From sle-container-updates at lists.suse.com  Fri Feb  2 08:04:22 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri,  2 Feb 2024 09:04:22 +0100 (CET)
Subject: SUSE-CU-2024:420-1: Security update of bci/dotnet-aspnet
Message-ID: <20240202080422.3DBCFFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:420-1
Container Tags        : bci/dotnet-aspnet:6.0 , bci/dotnet-aspnet:6.0-21.15 , bci/dotnet-aspnet:6.0.26 , bci/dotnet-aspnet:6.0.26-21.15
Container Release     : 21.15
Severity              : moderate
Type                  : security
References            : 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.8.2 updated

From sle-container-updates at lists.suse.com  Fri Feb  2 08:04:39 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri,  2 Feb 2024 09:04:39 +0100 (CET)
Subject: SUSE-CU-2024:421-1: Security update of bci/dotnet-aspnet
Message-ID: <20240202080439.CF0E6FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:421-1
Container Tags        : bci/dotnet-aspnet:7.0 , bci/dotnet-aspnet:7.0-21.15 , bci/dotnet-aspnet:7.0.15 , bci/dotnet-aspnet:7.0.15-21.15
Container Release     : 21.15
Severity              : moderate
Type                  : security
References            : 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.8.2 updated

From sle-container-updates at lists.suse.com  Fri Feb  2 08:04:40 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri,  2 Feb 2024 09:04:40 +0100 (CET)
Subject: SUSE-CU-2024:422-1: Security update of bci/dotnet-aspnet
Message-ID: <20240202080440.EB8AFFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:422-1
Container Tags        : bci/dotnet-aspnet:8.0 , bci/dotnet-aspnet:8.0-3.9 , bci/dotnet-aspnet:8.0.1 , bci/dotnet-aspnet:8.0.1-3.9 , bci/dotnet-aspnet:latest
Container Release     : 3.9
Severity              : moderate
Type                  : security
References            : 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.8.2 updated

From sle-container-updates at lists.suse.com  Fri Feb  2 08:04:42 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri,  2 Feb 2024 09:04:42 +0100 (CET)
Subject: SUSE-CU-2024:423-1: Security update of bci/dotnet-sdk
Message-ID: <20240202080442.53213FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:423-1
Container Tags        : bci/dotnet-sdk:8.0 , bci/dotnet-sdk:8.0-3.9 , bci/dotnet-sdk:8.0.1 , bci/dotnet-sdk:8.0.1-3.9 , bci/dotnet-sdk:latest
Container Release     : 3.9
Severity              : moderate
Type                  : security
References            : 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.8.2 updated

From sle-container-updates at lists.suse.com  Fri Feb  2 08:05:01 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri,  2 Feb 2024 09:05:01 +0100 (CET)
Subject: SUSE-CU-2024:424-1: Security update of bci/dotnet-runtime
Message-ID: <20240202080501.1F371FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:424-1
Container Tags        : bci/dotnet-runtime:6.0 , bci/dotnet-runtime:6.0-20.15 , bci/dotnet-runtime:6.0.26 , bci/dotnet-runtime:6.0.26-20.15
Container Release     : 20.15
Severity              : moderate
Type                  : security
References            : 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.8.2 updated

From sle-container-updates at lists.suse.com  Fri Feb  2 08:05:02 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri,  2 Feb 2024 09:05:02 +0100 (CET)
Subject: SUSE-CU-2024:425-1: Security update of bci/dotnet-runtime
Message-ID: <20240202080502.1CA19FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:425-1
Container Tags        : bci/dotnet-runtime:8.0 , bci/dotnet-runtime:8.0-3.9 , bci/dotnet-runtime:8.0.1 , bci/dotnet-runtime:8.0.1-3.9 , bci/dotnet-runtime:latest
Container Release     : 3.9
Severity              : moderate
Type                  : security
References            : 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.8.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:04:33 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:04:33 +0100 (CET)
Subject: SUSE-CU-2024:428-1: Recommended update of bci/dotnet-aspnet
Message-ID: <20240203080433.C9BA3FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:428-1
Container Tags        : bci/dotnet-aspnet:6.0 , bci/dotnet-aspnet:6.0-21.18 , bci/dotnet-aspnet:6.0.26 , bci/dotnet-aspnet:6.0.26-21.18
Container Release     : 21.18
Severity              : moderate
Type                  : recommended
References            : 1107342 1215434 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:04:57 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:04:57 +0100 (CET)
Subject: SUSE-CU-2024:429-1: Recommended update of bci/dotnet-aspnet
Message-ID: <20240203080457.4C8D1FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:429-1
Container Tags        : bci/dotnet-aspnet:7.0 , bci/dotnet-aspnet:7.0-21.18 , bci/dotnet-aspnet:7.0.15 , bci/dotnet-aspnet:7.0.15-21.18
Container Release     : 21.18
Severity              : moderate
Type                  : recommended
References            : 1107342 1215434 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:04:59 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:04:59 +0100 (CET)
Subject: SUSE-CU-2024:430-1: Recommended update of bci/dotnet-aspnet
Message-ID: <20240203080459.2896CFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:430-1
Container Tags        : bci/dotnet-aspnet:8.0 , bci/dotnet-aspnet:8.0-3.12 , bci/dotnet-aspnet:8.0.1 , bci/dotnet-aspnet:8.0.1-3.12 , bci/dotnet-aspnet:latest
Container Release     : 3.12
Severity              : moderate
Type                  : recommended
References            : 1107342 1215434 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:05:30 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:05:30 +0100 (CET)
Subject: SUSE-CU-2024:431-1: Security update of bci/dotnet-sdk
Message-ID: <20240203080530.33E2AFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:431-1
Container Tags        : bci/dotnet-sdk:6.0 , bci/dotnet-sdk:6.0-20.18 , bci/dotnet-sdk:6.0.26 , bci/dotnet-sdk:6.0.26-20.18
Container Release     : 20.18
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:05:54 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:05:54 +0100 (CET)
Subject: SUSE-CU-2024:432-1: Recommended update of bci/dotnet-runtime
Message-ID: <20240203080554.69ED6FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:432-1
Container Tags        : bci/dotnet-runtime:6.0 , bci/dotnet-runtime:6.0-20.18 , bci/dotnet-runtime:6.0.26 , bci/dotnet-runtime:6.0.26-20.18
Container Release     : 20.18
Severity              : moderate
Type                  : recommended
References            : 1107342 1215434 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:05:55 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:05:55 +0100 (CET)
Subject: SUSE-CU-2024:433-1: Recommended update of bci/dotnet-runtime
Message-ID: <20240203080555.DB14BFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:433-1
Container Tags        : bci/dotnet-runtime:8.0 , bci/dotnet-runtime:8.0-3.12 , bci/dotnet-runtime:8.0.1 , bci/dotnet-runtime:8.0.1-3.12 , bci/dotnet-runtime:latest
Container Release     : 3.12
Severity              : moderate
Type                  : recommended
References            : 1107342 1215434 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:06:08 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:06:08 +0100 (CET)
Subject: SUSE-CU-2024:434-1: Security update of bci/golang
Message-ID: <20240203080608.9D1F7FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:434-1
Container Tags        : bci/golang:1.20-openssl , bci/golang:1.20-openssl-11.19 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-11.19
Container Release     : 11.19
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1216488 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:303-1
Released:    Thu Feb  1 15:21:30 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1216488
This update for gcc7 fixes the following issues:

- Avoid crash when hitting a broken pattern in the s390 backend.
- Avoid creating recursive DIE references through DW_AT_abstract_origin when using LTO.  [bsc#1216488]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- libasan4-7.5.0+r278197-150000.4.38.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.38.1 updated
- libubsan0-7.5.0+r278197-150000.4.38.1 updated
- cpp7-7.5.0+r278197-150000.4.38.1 updated
- gcc7-7.5.0+r278197-150000.4.38.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:06:29 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:06:29 +0100 (CET)
Subject: SUSE-CU-2024:435-1: Security update of bci/golang
Message-ID: <20240203080629.7EB10FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:435-1
Container Tags        : bci/golang:1.21 , bci/golang:1.21-1.7.19 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.7.19
Container Release     : 7.19
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1216488 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:303-1
Released:    Thu Feb  1 15:21:30 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1216488
This update for gcc7 fixes the following issues:

- Avoid crash when hitting a broken pattern in the s390 backend.
- Avoid creating recursive DIE references through DW_AT_abstract_origin when using LTO.  [bsc#1216488]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- libasan4-7.5.0+r278197-150000.4.38.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.38.1 updated
- libubsan0-7.5.0+r278197-150000.4.38.1 updated
- cpp7-7.5.0+r278197-150000.4.38.1 updated
- gcc7-7.5.0+r278197-150000.4.38.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:06:39 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:06:39 +0100 (CET)
Subject: SUSE-CU-2024:436-1: Security update of bci/golang
Message-ID: <20240203080639.E0EF6FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:436-1
Container Tags        : bci/golang:1.21-openssl , bci/golang:1.21-openssl-11.19 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-11.19
Container Release     : 11.19
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1216488 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:303-1
Released:    Thu Feb  1 15:21:30 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1216488
This update for gcc7 fixes the following issues:

- Avoid crash when hitting a broken pattern in the s390 backend.
- Avoid creating recursive DIE references through DW_AT_abstract_origin when using LTO.  [bsc#1216488]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- libasan4-7.5.0+r278197-150000.4.38.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.38.1 updated
- libubsan0-7.5.0+r278197-150000.4.38.1 updated
- cpp7-7.5.0+r278197-150000.4.38.1 updated
- gcc7-7.5.0+r278197-150000.4.38.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:06:57 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:06:57 +0100 (CET)
Subject: SUSE-CU-2024:437-1: Security update of bci/bci-init
Message-ID: <20240203080657.7D282FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:437-1
Container Tags        : bci/bci-init:15.5 , bci/bci-init:15.5.13.19 , bci/bci-init:latest
Container Release     : 13.19
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/bci-init was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:07:17 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:07:17 +0100 (CET)
Subject: SUSE-CU-2024:438-1: Security update of bci/openjdk
Message-ID: <20240203080717.84C21FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:438-1
Container Tags        : bci/openjdk:11 , bci/openjdk:11-14.17
Container Release     : 14.17
Severity              : important
Type                  : security
References            : 1107342 1215434 1218571 1218903 1218905 1218906 1218907 1218909
                        1218911 1219238 CVE-2023-7207 CVE-2024-20918 CVE-2024-20919 CVE-2024-20921
                        CVE-2024-20926 CVE-2024-20945 CVE-2024-20952 
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:321-1
Released:    Fri Feb  2 13:51:01 2024
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    important
References:  1218903,1218905,1218906,1218907,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20926,CVE-2024-20945,CVE-2024-20952
This update for java-11-openjdk fixes the following issues:

Updated to version 11.0.22 (January 2024 CPU):

  - CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM
    due to a missing bounds check (bsc#1218907).
  - CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class
    file verifier (bsc#1218903).
  - CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM
    that could lead to corruption of JVM memory (bsc#1218905).
  - CVE-2024-20926: Fixed arbitrary Java code execution in Nashorn (bsc#1218906).
  - CVE-2024-20945: Fixed a potential private key leak through debug
    logs (bsc#1218909).
  - CVE-2024-20952: Fixed an RSA padding issue and timing side-channel
    attack against TLS (bsc#1218911).

Find the full release notes at:

https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029215.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- java-11-openjdk-headless-11.0.22.0-150000.3.110.1 updated
- java-11-openjdk-11.0.22.0-150000.3.110.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:07:37 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:07:37 +0100 (CET)
Subject: SUSE-CU-2024:439-1: Security update of bci/php-apache
Message-ID: <20240203080737.1706AFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:439-1
Container Tags        : bci/php-apache:8 , bci/php-apache:8-11.17
Container Release     : 11.17
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:07:55 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:07:55 +0100 (CET)
Subject: SUSE-CU-2024:440-1: Security update of bci/php-fpm
Message-ID: <20240203080755.33206FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:440-1
Container Tags        : bci/php-fpm:8 , bci/php-fpm:8-11.17
Container Release     : 11.17
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/php-fpm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:08:14 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:08:14 +0100 (CET)
Subject: SUSE-CU-2024:441-1: Security update of bci/php
Message-ID: <20240203080814.4D311FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:441-1
Container Tags        : bci/php:8 , bci/php:8-11.16
Container Release     : 11.16
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/php was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:08:33 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:08:33 +0100 (CET)
Subject: SUSE-CU-2024:442-1: Security update of bci/ruby
Message-ID: <20240203080833.305F9FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:442-1
Container Tags        : bci/ruby:2 , bci/ruby:2-15.16 , bci/ruby:2.5 , bci/ruby:2.5-15.16 , bci/ruby:latest
Container Release     : 15.16
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1216488 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:303-1
Released:    Thu Feb  1 15:21:30 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1216488
This update for gcc7 fixes the following issues:

- Avoid crash when hitting a broken pattern in the s390 backend.
- Avoid creating recursive DIE references through DW_AT_abstract_origin when using LTO.  [bsc#1216488]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- libasan4-7.5.0+r278197-150000.4.38.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.38.1 updated
- libubsan0-7.5.0+r278197-150000.4.38.1 updated
- cpp7-7.5.0+r278197-150000.4.38.1 updated
- libstdc++6-devel-gcc7-7.5.0+r278197-150000.4.38.1 updated
- gcc7-7.5.0+r278197-150000.4.38.1 updated
- gcc7-c++-7.5.0+r278197-150000.4.38.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sat Feb  3 08:08:36 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat,  3 Feb 2024 09:08:36 +0100 (CET)
Subject: SUSE-CU-2024:443-1: Security update of
 bci/bci-sle15-kernel-module-devel
Message-ID: <20240203080836.2F41DFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:443-1
Container Tags        : bci/bci-sle15-kernel-module-devel:15.5 , bci/bci-sle15-kernel-module-devel:15.5.5.17 , bci/bci-sle15-kernel-module-devel:latest
Container Release     : 5.17
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1216488 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:303-1
Released:    Thu Feb  1 15:21:30 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1216488
This update for gcc7 fixes the following issues:

- Avoid crash when hitting a broken pattern in the s390 backend.
- Avoid creating recursive DIE references through DW_AT_abstract_origin when using LTO.  [bsc#1216488]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- libasan4-7.5.0+r278197-150000.4.38.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.38.1 updated
- libubsan0-7.5.0+r278197-150000.4.38.1 updated
- cpp7-7.5.0+r278197-150000.4.38.1 updated
- gcc7-7.5.0+r278197-150000.4.38.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sun Feb  4 08:02:11 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun,  4 Feb 2024 09:02:11 +0100 (CET)
Subject: SUSE-CU-2024:445-1: Recommended update of suse/ltss/sle15.3/sle15
Message-ID: <20240204080211.66B60FE84@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.3/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:445-1
Container Tags        : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.3.47 , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.3.47
Container Release     : 3.47
Severity              : moderate
Type                  : recommended
References            : 1107342 1215434 
-----------------------------------------------------------------

The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated

From sle-container-updates at lists.suse.com  Sun Feb  4 08:02:34 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun,  4 Feb 2024 09:02:34 +0100 (CET)
Subject: SUSE-CU-2024:446-1: Security update of suse/389-ds
Message-ID: <20240204080234.A0D1BFE84@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:446-1
Container Tags        : suse/389-ds:2.2 , suse/389-ds:2.2-19.20 , suse/389-ds:latest
Container Release     : 19.20
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sun Feb  4 08:02:41 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun,  4 Feb 2024 09:02:41 +0100 (CET)
Subject: SUSE-CU-2024:447-1: Security update of bci/nodejs
Message-ID: <20240204080241.44008FE84@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:447-1
Container Tags        : bci/node:20 , bci/node:20-5.19 , bci/node:latest , bci/nodejs:20 , bci/nodejs:20-5.19 , bci/nodejs:latest
Container Release     : 5.19
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sun Feb  4 08:02:48 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun,  4 Feb 2024 09:02:48 +0100 (CET)
Subject: SUSE-CU-2024:448-1: Security update of suse/postgres
Message-ID: <20240204080248.0F8F1FE84@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:448-1
Container Tags        : suse/postgres:16 , suse/postgres:16-5.17 , suse/postgres:16.1 , suse/postgres:16.1-5.17 , suse/postgres:latest
Container Release     : 5.17
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sun Feb  4 08:02:52 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun,  4 Feb 2024 09:02:52 +0100 (CET)
Subject: SUSE-CU-2024:449-1: Security update of suse/rmt-mariadb-client
Message-ID: <20240204080252.827EBFE84@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-mariadb-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:449-1
Container Tags        : suse/mariadb-client:10.6 , suse/mariadb-client:10.6-14.16 , suse/mariadb-client:latest , suse/rmt-mariadb-client:10.6 , suse/rmt-mariadb-client:10.6-14.16 , suse/rmt-mariadb-client:latest
Container Release     : 14.16
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/rmt-mariadb-client was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sun Feb  4 08:03:07 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun,  4 Feb 2024 09:03:07 +0100 (CET)
Subject: SUSE-CU-2024:450-1: Security update of suse/rmt-server
Message-ID: <20240204080307.43041FE84@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:450-1
Container Tags        : suse/rmt-server:2.14 , suse/rmt-server:2.14-14.16 , suse/rmt-server:latest
Container Release     : 14.16
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/rmt-server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Sun Feb  4 08:03:29 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun,  4 Feb 2024 09:03:29 +0100 (CET)
Subject: SUSE-CU-2024:451-1: Security update of bci/rust
Message-ID: <20240204080330.0088AFE84@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:451-1
Container Tags        : bci/rust:1.74 , bci/rust:1.74-2.3.16 , bci/rust:oldstable , bci/rust:oldstable-2.3.16
Container Release     : 3.16
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:01:37 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:01:37 +0100 (CET)
Subject: SUSE-CU-2024:455-1: Security update of rancher/elemental-operator
Message-ID: <20240206080137.21BBDFBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:455-1
Container Tags        : rancher/elemental-operator:1.3.5 , rancher/elemental-operator:1.3.5-4.5.27 , rancher/elemental-operator:latest
Container Release     : 4.5.27
Severity              : important
Type                  : security
References            : 1107342 1195391 1196647 1201384 1201519 1204844 1205161 1206480
                        1206480 1206684 1206684 1207778 1209998 1209998 1210004 1210557
                        1210557 1210660 1211418 1211419 1211427 1211427 1212101 1212101
                        1213240 1213915 1213915 1214052 1214052 1214140 1214460 1214460
                        1214806 1215215 1215286 1215313 1215427 1215434 1215891 1216123
                        1216129 1216174 1216378 1216664 1216862 1216922 1216987 1217212
                        1217573 1217574 1218014 CVE-2023-2137 CVE-2023-2602 CVE-2023-2603
                        CVE-2023-4039 CVE-2023-4039 CVE-2023-44487 CVE-2023-45322 CVE-2023-45853
                        CVE-2023-46218 CVE-2023-46219 CVE-2023-4641 CVE-2023-4813 CVE-2023-50495
                        CVE-2023-5678 
-----------------------------------------------------------------

The container rancher/elemental-operator was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3577-1
Released:    Mon Sep 11 15:04:01 2023
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    low
References:  1209998
This update for crypto-policies fixes the following issues:

- Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4110-1
Released:    Wed Oct 18 12:35:26 2023
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1215286,1215891,CVE-2023-4813
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

Also a regression from a previous update was fixed:

- elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4122-1
Released:    Thu Oct 19 08:24:34 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1215215
This update for openssl-1_1 fixes the following issues:

- Displays 'fips' in the version string (bsc#1215215)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
    
Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported  AUTH_DES authentication has be
  compiled out since commit d918e41d889 (Wed Oct 9 2019)
  replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released:    Wed Nov 15 10:55:20 2023
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    moderate
References:  1209998
This update for crypto-policies fixes the following issues:

  - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands
    (jsc#PED-5041)
  - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby
    and add a note for transactional systems
  - Ship the man pages for fips-mode-setup and fips-finish-install
  - Make the supported versions change in the update-crypto-policies(8) man page persistent
    (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' commands is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.


The following package changes have been done:

- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- glibc-2.31-150300.63.1 updated
- libnghttp2-14-1.40.0-150200.12.1 updated
- libudev1-249.16-150400.8.35.5 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.16-150400.8.35.5 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- gpg2-2.2.27-150300.3.8.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- openssl-1_1-1.1.1l-150400.7.60.2 updated
- libsemanage1-3.1-150400.1.65 removed
- libsepol1-3.1-150400.1.70 removed

From sle-container-updates at lists.suse.com  Tue Feb  6 08:01:38 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:01:38 +0100 (CET)
Subject: SUSE-CU-2024:456-1: Security update of rancher/seedimage-builder
Message-ID: <20240206080138.839DCFBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:456-1
Container Tags        : rancher/seedimage-builder:1.3.5 , rancher/seedimage-builder:1.3.5-4.5.27 , rancher/seedimage-builder:latest
Container Release     : 4.5.27
Severity              : important
Type                  : security
References            : 1107342 1195391 1196647 1201384 1201519 1204844 1205161 1206480
                        1206480 1206684 1206684 1207778 1209998 1209998 1210004 1210557
                        1210557 1210660 1211418 1211419 1211427 1211427 1212101 1212101
                        1213240 1213915 1213915 1214052 1214052 1214140 1214460 1214460
                        1214806 1215215 1215286 1215313 1215427 1215434 1215891 1216123
                        1216129 1216174 1216378 1216664 1216862 1216922 1216987 1217212
                        1217573 1217574 1218014 CVE-2023-2137 CVE-2023-2602 CVE-2023-2603
                        CVE-2023-4039 CVE-2023-4039 CVE-2023-44487 CVE-2023-45322 CVE-2023-45853
                        CVE-2023-46218 CVE-2023-46219 CVE-2023-4641 CVE-2023-4813 CVE-2023-50495
                        CVE-2023-5678 
-----------------------------------------------------------------

The container rancher/seedimage-builder was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3577-1
Released:    Mon Sep 11 15:04:01 2023
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    low
References:  1209998
This update for crypto-policies fixes the following issues:

- Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4110-1
Released:    Wed Oct 18 12:35:26 2023
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1215286,1215891,CVE-2023-4813
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

Also a regression from a previous update was fixed:

- elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4122-1
Released:    Thu Oct 19 08:24:34 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1215215
This update for openssl-1_1 fixes the following issues:

- Displays 'fips' in the version string (bsc#1215215)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
    
Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported  AUTH_DES authentication has be
  compiled out since commit d918e41d889 (Wed Oct 9 2019)
  replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released:    Wed Nov 15 10:55:20 2023
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    moderate
References:  1209998
This update for crypto-policies fixes the following issues:

  - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands
    (jsc#PED-5041)
  - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby
    and add a note for transactional systems
  - Ship the man pages for fips-mode-setup and fips-finish-install
  - Make the supported versions change in the update-crypto-policies(8) man page persistent
    (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' commands is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.


