-devel-2.11.3-17.110.19.2 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): glibc-html-2.11.3-17.110.19.2 glibc-i18ndata-2.11.3-17.110.19.2 glibc-info-2.11.3-17.110.19.2 
glibc-locale-2.11.3-17.110.19.2 glibc-profile-2.11.3-17.110.19.2 nscd-2.11.3-17.110.19.2 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64): glibc-32bit-2.11.3-17.110.19.2 glibc-devel-32bit-2.11.3-17.110.19.2 glibc-locale-32bit-2.11.3-17.110.19.2 glibc-profile-32bit-2.11.3-17.110.19.2 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586 i686): glibc-2.11.3-17.110.19.2 glibc-devel-2.11.3-17.110.19.2 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): glibc-html-2.11.3-17.110.19.2 glibc-i18ndata-2.11.3-17.110.19.2 glibc-info-2.11.3-17.110.19.2 glibc-locale-2.11.3-17.110.19.2 glibc-profile-2.11.3-17.110.19.2 nscd-2.11.3-17.110.19.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 i686 ia64 ppc64 s390x x86_64): glibc-debuginfo-2.11.3-17.110.19.2 glibc-debugsource-2.11.3-17.110.19.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64): glibc-debuginfo-32bit-2.11.3-17.110.19.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (ia64): glibc-debuginfo-x86-2.11.3-17.110.19.2 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 i686 s390x x86_64): glibc-debuginfo-2.11.3-17.110.19.2 glibc-debugsource-2.11.3-17.110.19.2 - SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64): glibc-debuginfo-32bit-2.11.3-17.110.19.2 References: https://www.suse.com/security/cve/CVE-2015-5180.html https://www.suse.com/security/cve/CVE-2017-15670.html https://www.suse.com/security/cve/CVE-2017-15804.html https://bugzilla.suse.com/1058774 https://bugzilla.suse.com/1064580 https://bugzilla.suse.com/1064583 https://bugzilla.suse.com/941234 From sle-updates at lists.suse.com Wed Sep 26 10:27:17 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 18:27:17 +0200 (CEST) Subject: SUSE-RU-2018:2884-1: moderate: Recommended update for salt Message-ID: <20180926162717.6F543FCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for salt ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2884-1 
Rating: moderate References: #1095942 #1102013 #1103530 #1104154 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for salt fixes the following issues: - Prepend current directory when path is just filename. (bsc#1095942) - Only do reverse DNS lookup on IPs for salt-ssh. (bsc#1104154) - Add support for Python 3.7 and Tornado 5.0. - Decode file contents for python2. (bsc#1102013, bsc#1103530) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-2043=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2043=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): salt-api-2018.3.0-5.12.1 salt-cloud-2018.3.0-5.12.1 salt-master-2018.3.0-5.12.1 salt-proxy-2018.3.0-5.12.1 salt-ssh-2018.3.0-5.12.1 salt-syndic-2018.3.0-5.12.1 - SUSE Linux Enterprise Module for Server Applications 15 (noarch): salt-fish-completion-2018.3.0-5.12.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): python2-salt-2018.3.0-5.12.1 python3-salt-2018.3.0-5.12.1 salt-2018.3.0-5.12.1 salt-doc-2018.3.0-5.12.1 salt-minion-2018.3.0-5.12.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): salt-bash-completion-2018.3.0-5.12.1 salt-zsh-completion-2018.3.0-5.12.1 References: https://bugzilla.suse.com/1095942 https://bugzilla.suse.com/1102013 https://bugzilla.suse.com/1103530 https://bugzilla.suse.com/1104154 From sle-updates at lists.suse.com Wed Sep 26 
10:29:00 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 26 Sep 2018 18:29:00 +0200 (CEST) Subject: SUSE-RU-2018:2886-1: moderate: Recommended update for gcc48 Message-ID: <20180926162900.F216CFCD2@maintenance.suse.de> SUSE Recommended Update: Recommended update for gcc48 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2886-1 Rating: moderate References: #1093797 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP3 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for gcc48 fixes the following issues: - Fixed a reload bug on aarch64 causing a kernel miscompile. [bsc#1093797] Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP3: zypper in -t patch SUSE-SLE-WE-12-SP3-2018-2038=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-2038=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2038=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2038=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64): gcc48-gij-32bit-4.8.5-31.17.1 gcc48-gij-4.8.5-31.17.1 gcc48-gij-debuginfo-32bit-4.8.5-31.17.1 gcc48-gij-debuginfo-4.8.5-31.17.1 libgcj48-32bit-4.8.5-31.17.1 libgcj48-4.8.5-31.17.1 libgcj48-debuginfo-32bit-4.8.5-31.17.1 libgcj48-debuginfo-4.8.5-31.17.1 libgcj48-debugsource-4.8.5-31.17.1 libgcj48-jar-4.8.5-31.17.1 libgcj_bc1-4.8.5-31.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): gcc48-debuginfo-4.8.5-31.17.1 gcc48-debugsource-4.8.5-31.17.1 gcc48-fortran-4.8.5-31.17.1 gcc48-fortran-debuginfo-4.8.5-31.17.1 gcc48-gij-4.8.5-31.17.1 gcc48-gij-debuginfo-4.8.5-31.17.1 gcc48-java-4.8.5-31.17.1 gcc48-java-debuginfo-4.8.5-31.17.1 gcc48-obj-c++-4.8.5-31.17.1 gcc48-obj-c++-debuginfo-4.8.5-31.17.1 gcc48-objc-4.8.5-31.17.1 gcc48-objc-debuginfo-4.8.5-31.17.1 libffi48-debugsource-4.8.5-31.17.1 libffi48-devel-4.8.5-31.17.1 libgcj48-4.8.5-31.17.1 libgcj48-debuginfo-4.8.5-31.17.1 libgcj48-debugsource-4.8.5-31.17.1 libgcj48-devel-4.8.5-31.17.1 libgcj48-devel-debuginfo-4.8.5-31.17.1 libgcj48-jar-4.8.5-31.17.1 libgcj_bc1-4.8.5-31.17.1 libobjc4-4.8.5-31.17.1 libobjc4-debuginfo-4.8.5-31.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (s390x x86_64): gcc48-objc-32bit-4.8.5-31.17.1 libobjc4-32bit-4.8.5-31.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64): gcc48-4.8.5-31.17.1 gcc48-c++-4.8.5-31.17.1 gcc48-c++-debuginfo-4.8.5-31.17.1 gcc48-locale-4.8.5-31.17.1 
libstdc++48-devel-4.8.5-31.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (x86_64): gcc48-ada-4.8.5-31.17.1 gcc48-ada-debuginfo-4.8.5-31.17.1 libada48-4.8.5-31.17.1 libada48-debuginfo-4.8.5-31.17.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (noarch): gcc48-info-4.8.5-31.17.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): cpp48-4.8.5-31.17.1 cpp48-debuginfo-4.8.5-31.17.1 gcc48-debuginfo-4.8.5-31.17.1 gcc48-debugsource-4.8.5-31.17.1 - SUSE Linux Enterprise Server 12-SP3 (ppc64le s390x x86_64): gcc48-4.8.5-31.17.1 gcc48-c++-4.8.5-31.17.1 gcc48-c++-debuginfo-4.8.5-31.17.1 gcc48-locale-4.8.5-31.17.1 libstdc++48-devel-4.8.5-31.17.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): gcc48-32bit-4.8.5-31.17.1 libstdc++48-devel-32bit-4.8.5-31.17.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): gcc48-info-4.8.5-31.17.1 - SUSE Linux Enterprise Server 12-SP3 (x86_64): libasan0-32bit-4.8.5-31.17.1 libasan0-4.8.5-31.17.1 libasan0-debuginfo-4.8.5-31.17.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): gcc48-info-4.8.5-31.17.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): cpp48-4.8.5-31.17.1 cpp48-debuginfo-4.8.5-31.17.1 gcc48-32bit-4.8.5-31.17.1 gcc48-4.8.5-31.17.1 gcc48-c++-4.8.5-31.17.1 gcc48-c++-debuginfo-4.8.5-31.17.1 gcc48-debuginfo-4.8.5-31.17.1 gcc48-debugsource-4.8.5-31.17.1 gcc48-gij-32bit-4.8.5-31.17.1 gcc48-gij-4.8.5-31.17.1 gcc48-gij-debuginfo-32bit-4.8.5-31.17.1 gcc48-gij-debuginfo-4.8.5-31.17.1 libasan0-32bit-4.8.5-31.17.1 libasan0-4.8.5-31.17.1 libasan0-debuginfo-4.8.5-31.17.1 libgcj48-32bit-4.8.5-31.17.1 libgcj48-4.8.5-31.17.1 libgcj48-debuginfo-32bit-4.8.5-31.17.1 libgcj48-debuginfo-4.8.5-31.17.1 libgcj48-debugsource-4.8.5-31.17.1 libgcj48-jar-4.8.5-31.17.1 libgcj_bc1-4.8.5-31.17.1 libstdc++48-devel-32bit-4.8.5-31.17.1 libstdc++48-devel-4.8.5-31.17.1 References: https://bugzilla.suse.com/1093797 From sle-updates at lists.suse.com Wed Sep 26 16:08:09 2018 From: sle-updates at lists.suse.com (sle-updates at 
lists.suse.com) Date: Thu, 27 Sep 2018 00:08:09 +0200 (CEST) Subject: SUSE-SU-2018:2887-1: moderate: Security update for php7 Message-ID: <20180926220809.02977FCD7@maintenance.suse.de> SUSE Security Update: Security update for php7 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2887-1 Rating: moderate References: #1108753 Cross-References: CVE-2018-17082 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for php7 fixes the following issues: - CVE-2018-17082: The Apache2 component in PHP allowed XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade was mishandled in the php_handler function (bsc#1108753). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-2046=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-2046=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.0.7-50.52.1 php7-debugsource-7.0.7-50.52.1 php7-devel-7.0.7-50.52.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.0.7-50.52.1 apache2-mod_php7-debuginfo-7.0.7-50.52.1 php7-7.0.7-50.52.1 php7-bcmath-7.0.7-50.52.1 php7-bcmath-debuginfo-7.0.7-50.52.1 php7-bz2-7.0.7-50.52.1 php7-bz2-debuginfo-7.0.7-50.52.1 php7-calendar-7.0.7-50.52.1 php7-calendar-debuginfo-7.0.7-50.52.1 php7-ctype-7.0.7-50.52.1 php7-ctype-debuginfo-7.0.7-50.52.1 php7-curl-7.0.7-50.52.1 php7-curl-debuginfo-7.0.7-50.52.1 php7-dba-7.0.7-50.52.1 php7-dba-debuginfo-7.0.7-50.52.1 php7-debuginfo-7.0.7-50.52.1 php7-debugsource-7.0.7-50.52.1 php7-dom-7.0.7-50.52.1 php7-dom-debuginfo-7.0.7-50.52.1 php7-enchant-7.0.7-50.52.1 php7-enchant-debuginfo-7.0.7-50.52.1 php7-exif-7.0.7-50.52.1 php7-exif-debuginfo-7.0.7-50.52.1 php7-fastcgi-7.0.7-50.52.1 php7-fastcgi-debuginfo-7.0.7-50.52.1 php7-fileinfo-7.0.7-50.52.1 php7-fileinfo-debuginfo-7.0.7-50.52.1 php7-fpm-7.0.7-50.52.1 php7-fpm-debuginfo-7.0.7-50.52.1 php7-ftp-7.0.7-50.52.1 php7-ftp-debuginfo-7.0.7-50.52.1 php7-gd-7.0.7-50.52.1 php7-gd-debuginfo-7.0.7-50.52.1 php7-gettext-7.0.7-50.52.1 php7-gettext-debuginfo-7.0.7-50.52.1 php7-gmp-7.0.7-50.52.1 php7-gmp-debuginfo-7.0.7-50.52.1 php7-iconv-7.0.7-50.52.1 php7-iconv-debuginfo-7.0.7-50.52.1 php7-imap-7.0.7-50.52.1 php7-imap-debuginfo-7.0.7-50.52.1 php7-intl-7.0.7-50.52.1 php7-intl-debuginfo-7.0.7-50.52.1 php7-json-7.0.7-50.52.1 php7-json-debuginfo-7.0.7-50.52.1 php7-ldap-7.0.7-50.52.1 php7-ldap-debuginfo-7.0.7-50.52.1 php7-mbstring-7.0.7-50.52.1 