The following package changes have been done:

- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- glibc-2.31-150300.63.1 updated
- libnghttp2-14-1.40.0-150200.12.1 updated
- libudev1-249.16-150400.8.35.5 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.16-150400.8.35.5 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- gpg2-2.2.27-150300.3.8.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- curl-8.0.1-150400.5.41.1 updated
- openssl-1_1-1.1.1l-150400.7.60.2 updated
- libsemanage1-3.1-150400.1.65 removed
- libsepol1-3.1-150400.1.70 removed

From sle-container-updates at lists.suse.com  Tue Feb  6 08:02:15 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:02:15 +0100 (CET)
Subject: SUSE-CU-2024:459-1: Security update of suse/ltss/sle15.4/sle15
Message-ID: <20240206080215.AB908FBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.4/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:459-1
Container Tags        : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.13 , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.13
Container Release     : 2.13
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- cpio-2.13-150400.3.6.1 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:03:01 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:03:01 +0100 (CET)
Subject: SUSE-CU-2024:461-1: Security update of bci/dotnet-sdk
Message-ID: <20240206080301.8DCB2FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:461-1
Container Tags        : bci/dotnet-sdk:7.0 , bci/dotnet-sdk:7.0-22.19 , bci/dotnet-sdk:7.0.15 , bci/dotnet-sdk:7.0.15-22.19
Container Release     : 22.19
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:03:03 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:03:03 +0100 (CET)
Subject: SUSE-CU-2024:462-1: Recommended update of bci/dotnet-sdk
Message-ID: <20240206080303.5648EFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:462-1
Container Tags        : bci/dotnet-sdk:8.0 , bci/dotnet-sdk:8.0-3.13 , bci/dotnet-sdk:8.0.1 , bci/dotnet-sdk:8.0.1-3.13 , bci/dotnet-sdk:latest
Container Release     : 3.13
Severity              : moderate
Type                  : recommended
References            : 1107342 1215434 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:03:16 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:03:16 +0100 (CET)
Subject: SUSE-CU-2024:463-1: Security update of bci/golang
Message-ID: <20240206080316.91B0CFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:463-1
Container Tags        : bci/golang:1.20 , bci/golang:1.20-2.7.20 , bci/golang:oldstable , bci/golang:oldstable-2.7.20
Container Release     : 7.20
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1216488 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:303-1
Released:    Thu Feb  1 15:21:30 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1216488
This update for gcc7 fixes the following issues:

- Avoid crash when hitting a broken pattern in the s390 backend.
- Avoid creating recursive DIE references through DW_AT_abstract_origin when using LTO.  [bsc#1216488]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- libasan4-7.5.0+r278197-150000.4.38.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.38.1 updated
- libubsan0-7.5.0+r278197-150000.4.38.1 updated
- cpp7-7.5.0+r278197-150000.4.38.1 updated
- gcc7-7.5.0+r278197-150000.4.38.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:03:29 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:03:29 +0100 (CET)
Subject: SUSE-CU-2024:464-1: Security update of suse/nginx
Message-ID: <20240206080329.1FA11FBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:464-1
Container Tags        : suse/nginx:1.21 , suse/nginx:1.21-9.20 , suse/nginx:latest
Container Release     : 9.20
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/nginx was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:03:51 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:03:51 +0100 (CET)
Subject: SUSE-CU-2024:465-1: Security update of bci/openjdk-devel
Message-ID: <20240206080351.EF95AFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:465-1
Container Tags        : bci/openjdk-devel:11 , bci/openjdk-devel:11-13.39
Container Release     : 13.39
Severity              : important
Type                  : security
References            : 1107342 1215434 1218571 1218903 1218905 1218906 1218907 1218909
                        1218911 1219238 CVE-2023-7207 CVE-2024-20918 CVE-2024-20919 CVE-2024-20921
                        CVE-2024-20926 CVE-2024-20945 CVE-2024-20952 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:321-1
Released:    Fri Feb  2 13:51:01 2024
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    important
References:  1218903,1218905,1218906,1218907,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20926,CVE-2024-20945,CVE-2024-20952
This update for java-11-openjdk fixes the following issues:

Updated to version 11.0.22 (January 2024 CPU):

  - CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM
    due to a missing bounds check (bsc#1218907).
  - CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class
    file verifier (bsc#1218903).
  - CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM
    that could lead to corruption of JVM memory (bsc#1218905).
  - CVE-2024-20926: Fixed arbitrary Java code execution in Nashorn (bsc#1218906).
  - CVE-2024-20945: Fixed a potential private key leak through debug
    logs (bsc#1218909).
  - CVE-2024-20952: Fixed an RSA padding issue and timing side-channel
    attack against TLS (bsc#1218911).

Find the full release notes at:

https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029215.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- java-11-openjdk-headless-11.0.22.0-150000.3.110.1 updated
- java-11-openjdk-11.0.22.0-150000.3.110.1 updated
- java-11-openjdk-devel-11.0.22.0-150000.3.110.1 updated
- container:bci-openjdk-11-15.5.11-14.18 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:04:11 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:04:11 +0100 (CET)
Subject: SUSE-CU-2024:466-1: Security update of bci/openjdk-devel
Message-ID: <20240206080411.5BAB0FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:466-1
Container Tags        : bci/openjdk-devel:17 , bci/openjdk-devel:17-15.40 , bci/openjdk-devel:latest
Container Release     : 15.40
Severity              : important
Type                  : security
References            : 1107342 1215434 1218571 1218903 1218905 1218907 1218908 1218909
                        1218911 1219238 CVE-2023-7207 CVE-2024-20918 CVE-2024-20919 CVE-2024-20921
                        CVE-2024-20932 CVE-2024-20945 CVE-2024-20952 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:325-1
Released:    Mon Feb  5 11:39:10 2024
Summary:     Security update for java-17-openjdk
Type:        security
Severity:    important
References:  1218903,1218905,1218907,1218908,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20932,CVE-2024-20945,CVE-2024-20952
This update for java-17-openjdk fixes the following issues:

Updated to version 17.0.10 (January 2024 CPU):

  - CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM
    due to a missing bounds check (bsc#1218907).
  - CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class
    file verifier (bsc#1218903).
  - CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM
    that could lead to corruption of JVM memory (bsc#1218905).
  - CVE-2024-20932: Fixed an incorrect handling of ZIP files with
    duplicate entries (bsc#1218908).
  - CVE-2024-20945: Fixed a potential private key leak through debug
    logs (bsc#1218909).
  - CVE-2024-20952: Fixed an RSA padding issue and timing side-channel
    attack against TLS (bsc#1218911).

Find the full release notes at:

https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029089.html


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- java-17-openjdk-headless-17.0.10.0-150400.3.36.1 updated
- java-17-openjdk-17.0.10.0-150400.3.36.1 updated
- java-17-openjdk-devel-17.0.10.0-150400.3.36.1 updated
- container:bci-openjdk-17-15.5.17-15.19 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:04:28 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:04:28 +0100 (CET)
Subject: SUSE-CU-2024:467-1: Security update of bci/openjdk
Message-ID: <20240206080428.A1D24FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:467-1
Container Tags        : bci/openjdk:17 , bci/openjdk:17-15.19 , bci/openjdk:latest
Container Release     : 15.19
Severity              : important
Type                  : security
References            : 1107342 1215434 1218571 1218903 1218905 1218907 1218908 1218909
                        1218911 1219238 CVE-2023-7207 CVE-2024-20918 CVE-2024-20919 CVE-2024-20921
                        CVE-2024-20932 CVE-2024-20945 CVE-2024-20952 
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:325-1
Released:    Mon Feb  5 11:39:10 2024
Summary:     Security update for java-17-openjdk
Type:        security
Severity:    important
References:  1218903,1218905,1218907,1218908,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20932,CVE-2024-20945,CVE-2024-20952
This update for java-17-openjdk fixes the following issues:

Updated to version 17.0.10 (January 2024 CPU):

  - CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM
    due to a missing bounds check (bsc#1218907).
  - CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class
    file verifier (bsc#1218903).
  - CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM
    that could lead to corruption of JVM memory (bsc#1218905).
  - CVE-2024-20932: Fixed an incorrect handling of ZIP files with
    duplicate entries (bsc#1218908).
  - CVE-2024-20945: Fixed a potential private key leak through debug
    logs (bsc#1218909).
  - CVE-2024-20952: Fixed an RSA padding issue and timing side-channel
    attack against TLS (bsc#1218911).

Find the full release notes at:

https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029089.html


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- java-17-openjdk-headless-17.0.10.0-150400.3.36.1 updated
- java-17-openjdk-17.0.10.0-150400.3.36.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:04:44 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:04:44 +0100 (CET)
Subject: SUSE-CU-2024:468-1: Security update of suse/postgres
Message-ID: <20240206080444.5641AFBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:468-1
Container Tags        : suse/postgres:15 , suse/postgres:15-16.18 , suse/postgres:15.5 , suse/postgres:15.5-16.18
Container Release     : 16.18
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:05:01 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:05:01 +0100 (CET)
Subject: SUSE-CU-2024:469-1: Security update of bci/python
Message-ID: <20240206080501.54A5EFBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:469-1
Container Tags        : bci/python:3 , bci/python:3-16.17 , bci/python:3.11 , bci/python:3.11-16.17 , bci/python:latest
Container Release     : 16.17
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:05:18 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:05:18 +0100 (CET)
Subject: SUSE-CU-2024:470-1: Security update of bci/python
Message-ID: <20240206080518.0F1B5FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:470-1
Container Tags        : bci/python:3 , bci/python:3-17.17 , bci/python:3.6 , bci/python:3.6-17.17
Container Release     : 17.17
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:05:20 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:05:20 +0100 (CET)
Subject: SUSE-CU-2024:471-1: Security update of suse/rmt-mariadb
Message-ID: <20240206080520.80180FBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:471-1
Container Tags        : suse/mariadb:10.6 , suse/mariadb:10.6-17.16 , suse/mariadb:latest , suse/rmt-mariadb:10.6 , suse/rmt-mariadb:10.6-17.16 , suse/rmt-mariadb:latest
Container Release     : 17.16
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/rmt-mariadb was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:05:33 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:05:33 +0100 (CET)
Subject: SUSE-CU-2024:472-1: Security update of suse/sle15
Message-ID: <20240206080533.BABB6FBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:472-1
Container Tags        : bci/bci-base:15.5 , bci/bci-base:15.5.36.11.2 , suse/sle15:15.5 , suse/sle15:15.5.36.11.2
Container Release     : 36.11.2
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- cpio-2.13-150400.3.6.1 updated

From sle-container-updates at lists.suse.com  Wed Feb  7 08:01:48 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:01:48 +0100 (CET)
Subject: SUSE-CU-2024:474-1: Security update of suse/sle-micro-iso/5.5
Message-ID: <20240207080148.65856FBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro-iso/5.5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:474-1
Container Tags        : suse/sle-micro-iso/5.5:2.0.2 , suse/sle-micro-iso/5.5:2.0.2-4.2.27 , suse/sle-micro-iso/5.5:latest
Container Release     : 4.2.27
Severity              : important
Type                  : security
References            : 1201627 1207534 1211124 1211430 1212475 1212496 1212613 1213472
                        1213487 1213517 1213853 1214054 1214071 1214458 1214768 1215215
                        1215291 1215596 1216006 1216378 CVE-2022-4304 CVE-2023-2650 CVE-2023-3446
                        CVE-2023-36054 CVE-2023-3817 CVE-2023-39615 CVE-2023-45853 
-----------------------------------------------------------------

The container suse/sle-micro-iso/5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 29171
Released:    Tue Jun 20 12:29:00 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect tests (bsc#1201627)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2901-1
Released:    Thu Jul 20 09:49:16 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1212613
This update for lvm2 fixes the following issues:

- multipath_component_detection = 0 in lvm.conf does not have any effect (bsc#1212613)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2934-1
Released:    Fri Jul 21 12:46:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs
- Remove obsolete Requires(post): util-linux-systemd
- Add registry.suse.com to the unqualified-search-registries

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2965-1
Released:    Tue Jul 25 12:30:22 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2966-1
Released:    Tue Jul 25 14:26:14 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  
This update for libxml2 fixes the following issues:

- Build also for modern python version (jsc#PED-68)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3088-1
Released:    Tue Aug  1 09:52:03 2023
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1212496
This update for systemd-presets-common-SUSE fixes the following issues:

- Fix systemctl being called with an empty argument (bsc#1212496)
- Don't call systemctl list-unit-files with an empty argument (bsc#1212496)
- Add wtmpdb-update-boot.service and wtmpdb-rotate.timer

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3102-1
Released:    Tue Aug  1 14:11:53 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1213517
This update for openssl-1_1 fixes the following issues:

- Dont pass zero length input to EVP_Cipher (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3242-1
Released:    Tue Aug  8 18:19:40 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3276-1
Released:    Fri Aug 11 10:20:40 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1213472
This update for apparmor fixes the following issues:

- Add pam_apparmor README (bsc#1213472)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3325-1
Released:    Wed Aug 16 08:26:08 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3485-1
Released:    Tue Aug 29 14:20:56 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1214071
This update for lvm2 fixes the following issues:

- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3666-1
Released:    Mon Sep 18 21:52:18 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615
This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3717-1
Released:    Thu Sep 21 06:51:51 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1214458
This update for apparmor fixes the following issues:

- Update zgrep profile to allow egrep helper use (bsc#1214458)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3798-1
Released:    Wed Sep 27 10:32:31 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    important
References:  1215291
This update for libcontainers-common fixes the following issues:

- Require libcontainers-sles-mounts for *all* SLE products,
  and not just SLES. (bsc#1215291)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4003-1
Released:    Mon Oct  9 08:29:33 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1215596
This update for apparmor fixes the following issues:

- Handle pam-config errors in pam_apparmor %post and %postun scripts (bsc#1215596)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4073-1
Released:    Fri Oct 13 11:40:26 2023
Summary:     Recommended update for rpm
Type:        recommended
Severity:    low
References:  
This update for rpm fixes the following issue:

- Enables build for all python modules (jsc#PED-68, jsc#PED-1988)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4076-1
Released:    Fri Oct 13 14:02:51 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4105-1
Released:    Wed Oct 18 08:15:40 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1215215
This update for openssl-1_1 fixes the following issues:

- Displays 'fips' in the version string (bsc#1215215)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4215-1
Released:    Thu Oct 26 12:19:25 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).


The following package changes have been done:

- filesystem-15.0-150500.1.1 updated
- libsemanage-conf-3.4-150500.1.12 updated
- libz1-1.2.13-150500.4.3.1 updated
- libuuid1-2.37.4-150500.9.3.1 updated
- libsmartcols1-2.37.4-150500.9.3.1 updated
- libsepol2-3.4-150500.1.18 updated
- libblkid1-2.37.4-150500.9.3.1 updated
- libapparmor1-3.0.4-150500.11.9.1 updated
- libselinux1-3.4-150500.1.12 updated
- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libgcrypt20-1.9.4-150500.10.19 updated
- libp11-kit0-0.23.22-150500.8.3.1 updated
- libfdisk1-2.37.4-150500.9.3.1 updated
- libsemanage2-3.4-150500.1.12 updated
- libmount1-2.37.4-150500.9.3.1 updated
- krb5-1.20.1-150500.3.3.1 updated
- login_defs-4.8.1-150500.1.10 updated
- libdevmapper1_03-2.03.22_1.02.196-150500.7.9.1 updated
- systemd-presets-common-SUSE-15-150500.20.3.1 updated
- rpm-4.14.3-150400.59.3.1 added
- shadow-4.8.1-150500.1.10 updated
- util-linux-2.37.4-150500.9.3.1 updated
- libsasl2-3-2.1.28-150500.1.1 updated
- cni-1.1.2-150500.3.2.1 updated
- libcontainers-sles-mounts-20230214-150500.4.6.1 updated
- libslirp0-4.7.0+44-150500.2.1 updated
- runc-1.1.10-150000.55.1 updated
- libcontainers-common-20230214-150500.4.6.1 updated
- perl-5.26.1-150300.17.14.1 added
- slirp4netns-1.2.0-150500.1.1 updated
- container:suse-sle-micro-5.5-latest-- added
- container:bci-bci-busybox-15.5-- added
- container:bci-bci-busybox-15.4-- removed
- container:rancher-elemental-teal-5.4-latest-- removed
- libicu-suse65_1-65.1-150200.4.10.1 removed
- libicu65_1-ledata-65.1-150200.4.10.1 removed

From sle-container-updates at lists.suse.com  Wed Feb  7 08:01:51 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:01:51 +0100 (CET)
Subject: SUSE-CU-2024:477-1: Security update of rancher/elemental-operator
Message-ID: <20240207080151.85D1BFBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:477-1
Container Tags        : rancher/elemental-operator:1.4.2 , rancher/elemental-operator:1.4.2-3.2.1 , rancher/elemental-operator:latest
Container Release     : 3.2.1
Severity              : important
Type                  : security
References            : 1029961 1120610 1120610 1130496 1130496 1177047 1180713 1181131
                        1181131 1184124 1186642 1198062 1198922 1200657 1200657 1201627
                        1202436 1202436 1202436 1203600 1207534 1207753 1211188 1211190
                        1211430 1213487 1213517 1213853 1214054 1214668 1214768 1215215
                        1215241 1215496 1216378 1217000 1217460 1217969 1218126 1218186
                        1218209 1218475 1218571 CVE-2018-20482 CVE-2018-20482 CVE-2019-9923
                        CVE-2019-9923 CVE-2021-20193 CVE-2021-20193 CVE-2022-1271 CVE-2022-4304
                        CVE-2022-48303 CVE-2023-1667 CVE-2023-2283 CVE-2023-2650 CVE-2023-3446
                        CVE-2023-36054 CVE-2023-3817 CVE-2023-39615 CVE-2023-39804 CVE-2023-45853
                        CVE-2023-48795 CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2024-22365
-----------------------------------------------------------------

The container rancher/elemental-operator was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:926-1
Released:    Wed Apr 10 16:33:12 2019
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1120610,1130496,CVE-2018-20482,CVE-2019-9923
This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3791-1
Released:    Mon Dec 14 17:39:19 2020
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  
This update for gzip fixes the following issue:

- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
  
  Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released:    Mon Mar 29 19:31:27 2021
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1181131,CVE-2021-20193
This update for tar fixes the following issues:

CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1018-1
Released:    Tue Apr  6 14:29:13 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1180713
This update for gzip fixes the following issues:

- Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1289-1
Released:    Wed Apr 21 14:02:46 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1177047
This update for gzip fixes the following issues:

- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1935-1
Released:    Thu Jun 10 10:45:09 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1186642

This update for gzip fixes the following issue:

- gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead
  to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released:    Mon Jun 28 18:38:43 2021
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1184124
This update for tar fixes the following issues:

- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1548-1
Released:    Thu May  5 16:45:28 2022
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:
  * Fix extraction over pipe
  * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
  * Fix extraction when . and .. are unreadable
  * Gracefully handle duplicate symlinks when extracting
  * Re-initialize supplementary groups when switching to user
    privileges

- Update to GNU tar 1.33:
  * POSIX extended format headers do not include PID by default
  * --delay-directory-restore works for archives with reversed
    member ordering
  * Fix extraction of a symbolic link hardlinked to another
    symbolic link
  * Wildcards in exclude-vcs-ignore mode don't match slash
  * Fix the --no-overwrite-dir option
  * Fix handling of chained renames in incremental backups
  * Link counting works for file names supplied with -T
  * Accept only position-sensitive (file-selection) options in file
    list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32
  * Fix the use of --checkpoint without explicit --checkpoint-action
  * Fix extraction with the -U option
  * Fix iconv usage on BSD-based systems
  * Fix possible NULL dereference (savannah bug #55369)
    [bsc#1130496] [CVE-2019-9923]
  * Improve the testsuite

- Update to GNU 1.31
  * Fix heap-buffer-overrun with --one-top-level, bug introduced
    with the addition of that option in 1.28
  * Support for zstd compression
  * New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extractng and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  * The -K option interacts properly with member names given in the
    command line. Names of members to extract can be specified along
    with the '-K NAME' option. In this case, tar will extract NAME
    and those of named members that appear in the archive after it,
    which is consistent with the semantics of the option. Previous
    versions of tar extracted NAME, those of named members that
    appeared before it, and everything after it.
  * Fix CVE-2018-20482 - When creating archives with the --sparse
    option, previous versions of tar would loop endlessly if a
    sparse file had been truncated while being archived.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1617-1
Released:    Tue May 10 14:40:12 2022
Summary:     Security update for gzip
Type:        security
Severity:    important
References:  1198062,1198922,CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2735-1
Released:    Wed Aug 10 04:31:41 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1200657
This update for tar fixes the following issues:

- Fix race condition while creating intermediate subdirectories (bsc#1200657)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2844-1
Released:    Thu Aug 18 14:41:25 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    important
References:  1202436
This update for tar fixes the following issues:

- A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4312-1
Released:    Fri Dec  2 11:16:47 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1200657,1203600
This update for tar fixes the following issues:

- Fix unexpected inconsistency when making directory (bsc#1203600)
- Update race condition fix (bsc#1200657)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:179-1
Released:    Thu Jan 26 21:54:30 2023
Summary:     Recommended update for tar
Type:        recommended
Severity:    low
References:  1202436
This update for tar fixes the following issue:

- Fix hang when unpacking test tarball (bsc#1202436)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:463-1
Released:    Mon Feb 20 16:33:39 2023
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1202436,1207753,CVE-2022-48303
This update for tar fixes the following issues:

- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753). 

Bug fixes:

- Fix hang when unpacking test tarball (bsc#1202436).