php7-mbstring-debuginfo-7.0.7-50.52.1 php7-mcrypt-7.0.7-50.52.1 php7-mcrypt-debuginfo-7.0.7-50.52.1 php7-mysql-7.0.7-50.52.1 php7-mysql-debuginfo-7.0.7-50.52.1 php7-odbc-7.0.7-50.52.1 php7-odbc-debuginfo-7.0.7-50.52.1 php7-opcache-7.0.7-50.52.1 php7-opcache-debuginfo-7.0.7-50.52.1 php7-openssl-7.0.7-50.52.1 php7-openssl-debuginfo-7.0.7-50.52.1 php7-pcntl-7.0.7-50.52.1 php7-pcntl-debuginfo-7.0.7-50.52.1 php7-pdo-7.0.7-50.52.1 php7-pdo-debuginfo-7.0.7-50.52.1 php7-pgsql-7.0.7-50.52.1 php7-pgsql-debuginfo-7.0.7-50.52.1 php7-phar-7.0.7-50.52.1 php7-phar-debuginfo-7.0.7-50.52.1 php7-posix-7.0.7-50.52.1 php7-posix-debuginfo-7.0.7-50.52.1 php7-pspell-7.0.7-50.52.1 php7-pspell-debuginfo-7.0.7-50.52.1 php7-shmop-7.0.7-50.52.1 php7-shmop-debuginfo-7.0.7-50.52.1 php7-snmp-7.0.7-50.52.1 php7-snmp-debuginfo-7.0.7-50.52.1 php7-soap-7.0.7-50.52.1 php7-soap-debuginfo-7.0.7-50.52.1 php7-sockets-7.0.7-50.52.1 php7-sockets-debuginfo-7.0.7-50.52.1 php7-sqlite-7.0.7-50.52.1 php7-sqlite-debuginfo-7.0.7-50.52.1 php7-sysvmsg-7.0.7-50.52.1 php7-sysvmsg-debuginfo-7.0.7-50.52.1 php7-sysvsem-7.0.7-50.52.1 php7-sysvsem-debuginfo-7.0.7-50.52.1 php7-sysvshm-7.0.7-50.52.1 php7-sysvshm-debuginfo-7.0.7-50.52.1 php7-tokenizer-7.0.7-50.52.1 php7-tokenizer-debuginfo-7.0.7-50.52.1 php7-wddx-7.0.7-50.52.1 php7-wddx-debuginfo-7.0.7-50.52.1 php7-xmlreader-7.0.7-50.52.1 php7-xmlreader-debuginfo-7.0.7-50.52.1 php7-xmlrpc-7.0.7-50.52.1 php7-xmlrpc-debuginfo-7.0.7-50.52.1 php7-xmlwriter-7.0.7-50.52.1 php7-xmlwriter-debuginfo-7.0.7-50.52.1 php7-xsl-7.0.7-50.52.1 php7-xsl-debuginfo-7.0.7-50.52.1 php7-zip-7.0.7-50.52.1 php7-zip-debuginfo-7.0.7-50.52.1 php7-zlib-7.0.7-50.52.1 php7-zlib-debuginfo-7.0.7-50.52.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php7-pear-7.0.7-50.52.1 php7-pear-Archive_Tar-7.0.7-50.52.1 References: https://www.suse.com/security/cve/CVE-2018-17082.html https://bugzilla.suse.com/1108753 From sle-updates at lists.suse.com Thu Sep 27 04:10:52 2018 From: sle-updates at 
lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 12:10:52 +0200 (CEST) Subject: SUSE-SU-2018:2888-1: moderate: Security update for gd Message-ID: <20180927101052.32D93FD16@maintenance.suse.de> SUSE Security Update: Security update for gd ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2888-1 Rating: moderate References: #1105434 Cross-References: CVE-2018-1000222 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gd fixes the following issues: Security issue fixed: - CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that could result in remote code execution. This could have been exploited via specially crafted JPEG image files. (bsc#1105434) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2047=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2047=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): gd-2.2.5-4.3.1 gd-debuginfo-2.2.5-4.3.1 gd-debugsource-2.2.5-4.3.1 gd-devel-2.2.5-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): gd-debuginfo-2.2.5-4.3.1 gd-debugsource-2.2.5-4.3.1 libgd3-2.2.5-4.3.1 libgd3-debuginfo-2.2.5-4.3.1 References: https://www.suse.com/security/cve/CVE-2018-1000222.html https://bugzilla.suse.com/1105434 From sle-updates at lists.suse.com Thu Sep 27 07:08:24 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 15:08:24 +0200 (CEST) Subject: SUSE-SU-2018:2889-1: moderate: Security update for wireshark Message-ID: <20180927130824.ADE1CFD4A@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2889-1 Rating: moderate References: #1106514 Cross-References: CVE-2018-16056 CVE-2018-16057 CVE-2018-16058 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. 
Description: This update for wireshark to version 2.4.9 fixes the following issues: Security issues fixed (bsc#1106514): - CVE-2018-16058: Bluetooth AVDTP dissector crash (wnpa-sec-2018-44) - CVE-2018-16056: Bluetooth Attribute Protocol dissector crash (wnpa-sec-2018-45) - CVE-2018-16057: Radiotap dissector crash (wnpa-sec-2018-46) Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-2.4.9.html Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2052=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2052=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): wireshark-debuginfo-2.4.9-3.9.1 wireshark-debugsource-2.4.9-3.9.1 wireshark-devel-2.4.9-3.9.1 wireshark-ui-qt-2.4.9-3.9.1 wireshark-ui-qt-debuginfo-2.4.9-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libwireshark9-2.4.9-3.9.1 libwireshark9-debuginfo-2.4.9-3.9.1 libwiretap7-2.4.9-3.9.1 libwiretap7-debuginfo-2.4.9-3.9.1 libwscodecs1-2.4.9-3.9.1 libwscodecs1-debuginfo-2.4.9-3.9.1 libwsutil8-2.4.9-3.9.1 libwsutil8-debuginfo-2.4.9-3.9.1 wireshark-2.4.9-3.9.1 wireshark-debuginfo-2.4.9-3.9.1 wireshark-debugsource-2.4.9-3.9.1 References: https://www.suse.com/security/cve/CVE-2018-16056.html https://www.suse.com/security/cve/CVE-2018-16057.html https://www.suse.com/security/cve/CVE-2018-16058.html https://bugzilla.suse.com/1106514 From sle-updates at lists.suse.com Thu Sep 27 07:09:07 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 15:09:07 +0200 (CEST) Subject: SUSE-SU-2018:2890-1: important: 
Security update for MozillaFirefox Message-ID: <20180927130907.E339FFD4A@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2890-1 Rating: important References: #1107343 Cross-References: CVE-2017-16541 CVE-2018-12376 CVE-2018-12377 CVE-2018-12378 CVE-2018-12379 CVE-2018-12381 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for MozillaFirefox to ESR 60.2 fixes several issues. These general changes are part of the version 60 release. - New browser engine with speed improvements - Redesigned graphical user interface elements - Unified address and search bar for new installations - New tab page listing top visited, recently visited and recommended pages - Support for configuration policies in enterprise deployments via JSON files - Support for Web Authentication, allowing the use of USB tokens for authentication to web sites The following changes affect compatibility: - Now exclusively supports extensions built using the WebExtension API. - Unsupported legacy extensions will no longer work in Firefox 60 ESR - TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted The "security.pki.distrust_ca_policy" preference can be set to 0 to reinstate trust in those certificates The following issues affect performance: - new format for storing private keys, certificates and certificate trust If the user home or data directory is on a network file system, it is recommended that users set the following environment variable to avoid slowdowns: NSS_SDB_USE_CACHE=yes This setting is not recommended for local, fast file systems. 
These security issues were fixed: - CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343). - CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343). - CVE-2018-12376: Various memory safety bugs (bsc#1107343). - CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343). - CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343). - CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2053=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le x86_64): MozillaFirefox-60.2.0-3.10.1 MozillaFirefox-branding-SLE-60-4.3.1 MozillaFirefox-debuginfo-60.2.0-3.10.1 MozillaFirefox-debugsource-60.2.0-3.10.1 MozillaFirefox-devel-60.2.0-3.10.1 MozillaFirefox-translations-common-60.2.0-3.10.1 MozillaFirefox-translations-other-60.2.0-3.10.1 References: https://www.suse.com/security/cve/CVE-2017-16541.html https://www.suse.com/security/cve/CVE-2018-12376.html https://www.suse.com/security/cve/CVE-2018-12377.html https://www.suse.com/security/cve/CVE-2018-12378.html https://www.suse.com/security/cve/CVE-2018-12379.html https://www.suse.com/security/cve/CVE-2018-12381.html https://bugzilla.suse.com/1107343 From sle-updates at lists.suse.com Thu Sep 27 07:09:49 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 15:09:49 +0200 (CEST) Subject: SUSE-SU-2018:2891-1: moderate: Security update for wireshark Message-ID: <20180927130949.CEA3AFD4A@maintenance.suse.de> SUSE Security Update: Security update for wireshark 
______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2891-1 Rating: moderate References: #1094301 #1101776 #1101777 #1101786 #1101788 #1101791 #1101794 #1101800 #1101802 #1101804 #1101810 #1106514 Cross-References: CVE-2018-11354 CVE-2018-11355 CVE-2018-11356 CVE-2018-11357 CVE-2018-11358 CVE-2018-11359 CVE-2018-11360 CVE-2018-11361 CVE-2018-11362 CVE-2018-14339 CVE-2018-14340 CVE-2018-14341 CVE-2018-14342 CVE-2018-14343 CVE-2018-14344 CVE-2018-14367 CVE-2018-14368 CVE-2018-14369 CVE-2018-14370 CVE-2018-16056 CVE-2018-16057 CVE-2018-16058 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes 22 vulnerabilities is now available. Description: This update for wireshark to version 2.4.9 fixes the following issues: Wireshark was updated to 2.4.9 (bsc#1094301, bsc#1106514). Security issues fixed: - CVE-2018-16058: Bluetooth AVDTP dissector crash (wnpa-sec-2018-44) - CVE-2018-16056: Bluetooth Attribute Protocol dissector crash (wnpa-sec-2018-45) - CVE-2018-16057: Radiotap dissector crash (wnpa-sec-2018-46) - CVE-2018-11355: Fix RTCP dissector crash (bsc#1094301). - CVE-2018-14370: IEEE 802.11 dissector crash (wnpa-sec-2018-43, bsc#1101802) - CVE-2018-14368: Bazaar dissector infinite loop (wnpa-sec-2018-40, bsc#1101794) - CVE-2018-11362: Fix LDSS dissector crash (bsc#1094301). - CVE-2018-11361: Fix IEEE 802.11 dissector crash (bsc#1094301). - CVE-2018-11360: Fix GSM A DTAP dissector crash (bsc#1094301). 