-----------------------------------------------------------------
Advisory ID: 29171
Released:    Tue Jun 20 12:29:00 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect tests (bsc#1201627)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2965-1
Released:    Tue Jul 25 12:30:22 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2966-1
Released:    Tue Jul 25 14:26:14 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  
This update for libxml2 fixes the following issues:

- Build also for modern python version (jsc#PED-68)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3102-1
Released:    Tue Aug  1 14:11:53 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1213517
This update for openssl-1_1 fixes the following issues:

- Dont pass zero length input to EVP_Cipher (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3242-1
Released:    Tue Aug  8 18:19:40 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3325-1
Released:    Wed Aug 16 08:26:08 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3666-1
Released:    Mon Sep 18 21:52:18 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615
This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4105-1
Released:    Wed Oct 18 08:15:40 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1215215
This update for openssl-1_1 fixes the following issues:

- Displays 'fips' in the version string (bsc#1215215)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4215-1
Released:    Thu Oct 26 12:19:25 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libz1-1.2.13-150500.4.3.1 updated
- libuuid1-2.37.4-150500.9.3.1 updated
- libsmartcols1-2.37.4-150500.9.3.1 updated
- libblkid1-2.37.4-150500.9.3.1 updated
- libfdisk1-2.37.4-150500.9.3.1 updated
- libsasl2-3-2.1.28-150500.1.1 updated
- libgcrypt20-1.9.4-150500.10.19 updated
- libgcrypt20-hmac-1.9.4-150500.10.19 updated
- libudev1-249.17-150400.8.40.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- cpio-2.13-150400.3.3.1 updated
- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- libmount1-2.37.4-150500.9.3.1 updated
- krb5-1.20.1-150500.3.3.1 updated
- libssh4-0.9.8-150400.3.3.1 updated
- pam-1.3.0-150000.6.66.1 updated
- util-linux-2.37.4-150500.9.3.1 updated
- tar-1.34-150000.3.34.1 added
- gzip-1.10-150200.10.1 added
- openssl-1_1-1.1.1l-150500.17.22.1 updated
- libp11-kit0-0.23.22-150500.8.3.1 updated
- p11-kit-0.23.22-150500.8.3.1 updated
- p11-kit-tools-0.23.22-150500.8.3.1 updated
- container:suse-sle15-15.5-- added
- container:suse-sle15-15.4-- removed

From sle-container-updates at lists.suse.com  Wed Feb  7 08:01:53 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:01:53 +0100 (CET)
Subject: SUSE-CU-2024:478-1: Security update of rancher/seedimage-builder
Message-ID: <20240207080153.C37B0FBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:478-1
Container Tags        : rancher/seedimage-builder:1.4.2 , rancher/seedimage-builder:1.4.2-3.2.2 , rancher/seedimage-builder:latest
Container Release     : 3.2.2
Severity              : important
Type                  : security
References            : 1029961 1120610 1120610 1130496 1130496 1177047 1180713 1181131
                        1181131 1184124 1186642 1198062 1198922 1200657 1200657 1201627
                        1202436 1202436 1202436 1203600 1207534 1207753 1211188 1211190
                        1211430 1213487 1213517 1213853 1214054 1214668 1214768 1215215
                        1215241 1215496 1216378 1217000 1217460 1217969 1218126 1218186
                        1218209 1218475 1218571 CVE-2018-20482 CVE-2018-20482 CVE-2019-9923
                        CVE-2019-9923 CVE-2021-20193 CVE-2021-20193 CVE-2022-1271 CVE-2022-4304
                        CVE-2022-48303 CVE-2023-1667 CVE-2023-2283 CVE-2023-2650 CVE-2023-3446
                        CVE-2023-36054 CVE-2023-3817 CVE-2023-39615 CVE-2023-39804 CVE-2023-45853
                        CVE-2023-48795 CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2024-22365
-----------------------------------------------------------------

The container rancher/seedimage-builder was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:926-1
Released:    Wed Apr 10 16:33:12 2019
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1120610,1130496,CVE-2018-20482,CVE-2019-9923
This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3791-1
Released:    Mon Dec 14 17:39:19 2020
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  
This update for gzip fixes the following issue:

- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
  
  Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released:    Mon Mar 29 19:31:27 2021
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1181131,CVE-2021-20193
This update for tar fixes the following issues:

CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1018-1
Released:    Tue Apr  6 14:29:13 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1180713
This update for gzip fixes the following issues:

- Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1289-1
Released:    Wed Apr 21 14:02:46 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1177047
This update for gzip fixes the following issues:

- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1935-1
Released:    Thu Jun 10 10:45:09 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1186642

This update for gzip fixes the following issue:

- gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead
  to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released:    Mon Jun 28 18:38:43 2021
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1184124
This update for tar fixes the following issues:

- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1548-1
Released:    Thu May  5 16:45:28 2022
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:
  * Fix extraction over pipe
  * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
  * Fix extraction when . and .. are unreadable
  * Gracefully handle duplicate symlinks when extracting
  * Re-initialize supplementary groups when switching to user
    privileges

- Update to GNU tar 1.33:
  * POSIX extended format headers do not include PID by default
  * --delay-directory-restore works for archives with reversed
    member ordering
  * Fix extraction of a symbolic link hardlinked to another
    symbolic link
  * Wildcards in exclude-vcs-ignore mode don't match slash
  * Fix the --no-overwrite-dir option
  * Fix handling of chained renames in incremental backups
  * Link counting works for file names supplied with -T
  * Accept only position-sensitive (file-selection) options in file
    list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32
  * Fix the use of --checkpoint without explicit --checkpoint-action
  * Fix extraction with the -U option
  * Fix iconv usage on BSD-based systems
  * Fix possible NULL dereference (savannah bug #55369)
    [bsc#1130496] [CVE-2019-9923]
  * Improve the testsuite

- Update to GNU 1.31
  * Fix heap-buffer-overrun with --one-top-level, bug introduced
    with the addition of that option in 1.28
  * Support for zstd compression
  * New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extractng and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  * The -K option interacts properly with member names given in the
    command line. Names of members to extract can be specified along
    with the '-K NAME' option. In this case, tar will extract NAME
    and those of named members that appear in the archive after it,
    which is consistent with the semantics of the option. Previous
    versions of tar extracted NAME, those of named members that
    appeared before it, and everything after it.
  * Fix CVE-2018-20482 - When creating archives with the --sparse
    option, previous versions of tar would loop endlessly if a
    sparse file had been truncated while being archived.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1617-1
Released:    Tue May 10 14:40:12 2022
Summary:     Security update for gzip
Type:        security
Severity:    important
References:  1198062,1198922,CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2735-1
Released:    Wed Aug 10 04:31:41 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1200657
This update for tar fixes the following issues:

- Fix race condition while creating intermediate subdirectories (bsc#1200657)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2844-1
Released:    Thu Aug 18 14:41:25 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    important
References:  1202436
This update for tar fixes the following issues:

- A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4312-1
Released:    Fri Dec  2 11:16:47 2022
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1200657,1203600
This update for tar fixes the following issues:

- Fix unexpected inconsistency when making directory (bsc#1203600)
- Update race condition fix (bsc#1200657)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:179-1
Released:    Thu Jan 26 21:54:30 2023
Summary:     Recommended update for tar
Type:        recommended
Severity:    low
References:  1202436
This update for tar fixes the following issue:

- Fix hang when unpacking test tarball (bsc#1202436)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:463-1
Released:    Mon Feb 20 16:33:39 2023
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1202436,1207753,CVE-2022-48303
This update for tar fixes the following issues:

- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753). 

Bug fixes:

- Fix hang when unpacking test tarball (bsc#1202436).

-----------------------------------------------------------------
Advisory ID: 29171
Released:    Tue Jun 20 12:29:00 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect tests (bsc#1201627)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2965-1
Released:    Tue Jul 25 12:30:22 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2966-1
Released:    Tue Jul 25 14:26:14 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  
This update for libxml2 fixes the following issues:

- Build also for modern python version (jsc#PED-68)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3102-1
Released:    Tue Aug  1 14:11:53 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1213517
This update for openssl-1_1 fixes the following issues:

- Dont pass zero length input to EVP_Cipher (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3242-1
Released:    Tue Aug  8 18:19:40 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3325-1
Released:    Wed Aug 16 08:26:08 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3666-1
Released:    Mon Sep 18 21:52:18 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615
This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4105-1
Released:    Wed Oct 18 08:15:40 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1215215
This update for openssl-1_1 fixes the following issues:

- Displays 'fips' in the version string (bsc#1215215)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4215-1
Released:    Thu Oct 26 12:19:25 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libz1-1.2.13-150500.4.3.1 updated
- libuuid1-2.37.4-150500.9.3.1 updated
- libsmartcols1-2.37.4-150500.9.3.1 updated
- libblkid1-2.37.4-150500.9.3.1 updated
- libfdisk1-2.37.4-150500.9.3.1 updated
- libsasl2-3-2.1.28-150500.1.1 updated
- libgcrypt20-1.9.4-150500.10.19 updated
- libgcrypt20-hmac-1.9.4-150500.10.19 updated
- libudev1-249.17-150400.8.40.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- cpio-2.13-150400.3.3.1 updated
- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- libmount1-2.37.4-150500.9.3.1 updated
- krb5-1.20.1-150500.3.3.1 updated
- libssh4-0.9.8-150400.3.3.1 updated
- pam-1.3.0-150000.6.66.1 updated
- util-linux-2.37.4-150500.9.3.1 updated
- tar-1.34-150000.3.34.1 added
- gzip-1.10-150200.10.1 added
- openssl-1_1-1.1.1l-150500.17.22.1 updated
- libp11-kit0-0.23.22-150500.8.3.1 updated
- p11-kit-0.23.22-150500.8.3.1 updated
- p11-kit-tools-0.23.22-150500.8.3.1 updated
- container:suse-sle15-15.5-- added
- container:suse-sle15-15.4-- removed

From sle-container-updates at lists.suse.com  Wed Feb  7 08:02:19 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:02:19 +0100 (CET)
Subject: SUSE-CU-2024:479-1: Security update of suse/sle-micro/5.5/toolbox
Message-ID: <20240207080219.64BD2FBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:479-1
Container Tags        : suse/sle-micro/5.5/toolbox:12.1 , suse/sle-micro/5.5/toolbox:12.1-2.2.150 , suse/sle-micro/5.5/toolbox:latest
Container Release     : 2.2.150
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- cpio-2.13-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Wed Feb  7 08:03:50 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:03:50 +0100 (CET)
Subject: SUSE-CU-2024:480-1: Security update of bci/dotnet-runtime
Message-ID: <20240207080350.1F950FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:480-1
Container Tags        : bci/dotnet-runtime:7.0 , bci/dotnet-runtime:7.0-22.19 , bci/dotnet-runtime:7.0.15 , bci/dotnet-runtime:7.0.15-22.19
Container Release     : 22.19
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Wed Feb  7 08:04:09 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:04:09 +0100 (CET)
Subject: SUSE-CU-2024:481-1: Security update of bci/nodejs
Message-ID: <20240207080409.C0504FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:481-1
Container Tags        : bci/node:18 , bci/node:18-15.20 , bci/nodejs:18 , bci/nodejs:18-15.20
Container Release     : 15.20
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Wed Feb  7 08:04:34 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:04:34 +0100 (CET)
Subject: SUSE-CU-2024:482-1: Security update of suse/pcp
Message-ID: <20240207080434.0C6CDFBA4@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:482-1
Container Tags        : suse/pcp:5 , suse/pcp:5-21.30 , suse/pcp:5.2 , suse/pcp:5.2-21.30 , suse/pcp:5.2.5 , suse/pcp:5.2.5-21.30 , suse/pcp:latest
Container Release     : 21.30
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1216488 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:303-1
Released:    Thu Feb  1 15:21:30 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1216488
This update for gcc7 fixes the following issues:

- Avoid crash when hitting a broken pattern in the s390 backend.
- Avoid creating recursive DIE references through DW_AT_abstract_origin when using LTO.  [bsc#1216488]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- cpp7-7.5.0+r278197-150000.4.38.1 updated
- container:bci-bci-init-15.5-15.5-13.20 updated

From sle-container-updates at lists.suse.com  Wed Feb  7 08:04:52 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed,  7 Feb 2024 09:04:52 +0100 (CET)
Subject: SUSE-CU-2024:483-1: Security update of bci/rust
Message-ID: <20240207080452.E6030FBA4@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:483-1
Container Tags        : bci/rust:1.75 , bci/rust:1.75-1.3.17 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.17
Container Release     : 3.17
Severity              : moderate
Type                  : security
References            : 1107342 1215434 1218571 1219238 CVE-2023-7207 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)


The following package changes have been done:

- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- container:sles15-image-15.0.0-36.11.2 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:01:31 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:01:31 +0100 (CET)
Subject: SUSE-CU-2024:452-1: Security update of rancher/elemental-teal-iso/5.4
Message-ID: <20240206080131.8FF81FBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-teal-iso/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:452-1
Container Tags        : rancher/elemental-teal-iso/5.4:1.2.3 , rancher/elemental-teal-iso/5.4:1.2.3-4.5.90 , rancher/elemental-teal-iso/5.4:latest
Container Release     : 4.5.90
Severity              : important
Type                  : security
References            : 1103893 1107342 1112183 1168481 1187364 1187364 1187365 1187366
                        1187366 1187367 1187367 1195391 1196647 1198773 1198773 1200441
                        1200441 1200528 1201384 1201519 1201551 1201551 1204844 1205161
                        1206346 1206480 1206480 1206684 1206684 1207004 1207778 1207987
                        1208074 1208962 1209884 1209888 1210004 1210298 1210557 1210557
                        1210660 1211079 1211124 1211188 1211190 1211418 1211419 1211427
                        1211427 1211578 1212101 1212101 1212475 1212475 1212475 1213240
                        1213915 1213915 1214025 1214052 1214052 1214140 1214460 1214460
                        1214668 1214806 1215229 1215241 1215291 1215313 1215323 1215427
                        1215434 1215496 1216006 1216123 1216129 1216174 1216378 1216664
                        1216862 1216922 1216987 1217000 1217212 1217460 1217472 1217573
                        1217574 1217969 1218014 1218126 1218186 1218209 1218475 1218571
                        1218894 CVE-2021-3592 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594
                        CVE-2021-3594 CVE-2021-3595 CVE-2021-3595 CVE-2022-1996 CVE-2023-1667
                        CVE-2023-2137 CVE-2023-2283 CVE-2023-25809 CVE-2023-2602 CVE-2023-2603
                        CVE-2023-27561 CVE-2023-28642 CVE-2023-39804 CVE-2023-4039 CVE-2023-4039
                        CVE-2023-4156 CVE-2023-44487 CVE-2023-45322 CVE-2023-45853 CVE-2023-46218
                        CVE-2023-46219 CVE-2023-4641 CVE-2023-48795 CVE-2023-50495 CVE-2023-5678
                        CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2024-21626 CVE-2024-22365
-----------------------------------------------------------------

The container rancher/elemental-teal-iso/5.4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released:    Fri Apr 29 11:36:02 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released:    Wed May 18 16:56:21 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released:    Tue Aug 30 10:51:09 2022
Summary:     Security update for libslirp
Type:        security
Severity:    moderate
References:  1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:

- CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365).

Non-security fixes:

- Fix the version header (bsc#1201551)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released:    Wed Apr 19 14:23:14 2023
Summary:     Recommended update for libslirp, slirp4netns
Type:        recommended
Severity:    moderate
References:  1201551
This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxilliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix 'DHCP broken in libslirp v4.6.0'

Update to version 4.6.0:

* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:


* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released:    Tue Apr 25 18:05:42 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:

 - Fix the inability to use `/dev/null` when inside a container.
 - Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
 - Fix rare runc exec/enter unshare error on older kernels.
 - nsexec: Check for errors in `write_log()`.
 - Drop version-specific Go requirement.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released:    Fri May 19 15:26:43 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1200441

This update of runc fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released:    Tue Jun 27 14:43:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed   
  even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released:    Tue Aug 29 07:33:16 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1103893,1112183
This update for icu fixes the following issues:

- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3736-1
Released:    Fri Sep 22 20:30:59 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    important
References:  1215291
This update for libcontainers-common fixes the following issues:

- Require libcontainers-sles-mounts for *all* SUSE Linux Enterprise products,
  and not just SUSE Linux Enterprise Server. (bsc#1215291)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released:    Wed Sep 27 18:20:25 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released:    Tue Oct  3 20:06:23 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1212475

This update of runc fixes the following issues:

- Update to runc v1.1.8.

  Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released:    Thu Oct 19 09:38:31 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released:    Fri Oct 20 10:06:58 2023
Summary:     Recommended update for containerd, runc
Type:        recommended
Severity:    moderate
References:  1215323
This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
    
Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported  AUTH_DES authentication has be
  compiled out since commit d918e41d889 (Wed Oct 9 2019)
  replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4615-1
Released:    Wed Nov 29 20:33:38 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1217472

This update of icu fixes the following issue:

- missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' commands is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4727-1
Released:    Tue Dec 12 12:27:39 2023
Summary:     Security update for catatonit, containerd, runc
Type:        security
Severity:    important
References:  1200528,CVE-2022-1996

This update of runc and containerd fixes the following issues:

containerd:

- Update to containerd v1.7.8. Upstream release notes:
  https://github.com/containerd/containerd/releases/tag/v1.7.8

    * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528)

catatonit:

- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.

- Update to catatont v0.1.7
  * This release adds the ability for catatonit to be used as the only
    process in a pause container, by passing the -P flag (in this mode no
    subprocess is spawned and thus no signal forwarding is done).

- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
  socket activation or features somewhat adjacent to socket activation (such as
  passing file descriptors).

runc:

- Update to runc v1.1.10. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.10


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released:    Wed Dec 20 08:49:04 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1215229
This update for lvm2 fixes the following issues:

- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released:    Fri Jan 26 13:00:47 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1207987
This update for util-linux fixes the following issues:

- Fix performance degradation (bsc#1207987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libsemanage-conf-3.4-150400.1.8 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libsepol2-3.4-150400.1.11 added
- libnghttp2-14-1.40.0-150200.12.1 updated
- libuuid1-2.37.2-150400.8.23.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libsmartcols1-2.37.2-150400.8.23.1 updated
- libblkid1-2.37.2-150400.8.23.1 updated
- libfdisk1-2.37.2-150400.8.23.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libicu65_1-ledata-65.1-150200.4.10.1 updated
- libsemanage2-3.4-150400.1.8 added
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libmount1-2.37.2-150400.8.23.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- tar-1.34-150000.3.34.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- cpio-2.13-150400.3.3.1 updated
- gpg2-2.2.27-150300.3.8.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- pam-1.3.0-150000.6.66.1 updated
- system-user-nobody-20170617-150400.24.2.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- util-linux-2.37.2-150400.8.23.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- systemd-249.17-150400.8.40.1 updated
- libcontainers-sles-mounts-20230214-150400.3.11.1 added
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.11-150000.58.1 updated
- cni-0.7.1-150100.3.16.1 updated
- libcontainers-common-20230214-150400.3.11.1 updated
- libicu-suse65_1-65.1-150200.4.10.1 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- util-linux-systemd-2.37.2-150400.8.20.1 removed

From sle-container-updates at lists.suse.com  Tue Feb  6 08:01:34 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:01:34 +0100 (CET)
Subject: SUSE-CU-2024:453-1: Security update of rancher/elemental-teal-rt/5.4
Message-ID: <20240206080134.20D2FFBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-teal-rt/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:453-1
Container Tags        : rancher/elemental-teal-rt/5.4:1.2.3 , rancher/elemental-teal-rt/5.4:1.2.3-2.2.63 , rancher/elemental-teal-rt/5.4:latest
Container Release     : 2.2.63
Severity              : important
Type                  : security
References            : 1023051 1065729 1065729 1084909 1103893 1107342 1109158 1112183
                        1120059 1142685 1150305 1152472 1152489 1155798 1160435 1168481
                        1172073 1174777 1177719 1179610 1182142 1183045 1187364 1187364
                        1187365 1187366 1187366 1187367 1187367 1187829 1188885 1189998
                        1189998 1189998 1189999 1191731 1192986 1193285 1193412 1193629
                        1193629 1193629 1193629 1194869 1194869 1194869 1194869 1194869
                        1194869 1195391 1195655 1195921 1196647 1197093 1198400 1198773
                        1198773 1200441 1200441 1200441 1200441 1200528 1201300 1201384
                        1201519 1201551 1201551 1202845 1203039 1203200 1203325 1203906
                        1204844 1205161 1205462 1205650 1205756 1205758 1205760 1205762
                        1205803 1206024 1206346 1206346 1206418 1206480 1206480 1206552
                        1206578 1206649 1206684 1206684 1206891 1206992 1207004 1207088
                        1207129 1207168 1207185 1207553 1207574 1207778 1207894 1207987
                        1208050 1208074 1208076 1208364 1208410 1208510 1208600 1208602
                        1208604 1208737 1208758 1208788 1208815 1208829 1208845 1208902
                        1208902 1208949 1208962 1209039 1209052 1209118 1209256 1209282
                        1209284 1209287 1209288 1209290 1209292 1209307 1209366 1209367
                        1209495 1209532 1209547 1209556 1209572 1209600 1209615 1209634
                        1209635 1209636 1209681 1209684 1209687 1209693 1209739 1209779
                        1209788 1209798 1209799 1209799 1209804 1209805 1209856 1209871
                        1209884 1209888 1209927 1209982 1209999 1210004 1210034 1210048
                        1210050 1210158 1210165 1210202 1210203 1210206 1210294 1210298
                        1210299 1210301 1210329 1210335 1210336 1210337 1210439 1210447
                        1210448 1210449 1210450 1210453 1210454 1210469 1210498 1210506
                        1210533 1210551 1210557 1210557 1210565 1210584 1210627 1210629
                        1210647 1210660 1210725 1210741 1210762 1210763 1210764 1210765
                        1210766 1210767 1210768 1210769 1210770 1210771 1210775 1210780
                        1210783 1210791 1210793 1210806 1210816 1210817 1210827 1210853
                        1210940 1210943 1210947 1210953 1210986 1211025 1211037 1211043
                        1211044 1211079 1211089 1211105 1211113 1211124 1211131 1211131
                        1211162 1211188 1211190 1211205 1211226 1211243 1211263 1211280
                        1211281 1211299 1211307 1211346 1211387 1211410 1211414 1211418
                        1211419 1211427 1211427 1211449 1211465 1211519 1211564 1211578
                        1211590 1211592 1211686 1211687 1211688 1211689 1211690 1211691
                        1211692 1211693 1211714 1211738 1211796 1211804 1211807 1211808
                        1211811 1211847 1211852 1211855 1211867 1211960 1212051 1212091
                        1212101 1212101 1212129 1212142 1212154 1212155 1212158 1212265
                        1212301 1212350 1212423 1212448 1212475 1212475 1212475 1212475
                        1212475 1212494 1212502 1212504 1212513 1212526 1212540 1212561
                        1212563 1212564 1212584 1212584 1212592 1212603 1212604 1212605
                        1212606 1212619 1212701 1212741 1212835 1212838 1212842 1212846
                        1212857 1212861 1212869 1212873 1212892 1212901 1212905 1213010
                        1213011 1213012 1213013 1213014 1213015 1213016 1213017 1213018
                        1213019 1213020 1213021 1213024 1213025 1213026 1213032 1213034
                        1213035 1213036 1213037 1213038 1213039 1213040 1213041 1213059
                        1213061 1213087 1213088 1213089 1213090 1213092 1213093 1213094
                        1213095 1213096 1213098 1213099 1213100 1213102 1213103 1213104
                        1213105 1213106 1213107 1213108 1213109 1213110 1213111 1213112
                        1213113 1213114 1213123 1213134 1213167 1213240 1213245 1213247
                        1213252 1213258 1213259 1213263 1213264 1213272 1213286 1213287
                        1213304 1213523 1213524 1213543 1213546 1213580 1213585 1213586
                        1213588 1213601 1213620 1213653 1213666 1213705 1213713 1213715
                        1213747 1213756 1213757 1213759 1213759 1213772 1213777 1213808
                        1213810 1213812 1213856 1213857 1213863 1213867 1213870 1213871
                        1213915 1213915 1213916 1213921 1213927 1213946 1213968 1213970
                        1213971 1214000 1214019 1214025 1214052 1214052 1214120 1214140
                        1214149 1214180 1214238 1214285 1214286 1214297 1214299 1214350
                        1214368 1214370 1214371 1214372 1214380 1214386 1214392 1214393
                        1214397 1214428 1214451 1214460 1214460 1214635 1214659 1214661
                        1214668 1214729 1214742 1214743 1214747 1214756 1214806 1214823
                        1214928 1214940 1214941 1214942 1214943 1214944 1214950 1214951
                        1214954 1214957 1214976 1214980 1214986 1214988 1214992 1214993
                        1215124 1215229 1215237 1215241 1215291 1215292 1215313 1215322
                        1215323 1215420 1215427 1215434 1215458 1215496 1215522 1215523
                        1215552 1215553 1215696 1215710 1215806 1215806 1215823 1215831
                        1215877 1215885 1215894 1215895 1215896 1215911 1215915 1215916
                        1215935 1215936 1215955 1216006 1216006 1216010 1216057 1216058
                        1216062 1216075 1216105 1216123 1216129 1216174 1216253 1216259
                        1216378 1216512 1216559 1216584 1216664 1216693 1216759 1216761
                        1216776 1216844 1216861 1216862 1216909 1216922 1216959 1216965
                        1216976 1216987 1217000 1217031 1217036 1217036 1217068 1217086
                        1217124 1217140 1217195 1217200 1217205 1217212 1217217 1217237
                        1217250 1217332 1217366 1217460 1217472 1217515 1217573 1217574
                        1217598 1217599 1217602 1217609 1217687 1217692 1217731 1217773
                        1217775 1217780 1217790 1217801 1217933 1217938 1217946 1217947
                        1217969 1217980 1217981 1217982 1218014 1218056 1218126 1218139
                        1218184 1218186 1218209 1218234 1218253 1218258 1218335 1218357
                        1218447 1218475 1218515 1218559 1218569 1218571 1218659 1218894
                        CVE-2017-5753 CVE-2020-26555 CVE-2021-26345 CVE-2021-3592 CVE-2021-3592
                        CVE-2021-3593 CVE-2021-3594 CVE-2021-3594 CVE-2021-3595 CVE-2021-3595
                        CVE-2021-46766 CVE-2021-46774 CVE-2022-1996 CVE-2022-2196 CVE-2022-23820
                        CVE-2022-23830 CVE-2022-40982 CVE-2022-4269 CVE-2022-45884 CVE-2022-45885
                        CVE-2022-45886 CVE-2022-45887 CVE-2022-45919 CVE-2022-4744 CVE-2023-0386
                        CVE-2023-0394 CVE-2023-0459 CVE-2023-0778 CVE-2023-1077 CVE-2023-1079
                        CVE-2023-1192 CVE-2023-1206 CVE-2023-1249 CVE-2023-1281 CVE-2023-1380
                        CVE-2023-1382 CVE-2023-1513 CVE-2023-1582 CVE-2023-1611 CVE-2023-1637
                        CVE-2023-1652 CVE-2023-1667 CVE-2023-1670 CVE-2023-1829 CVE-2023-1838
                        CVE-2023-1855 CVE-2023-1859 CVE-2023-1989 CVE-2023-1990 CVE-2023-1998
                        CVE-2023-2002 CVE-2023-2006 CVE-2023-2007 CVE-2023-2008 CVE-2023-2019
                        CVE-2023-20519 CVE-2023-20521 CVE-2023-20526 CVE-2023-20533 CVE-2023-20566
                        CVE-2023-20569 CVE-2023-20588 CVE-2023-20592 CVE-2023-20593 CVE-2023-21102
                        CVE-2023-2124 CVE-2023-2137 CVE-2023-21400 CVE-2023-2156 CVE-2023-2156
                        CVE-2023-2162 CVE-2023-2163 CVE-2023-2166 CVE-2023-2176 CVE-2023-2177
                        CVE-2023-2235 CVE-2023-2269 CVE-2023-2283 CVE-2023-23001 CVE-2023-23006
                        CVE-2023-2483 CVE-2023-2513 CVE-2023-25775 CVE-2023-25809 CVE-2023-2602
                        CVE-2023-2603 CVE-2023-27561 CVE-2023-28327 CVE-2023-28410 CVE-2023-28464
                        CVE-2023-28466 CVE-2023-28642 CVE-2023-2985 CVE-2023-3006 CVE-2023-30456
                        CVE-2023-30772 CVE-2023-3090 CVE-2023-31083 CVE-2023-31084 CVE-2023-31085
                        CVE-2023-3111 CVE-2023-3117 CVE-2023-31248 CVE-2023-3141 CVE-2023-31436
                        CVE-2023-3161 CVE-2023-3212 CVE-2023-32233 CVE-2023-3268 CVE-2023-33288
                        CVE-2023-3357 CVE-2023-3358 CVE-2023-3389 CVE-2023-3390 CVE-2023-34319
                        CVE-2023-34324 CVE-2023-35001 CVE-2023-3567 CVE-2023-35788 CVE-2023-35823
                        CVE-2023-35828 CVE-2023-3609 CVE-2023-3610 CVE-2023-3611 CVE-2023-37453
                        CVE-2023-3772 CVE-2023-3776 CVE-2023-3777 CVE-2023-3812 CVE-2023-3863
                        CVE-2023-39189 CVE-2023-39192 CVE-2023-39193 CVE-2023-39194 CVE-2023-39197
                        CVE-2023-39198 CVE-2023-39804 CVE-2023-4004 CVE-2023-4039 CVE-2023-4039
                        CVE-2023-4128 CVE-2023-4133 CVE-2023-4134 CVE-2023-4147 CVE-2023-4155
                        CVE-2023-4156 CVE-2023-4194 CVE-2023-4244 CVE-2023-4273 CVE-2023-42753
                        CVE-2023-42754 CVE-2023-4387 CVE-2023-4389 CVE-2023-44487 CVE-2023-4459
                        CVE-2023-45322 CVE-2023-4563 CVE-2023-4569 CVE-2023-45853 CVE-2023-45862
                        CVE-2023-45863 CVE-2023-45871 CVE-2023-46218 CVE-2023-46219 CVE-2023-4622
                        CVE-2023-4623 CVE-2023-4641 CVE-2023-46813 CVE-2023-46862 CVE-2023-4692
                        CVE-2023-4693 CVE-2023-48795 CVE-2023-4881 CVE-2023-4921 CVE-2023-50495
                        CVE-2023-5158 CVE-2023-51779 CVE-2023-5178 CVE-2023-5345 CVE-2023-5678
                        CVE-2023-5717 CVE-2023-6004 CVE-2023-6039 CVE-2023-6121 CVE-2023-6176
                        CVE-2023-6531 CVE-2023-6546 CVE-2023-6606 CVE-2023-6610 CVE-2023-6622
                        CVE-2023-6918 CVE-2023-6931 CVE-2023-6932 CVE-2023-7207 CVE-2024-21626
                        CVE-2024-22365 
-----------------------------------------------------------------