- CVE-2018-14342: BGP dissector large loop (wnpa-sec-2018-34, bsc#1101777) - CVE-2018-14343: ASN.1 BER dissector crash (wnpa-sec-2018-37, bsc#1101786) - CVE-2018-14340: Multiple dissectors could crash (wnpa-sec-2018-36, bsc#1101804) - CVE-2018-14341: DICOM dissector crash (wnpa-sec-2018-39, bsc#1101776) - CVE-2018-11358: Fix Q.931 dissector crash (bsc#1094301). - CVE-2018-14344: ISMP dissector crash (wnpa-sec-2018-35, bsc#1101788) - CVE-2018-11359: Fix multiple dissector crashes (bsc#1094301). - CVE-2018-11356: Fix DNS dissector crash (bsc#1094301). - CVE-2018-14339: MMSE dissector infinite loop (wnpa-sec-2018-38, bsc#1101810) - CVE-2018-11357: Fix multiple dissectors that could consume excessive memory (bsc#1094301). - CVE-2018-14367: CoAP dissector crash (wnpa-sec-2018-42, bsc#1101791) - CVE-2018-11354: Fix IEEE 1905.1a dissector crash (bsc#1094301). - CVE-2018-14369: HTTP2 dissector crash (wnpa-sec-2018-41, bsc#1101800) Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-2.4.9.html Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2051=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-2051=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2051=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-2051=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2051=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2051=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2051=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-2051=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2051=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-2051=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-devel-2.4.9-48.29.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 
wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 
wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 - SUSE Enterprise Storage 4 (x86_64): libwireshark9-2.4.9-48.29.1 libwireshark9-debuginfo-2.4.9-48.29.1 libwiretap7-2.4.9-48.29.1 libwiretap7-debuginfo-2.4.9-48.29.1 libwscodecs1-2.4.9-48.29.1 libwscodecs1-debuginfo-2.4.9-48.29.1 libwsutil8-2.4.9-48.29.1 libwsutil8-debuginfo-2.4.9-48.29.1 wireshark-2.4.9-48.29.1 wireshark-debuginfo-2.4.9-48.29.1 wireshark-debugsource-2.4.9-48.29.1 wireshark-gtk-2.4.9-48.29.1 wireshark-gtk-debuginfo-2.4.9-48.29.1 References: https://www.suse.com/security/cve/CVE-2018-11354.html https://www.suse.com/security/cve/CVE-2018-11355.html https://www.suse.com/security/cve/CVE-2018-11356.html https://www.suse.com/security/cve/CVE-2018-11357.html https://www.suse.com/security/cve/CVE-2018-11358.html https://www.suse.com/security/cve/CVE-2018-11359.html https://www.suse.com/security/cve/CVE-2018-11360.html https://www.suse.com/security/cve/CVE-2018-11361.html https://www.suse.com/security/cve/CVE-2018-11362.html 
https://www.suse.com/security/cve/CVE-2018-14339.html https://www.suse.com/security/cve/CVE-2018-14340.html https://www.suse.com/security/cve/CVE-2018-14341.html https://www.suse.com/security/cve/CVE-2018-14342.html https://www.suse.com/security/cve/CVE-2018-14343.html https://www.suse.com/security/cve/CVE-2018-14344.html https://www.suse.com/security/cve/CVE-2018-14367.html https://www.suse.com/security/cve/CVE-2018-14368.html https://www.suse.com/security/cve/CVE-2018-14369.html https://www.suse.com/security/cve/CVE-2018-14370.html https://www.suse.com/security/cve/CVE-2018-16056.html https://www.suse.com/security/cve/CVE-2018-16057.html https://www.suse.com/security/cve/CVE-2018-16058.html https://bugzilla.suse.com/1094301 https://bugzilla.suse.com/1101776 https://bugzilla.suse.com/1101777 https://bugzilla.suse.com/1101786 https://bugzilla.suse.com/1101788 https://bugzilla.suse.com/1101791 https://bugzilla.suse.com/1101794 https://bugzilla.suse.com/1101800 https://bugzilla.suse.com/1101802 https://bugzilla.suse.com/1101804 https://bugzilla.suse.com/1101810 https://bugzilla.suse.com/1106514 From sle-updates at lists.suse.com Thu Sep 27 07:16:29 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 15:16:29 +0200 (CEST) Subject: SUSE-RU-2018:2892-1: moderate: Recommended update for autoyast2 Message-ID: <20180927131629.CCCC3FD4A@maintenance.suse.de> SUSE Recommended Update: Recommended update for autoyast2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2892-1 Rating: moderate References: #1095113 #1098794 #1104655 #1105711 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for autoyast2 provides the following fixes: - AutoInstallRules: Fix a crash while merging profiles. 
(bsc#1105711) - AutoInstallRules: Increase the default maxdepth for not crashing with a big software package list. (bsc#1104655) - Installation/Update: Do not call registration if module yast2-registration is not available in inst-sys. (bsc#1098794) - Autoyast configuration module: Report XML errors while reading an Autoyast configuration file. (bsc#1098794) - Added additional search keys to desktop file. (fate#321043) - Show AutoYaST configuration file errors just once. (bsc#1095113) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2049=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (noarch): autoyast2-4.0.61-3.3.1 autoyast2-installation-4.0.61-3.3.1 References: https://bugzilla.suse.com/1095113 https://bugzilla.suse.com/1098794 https://bugzilla.suse.com/1104655 https://bugzilla.suse.com/1105711 From sle-updates at lists.suse.com Thu Sep 27 07:18:31 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 15:18:31 +0200 (CEST) Subject: SUSE-RU-2018:2893-1: moderate: Recommended update for powerpc-utils Message-ID: <20180927131831.C20A5FD4A@maintenance.suse.de> SUSE Recommended Update: Recommended update for powerpc-utils ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2893-1 Rating: moderate References: #1099910 Affected Products: SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for powerpc-utils fixes the following issues: - Display logical name using bootlist -o option (bsc#1099910) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2048=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (ppc64le): powerpc-utils-1.3.3-7.6.2 powerpc-utils-debuginfo-1.3.3-7.6.2 powerpc-utils-debugsource-1.3.3-7.6.2 References: https://bugzilla.suse.com/1099910 From sle-updates at lists.suse.com Thu Sep 27 07:19:31 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 15:19:31 +0200 (CEST) Subject: SUSE-SU-2018:2894-1: important: Security update for mgetty Message-ID: <20180927131931.DCB2FFD41@maintenance.suse.de> SUSE Security Update: Security update for mgetty ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2894-1 Rating: important References: #1108752 #1108756 #1108757 #1108761 #1108762 Cross-References: CVE-2018-16741 CVE-2018-16742 CVE-2018-16743 CVE-2018-16744 CVE-2018-16745 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for mgetty fixes the following issues: - CVE-2018-16741: The function do_activate() did not properly sanitize shell metacharacters to prevent command injection (bsc#1108752). - CVE-2018-16745: The mail_to parameter was not sanitized, leading to a buffer overflow if long untrusted input reached it (bsc#1108756). - CVE-2018-16744: The mail_to parameter was not sanitized, leading to command injection if untrusted input reached it (bsc#1108757).
- CVE-2018-16742: Prevent stack-based buffer overflow that could have been triggered via a command-line parameter (bsc#1108762). - CVE-2018-16743: The command-line parameter username was passed unsanitized to strcpy(), which could have caused a stack-based buffer overflow (bsc#1108761). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2054=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): g3utils-1.1.37-3.3.2 g3utils-debuginfo-1.1.37-3.3.2 mgetty-1.1.37-3.3.2 mgetty-debuginfo-1.1.37-3.3.2 mgetty-debugsource-1.1.37-3.3.2 References: https://www.suse.com/security/cve/CVE-2018-16741.html https://www.suse.com/security/cve/CVE-2018-16742.html https://www.suse.com/security/cve/CVE-2018-16743.html https://www.suse.com/security/cve/CVE-2018-16744.html https://www.suse.com/security/cve/CVE-2018-16745.html https://bugzilla.suse.com/1108752 https://bugzilla.suse.com/1108756 https://bugzilla.suse.com/1108757 https://bugzilla.suse.com/1108761 https://bugzilla.suse.com/1108762 From sle-updates at lists.suse.com Thu Sep 27 07:21:54 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 15:21:54 +0200 (CEST) Subject: SUSE-RU-2018:2896-1: moderate: Recommended update for mozjs52 Message-ID: <20180927132154.DCD43FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for mozjs52 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2896-1 Rating: moderate References: #1082720 #1093033 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for mozjs52 provides the following fixes: - Fix building failing on PowerPC due to memory constraints. - Fix build errors on ppc64 (BE). (bsc#1093033) - Fix armv6 build by fixing armv6 detection. - Use system zlib instead of the bundled one to avoid potential problems when trying to use system zlib while mozjs52-devel is installed. (bsc#1082720) - Drop unused dependency on zip. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2050=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2050=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): mozjs52-debuginfo-52.6.0-3.3.2 mozjs52-debugsource-52.6.0-3.3.2 mozjs52-devel-52.6.0-3.3.2 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libmozjs-52-52.6.0-3.3.2 libmozjs-52-debuginfo-52.6.0-3.3.2 mozjs52-debuginfo-52.6.0-3.3.2 mozjs52-debugsource-52.6.0-3.3.2 References: https://bugzilla.suse.com/1082720 https://bugzilla.suse.com/1093033 From sle-updates at lists.suse.com Thu Sep 27 10:09:03 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 18:09:03 +0200 (CEST) Subject: SUSE-SU-2018:2898-1: important: Security update for smt, yast2-smt Message-ID: <20180927160903.48AA6FD41@maintenance.suse.de> SUSE Security Update: Security update for smt, yast2-smt ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2898-1 Rating: important References: 
#1006984 #1006989 #1037811 #1097560 #1097824 #1103809 #1103810 #1104076 #977043 Cross-References: CVE-2018-12470 CVE-2018-12471 CVE-2018-12472 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Module for Public Cloud 12 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that solves three vulnerabilities and has 6 fixes is now available. Description: This update for yast2-smt to 3.0.14 and smt to 3.0.37 fixes the following issues: These security issues were fixed in SMT: - CVE-2018-12471: XML External Entity processing in the RegistrationSharing modules allowed arbitrary file read (bsc#1103809). - CVE-2018-12470: SQL injection in RegistrationSharing module allows remote attackers to run arbitrary SQL statements (bsc#1103810). - CVE-2018-12472: Authentication bypass in sibling check facilitated further attacks on SMT (bsc#1104076). SUSE would like to thank Jake Miller for reporting these issues to us. These non-security issues were fixed in SMT: - Fix cron jobs randomization (bsc#1097560) - Fix duplicate migration paths (bsc#1097824) These non-security issues were fixed in yast2-smt: - Remove cron job rescheduling (bsc#1097560) - Added missing translation marks (bsc#1037811) - Explicitly mention "Organization Credentials" (fate#321759) - Rearrange the SMT set-up dialog (bsc#977043) - Make the Filter button default (bsc#1006984) - Prevent exiting the repo selection dialog via hitting Enter in the repository filter (bsc#1006984) - Report when error occurs during repo mirroring (bsc#1006989) - Use TextEntry-based filter for repos (fate#319777) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2056=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2056=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-2056=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2056=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2056=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2056=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-2056=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-2056=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): yast2-smt-3.0.14-10.6.2 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): 
res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): yast2-smt-3.0.14-10.6.2 - SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64): smt-ha-3.0.37-52.23.6 - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): perl-File-Touch-0.11-3.2.2 - SUSE Enterprise Storage 4 (x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 References: https://www.suse.com/security/cve/CVE-2018-12470.html https://www.suse.com/security/cve/CVE-2018-12471.html https://www.suse.com/security/cve/CVE-2018-12472.html https://bugzilla.suse.com/1006984 https://bugzilla.suse.com/1006989 https://bugzilla.suse.com/1037811 https://bugzilla.suse.com/1097560 https://bugzilla.suse.com/1097824 https://bugzilla.suse.com/1103809 https://bugzilla.suse.com/1103810 https://bugzilla.suse.com/1104076 https://bugzilla.suse.com/977043 From sle-updates at lists.suse.com Thu Sep 27 10:12:05 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 18:12:05 +0200 (CEST) Subject: SUSE-SU-2018:2899-1: important: Security update for smt Message-ID: <20180927161205.2F714FD4A@maintenance.suse.de> SUSE Security Update: Security update for smt ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2899-1 Rating: important References: #1072921 #1074608 #1103809 #1103810 #1104076 Cross-References: CVE-2018-12470 CVE-2018-12471 CVE-2018-12472 Affected Products: Subscription Management Tool for SUSE Linux Enterprise 11-SP3 ______________________________________________________________________________ An update that solves three vulnerabilities and has two fixes is now available. 