The container rancher/elemental-teal-rt/5.4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released:    Fri Apr 29 11:36:02 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released:    Wed May 18 16:56:21 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released:    Tue Aug 30 10:51:09 2022
Summary:     Security update for libslirp
Type:        security
Severity:    moderate
References:  1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:

- CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365).

Non-security fixes:

- Fix the version header (bsc#1201551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1814-1
Released:    Tue Apr 11 14:40:34 2023
Summary:     Security update for podman
Type:        security
Severity:    important
References:  1197093,1208364,1208510,1209495,CVE-2023-0778
This update for podman fixes the following issues:

Update to version 4.4.4:

  * libpod: always use direct mapping
  * macos pkginstaller: do not fail when podman-mac-helper fails
  * podman-mac-helper: install: do not error if already installed

- podman.spec: Bump required version for libcontainers-common (bsc#1209495)

Update to version 4.4.3:

  * compat: /auth: parse server address correctly
  * vendor github.com/containers/common at v0.51.1
  * pkginstaller: bump Qemu to version 7.2.0
  * podman machine: Adjust Chrony makestep config
  * [v4.4] fix --health-on-failure=restart in transient unit
  * podman logs passthrough driver support --cgroups=split
  * journald logs: simplify entry parsing
  * podman logs: read journald with passthrough
  * journald: remove initializeJournal()
  * netavark: only use aardvark ip as nameserver
  * compat API: network create return 409 for duplicate
  * fix 'podman logs --since --follow' flake
  * system service --log-level=trace: support hijack
  * podman-mac-helper: exit 1 on error
  * bump golang.org/x/net to v0.8.0
  * Fix package restore
  * Quadlet - use the default runtime

Update to version 4.4.2:

  * Revert 'CI: Temporarily disable all AWS EC2-based tasks'
  * kube play: only enforce passthrough in Quadlet
  * Emergency fix for man pages: check for broken includes
  * CI: Temporarily disable all AWS EC2-based tasks
  * quadlet system tests: add useful defaults, logging
  * volume,container: chroot to source before exporting content
  * install sigproxy before start/attach
  * Update to c/image 5.24.1
  * events + container inspect test: RHEL fixes

- podman.spec: add `crun` requirement for quadlet
- podman.spec: set PREFIX at build stage (bsc#1208510)

- CVE-2023-0778: Fixed symlink exchange attack in podman export volume  (bsc#1208364)

Update to version 4.4.1:

  * kube play: do not teardown unconditionally on error
  * Resolve symlink path for qemu directory if possible
  * events: document journald identifiers
  * Quadlet: exit 0 when there are no files to process
  * Cleanup podman-systemd.unit file
  * Install podman-systemd.unit  man page, make quadlet discoverable
  * Add missing return after errors
  * oci: bind mount /sys with --userns=(auto|pod:)
  * docs: specify order preference for FROM
  * Cirrus: Fix & remove GraphQL API tests
  * test: adapt test to work on cgroupv1
  * make hack/markdown-preprocess parallel-safe
  * Fix default handling of pids-limit
  * system tests: fix volume exec/noexec test

Update to version 4.4.0:

  * Emergency fix for RHEL8 gating tests
  * Do not mount /dev/tty into rootless containers
  * Fixes port collision issue on use of --publish-all
  * Fix usage of absolute windows paths with --image-path
  * fix #17244: use /etc/timezone where `timedatectl` is missing on Linux
  * podman-events: document verbose create events
  * Making gvproxy.exe optional for building Windows installer
  * Add gvproxy to Windows packages
  * Match VT device paths to be blocked from mounting exactly
  * Clean up more language for inclusiveness
  * Set runAsNonRoot=true in gen kube
  * quadlet: Add device support for .volume files
  * fix: running check error when podman is default in wsl
  * fix: don't output 'ago' when container is currently up and running
  * journald: podman logs only show logs for current user
  * journald: podman events only show events for current user
  * Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)
  * DB: make loading container states optional
  * ps: do not sync container
  * Allow --device-cgroup-rule to be passed in by docker API
  * Create release notes for v4.4.0
  * Cirrus: Update operating branch
  * fix APIv2 python attach test flake
  * ps: query health check in batch mode
  * make example volume import, not import volume
  * Correct output when inspecting containers created with --ipc
  * Vendor containers/(storage, image, common, buildah)
  * Get correct username in pod when using --userns=keep-id
  * ps: get network data in batch mode
  * build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0
  * add hack/perf for comparing two container engines
  * systems: retrofit dns options test to honor other search domains
  * ps: do not create copy of container config
  * libpod: set search domain independently of nameservers
  * libpod,netavark: correctly populate /etc/resolv.conf with custom dns server
  * podman: relay custom DNS servers to network stack
  * (fix) mount_program is in storage.options.overlay
  * Change example target to default in doc
  * network create: do not allow `default` as name
  * kube-play: add support for HostPID in podSpec
  * build(deps): bump github.com/docker/docker
  * Let's see if #14653 is fixed or not
  * Add support for podman build --group-add
  * vendor in latests containers/(storage, common, build, image)
  * unskip network update test
  * do not install swagger by default
  * pasta: skip 'Local forwarder, IPv4' test
  * add testbindings Makefile target
  * update CI images to include pasta
  * [CI:DOCS] Add CNI deprecation notices to documentation
  * Cirrus: preserve podman-server logs
  * waitPidStop: reduce sleep time to 10ms
  * StopContainer: return if cleanup process changed state
  * StopSignal: add a comment
  * StopContainer: small refactor
  * waitPidStop: simplify code
  * e2e tests: reenable long-skipped build test
  * Add openssh-clients to podmanimage
  * Reworks Windows smoke test to tunnel through interactive session.
  * fix bud-multiple-platform-with-base-as-default-arg flake
  * Remove ReservedAnnotations from kube generate specification
  * e2e: update test/README.md
  * e2e: use isRootless() instead of rootless.IsRootless()
  * Cleanup documentation on --userns=auto
  * Vendor in latest c/common
  * sig-proxy system test: bump timeout
  * build(deps): bump github.com/containernetworking/plugins
  * rootless: rename auth-scripts to preexec-hooks
  * Docs: version-check updates
  * commit: use libimage code to parse changes
  * [CI:DOCS] Remove experimental mac tutorial
  * man: Document the interaction between --systemd and --privileged
  * Make rootless privileged containers share the same tty devices as rootfull ones
  * container kill: handle stopped/exited container
  * Vendor in latest containers/(image,ocicrypt)
  * add a comment to container removal
  * Vendor in latest containers/storage
  * Cirrus: Run machine tests on PR merge
  * fix flake in kube system test
  * kube play: complete container spec
  * E2E Tests: Use inspect instead of actual data to avoid UDP flake
  * Use containers/storage/pkg/regexp in place of regexp
  * Vendor in latest containers/storage
  * Cirrus: Support using updated/latest NV/AV in PRs
  * Limit replica count to 1 when deploying from kubernetes YAML
  * Set StoppedByUser earlier in the process of stopping
  * podman-play system test: refactor
  * network: add support for podman network update and --network-dns-server
  * service container: less verbose error logs
  * Quadlet Kube - add support for PublishPort key
  * e2e: fix systemd_activate_test
  * Compile regex on demand not in init
  * [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns.
  * E2E Test: Play Kube set deadline to connection to avoid hangs
  * Only prevent VTs to be mounted inside privileged systemd containers
  * e2e: fix play_kube_test
  * Updated error message for supported VolumeSource types
  * Introduce pkg retry logic in win installer task
  * logformatter: include base SHA, with history link
  * Network tests: ping redhat.com, not podman.io
  * cobra: move engine shutdown to Execute
  * Updated options for QEMU on Windows hosts
  * Update Mac installer to use gvproxy v0.5.0
  * podman: podman rm -f doesn't leave processes
  * oci: check for valid PID before kill(pid, 0)
  * linux: add /sys/fs/cgroup if /sys is a bind mount
  * Quadlet: Add support for ConfigMap key in Kube section
  * remove service container _after_ pods
  * Kube Play - allow setting and overriding published host ports
  * oci: terminate all container processes on cleanup
  * Update win-sshproxy to 0.5.0 gvisor tag
  * Vendor in latest containers/common
  * Fix a potential defer logic error around locking
  * logformatter: nicer formatting for bats failures
  * logformatter: refactor verbose line-print
  * e2e tests: stop using UBI images
  * k8s-file: podman logs --until --follow exit after time
  * journald: podman logs --until --follow exit after time
  * journald: seek to time when --since is used
  * podman logs: journald fix --since and --follow
  * Preprocess files in UTF-8 mode
  * Vendor in latest containers/(common, image, storage)
  * Switch to C based msi hooks for win installer
  * hack/bats: improve usage message
  * hack/bats: add --remote option
  * hack/bats: fix root/rootless logic
  * Describe copy volume options
  * Support sig-proxy for podman-remote attach and start
  * libpod: fix race condition rm'ing stopping containers
  * e2e: fix run_volume_test
  * Add support for Windows ARM64
  * Add shared --compress to man pages
  * Add container error message to ContainerState
  * Man page checker: require canonical name in SEE ALSO
  * system df: improve json output code
  * kube play: fix the error logic with --quiet
  * System tests: quadlet network test
  * Fix: List container with volume filter
  * adding -dryrun flag
  * Quadlet Container: Add support for EnvironmentFile and EnvironmentHost
  * Kube Play: use passthrough as the default log-driver if service-container is set
  * System tests: add missing cleanup
  * System tests: fix unquoted question marks
  * Build and use a newer systemd image
  * Quadlet Network - Fix the name of the required network service
  * System Test Quadlet - Volume dependency test did not test the dependency
  * fix `podman system connection - tcp` flake
  * vendor: bump c/storage to a747b27
  * Fix instructions about setting storage driver on command-line
  * Test README - point users to hack/bats
  * System test: quadlet kube basic test
  * Fixed `podman update --pids-limit`
  * podman-remote,bindings: trim context path correctly when its emptydir
  * Quadlet Doc: Add section for .kube files
  * e2e: fix containers_conf_test
  * Allow '/' to prefix container names to match Docker
  * Remove references to qcow2
  * Fix typos in man page regarding transient storage mode.
  * make: Use PYTHON var for .install.pre-commit
  * Add containers.conf read-only flag support
  * Explain that relabeling/chowning of volumes can take along time
  * events: support 'die' filter
  * infra/abi: refactor ContainerRm
  * When in transient store mode, use rundir for bundlepath
  * quadlet: Support Type=oneshot container files
  * hacks/bats: keep QUADLET env var in test env
  * New system tests for conflicting options
  * Vendor in latest containers/(buildah, image, common)
  * Output Size and Reclaimable in human form for json output
  * podman service: close duplicated /dev/null fd
  * ginkgo tests: apply ginkgolinter fixes
  * Add support for hostPath and configMap subpath usage
  * export: use io.Writer instead of file
  * rootless: always create userns with euid != 0
  * rootless: inhibit copy mapping for euid != 0
  * pkg/domain/infra/abi: introduce `type containerWrapper`
  * vendor: bump to buildah ca578b290144 and use new cache API
  * quadlet: Handle booleans that have defaults better
  * quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault
  * Add podman-clean-transient.service service
  * Stop recording annotations set to false
  * Unify --noheading and -n to be consistent on all commands
  * pkg/domain/infra/abi: add `getContainers`
  * Update vendor of containters/(common, image)
  * specfile: Drop user-add depedency from quadlet subpackage.
  * quadlet: Default BINDIR to /usr/bin if tag not specified
  * Quadlet: add network support
  * Add comment for jsonMarshal command
  * Always allow pushing from containers-storage
  * libpod: move NetNS into state db instead of extra bucket
  * Add initial system tests for quadlets
  * quadlet: Add --user option
  * libpod: remove CNI word were no longer applicable
  * libpod: fix header length in http attach with logs
  * podman-kube@ template: use `podman kube`
  * build(deps): bump github.com/docker/docker
  * wait: add --ignore option
  * qudlet: Respect $PODMAN env var for podman binary
  * e2e: Add assert-key-is-regex check to quadlet e2e testsuite
  * e2e: Add some assert to quadlet test to make sure testcases are sane
  * remove unmapped ports from inspect port bindings
  * update podman-network-create for clarity
  * Vendor in latest containers/common with default capabilities
  * pkg/rootless: Change error text ...
  * rootless: add cli validator
  * rootless: define LIBEXECPODMAN
  * doc: fix documentation for idmapped mounts
  * bump golangci-lint to v1.50.1
  * build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2
  * [CI:DOCS] podman-mount: s/umount/unmount/
  * create/pull --help: list pull policies
  * Network Create: Add --ignore flag to support idempotent script
  * Make qemu security model none
  * libpod: use OCI idmappings for mounts
  * stop reporting errors removing containers that don't exist
  * test: added test from wait endpoint with to long label
  * quadlet: Default VolatileTmp to off
  * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11
  * docs/options/ipc: fix list syntax
  * Docs: Add dedicated DOWNLOAD doc w/ links to bins
  * Make a consistently-named windows installer
  * checkpoint restore: fix --ignore-static-ip/mac
  * add support for subpath in play kube for named volumes
  * build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
  * golangci-lint: remove three deprecated linters
  * parse-localbenchmarks: separate standard deviation
  * build(deps): bump golang.org/x/term from 0.2.0 to 0.3.0
  * podman play kube support container startup probe
  * Add podman buildx version support
  * Cirrus: Collect benchmarks on machine instances
  * Cirrus: Remove escape codes from log files
  * [CI:DOCS] Clarify secret target behavior
  * Fix typo on network docs
  * podman-remote build add --volume support
  * remote: allow --http-proxy for remote clients
  * Cleanup kube play workloads if error happens
  * health check: ignore dependencies of transient systemd units/timers
  * fix: event read from syslog
  * Fixes secret (un)marshaling for kube play.
  * Remove 'you' from man pages
  * build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools
  * [CI:DOCS] test/README.md: run tests with podman-remote
  * e2e: keeps the http_proxy value
  * Makefile: Add podman-mac-helper to darwin client zip
  * test/e2e: enable 'podman run with ipam none driver' for nv
  * [skip-ci] GHA/Cirrus-cron: Fix execution order
  * kube sdnotify: run proxies for the lifespan of the service
  * Update containers common package
  * podman manpage: Use man-page links instead of file names
  * e2e: fix e2e tests in proxy environment
  * Fix test
  * disable healthchecks automatically on non systemd systems
  * Quadlet Kube: Add support for userns flag
  * [CI:DOCS] Add warning about --opts,o with mount's -o
  * Add podman system prune --external
  * Add some tests for transient store
  * runtime: In transient_store mode, move bolt_state.db to rundir
  * runtime: Handle the transient store options
  * libpod: Move the creation of TmpDir to an earlier time
  * network create: support '-o parent=XXX' for ipvlan
  * compat API: allow MacAddress on container config
  * Quadlet Kube: Add support for relative path for YAML file
  * notify k8s system test: move sending message into exec
  * runtime: do not chown idmapped volumes
  * quadlet: Drop ExecStartPre=rm %t/%N.cid
  * Quadlet Kube: Set SyslogIdentifier if was not set
  * Add a FreeBSD cross build to the cirrus alt build task
  * Add completion for --init-ctr
  * Fix handling of readonly containers when defined in kube.yaml
  * Build cross-compilation fixes
  * libpod: Track healthcheck API changes in healthcheck_unsupported.go
  * quadlet: Use same default capability set as podman run
  * quadlet: Drop --pull=never
  * quadlet: Change default of ReadOnly to no
  * quadlet: Change RunInit default to no
  * quadlet: Change NoNewPrivileges default to false
  * test: podman run with checkpoint image
  * Enable 'podman run' for checkpoint images
  * test: Add tests for checkpoint images
  * CI setup: simplify environment passthrough code
  * Init containers should not be restarted
  * Update c/storage after https://github.com/containers/storage/pull/1436
  * Set the latest release explicitly
  * add friendly comment
  * fix an overriding logic and load config problem
  * Update the issue templates
  * Update vendor of containers/(image, buildah)
  * [CI:DOCS] Skip windows-smoke when not useful
  * [CI:DOCS] Remove broken gate-container docs
  * OWNERS: add Jason T. Greene
  * hack/podmansnoop: print arguments
  * Improve atomicity of VM state persistence on Windows
  * [CI:BUILD] copr: enable podman-restart.service on rpm installation
  * macos: pkg: Use -arm64 suffix instead of -aarch64
  * linux: Add -linux suffix to podman-remote-static binaries
  * linux: Build amd64 and arm64 podman-remote-static binaries
  * container create: add inspect data to event
  * Allow manual override of install location
  * Run codespell on code
  * Add missing parameters for checkpoint/restore endpoint
  * Add support for startup healthchecks
  * Add information on metrics to the `network create` docs
  * Introduce podman machine os commands
  * Document that ignoreRootFS depends on export/import
  * Document ignoreVolumes in checkpoint/restore endpoint
  * Remove leaveRunning from swagger restore endpoint
  * libpod: Add checks to avoid nil pointer dereference if network setup fails
  * Address golangci-lint issues
  * Documenting Hyper-V QEMU acceleration settings
  * Kube Play: fix the handling of the optional field of SecretVolumeSource
  * Update Vendor of containers/(common, image, buildah)
  * Fix swapped NetInput/-Output stats
  * libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory
  * chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template
  * test/tools: rebuild when files are changed
  * ginkgo tests: apply ginkgolinter fixes
  * ginkgo: restructure install work flow
  * Fix manpage emphasis
  * specgen: support CDI devices from containers.conf
  * vendor: update containers/common
  * pkg/trust: Take the default policy path from c/common/pkg/config
  * Add validate-in-container target
  * Adding encryption decryption feature
  * container restart: clean up healthcheck state
  * Add support for podman-remote manifest annotate
  * Quadlet: Add support for .kube files
  * Update vendor of containers/(buildah, common, storage, image)
  * specgen: honor user namespace value
  * [CI:DOCS] Migrate OSX Cross to M1
  * quadlet: Rework uid/gid remapping
  * GHA: Fix cirrus re-run workflow for other repos.
  * ssh system test: skip until it becomes a test
  * shell completion: fix hard coded network drivers
  * libpod: Report network setup errors properly on FreeBSD
  * E2E Tests: change the registry for the search test to avoid authentication
  * pkginstaller: install podman-mac-helper by default
  * Fix language. Mostly spelling a -> an
  * podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.
  * [CI:DOCS] Fix spelling and typos
  * Modify man page of '--pids-limit' option to correct a default value.
  * Update docs/source/markdown/podman-remote.1.md
  * Update pkg/bindings/connection.go
  * Add more documentation on UID/GID Mappings with --userns=keep-id
  * support podman-remote to connect tcpURL with proxy
  * Removing the RawInput from the API output
  * fix port issues for CONTAINER_HOST
  * CI: Package versions: run in the 'main' step
  * build(deps): bump github.com/rootless-containers/rootlesskit
  * pkg/domain: Make checkExecPreserveFDs platform-specific
  * e2e tests: fix restart race
  * Fix podman --noout to suppress all output
  * remove pod if creation has failed
  * pkg/rootless: Implement rootless.IsFdInherited on FreeBSD
  * Fix more podman-logs flakes
  * healthcheck system tests: try to fix flake
  * libpod: treat ESRCH from /proc/PID/cgroup as ENOENT
  * GHA: Configure workflows for reuse
  * compat,build: handle docker's preconfigured cacheTo,cacheFrom
  * docs: deprecate pasta network name
  * utils: Enable cgroup utils for FreeBSD
  * pkg/specgen: Disable kube play tests on FreeBSD
  * libpod/lock: Fix build and tests for SHM locks on FreeBSD
  * podman cp: fix copying with '.' suffix
  * pkginstaller: bump Qemu to version 7.1.0
  * specgen,wasm: switch to crun-wasm wherever applicable
  * vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1
  * libpod: Make unit test for statToPercent Linux only
  * Update vendor of containers/storage
  * fix connection usage with containers.conf
  * Add --quiet and --no-info flags to podman machine start
  * Add hidden podman manifest inspect -v option
  * Add podman volume create -d short option for driver
  * Vendor in latest containers/(common,image,storage)
  * Add podman system events alias to podman events
  * Fix search_test to return correct version of alpine
  * GHA: Fix undefined secret env. var.
  * Release notes for 4.3.1
  * GHA: Fix make_email-body script reference
  * Add release keys to README
  * GHA: Fix typo setting output parameter
  * GHA: Fix typo.
  * New tool, docs/version-check
  * Formalize our compare-against-docker mechanism
  * Add restart-sec for container service files
  * test/tools: bump module to go 1.17
  * contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor
  * build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools
  * libpod: Add FreeBSD support in packageVersion
  * Allow podman manigest push --purge|-p as alias for --rm
  * [CI:DOCS] Add performance tutorial
  * [CI:DOCS] Fix build targets in build_osx.md.
  * fix --format {{json .}} output to match docker
  * remote: fix manifest add --annotation
  * Skip test if `--events-backend` is necessary with podman-remote
  * kube play: update the handling of PersistentVolumeClaim
  * system tests: fix a system test in proxy environment
  * Use single unqualified search registry on Windows
  * test/system: Add, use tcp_port_probe() to check for listeners rather than binds
  * test/system: Add tests for pasta(1) connectivity
  * test/system: Move network-related helpers to helpers.network.bash
  * test/system: Use procfs to find bound ports, with optional address and protocol
  * test/system: Use port_is_free() from wait_for_port()
  * libpod: Add pasta networking mode
  * More log-flake work
  * Fix test flakes caused by improper podman-logs
  * fix incorrect systemd booted check
  * Cirrus: Add tests for GHA scripts
  * GHA: Update scripts to pass shellcheck
  * Cirrus: Shellcheck github-action scripts
  * Cirrus: shellcheck support for github-action scripts
  * GHA: Fix cirrus-cron scripts
  * Makefile: don't install to tmpfiles.d on FreeBSD
  * Make sure we can build and read each line of docker py's api client
  * Docker compat build api - make sure only one line appears per flush
  * Run codespell on code
  * Update vendor of containers/(image, storage, common)
  * Allow namespace path network option for pods.
  * Cirrus: Never skip running Windows Cross task
  * GHA: Auto. re-run failed cirrus-cron builds once
  * GHA: Migrate inline script to file
  * GHA: Simplify script reference
  * test/e2e: do not use apk in builds
  * remove container/pod id file along with container/pod
  * Cirrus: Synchronize windows image
  * Add --insecure,--tls-verify,--verbose flags to podman manifest inspect
  * runtime: add check for valid pod systemd cgroup
  * CI: set and verify DESIRED_NETWORK (netavark, cni)
  * [CI:DOCS] troubleshooting: document keep-id options
  * Man pages: refactor common options: --security-opt
  * Cirrus: Guarantee CNI testing w/o nv/av present
  * Cirrus: temp. disable all Ubuntu testing
  * Cirrus: Update to F37beta
  * buildah bud tests: better handling of remote
  * quadlet: Warn in generator if using short names
  * Add Windows Smoke Testing
  * Add podman kube apply command
  * docs: offer advice on installing test dependencies
  * Fix documentation on read-only-tmpfs
  * version bump to 4.4.0-dev
  * deps: bump go-criu to v6
  * Makefile: Add cross build targets for freebsd
  * pkg/machine: Make this build on FreeBSD/arm64
  * pkg/rctl: Remove unused cgo dependency
  * man pages: assorted underscore fixes
  * Upgrade GitHub actions packages from v2 to v3
  * vendor github.com/godbus/dbus/v5 at 4b691ce
  * [CI:DOCS] fix --tmpdir typos
  * Do not report that /usr/share/containers/storage.conf has been edited.
  * Eval symlinks on XDG_RUNTIME_DIR
  * hack/podmansnoop
  * rootless: support keep-id with one mapping
  * rootless: add argument to GetConfiguredMappings
  * Update vendor containers/(common,storage,buildah,image)
  * Fix deadlock between 'podman ps' and 'container inspect' commands
  * Add information about where the libpod/boltdb database lives
  * Consolidate the dependencies for the IsTerminal() API
  * Ensure that StartAndAttach locks while sending signals
  * ginkgo testing: fix podman usernamespace join
  * Test runners: nuke podman from $PATH before tests
  * volumes: Fix idmap not working for volumes
  * FIXME: Temporary workaround for ubi8 CI breakage
  * System tests: teardown: clean up volumes
  * update api versions on docs.podman.io
  * system tests: runlabel: use podman-under-test
  * system tests: podman network create: use random port
  * sig-proxy test: bump timeout
  * play kube: Allow the user to import the contents of a tar file into a volume
  * Clarify the docs on DropCapability
  * quadlet tests: Disable kmsg logging while testing
  * quadlet: Support multiple Network=
  * quadlet: Add support for Network=...
  * Fix manpage for podman run --network option
  * quadlet: Add support for AddDevice=
  * quadlet: Add support for setting seccomp profile
  * quadlet: Allow multiple elements on each Add/DropCaps line
  * quadlet: Embed the correct binary name in the generated comment
  * quadlet: Drop the SocketActivated key
  * quadlet: Switch log-driver to passthrough
  * quadlet: Change ReadOnly to default to enabled
  * quadlet tests: Run the tests even for (exected) failed tests
  * quadlet tests: Fix handling of stderr checks
  * Remove unused script file
  * notifyproxy: fix container watcher
  * container/pod id file: truncate instead of throwing an error
  * quadlet: Use the new podman create volume --ignore
  * Add podman volume create --ignore
  * logcollector: include aardvark-dns
  * build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1
  * build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1
  * docs: generate systemd: point to kube template
  * docs: kube play: mention restart policy
  * Fixes: 15858 (podman system reset --force destroy machine)
  * fix search flake
  * use cached containers.conf
  * adding regex support to the ancestor ps filter function
  * Fix `system df` issues with `-f` and `-v`
  * markdown-preprocess: cross-reference where opts are used
  * Default qemu flags for Windows amd64
  * build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0
  * Update main to reflect v4.3.0 release
  * build(deps): bump github.com/docker/docker
  * move quadlet packages into pkg/systemd
  * system df: fix image-size calculations
  * Add man page for quadlet
  * Fix small typo
  * testimage: add iproute2 & socat, for pasta networking
  * Set up minikube for k8s testing
  * Makefile: don't install systemd generator binaries on FreeBSD
  * [CI:BUILD] copr: podman rpm should depend on containers-common-extra
  * Podman image: Set default_sysctls to empty for rootless containers
  * Don't use  github.com/docker/distribution
  * libpod: Add support for 'podman top' on FreeBSD
  * libpod: Factor out jail name construction from stats_freebsd.go
  * pkg/util: Add pid information descriptors for FreeBSD
  * Initial quadlet version integrated in golang
  * bump golangci-lint to v1.49.0
  * Update vendor containers/(common,image,storage)
  * Allow volume mount dups, iff source and dest dirs
  * rootless: fix return value handling
  * Change to correct break statements
  * vendor containers/psgo at v1.8.0
  * Clarify that MacOSX docs are client specific
  * libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit
  * Add swagger install + allow version updates in CI
  * Cirrus: Fix windows clone race
  * build(deps): bump github.com/docker/docker
  * kill: wait for the container
  * generate systemd: set --stop-timeout for stopping containers
  * hack/tree_status.sh: print diff at the end
  * Fix markdown header typo
  * markdown-preprocess: add generic include mechanism
  * markdown-preprocess: almost complete OO rewrite
  * Update tests for changed error messages
  * Update c/image after https://github.com/containers/image/pull/1299
  * Man pages: refactor common options (misc)
  * Man pages: Refactor common options: --detach-keys
  * vendor containers/storage at main
  * Man pages: refactor common options: --attach
  * build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0
  * KillContainer: improve error message
  * docs: add missing options
  * Man pages: refactor common options: --annotation (manifest)
  * build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0
  * system tests: health-on-failure: fix broken logic
  * build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8
  * build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1
  * ContainerEngine.SetupRootless(): Avoid calling container.Config()
  * Container filters: Avoid use of ctr.Config()
  * Avoid unnecessary calls to Container.Spec()
  * Add and use Container.LinuxResource() helper
  * play kube: notifyproxy: listen before starting the pod
  * play kube: add support for configmap binaryData
  * Add and use libpod/Container.Terminal() helper
  * Revert 'Add checkpoint image tests'
  * Revert 'cmd/podman: add support for checkpoint images'
  * healthcheck: fix --on-failure=stop
  * Man pages: Add mention of behavior due to XDG_CONFIG_HOME
  * build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6
  * Avoid unnecessary timeout of 250msec when waiting on container shutdown
  * health checks: make on-failure action retry aware
  * libpod: Remove 100msec delay during shutdown
  * libpod: Add support for 'podman pod' on FreeBSD
  * libpod: Factor out cgroup validation from (*Runtime).NewPod
  * libpod: Move runtime_pod_linux.go to runtime_pod_common.go
  * specgen/generate: Avoid a nil dereference in MakePod
  * libpod: Factor out cgroups handling from (*Pod).refresh
  * Adds a link to OSX docs in CONTRIBUTING.md
  * Man pages: refactor common options: --os-version
  * Create full path to a directory when DirectoryOrCreate is used with play kube
  * Return error in podman system service if URI scheme is not unix/tcp
  * Man pages: refactor common options: --time
  * man pages: document some --format options: images
  * Clean up when stopping pods
  * Update vendor of containers/buildah v1.28.0
  * Proof of concept: nightly dependency treadmill