Description: This update for smt to 2.0.34 fixes the following issues: These security issues were fixed: - CVE-2018-12471: XML External Entity processing in the RegistrationSharing modules allowed arbitrary file read (bsc#1103809) - CVE-2018-12470: SQL injection in RegistrationSharing module allows remote attackers to run arbitrary SQL statements (bsc#1103810) - CVE-2018-12472: Authentication bypass in sibling check facilitated further attacks on SMT (bsc#1104076) SUSE would like to thank Jake Miller for reporting these issues to us. This non-security issue was fixed: - More verbose incomplete registration logging (bsc#1072921, bsc#1074608) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - Subscription Management Tool for SUSE Linux Enterprise 11-SP3: zypper in -t patch slesmtsp3-smt-13798=1 Package List: - Subscription Management Tool for SUSE Linux Enterprise 11-SP3 (i586 s390x x86_64): res-signingkeys-2.0.34-50.8.1 smt-2.0.34-50.8.1 smt-support-2.0.34-50.8.1 References: https://www.suse.com/security/cve/CVE-2018-12470.html https://www.suse.com/security/cve/CVE-2018-12471.html https://www.suse.com/security/cve/CVE-2018-12472.html https://bugzilla.suse.com/1072921 https://bugzilla.suse.com/1074608 https://bugzilla.suse.com/1103809 https://bugzilla.suse.com/1103810 https://bugzilla.suse.com/1104076 From sle-updates at lists.suse.com Thu Sep 27 10:13:41 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 18:13:41 +0200 (CEST) Subject: SUSE-RU-2018:2900-1: moderate: Recommended update for openldap2 Message-ID: <20180927161341.3A95EFD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for openldap2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2900-1 Rating: moderate References:
#1089640 Affected Products: SUSE Linux Enterprise Module for Legacy Software 15 SUSE Linux Enterprise Module for Development Tools 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Legacy Software 15: zypper in -t patch SUSE-SLE-Module-Legacy-15-2018-2055=1 - SUSE Linux Enterprise Module for Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-2055=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2055=1 Package List: - SUSE Linux Enterprise Module for Legacy Software 15 (aarch64 ppc64le s390x x86_64): openldap2-2.4.46-9.3.1 openldap2-back-meta-2.4.46-9.3.1 openldap2-back-meta-debuginfo-2.4.46-9.3.1 openldap2-back-perl-2.4.46-9.3.1 openldap2-back-perl-debuginfo-2.4.46-9.3.1 openldap2-debuginfo-2.4.46-9.3.1 openldap2-debugsource-2.4.46-9.3.1 - SUSE Linux Enterprise Module for Development Tools 15 (x86_64): openldap2-debugsource-2.4.46-9.3.1 openldap2-devel-32bit-2.4.46-9.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.46-9.3.1 libldap-2_4-2-debuginfo-2.4.46-9.3.1 openldap2-client-2.4.46-9.3.1 openldap2-client-debuginfo-2.4.46-9.3.1 openldap2-debuginfo-2.4.46-9.3.1 openldap2-debugsource-2.4.46-9.3.1 openldap2-devel-2.4.46-9.3.1 openldap2-devel-static-2.4.46-9.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libldap-2_4-2-32bit-2.4.46-9.3.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.3.1 References: 
https://bugzilla.suse.com/1089640 From sle-updates at lists.suse.com Thu Sep 27 10:14:58 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 18:14:58 +0200 (CEST) Subject: SUSE-SU-2018:2902-1: important: Security update for yast2-smt Message-ID: <20180927161458.4646CFD41@maintenance.suse.de> SUSE Security Update: Security update for yast2-smt ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2902-1 Rating: important References: #1037811 #1097560 #977043 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update fixes the following issues in yast2-smt: - Explicitly mention "Organization Credentials" (fate#321759) - Rearrange the SMT set-up dialog (bsc#977043) - Added missing translation marks (bsc#1037811) - Remove cron job rescheduling (bsc#1097560) This update is a requirement for the security update for SMT. Because of that it is tagged as security to ensure that all users, even those that only install security updates, install it. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2059=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2059=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2059=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-2059=1 Package List: - SUSE OpenStack Cloud 7 (noarch): yast2-smt-3.0.14-17.3.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): yast2-smt-3.0.14-17.3.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): yast2-smt-3.0.14-17.3.2 - SUSE Enterprise Storage 4 (noarch): yast2-smt-3.0.14-17.3.2 References: https://bugzilla.suse.com/1037811 https://bugzilla.suse.com/1097560 https://bugzilla.suse.com/977043 From sle-updates at lists.suse.com Thu Sep 27 10:16:08 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 18:16:08 +0200 (CEST) Subject: SUSE-RU-2018:2903-1: moderate: Recommended update for SAPHanaSR-ScaleOut Message-ID: <20180927161608.AF00CFD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for SAPHanaSR-ScaleOut ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2903-1 Rating: moderate References: #1098979 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for SAPHanaSR-ScaleOut provides the following fix: - Allow virtual host names in SAPHanaTopology and SAPHanaController to prevent a wrong promotion scoring. (bsc#1098979) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-2061=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): SAPHanaSR-ScaleOut-0.163.2-3.8.1 References: https://bugzilla.suse.com/1098979 From sle-updates at lists.suse.com Thu Sep 27 10:16:48 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 18:16:48 +0200 (CEST) Subject: SUSE-SU-2018:2904-1: important: Security update for yast2-smt Message-ID: <20180927161648.75E19FD41@maintenance.suse.de> SUSE Security Update: Security update for yast2-smt ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2904-1 Rating: important References: #1097560 Affected Products: SUSE Linux Enterprise Server 12-SP3 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update fixes the following issue in yast2-smt: - Remove cron job rescheduling (bsc#1097560) This update is a requirement for the security update for SMT. Because of that it is tagged as security to ensure that all users, even those that only install security updates, install it. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2058=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (noarch): yast2-smt-3.0.14-3.3.1 References: https://bugzilla.suse.com/1097560 From sle-updates at lists.suse.com Thu Sep 27 10:18:03 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 18:18:03 +0200 (CEST) Subject: SUSE-RU-2018:2906-1: moderate: Recommended update for SAPHanaSR-ScaleOut Message-ID: <20180927161803.92EADFD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for SAPHanaSR-ScaleOut ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2906-1 Rating: moderate References: #1098979 Affected Products: SUSE Linux Enterprise Module for SAP Applications 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for SAPHanaSR-ScaleOut provides the following fix: - Allow virtual host names in SAPHanaTopology and SAPHanaController to prevent a wrong promotion scoring. (bsc#1098979) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SAP Applications 15: zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-2018-2060=1 Package List: - SUSE Linux Enterprise Module for SAP Applications 15 (noarch): SAPHanaSR-ScaleOut-0.163.2-3.6.2 SAPHanaSR-ScaleOut-doc-0.163.2-3.6.2 References: https://bugzilla.suse.com/1098979 From sle-updates at lists.suse.com Thu Sep 27 13:08:12 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 21:08:12 +0200 (CEST) Subject: SUSE-SU-2018:2907-1: important: Security update for the Linux Kernel Message-ID: <20180927190812.4990FFD4A@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2907-1 Rating: important References: #1057199 #1087081 #1092903 #1102517 #1103119 #1104367 #1104684 #1104818 #1105100 #1105296 #1105322 #1105323 #1105536 #1106369 #1106509 #1106511 #1107001 #1107689 #1108912 Cross-References: CVE-2018-10902 CVE-2018-10940 CVE-2018-14634 CVE-2018-14734 CVE-2018-15572 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555 Affected Products: SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Server 11-EXTRA SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves 8 vulnerabilities and has 11 fixes is now available. Description: The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-14634: Prevent integer overflow in create_elf_tables that allowed a local attacker to exploit this vulnerability via a SUID-root binary and obtain full root privileges (bsc#1108912). 
- CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903) - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689) - CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511) - CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509) - CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517) - CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322). - CVE-2018-14734: ucma_leave_multicast accessed a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bsc#1103119). The following non-security bugs were fixed: - KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369). - KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369). - KVM: x86: Free vmx_msr_bitmap_longmode while kvm_init failed (bsc#1104367). - Refresh patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch (bsc#1105100). - kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- ptrace: fix PTRACE_LISTEN race corrupting task->state (bnc#1107001). - rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199) - x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818). - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536). - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081). - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536). - xen x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536). - xen x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536). - xen, x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818). - xen: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-kernel-13799=1 - SUSE Linux Enterprise Server 11-EXTRA: zypper in -t patch slexsp3-kernel-13799=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-kernel-13799=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-kernel-13799=1 Package List: - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): kernel-default-3.0.101-0.47.106.50.1 kernel-default-base-3.0.101-0.47.106.50.1 kernel-default-devel-3.0.101-0.47.106.50.1 kernel-source-3.0.101-0.47.106.50.1 kernel-syms-3.0.101-0.47.106.50.1 kernel-trace-3.0.101-0.47.106.50.1 kernel-trace-base-3.0.101-0.47.106.50.1 kernel-trace-devel-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64): kernel-ec2-3.0.101-0.47.106.50.1 kernel-ec2-base-3.0.101-0.47.106.50.1 kernel-ec2-devel-3.0.101-0.47.106.50.1 kernel-xen-3.0.101-0.47.106.50.1 kernel-xen-base-3.0.101-0.47.106.50.1 kernel-xen-devel-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64): kernel-bigsmp-3.0.101-0.47.106.50.1 kernel-bigsmp-base-3.0.101-0.47.106.50.1 kernel-bigsmp-devel-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x): kernel-default-man-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586): kernel-pae-3.0.101-0.47.106.50.1 kernel-pae-base-3.0.101-0.47.106.50.1 kernel-pae-devel-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64): kernel-default-extra-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64): kernel-xen-extra-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-EXTRA (x86_64): kernel-bigsmp-extra-3.0.101-0.47.106.50.1 kernel-trace-extra-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-EXTRA (ppc64): kernel-ppc64-extra-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Server 11-EXTRA (i586): 
kernel-pae-extra-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): kernel-default-3.0.101-0.47.106.50.1 kernel-default-base-3.0.101-0.47.106.50.1 kernel-default-devel-3.0.101-0.47.106.50.1 kernel-ec2-3.0.101-0.47.106.50.1 kernel-ec2-base-3.0.101-0.47.106.50.1 kernel-ec2-devel-3.0.101-0.47.106.50.1 kernel-pae-3.0.101-0.47.106.50.1 kernel-pae-base-3.0.101-0.47.106.50.1 kernel-pae-devel-3.0.101-0.47.106.50.1 kernel-source-3.0.101-0.47.106.50.1 kernel-syms-3.0.101-0.47.106.50.1 kernel-trace-3.0.101-0.47.106.50.1 kernel-trace-base-3.0.101-0.47.106.50.1 kernel-trace-devel-3.0.101-0.47.106.50.1 kernel-xen-3.0.101-0.47.106.50.1 kernel-xen-base-3.0.101-0.47.106.50.1 kernel-xen-devel-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): kernel-default-debuginfo-3.0.101-0.47.106.50.1 kernel-default-debugsource-3.0.101-0.47.106.50.1 kernel-trace-debuginfo-3.0.101-0.47.106.50.1 kernel-trace-debugsource-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64): kernel-ec2-debuginfo-3.0.101-0.47.106.50.1 kernel-ec2-debugsource-3.0.101-0.47.106.50.1 kernel-xen-debuginfo-3.0.101-0.47.106.50.1 kernel-xen-debugsource-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64): kernel-bigsmp-debuginfo-3.0.101-0.47.106.50.1 kernel-bigsmp-debugsource-3.0.101-0.47.106.50.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586): kernel-pae-debuginfo-3.0.101-0.47.106.50.1 kernel-pae-debugsource-3.0.101-0.47.106.50.1 References: https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10940.html https://www.suse.com/security/cve/CVE-2018-14634.html https://www.suse.com/security/cve/CVE-2018-14734.html https://www.suse.com/security/cve/CVE-2018-15572.html https://www.suse.com/security/cve/CVE-2018-16658.html https://www.suse.com/security/cve/CVE-2018-6554.html https://www.suse.com/security/cve/CVE-2018-6555.html https://bugzilla.suse.com/1057199 
https://bugzilla.suse.com/1087081 https://bugzilla.suse.com/1092903 https://bugzilla.suse.com/1102517 https://bugzilla.suse.com/1103119 https://bugzilla.suse.com/1104367 https://bugzilla.suse.com/1104684 https://bugzilla.suse.com/1104818 https://bugzilla.suse.com/1105100 https://bugzilla.suse.com/1105296 https://bugzilla.suse.com/1105322 https://bugzilla.suse.com/1105323 https://bugzilla.suse.com/1105536 https://bugzilla.suse.com/1106369 https://bugzilla.suse.com/1106509 https://bugzilla.suse.com/1106511 https://bugzilla.suse.com/1107001 https://bugzilla.suse.com/1107689 https://bugzilla.suse.com/1108912 From sle-updates at lists.suse.com Thu Sep 27 13:13:02 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 27 Sep 2018 21:13:02 +0200 (CEST) Subject: SUSE-SU-2018:2908-1: important: Security update for the Linux Kernel Message-ID: <20180927191302.067C3FD4A@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2908-1 Rating: important References: #1012382 #1024788 #1062604 #1064233 #1065999 #1090534 #1090955 #1091171 #1092903 #1096547 #1097104 #1097108 #1099811 #1099813 #1099844 #1099845 #1099846 #1099849 #1099863 #1099864 #1099922 #1100001 #1102870 #1103445 #1104319 #1104495 #1104818 #1104906 #1105100 #1105322 #1105323 #1105396 #1106095 #1106369 #1106509 #1106511 #1107689 #1108912 Cross-References: CVE-2018-10853 CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-10902 CVE-2018-10940 CVE-2018-12896 CVE-2018-13093 CVE-2018-14617 CVE-2018-14634 CVE-2018-16276 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555 Affected Products: SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Module for Public Cloud 12 ______________________________________________________________________________ An update that solves 19 vulnerabilities 
and has 19 fixes is now available. Description: The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2018-14634: Prevent integer overflow in create_elf_tables that allowed a local attacker to exploit this vulnerability via a SUID-root binary and obtain full root privileges (bsc#1108912) - CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870) - CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in yurex_read allowed local attackers to use user access read/writes to crash the kernel or potentially escalate privileges (bsc#1106095) - CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922) - CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. 
This occurred because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001) - CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903) - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689) - CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511) - CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509) - CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322) - CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844) - CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863) - CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). 
An attacker could have used this to cause a system crash and a denial of service (bsc#1099845) - CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849) - CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864) - CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846) - CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811) - CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813) - CVE-2018-10853: The KVM hypervisor did not check current privilege (CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could have used this flaw to potentially escalate privileges inside guest (bsc#1097104). The following non-security bugs were fixed: - KEYS: prevent creating a different user's keyrings (bnc#1065999). - KVM: MMU: always terminate page walks at level 1 (bsc#1062604). - KVM: MMU: simplify last_pte_bitmap (bsc#1062604). - KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369). - KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369). - KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604). - Refresh patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch (bsc#1105100). - Do not report CPU affected by L1TF when ARCH_CAP_RDCL_NO bit is set (bsc#1104906). 
- Revert "- Disable patches.arch/x86-mm-Simplify-p-g4um-d_page-macros.patch" (bnc#1104818) - bcache: avoid unncessary cache prefetch bch_btree_node_get(). - bcache: calculate the number of incremental GC nodes according to the total of btree nodes. - bcache: display rate debug parameters to 0 when writeback is not running. - bcache: do not check return value of debugfs_create_dir(). - bcache: finish incremental GC. - bcache: fix I/O significant decline while backend devices registering. - bcache: fix error setting writeback_rate through sysfs interface (bsc#1064233). - bcache: free heap cache_set->flush_btree in bch_journal_free. - bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section. - bcache: release dc->writeback_lock properly in bch_writeback_thread(). - bcache: set max writeback rate when I/O request is idle (bsc#1064233). - bcache: simplify the calculation of the total amount of flash dirty data. - cifs: Fix infinite loop when using hard mount option (bsc#1091171). - ext4: check for allocation block validity with block group locked (bsc#1104495). - ext4: do not update checksum of new initialized bitmaps (bnc#1012382). - ext4: fix check to prevent initializing reserved inodes (bsc#1104319). - ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445). - restore cond_resched() in shrink_dcache_parent(). - usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547). - x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104818). - x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369). - xen, x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104818). - xfs: Remove dead code from inode recover function (bsc#1105396). - xfs: convert XFS_AGFL_SIZE to a helper function (bsc#1090955, bsc#1090534). - xfs: detect agfl count corruption and reset agfl (bsc#1090955, bsc#1090534). 