- Make the priority for picking the storage driver configurable (bsc#1197093)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released:    Wed Apr 19 14:23:14 2023
Summary:     Recommended update for libslirp, slirp4netns
Type:        recommended
Severity:    moderate
References:  1201551
This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxilliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix 'DHCP broken in libslirp v4.6.0'

Update to version 4.6.0:

* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:


* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1992-1
Released:    Tue Apr 25 13:38:03 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1109158,1189998,1193629,1194869,1198400,1203200,1206552,1207168,1207185,1207574,1208602,1208815,1208829,1208902,1209052,1209118,1209256,1209290,1209292,1209366,1209532,1209547,1209556,1209572,1209600,1209634,1209635,1209636,1209681,1209684,1209687,1209779,1209788,1209798,1209799,1209804,1209805,1210050,1210203,CVE-2017-5753,CVE-2022-4744,CVE-2023-0394,CVE-2023-1281,CVE-2023-1513,CVE-2023-1582,CVE-2023-1611,CVE-2023-1637,CVE-2023-1652,CVE-2023-1838,CVE-2023-23001,CVE-2023-28327,CVE-2023-28464,CVE-2023-28466

The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-5753: Fixed spectre V1 vulnerability on netlink (bsc#1209547).
- CVE-2017-5753: Fixed spectre vulnerability in prlimit (bsc#1209256).
- CVE-2022-4744: Fixed double-free that could lead to DoS or privilege escalation in TUN/TAP device driver functionality (bsc#1209635).
- CVE-2023-0394: Fixed a null pointer dereference flaw in the network subcomponent in the Linux kernel which could lead to system crash (bsc#1207168).
- CVE-2023-1281: Fixed use after free that could lead to privilege escalation in tcindex (bsc#1209634).
- CVE-2023-1513: Fixed an uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak (bsc#1209532).
- CVE-2023-1582: Fixed soft lockup in __page_mapcount (bsc#1209636).
- CVE-2023-1611: Fixed an use-after-free flaw in btrfs_search_slot (bsc#1209687).
- CVE-2023-1637: Fixed vulnerability that could lead to unauthorized access to CPU memory after resuming CPU from suspend-to-RAM (bsc#1209779, bsc#1198400).
- CVE-2023-1652: Fixed use-after-free that could lead to DoS and information leak in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c (bsc#1209788).
- CVE-2023-1838: Fixed an use-after-free flaw in virtio network subcomponent. This flaw could allow a local attacker to crash the system and lead to a kernel information leak problem. (bsc#1210203).
- CVE-2023-23001: Fixed misinterpretation of regulator_get return value in drivers/scsi/ufs/ufs-mediatek.c (bsc#1208829).
- CVE-2023-28327: Fixed DoS in in_skb in unix_diag_get_exact() (bsc#1209290).
- CVE-2023-28464: Fixed user-after-free that could lead to privilege escalation in hci_conn_cleanup in net/bluetooth/hci_conn.c (bsc#1209052).
- CVE-2023-28466: Fixed race condition that could lead to use-after-free or NULL pointer dereference in do_tls_getsockopt in net/tls/tls_main.c (bsc#1209366).

The following non-security bugs were fixed:

- ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable (git-fixes).
- ALSA: asihpi: check pao in control_message() (git-fixes).
- ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() (git-fixes).
- ALSA: hda/conexant: Partial revert of a quirk for Lenovo (git-fixes).
- ALSA: hda/realtek: Add quirk for Clevo X370SNW (git-fixes).
- ALSA: hda/realtek: Add quirk for Lenovo ZhaoYang CF4620Z (git-fixes).
- ALSA: hda/realtek: Add quirks for some Clevo laptops (git-fixes).
- ALSA: hda/realtek: Fix support for Dell Precision 3260 (git-fixes).
- ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs do not work for a HP platform (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook (git-fixes).
- ALSA: hda: intel-dsp-config: add MTL PCI id (git-fixes).
- ALSA: usb-audio: Fix recursive locking at XRUN during syncing (git-fixes).
- ALSA: usb-audio: Fix regression on detection of Roland VS-100 (git-fixes).
- ALSA: ymfpci: Fix BUG_ON in probe function (git-fixes).
- ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl (git-fixes).
- ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl (git-fixes).
- ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds (git-fixes).
- Bluetooth: L2CAP: Fix responding with wrong PDU type (git-fixes).
- Bluetooth: btqcomsmd: Fix command timeout after setting BD address (git-fixes).
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work (git-fixes).
- Fix error path in pci-hyperv to unlock the mutex state_lock
- HID: cp2112: Fix driver not registering GPIO IRQ chip as threaded (git-fixes).
- HID: intel-ish-hid: ipc: Fix potential use-after-free in work function (git-fixes).
- Input: alps - fix compatibility with -funsigned-char (bsc#1209805).
- Input: focaltech - use explicitly signed char type (git-fixes).
- Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table (git-fixes).
- KABI FIX FOR: NFSv4: keep state manager thread active if swap is enabled (Never, kabi).
- KVM: x86: fix sending PV IPI (git-fixes).
- NFS: Fix an Oops in nfs_d_automount() (git-fixes).
- NFS: fix disabling of swap (git-fixes).
- NFSD: Protect against filesystem freezing (git-fixes).
- NFSD: fix leaked reference count of nfsd4_ssc_umount_item (git-fixes).
- NFSD: fix problems with cleanup on errors in nfsd4_copy (git-fixes).
- NFSD: fix use-after-free in nfsd4_ssc_setup_dul() (git-fixes).
- NFSd: fix handling of readdir in v4root vs. mount upcall timeout (git-fixes).
- NFSd: fix race to check ls_layouts (git-fixes).
- NFSd: shut down the NFSv4 state objects before the filecache (git-fixes).
- NFSd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure (git-fixes).
- NFSd: zero out pointers after putting nfsd_files on COPY setup error (git-fixes).
- NFSv4.1 provide mount option to toggle trunking discovery (git-fixes).
- NFSv4.2: Fix initialisation of struct nfs4_label (git-fixes).
- NFSv4.x: Fail client initialisation if state manager thread can't run (git-fixes).
- NFSv4: Fix a credential leak in _nfs4_discover_trunking() (git-fixes).
- NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn (git-fixes).
- NFSv4: Fix hangs when recovering open state after a server reboot (git-fixes).
- NFSv4: fix state manager flag printing (git-fixes).
- NFSv4: keep state manager thread active if swap is enabled (git-fixes).
- PCI/DPC: Await readiness of secondary bus after reset (git-fixes).
- PCI: hv: Add a per-bus mutex state_lock (bsc#1207185).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic (bsc#1207185).
- PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev (bsc#1207185).
- PCI: hv: Use async probing to reduce boot time (bsc#1207185).
- PCI: hv: fix a race condition bug in hv_pci_query_relations() (bsc#1207185).
- SUNRPC: Fix a server shutdown leak (git-fixes).
- SUNRPC: Fix missing release socket in rpc_sockname() (git-fixes).
- SUNRPC: ensure the matching upcall is in-flight upon downcall (git-fixes).
- USB: cdns3: Fix issue with using incorrect PCI device function (git-fixes).
- USB: cdnsp: Fixes error: uninitialized symbol 'len' (git-fixes).
- USB: cdnsp: Fixes issue with redundant Status Stage (git-fixes).
- USB: cdnsp: changes PCI Device ID to fix conflict with CNDS3 driver (git-fixes).
- USB: chipdea: core: fix return -EINVAL if request role is the same with current role (git-fixes).
- USB: chipidea: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: dwc2: fix a devres leak in hw_enable upon suspend resume (git-fixes).
- USB: dwc3: Fix a typo in field name (git-fixes).
- USB: dwc3: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: dwc3: gadget: Add 1ms delay after end transfer command without IOC (git-fixes).
- USB: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: fotg210: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: bcm63xx_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: gr_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: lpc32xx_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: pxa25x_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: u_audio: do not let userspace block driver unbind (git-fixes).
- USB: isp116x: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: isp1362: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: sl811: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: typec: altmodes/displayport: Fix configure initial pin assignment (git-fixes).
- USB: typec: tcpm: fix warning when handle discover_identity message (git-fixes).
- USB: ucsi: Fix NULL pointer deref in ucsi_connector_change() (git-fixes).
- USB: ucsi: Fix ucsi->connector race (git-fixes).
- USB: uhci: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: xhci: tegra: fix sleep in atomic call (git-fixes).
- alarmtimer: Prevent starvation by small intervals and SIG_IGN (git-fixes)
- arch: fix broken BuildID for arm64 and riscv (bsc#1209798).
- arm64/cpufeature: Fix field sign for DIT hwcap detection (git-fixes)
- arm64: dts: freescale: Fix pca954x i2c-mux node names (git-fixes)
- arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name (git-fixes).
- arm64: dts: imx8mn: specify #sound-dai-cells for SAI nodes (git-fixes).
- arm64: dts: imx8mp-phycore-som: Remove invalid PMIC property (git-fixes)
- arm64: dts: imx8mp: correct usb clocks (git-fixes)
- arm64: dts: imx8mq: add mipi csi phy and csi bridge descriptions (git-fixes)
- arm64: dts: imx8mq: fix mipi_csi bidirectional port numbers (git-fixes)
- arm64: dts: qcom: sm8350: Mark UFS controller as cache coherent (git-fixes).
- atm: idt77252: fix kmemleak when rmmod idt77252 (git-fixes).
- ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() (git-fixes).
- ca8210: fix mac_len negative array access (git-fixes).
- can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write (git-fixes).
- can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events (git-fixes).
- can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access (git-fixes).
- cifs: Fix smb2_set_path_size() (git-fixes).
- cifs: Move the in_send statistic to __smb_send_rqst() (git-fixes).
- cifs: append path to open_enter trace event (bsc#1193629).
- cifs: avoid race conditions with parallel reconnects (bsc#1193629).
- cifs: avoid races in parallel reconnects in smb1 (bsc#1193629).
- cifs: check only tcon status on tcon related functions (bsc#1193629).
- cifs: do not poll server interfaces too regularly (bsc#1193629).
- cifs: double lock in cifs_reconnect_tcon() (git-fixes).
- cifs: dump pending mids for all channels in DebugData (bsc#1193629).
- cifs: empty interface list when server does not support query interfaces (bsc#1193629).
- cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL (bsc#1193629).
- cifs: fix dentry lookups in directory handle cache (bsc#1193629).
- cifs: fix missing unload_nls() in smb2_reconnect() (bsc#1193629).
- cifs: fix use-after-free bug in refresh_cache_worker() (bsc#1193629).
- cifs: generate signkey for the channel that's reconnecting (bsc#1193629).
- cifs: get rid of dead check in smb2_reconnect() (bsc#1193629).
- cifs: lock chan_lock outside match_session (bsc#1193629).
- cifs: prevent infinite recursion in CIFSGetDFSRefer() (bsc#1193629).
- cifs: print session id while listing open files (bsc#1193629).
- cifs: return DFS root session id in DebugData (bsc#1193629).
- cifs: set DFS root session in cifs_get_smb_ses() (bsc#1193629).
- cifs: use DFS root session instead of tcon ses (bsc#1193629).
- clocksource/drivers/mediatek: Optimize systimer irq clear flow on shutdown (git-fixes).
- debugfs: add debugfs_lookup_and_remove() (git-fixes).
- drivers/base: Fix unsigned comparison to -1 in CPUMAP_FILE_MAX_BYTES (bsc#1208815).
- drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist (bsc#1208815).
- drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub (git-fixes).
- drm/amd/display: fix shift-out-of-bounds in CalculateVMAndRowBytes (git-fixes).
- drm/amdkfd: Fix an illegal memory access (git-fixes).
- drm/bridge: lt8912b: return EPROBE_DEFER if bridge is not found (git-fixes).
- drm/etnaviv: fix reference leak when mmaping imported buffer (git-fixes).
- drm/i915/active: Fix missing debug object activation (git-fixes).
- drm/i915/active: Fix misuse of non-idle barriers as fence trackers (git-fixes).
- drm/i915/display/psr: Handle plane and pipe restrictions at every page flip (git-fixes).
- drm/i915/display/psr: Use drm damage helpers to calculate plane damaged area (git-fixes).
- drm/i915/display: Workaround cursor left overs with PSR2 selective fetch enabled (git-fixes).
- drm/i915/display: clean up comments (git-fixes).
- drm/i915/gt: perform uc late init after probe error injection (git-fixes).
- drm/i915/psr: Use calculated io and fast wake lines (git-fixes).
- drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state (git-fixes).
- drm/i915: Do not use BAR mappings for ring buffers with LLC (git-fixes).
- drm/i915: Do not use stolen memory for ring buffers with LLC (git-fixes).
- drm/i915: Preserve crtc_state->inherited during state clearing (git-fixes).
- drm/i915: Remove unused bits of i915_vma/active api (git-fixes).
- drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path (git-fixes).
- dt-bindings: serial: renesas,scif: Fix 4th IRQ for 4-IRQ SCIFs (git-fixes).
- efi: sysfb_efi: Fix DMI quirks not working for simpledrm (git-fixes).
- fbdev: au1200fb: Fix potential divide by zero (git-fixes).
- fbdev: intelfb: Fix potential divide by zero (git-fixes).
- fbdev: lxfb: Fix potential divide by zero (git-fixes).
- fbdev: nvidia: Fix potential divide by zero (git-fixes).
- fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks (git-fixes).
- fbdev: tgafb: Fix potential divide by zero (git-fixes).
- firmware: arm_scmi: Fix device node validation for mailbox transport (git-fixes).
- fotg210-udc: Add missing completion handler (git-fixes).
- ftrace: Fix invalid address access in lookup_rec() when index is 0 (git-fixes).
- ftrace: Fix issue that 'direct->addr' not restored in modify_ftrace_direct() (git-fixes).
- ftrace: Mark get_lock_parent_ip() __always_inline (git-fixes).
- gpio: GPIO_REGMAP: select REGMAP instead of depending on it (git-fixes).
- gpio: davinci: Add irq chip flag to skip set wake (git-fixes).
- hwmon: fix potential sensor registration fail if of_node is missing (git-fixes).
- i2c: hisi: Only use the completion interrupt to finish the transfer (git-fixes).
- i2c: imx-lpi2c: check only for enabled interrupt flags (git-fixes).
- i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() (git-fixes).
- iio: adc: ad7791: fix IRQ flags (git-fixes).
- iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip (git-fixes).
- iio: adis16480: select CONFIG_CRC32 (git-fixes).
- iio: dac: cio-dac: Fix max DAC write value check for 12-bit (git-fixes).
- iio: light: cm32181: Unregister second I2C client if present (git-fixes).
- kABI workaround for xhci (git-fixes).
- kABI: x86/msr: Remove .fixup usage (kabi).
- kconfig: Update config changed flag before calling callback (git-fixes).
- keys: Do not cache key in task struct if key is requested from kernel thread (git-fixes).
- lan78xx: Add missing return code checks (git-fixes).
- lan78xx: Fix exception on link speed change (git-fixes).
- lan78xx: Fix memory allocation bug (git-fixes).
- lan78xx: Fix partial packet errors on suspend/resume (git-fixes).
- lan78xx: Fix race condition in disconnect handling (git-fixes).
- lan78xx: Fix race conditions in suspend/resume handling (git-fixes).
- lan78xx: Fix white space and style issues (git-fixes).
- lan78xx: Remove unused pause frame queue (git-fixes).
- lan78xx: Remove unused timer (git-fixes).
- lan78xx: Set flow control threshold to prevent packet loss (git-fixes).
- lockd: set file_lock start and end when decoding nlm4 testargs (git-fixes).
- locking/rwbase: Mitigate indefinite writer starvation (bsc#1189998 (PREEMPT_RT prerequisite backports), bsc#1206552).
- mm: memcg: fix swapcached stat accounting (bsc#1209804).
- mm: mmap: remove newline at the end of the trace (git-fixes).
- mmc: atmel-mci: fix race between stop command and start of next command (git-fixes).
- mtd: rawnand: meson: fix bitmask for length in command word (git-fixes).
- mtd: rawnand: meson: invalidate cache on polling ECC bit (git-fixes).
- mtd: rawnand: stm32_fmc2: remove unsupported EDO mode (git-fixes).
- mtd: rawnand: stm32_fmc2: use timings.mode instead of checking tRC_min (git-fixes).
- mtdblock: tolerate corrected bit-flips (git-fixes).
- net: asix: fix modprobe 'sysfs: cannot create duplicate filename' (git-fixes).
- net: mdio: thunder: Add missing fwnode_handle_put() (git-fixes).
- net: phy: Ensure state transitions are processed from phy_stop() (git-fixes).
- net: phy: dp83869: fix default value for tx-/rx-internal-delay (git-fixes).
- net: phy: nxp-c45-tja11xx: fix MII_BASIC_CONFIG_REV bit (git-fixes).
- net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails (git-fixes).
- net: qcom/emac: Fix use after free bug in emac_remove due to race condition (git-fixes).
- net: usb: asix: remove redundant assignment to variable reg (git-fixes).
- net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 (git-fixes).
- net: usb: lan78xx: Limit packet length to skb->len (git-fixes).
- net: usb: qmi_wwan: add Telit 0x1080 composition (git-fixes).
- net: usb: smsc75xx: Limit packet length to skb->len (git-fixes).
- net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull (git-fixes).
- net: usb: smsc95xx: Limit packet length to skb->len (git-fixes).
- net: usb: use eth_hw_addr_set() (git-fixes).
- nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() (git-fixes).
- nilfs2: fix sysfs interface lifetime (git-fixes).
- nvme-tcp: always fail a request when sending it failed (bsc#1208902).
- pNFS/filelayout: Fix coalescing test for single DS (git-fixes).
- pinctrl: amd: Disable and mask interrupts on resume (git-fixes).
- pinctrl: at91-pio4: fix domain name assignment (git-fixes).
- pinctrl: ocelot: Fix alt mode for ocelot (git-fixes).
- platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl (git-fixes).
- platform/x86/intel/pmc: Alder Lake PCH slp_s0_residency fix (git-fixes).
- platform/x86: think-lmi: Add possible_values for ThinkStation (git-fixes).
- platform/x86: think-lmi: Certificate authentication support (bsc#1210050).
- platform/x86: think-lmi: Clean up display of current_value on Thinkstation (git-fixes).
- platform/x86: think-lmi: Fix memory leak when showing current settings (git-fixes).
- platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings (git-fixes).
- platform/x86: think-lmi: Move kobject_init() call into tlmi_create_auth() (bsc#1210050).
- platform/x86: think-lmi: Opcode support (bsc#1210050).
- platform/x86: think-lmi: Prevent underflow in index_store() (bsc#1210050).
- platform/x86: think-lmi: Simplify tlmi_analyze() error handling a bit (bsc#1210050).
- platform/x86: think-lmi: Use min_t() for comparison and assignment (bsc#1210050).
- platform/x86: think-lmi: add debug_cmd (bsc#1210050).
- platform/x86: think-lmi: add missing type attribute (git-fixes).
- platform/x86: think-lmi: certificate support clean ups (bsc#1210050).
- platform/x86: think-lmi: only display possible_values if available (git-fixes).
- platform/x86: think-lmi: use correct possible_values delimiters (git-fixes).
- platform/x86: thinkpad-acpi: Add support for automatic mode transitions (bsc#1210050).
- platform/x86: thinkpad-acpi: Enable AMT by default on supported systems (bsc#1210050).
- platform/x86: thinkpad-acpi: profile capabilities as integer (bsc#1210050).
- platform/x86: thinkpad_acpi: Accept ibm_init_struct.init() returning -ENODEV (bsc#1210050).
- platform/x86: thinkpad_acpi: Add LED_RETAIN_AT_SHUTDOWN to led_class_devs (bsc#1210050).
- platform/x86: thinkpad_acpi: Add PSC mode support (bsc#1210050).
- platform/x86: thinkpad_acpi: Add a s2idle resume quirk for a number of laptops (bsc#1210050).
- platform/x86: thinkpad_acpi: Add dual fan probe (bsc#1210050).
- platform/x86: thinkpad_acpi: Add dual-fan quirk for T15g (2nd gen) (bsc#1210050).
- platform/x86: thinkpad_acpi: Add hotkey_notify_extended_hotkey() helper (bsc#1210050).
- platform/x86: thinkpad_acpi: Add lid_logo_dot to the list of safe LEDs (bsc#1210050).
- platform/x86: thinkpad_acpi: Add quirk for ThinkPads without a fan (bsc#1210050).
- platform/x86: thinkpad_acpi: Cleanup dytc_profile_available (bsc#1210050).
- platform/x86: thinkpad_acpi: Convert btusb DMI list to quirks (bsc#1210050).
- platform/x86: thinkpad_acpi: Convert platform driver to use dev_groups (bsc#1210050).
- platform/x86: thinkpad_acpi: Correct dual fan probe (bsc#1210050).
- platform/x86: thinkpad_acpi: Do not use test_bit on an integer (bsc#1210050).
- platform/x86: thinkpad_acpi: Enable s2idle quirk for 21A1 machine type (bsc#1210050).
- platform/x86: thinkpad_acpi: Explicitly set to balanced mode on startup (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix a memory leak of EFCH MMIO resource (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix coccinelle warnings (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix compiler warning about uninitialized err variable (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix incorrect use of platform profile on AMD platforms (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix max_brightness of thinklight (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix profile mode display in AMT mode (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix profile modes on Intel platforms (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix reporting a non present second fan on some models (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix the hwmon sysfs-attr showing up in the wrong place (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix thermal_temp_input_attr sorting (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix thinklight LED brightness returning 255 (bsc#1210050).
- platform/x86: thinkpad_acpi: Get privacy-screen / lcdshadow ACPI handles only once (bsc#1210050).
- platform/x86: thinkpad_acpi: Make *_init() functions return -ENODEV instead of 1 (bsc#1210050).
- platform/x86: thinkpad_acpi: Properly indent code in tpacpi_dytc_profile_init() (bsc#1210050).
- platform/x86: thinkpad_acpi: Register tpacpi_pdriver after subdriver init (bsc#1210050).
- platform/x86: thinkpad_acpi: Remove 'goto err_exit' from hotkey_init() (bsc#1210050).
- platform/x86: thinkpad_acpi: Remove unused sensors_pdev_attrs_registered flag (bsc#1210050).
- platform/x86: thinkpad_acpi: Restore missing hotkey_tablet_mode and hotkey_radio_sw sysfs-attr (bsc#1210050).
- platform/x86: thinkpad_acpi: Simplify dytc_version handling (bsc#1210050).
- platform/x86: thinkpad_acpi: Switch to common use of attributes (bsc#1210050).
- platform/x86: thinkpad_acpi: Use backlight helper (bsc#1210050).
- platform/x86: thinkpad_acpi: clean up dytc profile convert (bsc#1210050).
- platform/x86: thinkpad_acpi: consistently check fan_get_status return (bsc#1210050).
- platform/x86: thinkpad_acpi: do not use PSC mode on Intel platforms (bsc#1210050).
- platform/x86: thinkpad_acpi: tpacpi_attr_group contains driver attributes not device attrs (bsc#1210050).
- platform/x86: thinkpad_acpi: use strstarts() (bsc#1210050).
- power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition (git-fixes).
- powerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch (bsc#1194869).
- powerpc/btext: add missing of_node_put (bsc#1065729).
- powerpc/ioda/iommu/debugfs: Generate unique debugfs entries (bsc#1194869).
- powerpc/iommu: Add missing of_node_put in iommu_init_early_dart (bsc#1194869).
- powerpc/iommu: fix memory leak with using debugfs_lookup() (bsc#1194869).
- powerpc/kcsan: Exclude udelay to prevent recursive instrumentation (bsc#1194869).
- powerpc/kexec_file: fix implicit decl error (bsc#1194869).
- powerpc/powernv/ioda: Skip unallocated resources when mapping to PE (bsc#1065729).
- powerpc/powernv: fix missing of_node_put in uv_init() (bsc#1194869).
- powerpc/pseries/lpar: add missing RTAS retry status handling (bsc#1109158 ltc#169177 git-fixes).
- powerpc/pseries/lparcfg: add missing RTAS retry status handling (bsc#1065729).
- powerpc/rtas: ensure 4KB alignment for rtas_data_buf (bsc#1065729).
- powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT (bsc#1194869).
- powerpc/vmlinux.lds: Do not discard .comment (bsc#1194869).
- powerpc/vmlinux.lds: Do not discard .rela* for relocatable builds (bsc#1194869).
- powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds (bsc#1194869).
- powerpc: Remove linker flag from KBUILD_AFLAGS (bsc#1194869).
- ppc64le: HWPOISON_INJECT=m (bsc#1209572).
- pwm: cros-ec: Explicitly set .polarity in .get_state() (git-fixes).
- pwm: sprd: Explicitly set .polarity in .get_state() (git-fixes).
- r8169: fix RTL8168H and RTL8107E rx crc error (git-fixes).
- rcu: Fix rcu_torture_read ftrace event (git-fixes).
- ring-buffer: Fix race while reader and writer are on the same page (git-fixes).
- ring-buffer: Handle race between rb_move_tail and rb_check_pages (git-fixes).
- ring-buffer: remove obsolete comment for free_buffer_page() (git-fixes).
- s390/boot: simplify and fix kernel memory layout setup (bsc#1209600).
- s390/dasd: fix no record found for raw_track_access (bsc#1207574).
- s390/vfio-ap: fix memory leak in vfio_ap device driver (git-fixes).
- sbitmap: Avoid lockups when waker gets preempted (bsc#1209118).
- sched/psi: Fix use-after-free in ep_remove_wait_queue() (bsc#1209799).
- scsi: qla2xxx: Synchronize the IOCB count to be in order (bsc#1209292 bsc#1209684 bsc#1209556).
- sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list (bsc#1208602, git-fixes).
- serial: 8250: ASPEED_VUART: select REGMAP instead of depending on it (git-fixes).
- serial: 8250: SERIAL_8250_ASPEED_VUART should depend on ARCH_ASPEED (git-fixes).
- serial: fsl_lpuart: Fix comment typo (git-fixes).
- smb3: fix unusable share after force unmount failure (bsc#1193629).
- smb3: lower default deferred close timeout to address perf regression (bsc#1193629).
- struct dwc3: mask new member (git-fixes).
- thunderbolt: Add missing UNSET_INBOUND_SBTX for retimer access (git-fixes).
- thunderbolt: Call tb_check_quirks() after initializing adapters (git-fixes).
- thunderbolt: Disable interrupt auto clear for rings (git-fixes).
- thunderbolt: Rename shadowed variables bit to interrupt_bit and auto_clear_bit (git-fixes).
- thunderbolt: Use const qualifier for `ring_interrupt_index` (git-fixes).
- thunderbolt: Use scale field when allocating USB3 bandwidth (git-fixes).
- timers: Prevent union confusion from unexpected (git-fixes)
- trace/hwlat: Do not start per-cpu thread if it is already running (git-fixes).
- trace/hwlat: Do not wipe the contents of per-cpu thread data (git-fixes).
- trace/hwlat: make use of the helper function kthread_run_on_cpu() (git-fixes).
- tracing: Add trace_array_puts() to write into instance (git-fixes).
- tracing: Fix wrong return in kprobe_event_gen_test.c (git-fixes).
- tracing: Free error logs of tracing instances (git-fixes).
- tracing: Have tracing_snapshot_instance_cond() write errors to the appropriate instance (git-fixes).
- tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty (git-fixes).
- tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted (git-fixes).
- tty: serial: sh-sci: Fix Rx on RZ/G2L SCI (git-fixes).
- tty: serial: sh-sci: Fix transmit end interrupt handler (git-fixes).
- uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 (git-fixes).
- vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready (git-fixes).
- wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta (git-fixes).
- wifi: mac80211: fix qos on mesh interfaces (git-fixes).
- wireguard: ratelimiter: use hrtimer in selftest (git-fixes)
- x86/bug: Merge annotate_reachable() into _BUG_FLAGS() asm (git-fixes).
- x86/fpu/xsave: Handle compacted offsets correctly with supervisor states (git-fixes).
- x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation (git-fixes).
- x86/fpu: Cache xfeature flags from CPUID (git-fixes).
- x86/fpu: Remove unused supervisor only offsets (git-fixes).
- x86/kvm: Do not use pv tlb/ipi/sched_yield if on 1 vCPU (git-fixes).
- x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes).
- x86/mce: Allow instrumentation during task work queueing (git-fixes).
- x86/mce: Mark mce_end() noinstr (git-fixes).
- x86/mce: Mark mce_panic() noinstr (git-fixes).
- x86/mce: Mark mce_read_aux() noinstr (git-fixes).
- x86/mm: Flush global TLB when switching to trampoline page-table (git-fixes).
- x86/msr: Remove .fixup usage (git-fixes).
- x86/sgx: Free backing memory after faulting the enclave page (git-fixes).
- x86/sgx: Silence softlockup detection when releasing large enclaves (git-fixes).
- x86/uaccess: Move variable into switch case statement (git-fixes).
- x86: Annotate call_on_stack() (git-fixes).
- x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments (bsc#1203200).
- xfs: convert ptag flags to unsigned (git-fixes).
- xfs: do not assert fail on perag references on teardown (git-fixes).
- xfs: do not leak btree cursor when insrec fails after a split (git-fixes).
- xfs: pass the correct cursor to xfs_iomap_prealloc_size (git-fixes).
- xfs: remove xfs_setattr_time() declaration (git-fixes).
- xfs: zero inode fork buffer at allocation (git-fixes).
- xhci: Free the command allocated for setting LPM if we return early (git-fixes).
- xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu (git-fixes).
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach (git-fixes).
- xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released:    Tue Apr 25 18:05:42 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:

 - Fix the inability to use `/dev/null` when inside a container.
 - Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
 - Fix rare runc exec/enter unshare error on older kernels.
 - nsexec: Check for errors in `write_log()`.
 - Drop version-specific Go requirement.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2157-1
Released:    Wed May 10 13:21:20 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1200441

This update of conmon fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2231-1
Released:    Wed May 17 10:08:22 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1142685,1155798,1174777,1189999,1194869,1203039,1203325,1206649,1206891,1206992,1207088,1208076,1208845,1209615,1209693,1209739,1209871,1209927,1209999,1210034,1210158,1210202,1210206,1210301,1210329,1210336,1210337,1210439,1210453,1210454,1210469,1210506,1210629,1210725,1210762,1210763,1210764,1210765,1210766,1210767,1210768,1210769,1210770,1210771,1210793,1210816,1210817,1210827,1210943,1210953,1210986,1211025,CVE-2022-2196,CVE-2023-0386,CVE-2023-1670,CVE-2023-1855,CVE-2023-1989,CVE-2023-1990,CVE-2023-1998,CVE-2023-2008,CVE-2023-2019,CVE-2023-2176,CVE-2023-2235,CVE-2023-23006,CVE-2023-30772
The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2023-2235: A use-after-free vulnerability in the Performance Events system can be exploited to achieve local privilege escalation (bsc#1210986).
- CVE-2022-2196: Fixed a regression related to KVM that allowed for speculative execution attacks (bsc#1206992).
- CVE-2023-23006: Fixed NULL checking against IS_ERR in dr_domain_init_resources (bsc#1208845).
- CVE-2023-1670: Fixed a use after free in the Xircom 16-bit PCMCIA Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system (bsc#1209871).
- CVE-2023-2176: A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege (bsc#1210629).
- CVE-2023-0386: A flaw was found where unauthorized access to the execution of the setuid file with capabilities was found in the OverlayFS subsystem, when a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allowed a local user to escalate their privileges on the system (bsc#1209615).
- CVE-2023-1998: Fixed a use after free during login when accessing the shost ipaddress (bsc#1210506).
- CVE-2023-1855: Fixed a use after free in xgene_hwmon_remove (bsc#1210202).
- CVE-2023-30772: Fixed a race condition and resultant use-after-free in da9150_charger_remove (bsc#1210329).
- CVE-2023-2019: A flaw was found in the netdevsim device driver, more specifically within the scheduling of events. This issue results from the improper management of a reference count and may lead to a denial of service (bsc#1210454).
- CVE-2023-2008: A flaw was found in the fault handler of the udmabuf device driver. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code (bsc#1210453).
- CVE-2023-1989: Fixed a use after free in btsdio_remove (bsc#1210336).
- CVE-2023-1990: Fixed a use after free in ndlc_remove (bsc#1210337).

The following non-security bugs were fixed:

- ACPI: CPPC: Disable FIE if registers in PCC regions (bsc#1210953).
- ACPI: VIOT: Initialize the correct IOMMU fwspec (git-fixes).
- ACPI: resource: Add Medion S17413 to IRQ override quirk (git-fixes).
- ALSA: emu10k1: do not create old pass-through playback device on Audigy (git-fixes).
- ALSA: emu10k1: fix capture interrupt handler unlinking (git-fixes).
- ALSA: firewire-tascam: add missing unwind goto in snd_tscm_stream_start_duplex() (git-fixes).
- ALSA: hda/cirrus: Add extra 10 ms delay to allow PLL settle and lock (git-fixes).
- ALSA: hda/realtek: Add quirks for Lenovo Z13/Z16 Gen2 (git-fixes).
- ALSA: hda/realtek: Enable mute/micmute LEDs and speaker support for HP Laptops (git-fixes).
- ALSA: hda/realtek: Remove specific patch for Dell Precision 3260 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook (git-fixes).
- ALSA: hda/realtek: fix speaker, mute/micmute LEDs not work on a HP platform (git-fixes).
- ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard (git-fixes).
- ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards (git-fixes).
- ALSA: hda: cs35l41: Enable Amp High Pass Filter (git-fixes).
- ALSA: hda: patch_realtek: add quirk for Asus N7601ZM (git-fixes).
- ALSA: i2c/cs8427: fix iec958 mixer control deactivation (git-fixes).
- ARM: 9290/1: uaccess: Fix KASAN false-positives (git-fixes).
- ARM: dts: exynos: fix WM8960 clock name in Itop Elite (git-fixes).
- ARM: dts: gta04: fix excess dma channel usage (git-fixes).
- ARM: dts: qcom: ipq4019: Fix the PCI I/O port range (git-fixes).
- ARM: dts: rockchip: fix a typo error for rk3288 spdif node (git-fixes).
- ARM: dts: s5pv210: correct MIPI CSIS clock name (git-fixes).
- ASN.1: Fix check for strdup() success (git-fixes).
- ASoC: cs35l41: Only disable internal boost (git-fixes).
- ASoC: es8316: Handle optional IRQ assignment (git-fixes).
- ASoC: fsl_asrc_dma: fix potential null-ptr-deref (git-fixes).
- ASoC: fsl_mqs: move of_node_put() to the correct location (git-fixes).
- Add 42a11bf5c543 cgroup/cpuset: Make cpuset_fork() handle CLONE_INTO_CGROUP properly
- Add eee878537941 cgroup/cpuset: Add cpuset_can_fork() and cpuset_cancel_fork() methods
- Bluetooth: Fix race condition in hidp_session_thread (git-fixes).
- Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} (git-fixes).
- Drivers: vmbus: Check for channel allocation before looking up relids (git-fixes).
- IB/mlx5: Add support for 400G_8X lane speed (git-fixes)
- Input: hp_sdc_rtc - mark an unused function as __maybe_unused (git-fixes).
- Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe (git-fixes).
- KEYS: Add missing function documentation (git-fixes).
- KEYS: Create static version of public_key_verify_signature (git-fixes).
- NFS: Cleanup unused rpc_clnt variable (git-fixes).
- NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL (git-fixes).
- NFSD: callback request does not use correct credential for AUTH_SYS (git-fixes).
- PCI/EDR: Clear Device Status after EDR error recovery (git-fixes).
- PCI: dwc: Fix PORT_LINK_CONTROL update when CDM check enabled (git-fixes).
- PCI: imx6: Install the fault handler only on compatible match (git-fixes).
- PCI: loongson: Add more devices that need MRRS quirk (git-fixes).
- PCI: loongson: Prevent LS7A MRRS increases (git-fixes).
- PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock (git-fixes).
- PCI: qcom: Fix the incorrect register usage in v2.7.0 config (git-fixes).
- RDMA/cma: Allow UD qp_type to join multicast only (git-fixes)
- RDMA/core: Fix GID entry ref leak when create_ah fails (git-fixes)
- RDMA/irdma: Add ipv4 check to irdma_find_listener() (git-fixes)
- RDMA/irdma: Fix memory leak of PBLE objects (git-fixes)
- RDMA/irdma: Increase iWARP CM default rexmit count (git-fixes)
- Remove obsolete KMP obsoletes (bsc#1210469).
- Revert 'Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work' (git-fixes).
- Revert 'pinctrl: amd: Disable and mask interrupts on resume' (git-fixes).
- USB: dwc3: fix runtime pm imbalance on probe errors (git-fixes).
- USB: dwc3: fix runtime pm imbalance on unbind (git-fixes).
- USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs (git-fixes).
- USB: serial: option: add Quectel RM500U-CN modem (git-fixes).
- USB: serial: option: add Telit FE990 compositions (git-fixes).
- USB: serial: option: add UNISOC vendor and TOZED LT70C product (git-fixes).
- amdgpu: disable powerpc support for the newer display engine (bsc#1194869).
- arm64: dts: imx8mm-evk: correct pmic clock source (git-fixes).
- arm64: dts: meson-g12-common: specify full DMC range (git-fixes).
- arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node (git-fixes).
- arm64: dts: qcom: ipq8074: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: msm8994-kitakami: drop unit address from PMI8994 regulator (git-fixes).
- arm64: dts: qcom: msm8994-msft-lumia-octagon: drop unit address from PMI8994 regulator (git-fixes).
- arm64: dts: qcom: msm8996: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: msm8998: Fix stm-stimulus-base reg name (git-fixes).
- arm64: dts: qcom: msm8998: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: sc7180-trogdor-lazor: correct trackpad supply (git-fixes).
- arm64: dts: qcom: sdm845: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: sm8250: Fix the PCI I/O port range (git-fixes).
- arm64: dts: renesas: r8a774c0: Remove bogus voltages from OPP table (git-fixes).
- arm64: dts: renesas: r8a77990: Remove bogus voltages from OPP table (git-fixes).
- arm64: dts: ti: k3-j721e-main: Remove ti,strobe-sel property (git-fixes).
- arm64: enable jump-label jump-label was disabled on arm64 by a backport error.
- bluetooth: Perform careful capability checks in hci_sock_ioctl() (git-fixes).
- cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() (bsc#1210827).
- cifs: fix negotiate context parsing (bsc#1210301).
- clk: add missing of_node_put() in 'assigned-clocks' property parsing (git-fixes).
- clk: at91: clk-sam9x60-pll: fix return value check (git-fixes).
- clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent (git-fixes).
- clk: sprd: set max_register according to mapping range (git-fixes).
- clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails (git-fixes).
- config: arm64: enable ERRATUM_843419 Config option was incorrectly replaced by the rt-refresh-configs script
- cpufreq: CPPC: Fix build error without CONFIG_ACPI_CPPC_CPUFREQ_FIE (bsc#1210953).
- cpufreq: CPPC: Fix performance/frequency conversion (git-fixes).
- cpumask: fix incorrect cpumask scanning result checks (bsc#1210943).
- crypto: caam - Clear some memory in instantiate_rng (git-fixes).
- crypto: drbg - Only fail when jent is unavailable in FIPS mode (git-fixes).
- crypto: sa2ul - Select CRYPTO_DES (git-fixes).
- crypto: safexcel - Cleanup ring IRQ workqueues on load failure (git-fixes).
- driver core: Do not require dynamic_debug for initcall_debug probe timing (git-fixes).
- drivers: staging: rtl8723bs: Fix locking in _rtw_join_timeout_handler() (git-fixes).
- drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler() (git-fixes).
- drm/amd/display/dc/dce60/Makefile: Fix previous attempt to silence known override-init warnings (git-fixes).
- drm/amd/display: Fix potential null dereference (git-fixes).
- drm/amdgpu: Re-enable DCN for 64-bit powerpc (bsc#1194869).
- drm/armada: Fix a potential double free in an error handling path (git-fixes).
- drm/bridge: adv7533: Fix adv7533_mode_valid for adv7533 and adv7535 (git-fixes).
- drm/bridge: lt8912b: Fix DSI Video Mode (git-fixes).
- drm/bridge: lt9611: Fix PLL being unable to lock (git-fixes).
- drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var (git-fixes).
- drm/i915/dsi: fix DSS CTL register offsets for TGL+ (git-fixes).
- drm/i915: Fix fast wake AUX sync len (git-fixes).
- drm/i915: Make intel_get_crtc_new_encoder() less oopsy (git-fixes).
- drm/i915: fix race condition UAF in i915_perf_add_config_ioctl (git-fixes).
- drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe() (git-fixes).
- drm/msm/adreno: drop bogus pm_runtime_set_active() (git-fixes).
- drm/msm/disp/dpu: check for crtc enable rather than crtc active to release shared resources (git-fixes).
- drm/msm: fix NULL-deref on snapshot tear down (git-fixes).
- drm/nouveau/disp: Support more modes by checking with lower bpc (git-fixes).
- drm/panel: otm8009a: Set backlight parent to panel device (git-fixes).
- drm/probe-helper: Cancel previous job before starting new one (git-fixes).
- drm/rockchip: Drop unbalanced obj unref (git-fixes).
- drm/vgem: add missing mutex_destroy (git-fixes).
- drm: msm: adreno: Disable preemption on Adreno 510 (git-fixes).
- drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F (git-fixes).
- drm: rcar-du: Fix a NULL vs IS_ERR() bug (git-fixes).
- dt-bindings: arm: fsl: Fix copy-paste error in comment (git-fixes).
- dt-bindings: iio: ti,tmp117: fix documentation link (git-fixes).
- dt-bindings: mailbox: qcom,apcs-kpss-global: fix SDX55 'if' match (git-fixes).
- dt-bindings: nvmem: qcom,spmi-sdam: fix example 'reg' property (git-fixes).
- dt-bindings: remoteproc: stm32-rproc: Typo fix (git-fixes).
- dt-bindings: soc: qcom: smd-rpm: re-add missing qcom,rpm-msm8994 (git-fixes).
- e1000e: Disable TSO on i219-LM card to increase speed (git-fixes).
- efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L (git-fixes).
- ext4: Fix deadlock during directory rename (bsc#1210763).
- ext4: Fix possible corruption when moving a directory (bsc#1210763).
- ext4: fix RENAME_WHITEOUT handling for inline directories (bsc#1210766).
- ext4: fix another off-by-one fsmap error on 1k block filesystems (bsc#1210767).
- ext4: fix bad checksum after online resize (bsc#1210762 bsc#1208076).
- ext4: fix cgroup writeback accounting with fs-layer encryption (bsc#1210765).
- ext4: fix corruption when online resizing a 1K bigalloc fs (bsc#1206891).
- ext4: fix incorrect options show of original mount_opt and extend mount_opt2 (bsc#1210764).
- ext4: fix possible double unlock when moving a directory (bsc#1210763).
- ext4: use ext4_journal_start/stop for fast commit transactions (bsc#1210793).
- fbmem: Reject FB_ACTIVATE_KD_TEXT from userspace (git-fixes).
- firmware: qcom_scm: Clear download bit during reboot (git-fixes).
- firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe (git-fixes).
- fpga: bridge: fix kernel-doc parameter description (git-fixes).
- hwmon: (adt7475) Use device_property APIs when configuring polarity (git-fixes).
- hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write (git-fixes).
- hwmon: (pmbus/fsp-3y) Fix functionality bitmask in FSP-3Y YM-2151E (git-fixes).
- i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path (git-fixes).
- i2c: hisi: Avoid redundant interrupts (git-fixes).
- i2c: imx-lpi2c: clean rx/tx buffers upon new message (git-fixes).
- i2c: ocores: generate stop condition after timeout in polling mode (git-fixes).
- i915/perf: Replace DRM_DEBUG with driver specific drm_dbg call (git-fixes).
- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock (bsc#1210158).
- iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger() (git-fixes).
- iio: light: tsl2772: fix reading proximity-diodes from device tree (git-fixes).
- ipmi: fix SSIF not responding under certain cond (git-fixes).
- ipmi:ssif: Add send_retries increment (git-fixes).
- k-m-s: Drop Linux 2.6 support
- kABI: PCI: loongson: Prevent LS7A MRRS increases (kabi).
- kABI: x86/msi: Fix msi message data shadow struct (kabi).
- kabi/severities: ignore KABI for NVMe target (bsc#1174777) The target code is only for testing and there are no external users.
- keys: Fix linking a duplicate key to a keyring's assoc_array (bsc#1207088).
- locking/rwbase: Mitigate indefinite writer starvation.
- media: av7110: prevent underflow in write_ts_to_decoder() (git-fixes).
- media: dm1105: Fix use after free bug in dm1105_remove due to race condition (git-fixes).
- media: max9286: Free control handler (git-fixes).
- media: rc: gpio-ir-recv: Fix support for wake-up (git-fixes).
- media: rkvdec: fix use after free bug in rkvdec_remove (git-fixes).
- media: saa7134: fix use after free bug in saa7134_finidev due to race condition (git-fixes).
- media: venus: dec: Fix handling of the start cmd (git-fixes).
- memstick: fix memory leak if card device is never registered (git-fixes).
- mm/filemap: fix page end in filemap_get_read_batch (bsc#1210768).
- mm: page_alloc: skip regions with hugetlbfs pages when allocating 1G pages (bsc#1210034).
- mm: take a page reference when removing device exclusive entries (bsc#1211025).
- mmc: sdhci-of-esdhc: fix quirk to ignore command inhibit for data (git-fixes).
- mmc: sdhci_am654: Set HIGH_SPEED_ENA for SDR12 and SDR25 (git-fixes).
- mtd: core: fix error path for nvmem provider (git-fixes).
- mtd: core: fix nvmem error reporting (git-fixes).
- mtd: core: provide unique name for nvmem device, take two (git-fixes).
- mtd: spi-nor: Fix a trivial typo (git-fixes).
- net: phy: nxp-c45-tja11xx: add remove callback (git-fixes).
- net: phy: nxp-c45-tja11xx: fix unsigned long multiplication overflow (git-fixes).
- nfsd: call op_release, even when op_func returns an error (git-fixes).
- nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() (git-fixes).
- nilfs2: initialize unused bytes in segment summary blocks (git-fixes).
- nvme initialize core quirks before calling nvme_init_subsystem (git-fixes).
- nvme-auth: uninitialized variable in nvme_auth_transform_key() (git-fixes).
- nvme-fcloop: fix 'inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage' (git-fixes).
- nvme-hwmon: consistently ignore errors from nvme_hwmon_init (git-fixes).
- nvme-hwmon: kmalloc the NVME SMART log buffer (git-fixes).
- nvme-multipath: fix possible hang in live ns resize with ANA access (git-fixes).
- nvme-pci: fix doorbell buffer value endianness (git-fixes).
- nvme-pci: fix mempool alloc size (git-fixes).
- nvme-pci: fix page size checks (git-fixes).
- nvme-pci: fix timeout request state check (git-fixes).
- nvme-rdma: fix possible hang caused during ctrl deletion (git-fixes).
- nvme-tcp: fix possible circular locking when deleting a controller under memory pressure (git-fixes).
- nvme-tcp: fix possible hang caused during ctrl deletion (git-fixes).
- nvme-tcp: fix regression that causes sporadic requests to time out (git-fixes).
- nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices (git-fixes).
- nvme: add device name to warning in uuid_show() (git-fixes).
- nvme: catch -ENODEV from nvme_revalidate_zones again (git-fixes).
- nvme: copy firmware_rev on each init (git-fixes).
- nvme: define compat_ioctl again to unbreak 32-bit userspace (git-fixes).
- nvme: fix async event trace event (git-fixes).
- nvme: fix handling single range discard request (git-fixes).
- nvme: fix per-namespace chardev deletion (git-fixes).
- nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition (git-fixes).
- nvme: fix the read-only state for zoned namespaces with unsupposed features (git-fixes).
- nvme: improve the NVME_CONNECT_AUTHREQ* definitions (git-fixes).
- nvme: move nvme_multi_css into nvme.h (git-fixes).
- nvme: return err on nvme_init_non_mdts_limits fail (git-fixes).
- nvme: send Identify with CNS 06h only to I/O controllers (bsc#1209693).
- nvme: set dma alignment to dword (git-fixes).
- nvme: use command_id instead of req->tag in trace_nvme_complete_rq() (git-fixes).
- nvmet-auth: do not try to cancel a non-initialized work_struct (git-fixes).
- nvmet-tcp: fix incomplete data digest send (git-fixes).
- nvmet-tcp: fix regression in data_digest calculation (git-fixes).
- nvmet: add helpers to set the result field for connect commands (git-fixes).
- nvmet: avoid potential UAF in nvmet_req_complete() (git-fixes).
- nvmet: do not defer passthrough commands with trivial effects to the workqueue (git-fixes).
- nvmet: fix I/O Command Set specific Identify Controller (git-fixes).
- nvmet: fix Identify Active Namespace ID list handling (git-fixes).
- nvmet: fix Identify Controller handling (git-fixes).
- nvmet: fix Identify Namespace handling (git-fixes).
- nvmet: fix a memory leak (git-fixes).
- nvmet: fix a memory leak in nvmet_auth_set_key (git-fixes).
- nvmet: fix a use-after-free (git-fixes).
- nvmet: fix invalid memory reference in nvmet_subsys_attr_qid_max_show (git-fixes).
- nvmet: force reconnect when number of queue changes (git-fixes).
- nvmet: looks at the passthrough controller when initializing CAP (git-fixes).
- nvmet: only allocate a single slab for bvecs (git-fixes).
- nvmet: use IOCB_NOWAIT only if the filesystem supports it (git-fixes).
- perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output (git fixes).
- perf/core: Fix the same task check in perf_event_set_output (git fixes).
- perf: Fix check before add_event_to_groups() in perf_group_detach() (git fixes).
- perf: fix perf_event_context->time (git fixes).
- platform/x86 (gigabyte-wmi): Add support for A320M-S2H V2 (git-fixes).
- platform/x86: gigabyte-wmi: add support for X570S AORUS ELITE (git-fixes).
- power: supply: cros_usbpd: reclassify 'default case!' as debug (git-fixes).
- power: supply: generic-adc-battery: fix unit scaling (git-fixes).
- powerpc/64: Always build with 128-bit long double (bsc#1194869).
- powerpc/64e: Fix amdgpu build on Book3E w/o AltiVec (bsc#1194869).
- powerpc/hv-gpci: Fix hv_gpci event list (git fixes).
- powerpc/papr_scm: Update the NUMA distance table for the target node (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 git-fixes).
- powerpc/perf/hv-24x7: add missing RTAS retry status handling (git fixes).
- powerpc/pseries: Consolidate different NUMA distance update code paths (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 git-fixes).
- powerpc: declare unmodified attribute_group usages const (git-fixes).
- regulator: core: Avoid lockdep reports when resolving supplies (git-fixes).
- regulator: core: Consistently set mutex_owner when using ww_mutex_lock_slow() (git-fixes).
- regulator: core: Shorten off-on-delay-us for always-on/boot-on by time since booted (git-fixes).
- regulator: fan53555: Explicitly include bits header (git-fixes).
- regulator: fan53555: Fix wrong TCS_SLEW_MASK (git-fixes).
- regulator: stm32-pwr: fix of_iomap leak (git-fixes).
- remoteproc: Harden rproc_handle_vdev() against integer overflow (git-fixes).
- remoteproc: imx_rproc: Call of_node_put() on iteration error (git-fixes).
- remoteproc: st: Call of_node_put() on iteration error (git-fixes).
- remoteproc: stm32: Call of_node_put() on iteration error (git-fixes).
- rtc: meson-vrtc: Use ktime_get_real_ts64() to get the current time (git-fixes).
- rtc: omap: include header for omap_rtc_power_off_program prototype (git-fixes).
- sched/fair: Fix imbalance overflow (bsc#1155798 (CPU scheduler functional and performance backports)).
- sched/fair: Limit sched slice duration (bsc#1189999 (Scheduler functional and performance backports)).
- sched/fair: Move calculate of avg_load to a better location (bsc#1155798 (CPU scheduler functional and performance backports)).
- sched/fair: Sanitize vruntime of entity being migrated (bsc#1203325).
- sched/fair: sanitize vruntime of entity being placed (bsc#1203325).
- sched/numa: Stop an exhastive search if an idle core is found (bsc#1189999 (Scheduler functional and performance backports)).
- sched_getaffinity: do not assume 'cpumask_size()' is fully initialized (bsc#1155798 (CPU scheduler functional and performance backports)).
- scsi: aic94xx: Add missing check for dma_map_single() (git-fixes).
- scsi: core: Add BLIST_NO_VPD_SIZE for some VDASD (git-fixes bsc#1203039) (renamed now that it's upstgream)
- scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR (git-fixes).
- scsi: core: Fix a procfs host directory removal regression (git-fixes).
- scsi: core: Fix a source code comment (git-fixes).
- scsi: core: Remove the /proc/scsi/${proc_name} directory earlier (git-fixes).
- scsi: hisi_sas: Check devm_add_action() return value (git-fixes).
- scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id (git-fixes).
- scsi: ipr: Work around fortify-string warning (git-fixes).
- scsi: iscsi_tcp: Check that sock is valid before iscsi_set_param() (git-fixes).
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (git-fixes).
- scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress (git-fixes).
- scsi: kABI workaround for fc_host_fpin_rcv (git-fixes).
- scsi: libsas: Remove useless dev_list delete in sas_ex_discover_end_dev() (git-fixes).
- scsi: lpfc: Avoid usage of list iterator variable after loop (git-fixes).
- scsi: lpfc: Check kzalloc() in lpfc_sli4_cgn_params_read() (git-fixes).
- scsi: lpfc: Copyright updates for 14.2.0.11 patches (bsc#1210943).
- scsi: lpfc: Correct used_rpi count when devloss tmo fires with no recovery (bsc#1210943).
- scsi: lpfc: Defer issuing new PLOGI if received RSCN before completing REG_LOGIN (bsc#1210943).
- scsi: lpfc: Drop redundant pci_enable_pcie_error_reporting() (bsc#1210943).
- scsi: lpfc: Fix double word in comments (bsc#1210943).
- scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup() (bsc#1210943).
- scsi: lpfc: Fix lockdep warning for rx_monitor lock when unloading driver (bsc#1210943).
- scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow (bsc#1210943).
- scsi: lpfc: Record LOGO state with discovery engine even if aborted (bsc#1210943).
- scsi: lpfc: Reorder freeing of various DMA buffers and their list removal (bsc#1210943).
- scsi: lpfc: Revise lpfc_error_lost_link() reason code evaluation logic (bsc#1210943).
- scsi: lpfc: Silence an incorrect device output (bsc#1210943).
- scsi: lpfc: Skip waiting for register ready bits when in unrecoverable state (bsc#1210943).
- scsi: lpfc: Update lpfc version to 14.2.0.11 (bsc#1210943).
- scsi: megaraid_sas: Fix crash after a double completion (git-fixes).
- scsi: megaraid_sas: Update max supported LD IDs to 240 (git-fixes).
- scsi: mpt3sas: Do not print sense pool info twice (git-fixes).
- scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add() (git-fixes).
- scsi: mpt3sas: Fix a memory leak (git-fixes).
- scsi: qla2xxx: Fix memory leak in qla2x00_probe_one() (git-fixes).
- scsi: qla2xxx: Perform lockless command completion in abort path (git-fixes).
- scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() (git-fixes).
- scsi: scsi_transport_fc: Add an additional flag to fc_host_fpin_rcv() (bsc#1210943).
- scsi: sd: Fix wrong zone_write_granularity value during revalidate (git-fixes).
- scsi: ses: Do not attach if enclosure has no components (git-fixes).
- scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses (git-fixes).
- scsi: ses: Fix possible desc_ptr out-of-bounds accesses (git-fixes).
- scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() (git-fixes).
- scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() (git-fixes).
- scsi: snic: Fix memory leak with using debugfs_lookup() (git-fixes).
- seccomp: Move copy_seccomp() to no failure path (bsc#1210817).
- selftests/kselftest/runner/run_one(): allow running non-executable files (git-fixes).
- selftests: sigaltstack: fix -Wuninitialized (git-fixes).
- selinux: ensure av_permissions.h is built when needed (git-fixes).
- selinux: fix Makefile dependencies of flask.h (git-fixes).
- serial: 8250: Add missing wakeup event reporting (git-fixes).
- serial: 8250_bcm7271: Fix arbitration handling (git-fixes).
- serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards (git-fixes).
- serial: exar: Add support for Sealevel 7xxxC serial cards (git-fixes).
- signal handling: do not use BUG_ON() for debugging (bsc#1210439).
- signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed (bsc#1210816).
- signal: Do not always set SA_IMMUTABLE for forced signals (bsc#1210816).
- signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE (bsc#1210816).
- soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe (git-fixes).
- spi: cadence-quadspi: fix suspend-resume implementations (git-fixes).
- spi: fsl-spi: Fix CPM/QE mode Litte Endian (git-fixes).
- spi: qup: Do not skip cleanup in remove's error path (git-fixes).
- staging: iio: resolver: ads1210: fix config mode (git-fixes).
- staging: rtl8192e: Fix W_DISABLE# does not work after stop/start (git-fixes).
- stat: fix inconsistency between struct stat and struct compat_stat (git-fixes).
- sunrpc: only free unix grouplist after RCU settles (git-fixes).
- supported.conf: declaring usb_f_ncm supported as requested in (jsc#PED-3750) Support for the legacy functionality g_ncm is still under discussion (see jsc-PED#3200) For maintainance see (jsc#PED-3759)
- supported.conf: support u_ether and libcomposite (jsc-PED#3750) This is necessary for g_ncm (for maintainance see jsc-PED#3759)
- tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH (git-fixes).
- tty: serial: fsl_lpuart: adjust buffer length to the intended size (git-fixes).
- udf: Check consistency of Space Bitmap Descriptor (bsc#1210771).
- udf: Fix a slab-out-of-bounds write bug in udf_find_entry() (bsc#1206649).
- udf: Support splicing to file (bsc#1210770).
- usb: chipidea: fix missing goto in `ci_hdrc_probe` (git-fixes).
- usb: chipidea: imx: avoid unnecessary probe defer (git-fixes).
- usb: dwc3: gadget: Change condition for processing suspend event (git-fixes).
- usb: dwc3: pci: add support for the Intel Meteor Lake-S (git-fixes).
- usb: gadget: tegra-xudc: Fix crash in vbus_draw (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition (git-fixes).
- usb: host: xhci-rcar: remove leftover quirk handling (git-fixes).
- virt/coco/sev-guest: Add throttling awareness (bsc#1209927).
- virt/coco/sev-guest: Carve out the request issuing logic into a helper (bsc#1209927).
- virt/coco/sev-guest: Check SEV_SNP attribute at probe time (bsc#1209927).
- virt/coco/sev-guest: Convert the sw_exit_info_2 checking to a switch-case (bsc#1209927).
- virt/coco/sev-guest: Do some code style cleanups (bsc#1209927).
- virt/coco/sev-guest: Remove the disable_vmpck label in handle_guest_request() (bsc#1209927).
- virt/coco/sev-guest: Simplify extended guest request handling (bsc#1209927).
- virt/sev-guest: Return -EIO if certificate buffer is not large enough (bsc#1209927).
- virtio_ring: do not update event idx on get_buf (git-fixes).
- vmci_host: fix a race condition in vmci_host_poll() causing GPF (git-fixes).
- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
- wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list() (git-fixes).
- wifi: ath6kl: minor fix for allocation size (git-fixes).
- wifi: ath6kl: reduce WARN to dev_dbg() in callback (git-fixes).
- wifi: ath9k: hif_usb: fix memory leak of remain_skbs (git-fixes).
- wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() (git-fixes).
- wifi: brcmfmac: support CQM RSSI notification with older firmware (git-fixes).
- wifi: iwlwifi: debug: fix crash in __iwl_err() (git-fixes).
- wifi: iwlwifi: fix duplicate entry in iwl_dev_info_table (git-fixes).
- wifi: iwlwifi: fw: fix memory leak in debugfs (git-fixes).
- wifi: iwlwifi: fw: move memset before early return (git-fixes).
- wifi: iwlwifi: make the loop for card preparation effective (git-fixes).
- wifi: iwlwifi: mvm: check firmware response size (git-fixes).
- wifi: iwlwifi: mvm: do not set CHECKSUM_COMPLETE for unsupported protocols (git-fixes).
- wifi: iwlwifi: mvm: fix mvmtxq->stopped handling (git-fixes).
- wifi: iwlwifi: mvm: initialize seq variable (git-fixes).
- wifi: iwlwifi: trans: do not trigger d3 interrupt twice (git-fixes).
- wifi: iwlwifi: yoyo: Fix possible division by zero (git-fixes).
- wifi: iwlwifi: yoyo: skip dump correctly on hw error (git-fixes).
- wifi: mac80211: adjust scan cancel comment/check (git-fixes).
- wifi: mt76: add missing locking to protect against concurrent rx/status calls (git-fixes).
- wifi: mt76: fix 6GHz high channel not be scanned (git-fixes).
- wifi: mt76: handle failure of vzalloc in mt7615_coredump_work (git-fixes).
- wifi: mwifiex: mark OF related data as maybe unused (git-fixes).
- wifi: rt2x00: Fix memory leak when handling surveys (git-fixes).
- wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_reg() (git-fixes).
- wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_rfreg() (git-fixes).
- wifi: rtw88: mac: Return the original error from rtw_mac_power_switch() (git-fixes).
- wifi: rtw88: mac: Return the original error from rtw_pwr_seq_parser() (git-fixes).
- wifi: rtw89: fix potential race condition between napi_init and napi_enable (git-fixes).
- writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs (bsc#1210769).
- x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails (git-fixes).
- x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot (git-fixes).
- x86/bug: Prevent shadowing in __WARN_FLAGS (git-fixes).
- x86/bugs: Enable STIBP for IBPB mitigated RETBleed (git-fixes).
- x86/entry: Avoid very early RET (git-fixes).
- x86/entry: Do not call error_entry() for XENPV (git-fixes).
- x86/entry: Move CLD to the start of the idtentry macro (git-fixes).
- x86/entry: Move PUSH_AND_CLEAR_REGS out of error_entry() (git-fixes).
- x86/entry: Switch the stack after error_entry() returns (git-fixes).
- x86/fpu: Prevent FPU state corruption (git-fixes).
- x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume (git-fixes).
- x86/msi: Fix msi message data shadow struct (git-fixes).
- x86/pci/xen: Disable PCI/MSI masking for XEN_HVM guests (git-fixes).
- x86/traps: Use pt_regs directly in fixup_bad_iret() (git-fixes).
- x86/tsx: Disable TSX development mode at boot (git-fixes).
- x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 (git-fixes).
- xhci: fix debugfs register accesses while suspended (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released:    Fri May 19 15:26:43 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1200441