- xfs: do not log/recover swapext extent owner changes for deleted inodes (bsc#1090955). - xfs: protect inode ->di_dmstate with a spinlock (bsc#1024788). - xfs: repair malformed inode items during log recovery (bsc#1105396). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2063=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-2063=1 Package List: - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): kernel-default-3.12.74-60.64.104.1 kernel-default-base-3.12.74-60.64.104.1 kernel-default-base-debuginfo-3.12.74-60.64.104.1 kernel-default-debuginfo-3.12.74-60.64.104.1 kernel-default-debugsource-3.12.74-60.64.104.1 kernel-default-devel-3.12.74-60.64.104.1 kernel-syms-3.12.74-60.64.104.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): kernel-devel-3.12.74-60.64.104.1 kernel-macros-3.12.74-60.64.104.1 kernel-source-3.12.74-60.64.104.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): kernel-xen-3.12.74-60.64.104.1 kernel-xen-base-3.12.74-60.64.104.1 kernel-xen-base-debuginfo-3.12.74-60.64.104.1 kernel-xen-debuginfo-3.12.74-60.64.104.1 kernel-xen-debugsource-3.12.74-60.64.104.1 kernel-xen-devel-3.12.74-60.64.104.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x): kernel-default-man-3.12.74-60.64.104.1 - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64): kernel-ec2-3.12.74-60.64.104.1 kernel-ec2-debuginfo-3.12.74-60.64.104.1 kernel-ec2-debugsource-3.12.74-60.64.104.1 kernel-ec2-devel-3.12.74-60.64.104.1 kernel-ec2-extra-3.12.74-60.64.104.1 kernel-ec2-extra-debuginfo-3.12.74-60.64.104.1 References: https://www.suse.com/security/cve/CVE-2018-10853.html 
https://www.suse.com/security/cve/CVE-2018-10876.html https://www.suse.com/security/cve/CVE-2018-10877.html https://www.suse.com/security/cve/CVE-2018-10878.html https://www.suse.com/security/cve/CVE-2018-10879.html https://www.suse.com/security/cve/CVE-2018-10880.html https://www.suse.com/security/cve/CVE-2018-10881.html https://www.suse.com/security/cve/CVE-2018-10882.html https://www.suse.com/security/cve/CVE-2018-10883.html https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10940.html https://www.suse.com/security/cve/CVE-2018-12896.html https://www.suse.com/security/cve/CVE-2018-13093.html https://www.suse.com/security/cve/CVE-2018-14617.html https://www.suse.com/security/cve/CVE-2018-14634.html https://www.suse.com/security/cve/CVE-2018-16276.html https://www.suse.com/security/cve/CVE-2018-16658.html https://www.suse.com/security/cve/CVE-2018-6554.html https://www.suse.com/security/cve/CVE-2018-6555.html https://bugzilla.suse.com/1012382 https://bugzilla.suse.com/1024788 https://bugzilla.suse.com/1062604 https://bugzilla.suse.com/1064233 https://bugzilla.suse.com/1065999 https://bugzilla.suse.com/1090534 https://bugzilla.suse.com/1090955 https://bugzilla.suse.com/1091171 https://bugzilla.suse.com/1092903 https://bugzilla.suse.com/1096547 https://bugzilla.suse.com/1097104 https://bugzilla.suse.com/1097108 https://bugzilla.suse.com/1099811 https://bugzilla.suse.com/1099813 https://bugzilla.suse.com/1099844 https://bugzilla.suse.com/1099845 https://bugzilla.suse.com/1099846 https://bugzilla.suse.com/1099849 https://bugzilla.suse.com/1099863 https://bugzilla.suse.com/1099864 https://bugzilla.suse.com/1099922 https://bugzilla.suse.com/1100001 https://bugzilla.suse.com/1102870 https://bugzilla.suse.com/1103445 https://bugzilla.suse.com/1104319 https://bugzilla.suse.com/1104495 https://bugzilla.suse.com/1104818 https://bugzilla.suse.com/1104906 https://bugzilla.suse.com/1105100 https://bugzilla.suse.com/1105322 
https://bugzilla.suse.com/1105323 https://bugzilla.suse.com/1105396 https://bugzilla.suse.com/1106095 https://bugzilla.suse.com/1106369 https://bugzilla.suse.com/1106509 https://bugzilla.suse.com/1106511 https://bugzilla.suse.com/1107689 https://bugzilla.suse.com/1108912 From sle-updates at lists.suse.com Thu Sep 27 16:08:19 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 00:08:19 +0200 (CEST) Subject: SUSE-RU-2018:2909-1: moderate: Recommended update for snapper Message-ID: <20180927220819.DDBC4FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for snapper ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2909-1 Rating: moderate References: #1096208 #1096401 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for snapper fixes the following issues: - Fixed logging during shutdown of snapperd to avoid core dumps. (bsc#1096401) - Fix fails to build with new Boost library due to missing pthread library during link. (bsc#1096208) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2067=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libsnapper-devel-0.5.6-5.3.1 libsnapper4-0.5.6-5.3.1 libsnapper4-debuginfo-0.5.6-5.3.1 pam_snapper-0.5.6-5.3.1 pam_snapper-debuginfo-0.5.6-5.3.1 snapper-0.5.6-5.3.1 snapper-debuginfo-0.5.6-5.3.1 snapper-debugsource-0.5.6-5.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): snapper-zypp-plugin-0.5.6-5.3.1 References: https://bugzilla.suse.com/1096208 https://bugzilla.suse.com/1096401 From sle-updates at lists.suse.com Thu Sep 27 16:09:17 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 00:09:17 +0200 (CEST) Subject: SUSE-RU-2018:2910-1: important: Recommended update for kdump Message-ID: <20180927220917.328A3FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for kdump ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2910-1 Rating: important References: #1002617 #1058202 #1081646 #1091186 #1101730 Affected Products: SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. Description: This update for kdump fixes the following issues: - Block initrd-parse-etc.service until dump is saved (bsc#1091186). - Always copy timezone data into kdumprd (bsc#1081646). - Bail out of kdump_check_net if no default interface is found (bsc#1058202). - fadump: avoid multipath optimizations that break regular boot (bsc#1101730). - cmdline: split kdump cmdline purpose wise (bsc#1101730). - fadump: fix network bring up issue during default boot (bsc#1101730). 
Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2064=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2064=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): kdump-0.8.16-7.14.2 kdump-debuginfo-0.8.16-7.14.2 kdump-debugsource-0.8.16-7.14.2 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): kdump-0.8.16-7.14.2 kdump-debuginfo-0.8.16-7.14.2 kdump-debugsource-0.8.16-7.14.2 - SUSE CaaS Platform ALL (x86_64): kdump-0.8.16-7.14.2 kdump-debuginfo-0.8.16-7.14.2 kdump-debugsource-0.8.16-7.14.2 - SUSE CaaS Platform 3.0 (x86_64): kdump-0.8.16-7.14.2 kdump-debuginfo-0.8.16-7.14.2 kdump-debugsource-0.8.16-7.14.2 References: https://bugzilla.suse.com/1002617 https://bugzilla.suse.com/1058202 https://bugzilla.suse.com/1081646 https://bugzilla.suse.com/1091186 https://bugzilla.suse.com/1101730 From sle-updates at lists.suse.com Thu Sep 27 16:15:21 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 00:15:21 +0200 (CEST) Subject: SUSE-RU-2018:2916-1: moderate: Recommended update for powerpc-utils Message-ID: <20180927221521.0F98DFD4A@maintenance.suse.de> SUSE Recommended Update: Recommended update for powerpc-utils ______________________________________________________________________________ 
Announcement ID: SUSE-RU-2018:2916-1 Rating: moderate References: #1099910 Affected Products: SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for powerpc-utils fixes the following issues: - Display logical name using bootlist -o option. (bsc#1099910) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-powerpc-utils-13800=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-powerpc-utils-13800=1 Package List: - SUSE Linux Enterprise Server 11-SP4 (ppc64): powerpc-utils-1.3.2-10.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64): powerpc-utils-debuginfo-1.3.2-10.6.1 powerpc-utils-debugsource-1.3.2-10.6.1 References: https://bugzilla.suse.com/1099910 From sle-updates at lists.suse.com Thu Sep 27 16:17:46 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 00:17:46 +0200 (CEST) Subject: SUSE-RU-2018:2919-1: moderate: Recommended update for grub2 Message-ID: <20180927221746.D66B3FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for grub2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2919-1 Rating: moderate References: #1063443 #1084508 #1088830 #1102515 #1105163 #1106381 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has 6 recommended fixes can now be installed. 
Description: This update for grub2 provides the following fixes: - Fix overflow in sector count calculation. (bsc#1105163) - Fix config_directory on btrfs to follow path scheme. (bsc#1063443) - Fix setparams doesn't work as expected in boot-last-label. (bsc#1088830) - Suggest instead of libburnia-tools to not pull in tcl/tk and half of the x11 stack automatically. (bsc#1102515) - Fix broken network interface with random address and same name. (bsc#1084508) - Fix outputting invalid btrfs subvolume path on non btrfs filesystem due to bogus return code handling. (bsc#1106381) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-2065=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2065=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (x86_64): grub2-debuginfo-2.02-19.9.1 grub2-debugsource-2.02-19.9.1 grub2-x86_64-xen-2.02-19.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): grub2-2.02-19.9.1 grub2-debuginfo-2.02-19.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 s390x x86_64): grub2-debugsource-2.02-19.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64): grub2-arm64-efi-2.02-19.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (ppc64le): grub2-powerpc-ieee1275-2.02-19.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): grub2-i386-pc-2.02-19.9.1 grub2-x86_64-efi-2.02-19.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): grub2-snapper-plugin-2.02-19.9.1 grub2-systemd-sleep-plugin-2.02-19.9.1 - SUSE Linux Enterprise Module for Basesystem 15 (s390x): grub2-s390x-emu-2.02-19.9.1 References: https://bugzilla.suse.com/1063443 
https://bugzilla.suse.com/1084508 https://bugzilla.suse.com/1088830 https://bugzilla.suse.com/1102515 https://bugzilla.suse.com/1105163 https://bugzilla.suse.com/1106381 From sle-updates at lists.suse.com Fri Sep 28 04:11:11 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 12:11:11 +0200 (CEST) Subject: SUSE-SU-2018:2928-1: moderate: Security update for openssl Message-ID: <20180928101111.88854FD4A@maintenance.suse.de> SUSE Security Update: Security update for openssl ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2928-1 Rating: moderate References: #1089039 #1101246 #1101470 #1104789 #1106197 #997043 Cross-References: CVE-2018-0737 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 SUSE CaaS Platform ALL SUSE CaaS Platform 3.0 OpenStack Cloud Magnum Orchestration 7 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update for openssl fixes the following issues: These security issues were fixed: - Prevent One&Done side-channel attack on RSA that allowed physically near attackers to use EM emanations to recover information (bsc#1104789) - CVE-2018-0737: The RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. 
An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could have recovered the private key (bsc#1089039) These non-security issues were fixed: - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) - Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246, bsc#997043) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2069=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-2069=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2069=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2069=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2069=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2069=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-2069=1 - SUSE CaaS Platform ALL: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
- OpenStack Cloud Magnum Orchestration 7: zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-2069=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): libopenssl-devel-1.0.2j-60.39.1 libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-32bit-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.39.1 libopenssl1_0_0-hmac-1.0.2j-60.39.1 libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE OpenStack Cloud 7 (noarch): openssl-doc-1.0.2j-60.39.1 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): libopenssl-devel-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libopenssl-devel-1.0.2j-60.39.1 libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 libopenssl1_0_0-hmac-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libopenssl1_0_0-32bit-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.39.1 libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): openssl-doc-1.0.2j-60.39.1 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): libopenssl-devel-1.0.2j-60.39.1 libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 libopenssl1_0_0-hmac-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE Linux Enterprise Server 12-SP3 (s390x x86_64): libopenssl1_0_0-32bit-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.39.1 libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 - SUSE Linux Enterprise Server 12-SP3 (noarch): openssl-doc-1.0.2j-60.39.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libopenssl-devel-1.0.2j-60.39.1 
libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 libopenssl1_0_0-hmac-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libopenssl1_0_0-32bit-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.39.1 libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): openssl-doc-1.0.2j-60.39.1 - SUSE Linux Enterprise Desktop 12-SP3 (x86_64): libopenssl-devel-1.0.2j-60.39.1 libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-32bit-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE Enterprise Storage 4 (x86_64): libopenssl-devel-1.0.2j-60.39.1 libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-32bit-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.39.1 libopenssl1_0_0-hmac-1.0.2j-60.39.1 libopenssl1_0_0-hmac-32bit-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE Enterprise Storage 4 (noarch): openssl-doc-1.0.2j-60.39.1 - SUSE CaaS Platform ALL (x86_64): libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - SUSE CaaS Platform 3.0 (x86_64): libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 - OpenStack Cloud Magnum Orchestration 7 (x86_64): libopenssl1_0_0-1.0.2j-60.39.1 libopenssl1_0_0-debuginfo-1.0.2j-60.39.1 openssl-1.0.2j-60.39.1 openssl-debuginfo-1.0.2j-60.39.1 openssl-debugsource-1.0.2j-60.39.1 References: https://www.suse.com/security/cve/CVE-2018-0737.html https://bugzilla.suse.com/1089039 https://bugzilla.suse.com/1101246 
https://bugzilla.suse.com/1101470 https://bugzilla.suse.com/1104789 https://bugzilla.suse.com/1106197 https://bugzilla.suse.com/997043 From sle-updates at lists.suse.com Fri Sep 28 04:13:04 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 12:13:04 +0200 (CEST) Subject: SUSE-SU-2018:2930-1: moderate: Security update for gnutls Message-ID: <20180928101304.AB4E8FD41@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2930-1 Rating: moderate References: #1047002 #1105437 #1105459 #1105460 Cross-References: CVE-2017-10790 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for gnutls fixes the following security issues: - Improved mitigations against Lucky 13 class of attacks - CVE-2018-10846: "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460) - CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459) - CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437) - CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2070=1 - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2070=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (x86_64): gnutls-debugsource-3.6.2-6.3.1 libgnutls30-32bit-3.6.2-6.3.1 libgnutls30-32bit-debuginfo-3.6.2-6.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): gnutls-3.6.2-6.3.1 gnutls-debuginfo-3.6.2-6.3.1 gnutls-debugsource-3.6.2-6.3.1 libgnutls-devel-3.6.2-6.3.1 libgnutls30-3.6.2-6.3.1 libgnutls30-debuginfo-3.6.2-6.3.1 libgnutlsxx-devel-3.6.2-6.3.1 libgnutlsxx28-3.6.2-6.3.1 libgnutlsxx28-debuginfo-3.6.2-6.3.1 References: https://www.suse.com/security/cve/CVE-2017-10790.html https://www.suse.com/security/cve/CVE-2018-10844.html https://www.suse.com/security/cve/CVE-2018-10845.html https://www.suse.com/security/cve/CVE-2018-10846.html https://bugzilla.suse.com/1047002 https://bugzilla.suse.com/1105437 https://bugzilla.suse.com/1105459 https://bugzilla.suse.com/1105460 From sle-updates at lists.suse.com Fri Sep 28 04:14:24 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 12:14:24 +0200 (CEST) Subject: SUSE-RU-2018:2932-1: moderate: Recommended update for multiple yast2 packages Message-ID: <20180928101424.E5048FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for multiple yast2 packages ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2932-1 Rating: moderate References: #1087957 #1099691 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update addresses issues in several yast2 packages: Feature added to all packages: - Added additional searchkeys to desktop file (fate#321043, bsc#1099691) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2068=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): yast2-control-center-4.0.4-3.3.1 yast2-control-center-debugsource-4.0.4-3.3.1 yast2-control-center-qt-4.0.4-3.3.1 yast2-control-center-qt-debuginfo-4.0.4-3.3.1 yast2-country-4.0.23-3.3.1 yast2-country-data-4.0.23-3.3.1 yast2-kdump-4.0.4-3.3.1 yast2-nis-client-4.0.3-3.3.1 yast2-nis-client-debuginfo-4.0.3-3.3.1 yast2-nis-client-debugsource-4.0.3-3.3.1 yast2-sound-4.0.1-3.3.1 yast2-sound-debuginfo-4.0.1-3.3.1 yast2-sound-debugsource-4.0.1-3.3.1 yast2-squid-4.0.2-3.3.1 yast2-squid-debuginfo-4.0.2-3.3.1 yast2-squid-debugsource-4.0.2-3.3.1 yast2-tune-4.0.1-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 s390x x86_64): yast2-vm-4.0.2-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): yast2-apparmor-4.0.5-3.3.1 yast2-boot-server-4.0.1-3.3.1 yast2-dhcp-server-4.0.1-3.3.4 yast2-dns-server-4.0.3-3.3.2 yast2-fcoe-client-4.0.1-3.3.1 yast2-firewall-4.0.26-3.3.1 yast2-iscsi-lio-server-4.0.11-3.3.1 yast2-mail-4.0.4-3.3.1 yast2-multipath-4.0.1-3.3.1 yast2-nfs-common-4.0.1-3.3.1 yast2-nfs-server-4.0.1-3.3.1 yast2-nis-server-4.0.1-3.3.2 yast2-online-update-4.0.1-3.3.1 yast2-online-update-configuration-4.0.1-3.3.1 yast2-online-update-frontend-4.0.1-3.3.1 yast2-proxy-4.0.2-3.3.1 yast2-rdp-4.0.2-3.3.1 yast2-samba-server-4.0.2-3.3.1 yast2-sudo-4.0.0-3.3.1 yast2-sysconfig-4.0.1-3.3.1 yast2-tftp-server-4.0.3-3.3.1 References: https://bugzilla.suse.com/1087957 
https://bugzilla.suse.com/1099691 From sle-updates at lists.suse.com Fri Sep 28 07:08:14 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 15:08:14 +0200 (CEST) Subject: SUSE-SU-2018:2933-1: important: Security update for the Linux Kernel (Live Patch 3 for SLE 15) Message-ID: <20180928130814.1CC3CFD4A@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 3 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2933-1 Rating: important References: #1097108 #1103203 #1105026 Cross-References: CVE-2018-10853 CVE-2018-15471 Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.12.14-25_11 fixes several issues. The following security issues were fixed: - CVE-2018-15471: An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c. The Linux netback driver allowed frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks (bsc#1105026). - CVE-2018-10853: A KVM guest userspace to guest kernel write was fixed, which could be used by guest users to crash the guest kernel (bsc#1097108). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2018-2072=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-25_13-default-2-2.2 kernel-livepatch-4_12_14-25_13-default-debuginfo-2-2.2 References: https://www.suse.com/security/cve/CVE-2018-10853.html https://www.suse.com/security/cve/CVE-2018-15471.html https://bugzilla.suse.com/1097108 https://bugzilla.suse.com/1103203 https://bugzilla.suse.com/1105026 From sle-updates at lists.suse.com Fri Sep 28 07:09:12 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 15:09:12 +0200 (CEST) Subject: SUSE-SU-2018:2934-1: moderate: Security update for xorg-x11-libX11 Message-ID: <20180928130912.5E31CFD4A@maintenance.suse.de> SUSE Security Update: Security update for xorg-x11-libX11 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2934-1 Rating: moderate References: #1102062 #1102068 #1102073 Cross-References: CVE-2018-14598 CVE-2018-14599 CVE-2018-14600 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Server 11-SP4 SUSE Linux Enterprise Server 11-SP3-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. 
Description: This update for xorg-x11-libX11 fixes the following issues: - CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) - CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) - CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-xorg-x11-libX11-13801=1 - SUSE Linux Enterprise Server 11-SP4: zypper in -t patch slessp4-xorg-x11-libX11-13801=1 - SUSE Linux Enterprise Server 11-SP3-LTSS: zypper in -t patch slessp3-xorg-x11-libX11-13801=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-xorg-x11-libX11-13801=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-xorg-x11-libX11-13801=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-xorg-x11-libX11-13801=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libX11-devel-7.4-5.11.72.9.1 - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64): xorg-x11-libX11-devel-32bit-7.4-5.11.72.9.1 - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libX11-7.4-5.11.72.9.1 - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64): xorg-x11-libX11-32bit-7.4-5.11.72.9.1 - SUSE Linux Enterprise Server 11-SP4 (ia64): 
xorg-x11-libX11-x86-7.4-5.11.72.9.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64): xorg-x11-libX11-7.4-5.11.72.9.1 - SUSE Linux Enterprise Server 11-SP3-LTSS (s390x x86_64): xorg-x11-libX11-32bit-7.4-5.11.72.9.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): xorg-x11-libX11-7.4-5.11.72.9.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): xorg-x11-libX11-debuginfo-7.4-5.11.72.9.1 xorg-x11-libX11-debugsource-7.4-5.11.72.9.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): xorg-x11-libX11-debuginfo-7.4-5.11.72.9.1 xorg-x11-libX11-debugsource-7.4-5.11.72.9.1 References: https://www.suse.com/security/cve/CVE-2018-14598.html https://www.suse.com/security/cve/CVE-2018-14599.html https://www.suse.com/security/cve/CVE-2018-14600.html https://bugzilla.suse.com/1102062 https://bugzilla.suse.com/1102068 https://bugzilla.suse.com/1102073 From sle-updates at lists.suse.com Fri Sep 28 10:08:01 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 18:08:01 +0200 (CEST) Subject: SUSE-SU-2018:2935-1: important: Security update for the Linux Kernel (Live Patch 3 for SLE 15) Message-ID: <20180928160801.98DB9FD41@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 3 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2935-1 Rating: important References: #1097108 #1103203 #1105026 #1106191 Cross-References: CVE-2018-10853 CVE-2018-10938 CVE-2018-15471 Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.12.14-25_13 fixes several issues. 
The following security issues were fixed: - CVE-2018-10938: It was found that a crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw (bsc#1106191). - CVE-2018-15471: It was found that the netback driver allowed frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks (bsc#1105026). - CVE-2018-10853: It was found that the KVM hypervisor emulated instructions did not check current privilege (CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bsc#1097108). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2018-2076=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-25_13-default-3-2.3 kernel-livepatch-4_12_14-25_13-default-debuginfo-3-2.3 References: https://www.suse.com/security/cve/CVE-2018-10853.html https://www.suse.com/security/cve/CVE-2018-10938.html https://www.suse.com/security/cve/CVE-2018-15471.html https://bugzilla.suse.com/1097108 https://bugzilla.suse.com/1103203 https://bugzilla.suse.com/1105026 https://bugzilla.suse.com/1106191 From sle-updates at lists.suse.com Fri Sep 28 10:09:09 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 18:09:09 +0200 (CEST) Subject: SUSE-RU-2018:2936-1: important: Recommended update for pidentd Message-ID: <20180928160909.59524FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for pidentd ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2936-1 Rating: important References: #1101107 #1101600 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for pidentd fixes the following issues: - IPv6 support was accidentally dropped when upgrading to 3.0.19. This update reenables IPv6 support. (bsc#1101600) - Drop uname -r of buildhost from binary for reproducible builds (bsc#1101107) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-2077=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): pidentd-3.0.19-3.3.1 pidentd-debuginfo-3.0.19-3.3.1 pidentd-debugsource-3.0.19-3.3.1 References: https://bugzilla.suse.com/1101107 https://bugzilla.suse.com/1101600 From sle-updates at lists.suse.com Fri Sep 28 10:09:54 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 18:09:54 +0200 (CEST) Subject: SUSE-RU-2018:2937-1: moderate: Recommended update for linux-glibc-devel Message-ID: <20180928160954.71FC5FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for linux-glibc-devel ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2937-1 Rating: moderate References: #1103375 Affected Products: SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Desktop 12-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for linux-glibc-devel provides the following fix: - elf: Add powerpc specific core note sections. (fate#318470, bsc#1103375) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2079=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2079=1 Package List: - SUSE Linux Enterprise Server 12-SP3 (noarch): linux-glibc-devel-4.4-16.3.1 - SUSE Linux Enterprise Desktop 12-SP3 (noarch): linux-glibc-devel-4.4-16.3.1 References: https://bugzilla.suse.com/1103375 From sle-updates at lists.suse.com Fri Sep 28 10:10:27 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 18:10:27 +0200 (CEST) Subject: SUSE-SU-2018:2938-1: important: Security update for the Linux Kernel (Live Patch 2 for SLE 15) Message-ID: <20180928161027.E297EFD41@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 2 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2938-1 Rating: important References: #1106191 Cross-References: CVE-2018-10938 Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.12.14-25_6 fixes one issue. The following security issue was fixed: - CVE-2018-10938: It was found that a crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw (bsc#1106191). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2018-2075=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-25_6-default-4-2.1 kernel-livepatch-4_12_14-25_6-default-debuginfo-4-2.1 References: https://www.suse.com/security/cve/CVE-2018-10938.html https://bugzilla.suse.com/1106191 From sle-updates at lists.suse.com Fri Sep 28 10:10:59 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 18:10:59 +0200 (CEST) Subject: SUSE-RU-2018:2939-1: moderate: Recommended update for sapconf Message-ID: <20180928161059.9B347FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for sapconf ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2939-1 Rating: moderate References: #1093843 #1093844 #1096498 #1099101 Affected Products: SUSE Linux Enterprise Module for Server Applications 15 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for sapconf provides the following fixes: - Sapconf should not change the system settings for kernel.sem, so remove the variables SEM* from it. (bsc#1099101) - Correct the SAP Note references in the man pages and in the sysconfig file of the sapconf package. (bsc#1096498) - Avoid stopping or disabling uuidd.socket in sapconf as it is mandatory for every SAP application running. (bsc#1093843) - Remove hardcoded default value for VSZ_TMPFS_PERCENT. This allows an admin to exclude VSZ_TMPFS settings from the sysconfig file, so the current system value will remain untouched. This value only got used in the previous version, if the variable VSZ_TMPFS_PERCENT was removed from the sapconf configuration file /etc/sysconfig/sapconf. 
If the value of the variable was only changed (increased or decreased) in the sapconf configuration file everything works fine. (bsc#1093844) - Remove the no longer needed sysconfig file. - Remove the pagecache references from the sysconfig file. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-2078=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15 (noarch): sapconf-4.2.1-7.3.2 References: https://bugzilla.suse.com/1093843 https://bugzilla.suse.com/1093844 https://bugzilla.suse.com/1096498 https://bugzilla.suse.com/1099101 From sle-updates at lists.suse.com Fri Sep 28 10:12:02 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 28 Sep 2018 18:12:02 +0200 (CEST) Subject: SUSE-SU-2018:2940-1: important: Security update for the Linux Kernel (Live Patch 1 for SLE 15) Message-ID: <20180928161202.0D43DFD41@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 1 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2940-1 Rating: important References: #1105323 #1106191 Cross-References: CVE-2018-10902 CVE-2018-10938 Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-25_3 fixes several issues. 
The following security issues were fixed: - CVE-2018-10938: It was found that a crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw. - CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which led to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(), allowing a malicious local attacker to use this for privilege escalation (bsc#1105323). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2018-2073=1 SUSE-SLE-Module-Live-Patching-15-2018-2074=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-23-default-4-10.2 kernel-livepatch-4_12_14-23-default-debuginfo-4-10.2 kernel-livepatch-4_12_14-25_3-default-4-2.1 kernel-livepatch-4_12_14-25_3-default-debuginfo-4-2.1 kernel-livepatch-SLE15_Update_0-debugsource-4-10.2 References: https://www.suse.com/security/cve/CVE-2018-10902.html https://www.suse.com/security/cve/CVE-2018-10938.html https://bugzilla.suse.com/1105323 https://bugzilla.suse.com/1106191 From sle-updates at lists.suse.com Fri Sep 28 16:08:22 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 29 Sep 2018 00:08:22 +0200 (CEST) Subject: SUSE-OU-2018:2945-1: Initial release of the translated SUSE Enterprise Storage 5 manuals Message-ID: <20180928220822.44F2EFD41@maintenance.suse.de> SUSE Optional Update: Initial release of the translated SUSE
Enterprise Storage 5 manuals ______________________________________________________________________________ Announcement ID: SUSE-OU-2018:2945-1 Rating: low References: #1109318 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that has one optional fix can now be installed. Description: This update provides the following translations for the SUSE Enterprise Storage 5 manuals: - Brazilian Portuguese - French - German - Italian - Japanese - Simplified Chinese - Spanish - Traditional Chinese Patch Instructions: To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-2081=1 Package List: - SUSE Enterprise Storage 5 (noarch): ses-admin_de-pdf-5-1.3.1 ses-admin_es-pdf-5-1.3.1 ses-admin_fr-pdf-5-1.3.1 ses-admin_it-pdf-5-1.3.1 ses-admin_ja-pdf-5-1.3.1 ses-admin_pt_br-pdf-5-1.3.1 ses-admin_zh_cn-pdf-5-1.3.1 ses-admin_zh_tw-pdf-5-1.3.1 ses-deployment_de-pdf-5-1.3.1 ses-deployment_es-pdf-5-1.3.1 ses-deployment_fr-pdf-5-1.3.1 ses-deployment_it-pdf-5-1.3.1 ses-deployment_ja-pdf-5-1.3.1 ses-deployment_pt_br-pdf-5-1.3.1 ses-deployment_zh_cn-pdf-5-1.3.1 ses-deployment_zh_tw-pdf-5-1.3.1 ses-manual_de-5-1.3.1 ses-manual_es-5-1.3.1 ses-manual_fr-5-1.3.1 ses-manual_it-5-1.3.1 ses-manual_ja-5-1.3.1 ses-manual_pt_br-5-1.3.1 ses-manual_zh_cn-5-1.3.1 ses-manual_zh_tw-5-1.3.1 References: https://bugzilla.suse.com/1109318 From sle-updates at lists.suse.com Fri Sep 28 16:08:53 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 29 Sep 2018 00:08:53 +0200 (CEST) Subject: SUSE-RU-2018:2946-1: Recommended update for the SUSE Linux Enterprise Storage manual Message-ID: <20180928220853.AE148FD41@maintenance.suse.de> SUSE Recommended Update: Recommended update for the SUSE Linux 
Enterprise Storage manual ______________________________________________________________________________ Announcement ID: SUSE-RU-2018:2946-1 Rating: low References: #1095609 #1099448 #1099453 #1099687 #1100701 #1101478 #1102212 #1102467 #1102904 #1103242 #1104092 #1105739 #1107090 #1107624 #1107625 #1108495 Affected Products: SUSE Enterprise Storage 5 ______________________________________________________________________________ An update that has 16 recommended fixes can now be installed. Description: This update for the SUSE Linux Enterprise Storage manual fixes the following issues: - Fix simple HTTPS configuration. (bsc#1095609, bsc#1102904) - Fix path to cluster.yml file in "Running Deployment Stages". (bsc#1099448) - Add hint to use a second terminal to start "deepsea monitor". (bsc#1099453) - Update "Item Filtering" and "Role Assignment" for Storage 5. (bsc#1099687) - Add missing salt command in "Removing Broken OSDs Forcefully". (bsc#1100701) - Update CTDB/Samba documentation for 5.5. (bsc#1101478) - Add "tier" to the command in "Migrating Replicated to Erasure Coded Pool". (bsc#1102212) - Update "Using libvirt with Ceph/Configuring Ceph" section. (bsc#1102467) - Document new default to update without reboot. (bsc#1103242) - Fix documentation for adding rgw users. (bsc#1105739) - Improved auto-replacement OSDs procedure. (bsc#1107090) - Add new section for supported operations by nfs-rgw interface. (bsc#1107624) - Disable kernel NFS on role-ganesha in ganesha preparation requirements. (bsc#1107625) - Fix upgrade documentation. (bsc#1108495) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2018-2080=1 Package List: - SUSE Enterprise Storage 5 (noarch): ses-admin_en-pdf-5-22.6.2 ses-deployment_en-pdf-5-22.6.2 ses-manual_en-5-22.6.2 References: https://bugzilla.suse.com/1095609 https://bugzilla.suse.com/1099448 https://bugzilla.suse.com/1099453 https://bugzilla.suse.com/1099687 https://bugzilla.suse.com/1100701 https://bugzilla.suse.com/1101478 https://bugzilla.suse.com/1102212 https://bugzilla.suse.com/1102467 https://bugzilla.suse.com/1102904 https://bugzilla.suse.com/1103242 https://bugzilla.suse.com/1104092 https://bugzilla.suse.com/1105739 https://bugzilla.suse.com/1107090 https://bugzilla.suse.com/1107624 https://bugzilla.suse.com/1107625 https://bugzilla.suse.com/1108495 From sle-updates at lists.suse.com Sun Sep 30 10:08:01 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sun, 30 Sep 2018 18:08:01 +0200 (CEST) Subject: SUSE-SU-2018:2955-1: moderate: Security update for libX11 Message-ID: <20180930160801.066A2FD4A@maintenance.suse.de> SUSE Security Update: Security update for libX11 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2955-1 Rating: moderate References: #1102062 #1102068 #1102073 Cross-References: CVE-2018-14598 CVE-2018-14599 CVE-2018-14600 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. 
Description: This update for libX11 fixes the following security issues: - CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062) - CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068) - CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2082=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libX11-6-1.6.5-3.3.1 libX11-6-debuginfo-1.6.5-3.3.1 libX11-debugsource-1.6.5-3.3.1 libX11-devel-1.6.5-3.3.1 libX11-xcb1-1.6.5-3.3.1 libX11-xcb1-debuginfo-1.6.5-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): libX11-data-1.6.5-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libX11-6-32bit-1.6.5-3.3.1 libX11-6-32bit-debuginfo-1.6.5-3.3.1 libX11-xcb1-32bit-1.6.5-3.3.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.3.1 References: https://www.suse.com/security/cve/CVE-2018-14598.html https://www.suse.com/security/cve/CVE-2018-14599.html https://www.suse.com/security/cve/CVE-2018-14600.html https://bugzilla.suse.com/1102062 https://bugzilla.suse.com/1102068 https://bugzilla.suse.com/1102073 From sle-updates at lists.suse.com Sun Sep 30 10:08:59 2018 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sun, 30 Sep 2018 18:08:59 +0200 (CEST) 
Subject: SUSE-SU-2018:2956-1: moderate: Security update for openssl-1_1 Message-ID: <20180930160859.D67ACFD41@maintenance.suse.de> SUSE Security Update: Security update for openssl-1_1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2956-1 Rating: moderate References: #1097158 #1101470 Cross-References: CVE-2018-0732 Affected Products: SUSE Linux Enterprise Module for Basesystem 15 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for openssl-1_1 to 1.1.0i fixes the following issues: These security issues were fixed: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158) - Make problematic ECDSA sign addition length-invariant - Add blinding to ECDSA and DSA signatures to protect against side channel attacks These non-security issues were fixed: - When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. - Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. - Fixed a text canonicalisation bug in CMS - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15: zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2083=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64): libopenssl-1_1-devel-1.1.0i-4.9.2 libopenssl1_1-1.1.0i-4.9.2 libopenssl1_1-debuginfo-1.1.0i-4.9.2 libopenssl1_1-hmac-1.1.0i-4.9.2 openssl-1_1-1.1.0i-4.9.2 openssl-1_1-debuginfo-1.1.0i-4.9.2 openssl-1_1-debugsource-1.1.0i-4.9.2 - SUSE Linux Enterprise Module for Basesystem 15 (noarch): libopenssl-devel-1.1.0i-3.3.1 openssl-1.1.0i-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15 (x86_64): libopenssl1_1-32bit-1.1.0i-4.9.2 libopenssl1_1-32bit-debuginfo-1.1.0i-4.9.2 libopenssl1_1-hmac-32bit-1.1.0i-4.9.2 References: https://www.suse.com/security/cve/CVE-2018-0732.html https://bugzilla.suse.com/1097158 https://bugzilla.suse.com/1101470