This update of runc fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2324-1
Released:    Tue May 30 15:52:17 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1200441

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2527-1
Released:    Fri Jun 16 19:04:57 2023
Summary:     Recommended update for NetworkManager
Type:        recommended
Severity:    moderate
References:  
This update for NetworkManager fixes the following issues:

- Create /etc/NetworkManager/conf.d by default, allowing easy override for NetworkManager.conf file with drop-in
- Move default config file to /usr/lib/NetworkManager/NetworkManager.conf, as part of main package
- Ensure /usr/lib/NetworkManager/conf.d is part of the package

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released:    Tue Jun 27 14:43:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed   
  even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2782-1
Released:    Tue Jul  4 17:34:42 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1152472,1152489,1160435,1172073,1189998,1191731,1193629,1194869,1195655,1195921,1203906,1205650,1205756,1205758,1205760,1205762,1205803,1206024,1206578,1207553,1208050,1208410,1208600,1208604,1208758,1209039,1209287,1209288,1209367,1209856,1209982,1210165,1210294,1210449,1210450,1210498,1210533,1210551,1210647,1210741,1210775,1210783,1210791,1210806,1210940,1210947,1211037,1211043,1211044,1211089,1211105,1211113,1211131,1211205,1211263,1211280,1211281,1211299,1211346,1211387,1211410,1211414,1211449,1211465,1211519,1211564,1211590,1211592,1211686,1211687,1211688,1211689,1211690,1211691,1211692,1211693,1211714,1211796,1211804,1211807,1211808,1211847,1211852,1211855,1211960,1212129,1212154,1212155,1212158,1212350,1212448,1212494,1212504,1212513,1212540,1212561,1212563,1212564,1212584,1212592,CVE-2022-4269,CVE-2022-45884,CVE-2022-45885,CVE-2022-45886,CVE-2022-45887,CVE-2022-45919,CVE-2023-1077,CVE-2023-1079,CVE-2023-1249,CVE-2023-1380,CVE-2023-1382,CVE-2023-2002,CVE-
 2023-21102,CVE-2023-2124,CVE-2023-2156,CVE-2023-2162,CVE-2023-2269,CVE-2023-2483,CVE-2023-2513,CVE-2023-28410,CVE-2023-3006,CVE-2023-30456,CVE-2023-31084,CVE-2023-3141,CVE-2023-31436,CVE-2023-3161,CVE-2023-32233,CVE-2023-33288,CVE-2023-35788,CVE-2023-35823,CVE-2023-35828

The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2023-35828: Fixed a use-after-free flaw inside renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c (bsc#1212513).
- CVE-2023-35823: Fixed a use-after-free in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c (bsc#1212494).
- CVE-2023-35788: Fixed an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets in fl_set_geneve_opt in net/sched/cls_flower.c (bsc#1212504).
- CVE-2023-33288: Fixed a use-after-free in bq24190_remove in drivers/power/supply/bq24190_charger.c (bsc#1211590).
- CVE-2023-32233: Fixed a use-after-free in Netfilter nf_tables when processing batch requests (bsc#1211043).
- CVE-2023-3161: Fixed shift-out-of-bounds in fbcon_set_font() (bsc#1212154).
- CVE-2023-31436: Fixed an out-of-bounds write in qfq_change_class() because lmax can exceed QFQ_MIN_LMAX (bsc#1210940).
- CVE-2023-3141: Fixed a use-after-free flaw in r592_remove in drivers/memstick/host/r592.c, that allowed local attackers to crash the system at device disconnect (bsc#1212129).
- CVE-2023-31084: Fixed a blocking issue in drivers/media/dvb-core/dvb_frontend.c (bsc#1210783).
- CVE-2023-30456: Fixed an issue in arch/x86/kvm/vmx/nested.c with nVMX on x86_64 lacks consistency checks for CR0 and CR4 (bsc#1210294).
- CVE-2023-3006: Fixed a known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, for the new hw AmpereOne (bsc#1211855).
- CVE-2023-28410: Fixed improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers that may have allowed an authenticated user to potentially enable escalation of privilege via local access (bsc#1211263).
- CVE-2023-2513: Fixed a use-after-free vulnerability in the ext4 filesystem (bsc#1211105).
- CVE-2023-2483: Fixed a use after free bug in emac_remove due caused by a race condition (bsc#1211037).
- CVE-2023-2269: Fixed a denial-of-service problem due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c (bsc#1210806).
- CVE-2023-2162: Fixed an use-after-free flaw in iscsi_sw_tcp_session_create (bsc#1210647).
- CVE-2023-2156: Fixed a flaw in the networking subsystem within the handling of the RPL protocol (bsc#1211131).
- CVE-2023-2124: Fixed an out-of-bound access in the XFS subsystem that could have lead to denial-of-service or potentially privilege escalation (bsc#1210498).
- CVE-2023-21102: Fixed possible bypass of shadow stack protection in __efi_rt_asm_wrapper of efi-rt-wrapper.S (bsc#1212155).
- CVE-2023-2002: Fixed a flaw that allowed an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication (bsc#1210533).
- CVE-2023-1382: Fixed denial of service in tipc_conn_close (bsc#1209288).
- CVE-2023-1380: Fixed a slab-out-of-bound read problem in brcmf_get_assoc_ies() (bsc#1209287).
- CVE-2023-1249: Fixed a use-after-free flaw inside the core dump subsystem, that could have been used to crash the system (bsc#1209039).
- CVE-2023-1079: Fixed a use-after-free problem that could have been triggered in asus_kbd_backlight_set when plugging/disconnecting a malicious USB device (bsc#1208604).
- CVE-2023-1077: Fixed a type confusion in pick_next_rt_entity(), that could cause memory corruption (bsc#1208600).
- CVE-2022-45919: Fixed a use-after-free in dvb_ca_en50221.c that could occur if there is a disconnect after an open, because of the lack of a wait_event (bsc#1205803).
- CVE-2022-45887: Fixed a memory leak in ttusb_dec.c caused by the lack of a dvb_frontend_detach call (bsc#1205762).
- CVE-2022-45886: Fixed a .disconnect versus dvb_device_open race condition in dvb_net.c that lead to a use-after-free (bsc#1205760).
- CVE-2022-45885: Fixed a race condition in dvb_frontend.c that could cause a use-after-free when a device is disconnected (bsc#1205758).
- CVE-2022-45884: Fixed a use-after-free in dvbdev.c, related to dvb_register_device dynamically allocating fops (bsc#1205756).
- CVE-2022-4269: Fixed a flaw was found inside the Traffic Control (TC) subsystem (bsc#1206024).

The following non-security bugs were fixed:

- 3c589_cs: Fix an error handling path in tc589_probe() (git-fixes).
- ACPI: EC: Fix oops when removing custom query handlers (git-fixes).
- ACPI: bus: Ensure that notify handlers are not running after removal (git-fixes).
- ACPI: processor: Fix evaluating _PDC method when running as Xen dom0 (git-fixes).
- ACPI: sleep: Avoid breaking S3 wakeup due to might_sleep() (git-fixes).
- ACPI: tables: Add support for NBFT (bsc#1195921).
- ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects (git-fixes).
- ACPICA: Avoid undefined behavior: applying zero offset to null pointer (git-fixes).
- ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init` (git-fixes).
- ALSA: cs46xx: mark snd_cs46xx_download_image as static (git-fixes).
- ALSA: firewire-digi00x: prevent potential use after free (git-fixes).
- ALSA: hda/ca0132: add quirk for EVGA X299 DARK (git-fixes).
- ALSA: hda/realtek: Add Lenovo P3 Tower platform (git-fixes).
- ALSA: hda/realtek: Add a quirk for Compaq N14JP6 (git-fixes).
- ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 (git-fixes).
- ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01 (git-fixes).
- ALSA: hda/realtek: Add quirk for 2nd ASUS GU603 (git-fixes).
- ALSA: hda/realtek: Add quirk for ASUS UM3402YAR using CS35L41 (git-fixes).
- ALSA: hda/realtek: Add quirk for Clevo L140AU (git-fixes).
- ALSA: hda/realtek: Add quirk for Clevo NS50AU (git-fixes).
- ALSA: hda/realtek: Add quirk for HP EliteBook G10 laptops (git-fixes).
- ALSA: hda/realtek: Add quirk for ThinkPad P1 Gen 6 (git-fixes).
- ALSA: hda/realtek: Add quirks for Asus ROG 2024 laptops using CS35L41 (git-fixes).
- ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 (git-fixes).
- ALSA: hda/realtek: Enable 4 amplifiers instead of 2 on a HP platform (git-fixes).
- ALSA: hda/realtek: Enable headset onLenovo M70/M90 (git-fixes).
- ALSA: hda/realtek: Fix mute and micmute LEDs for an HP laptop (git-fixes).
- ALSA: hda/realtek: Fix mute and micmute LEDs for yet another HP laptop (git-fixes).
- ALSA: hda/realtek: support HP Pavilion Aero 13-be0xxx Mute LED (git-fixes).
- ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table (git-fixes).
- ALSA: hda: Fix Oops by 9.1 surround channel names (git-fixes).
- ALSA: hda: Fix unhandled register update during auto-suspend period (git-fixes).
- ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs (git-fixes).
- ALSA: oss: avoid missing-prototype warnings (git-fixes).
- ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go (git-fixes).
- ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback (git-fixes).
- ALSA: usb-audio: Add quirk for Pioneer DDJ-800 (git-fixes).
- ALSA: usb-audio: Fix broken resume due to UAC3 power state (git-fixes).
- ARM64: dts: Add DTS files for bcmbca SoC BCM6858 (git-fixes).
- ARM: 9295/1: unwind:fix unwind abort for uleb128 case (git-fixes)
- ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings (git-fixes).
- ARM: cpu: Switch to arch_cpu_finalize_init() (bsc#1212448).
- ARM: dts: qcom: ipq8064: Fix the PCI I/O port range (git-fixes).
- ARM: dts: qcom: ipq8064: reduce pci IO size to 64K (git-fixes).
- ARM: dts: vexpress: add missing cache properties (git-fixes).
- ASOC: Intel: sof_sdw: add quirk for Intel 'Rooks County' NUC M15 (git-fixes).
- ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750 (git-fixes).
- ASoC: codecs: wsa881x: do not set can_multi_write flag (git-fixes).
- ASoC: dwc: limit the number of overrun messages (git-fixes).
- ASoC: dwc: move DMA init to snd_soc_dai_driver probe() (git-fixes).
- ASoC: fsl_micfil: Fix error handler with pm_runtime_enable (git-fixes).
- ASoC: lpass: Fix for KASAN use_after_free out of bounds (git-fixes).
- ASoC: rt5682: Disable jack detection interrupt during suspend (git-fixes).
- ASoC: soc-pcm: fix hw->formats cleared by soc_pcm_hw_init() for dpcm (git-fixes).
- ASoC: soc-pcm: test if a BE can be prepared (git-fixes).
- ASoC: ssm2602: Add workaround for playback distortions (git-fixes).
- Add a bug reference to two existing drm-hyperv changes (bsc#1211281).
- Also include kernel-docs build requirements for ALP
- Avoid unsuported tar parameter on SLE12
- Bluetooth: Fix l2cap_disconnect_req deadlock (git-fixes).
- Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk (git-fixes).
- Bluetooth: L2CAP: Add missing checks for invalid DCID (git-fixes).
- Bluetooth: L2CAP: fix 'bad unlock balance' in l2cap_disconnect_rsp (git-fixes).
- Bluetooth: btintel: Add LE States quirk support (git-fixes).
- Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set (git-fixes).
- Bluetooth: hci_qca: fix debugfs registration (git-fixes).
- Documentation/filesystems: ramfs-rootfs-initramfs: use :Author: (git-fixes).
- Documentation/filesystems: sharedsubtree: add section headings (git-fixes).
- HID: google: add jewel USB id (git-fixes).
- HID: logitech-hidpp: Do not use the USB serial for USB devices (git-fixes).
- HID: logitech-hidpp: Reconcile USB and Unifying serials (git-fixes).
- HID: microsoft: Add rumble support to latest xbox controllers (bsc#1211280).
- HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs (git-fixes).
- HID: wacom: Force pen out of prox if no events have been received in a while (git-fixes).
- HID: wacom: Set a default resolution for older tablets (git-fixes).
- HID: wacom: add three styli to wacom_intuos_get_tool_type (git-fixes).
- HID: wacom: avoid integer overflow in wacom_intuos_inout() (git-fixes).
- HID: wacom: generic: Set battery quirk only when we see battery data (git-fixes).
- IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order (git-fixes)
- IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (git-fixes)
- IB/hifi1: add a null check of kzalloc_node in hfi1_ipoib_txreq_init (git-fixes)
- IB/rdmavt: add missing locks in rvt_ruc_loopback (git-fixes)
- Input: fix open count when closing inhibited device (git-fixes).
- Input: psmouse - fix OOB access in Elantech protocol (git-fixes).
- Input: xpad - add constants for GIP interface numbers (git-fixes).
- Input: xpad - delete a Razer DeathAdder mouse VID/PID entry (git-fixes).
- KEYS: asymmetric: Copy sig and digest in public_key_verify_signature() (git-fixes).
- KVM: Destroy target device if coalesced MMIO unregistration fails (git-fixes)
- KVM: Disallow user memslot with size that exceeds 'unsigned long' (git-fixes)
- KVM: Do not create VM debugfs files outside of the VM directory (git-fixes)
- KVM: Do not set Accessed/Dirty bits for ZERO_PAGE (git-fixes)
- KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised (git-fixes).
- KVM: Prevent module exit until all VMs are freed (git-fixes)
- KVM: SVM: Do not rewrite guest ICR on AVIC IPI virtualization failure (git-fixes).
- KVM: SVM: Fix benign 'bool vs. int' comparison in svm_set_cr0() (git-fixes).
- KVM: SVM: Fix potential overflow in SEV's send|receive_update_data() (git-fixes).
- KVM: SVM: Require logical ID to be power-of-2 for AVIC entry (git-fixes).
- KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid (git-fixes).
- KVM: SVM: hyper-v: placate modpost section mismatch error (git-fixes).
- KVM: VMX: Introduce vmx_msr_bitmap_l01_changed() helper (git-fixes).
- KVM: VMX: Resume guest immediately when injecting #GP on ECREATE (git-fixes).
- KVM: VMX: Set vmcs.PENDING_DBG.BS on #DB in STI/MOVSS blocking shadow (git-fixes).
- KVM: VMX: Use is_64_bit_mode() to check 64-bit mode in SGX handler (git-fixes).
- KVM: X86: Fix tlb flush for tdp in kvm_invalidate_pcid() (git-fixes).
- KVM: arm64: Do not arm a hrtimer for an already pending timer (git-fixes)
- KVM: arm64: Do not hypercall before EL2 init (git-fixes)
- KVM: arm64: Do not return from void function (git-fixes)
- KVM: arm64: Fix PAR_TO_HPFAR() to work independently of PA_BITS. (git-fixes)
- KVM: arm64: Fix S1PTW handling on RO memslots (git-fixes)
- KVM: arm64: Fix bad dereference on MTE-enabled systems (git-fixes)
- KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() (git-fixes)
- KVM: arm64: Fix kvm init failure when mode!=vhe and VA_BITS=52. (git-fixes)
- KVM: arm64: Free hypervisor allocations if vector slot init fails (git-fixes)
- KVM: arm64: GICv4.1: Fix race with doorbell on VPE (git-fixes)
- KVM: arm64: Limit length in kvm_vm_ioctl_mte_copy_tags() to INT_MAX (git-fixes)
- KVM: arm64: PMU: Restore the guest's EL0 event counting after (git-fixes)
- KVM: arm64: Propagate errors from __pkvm_prot_finalize hypercall (git-fixes)
- KVM: arm64: Reject 32bit user PSTATE on asymmetric systems (git-fixes)
- KVM: arm64: Save PSTATE early on exit (git-fixes)
- KVM: arm64: Stop handle_exit() from handling HVC twice when an SError (git-fixes)
- KVM: arm64: Treat PMCR_EL1.LC as RES1 on asymmetric systems (git-fixes)
- KVM: arm64: nvhe: Eliminate kernel-doc warnings (git-fixes)
- KVM: arm64: vgic: Fix exit condition in scan_its_table() (git-fixes)
- KVM: arm64: vgic: Read HW interrupt pending state from the HW (git-fixes)
- KVM: nVMX: Also filter MSR_IA32_VMX_TRUE_PINBASED_CTLS when eVMCS (git-fixes).
- KVM: nVMX: Do not use Enlightened MSR Bitmap for L3 (git-fixes).
- KVM: nVMX: Document that ignoring memory failures for VMCLEAR is deliberate (git-fixes).
- KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted (git-fixes).
- KVM: nVMX: Inject #GP, not #UD, if 'generic' VMXON CR0/CR4 check fails (git-fixes).
- KVM: nVMX: Prioritize TSS T-flag #DBs over Monitor Trap Flag (git-fixes).
- KVM: nVMX: Properly expose ENABLE_USR_WAIT_PAUSE control to L1 (git-fixes).
- KVM: nVMX: Treat General Detect #DB (DR7.GD=1) as fault-like (git-fixes).
- KVM: nVMX: eVMCS: Filter out VM_EXIT_SAVE_VMX_PREEMPTION_TIMER (git-fixes).
- KVM: x86/emulator: Emulate RDPID only if it is enabled in guest (git-fixes).
- KVM: x86/mmu: avoid NULL-pointer dereference on page freeing bugs (git-fixes).
- KVM: x86/pmu: Ignore pmu->global_ctrl check if vPMU does not support global_ctrl (git-fixes).
- KVM: x86/svm: add __GFP_ACCOUNT to __sev_dbg_{en,de}crypt_user() (git-fixes).
- KVM: x86/vmx: Do not skip segment attributes if unusable bit is set (git-fixes).
- KVM: x86/xen: Fix memory leak in kvm_xen_write_hypercall_page() (git-fixes).
- KVM: x86: Copy filter arg outside kvm_vm_ioctl_set_msr_filter() (git-fixes).
- KVM: x86: Do not change ICR on write to APIC_SELF_IPI (git-fixes).
- KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception (git-fixes).
- KVM: x86: Inject #GP if WRMSR sets reserved bits in APIC Self-IPI (git-fixes).
- KVM: x86: Mask off reserved bits in CPUID.8000001FH (git-fixes).
- KVM: x86: Mask off unsupported and unknown bits of IA32_ARCH_CAPABILITIES (git-fixes).
- KVM: x86: Protect the unused bits in MSR exiting flags (git-fixes).
- KVM: x86: Remove a redundant guest cpuid check in kvm_set_cr4() (git-fixes).
- KVM: x86: Report deprecated x87 features in supported CPUID (git-fixes).
- KVM: x86: do not set st->preempted when going back to user space (git-fixes).
- KVM: x86: fix typo in __try_cmpxchg_user causing non-atomicness (git-fixes).
- KVM: x86: ioapic: Fix level-triggered EOI and userspace I/OAPIC reconfigure race (git-fixes).
- PCI/ASPM: Remove pcie_aspm_pm_state_change() (git-fixes).
- PM: hibernate: Do not get block device exclusively in test_resume mode (git-fixes).
- PM: hibernate: Turn snapshot_test into global variable (git-fixes).
- PM: hibernate: fix load_image_and_restore() error path (git-fixes).
- RDMA/bnxt_re: Fix a possible memory leak (git-fixes)
- RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx (git-fixes)
- RDMA/bnxt_re: Fix the page_size used during the MR creation (git-fixes)
- RDMA/cm: Trace icm_send_rej event before the cm state is reset (git-fixes)
- RDMA/core: Fix multiple -Warray-bounds warnings (git-fixes)
- RDMA/efa: Fix unsupported page sizes in device (git-fixes)
- RDMA/hns: Fix base address table allocation (git-fixes)
- RDMA/hns: Fix timeout attr in query qp for HIP08 (git-fixes)
- RDMA/hns: Modify the value of long message loopback slice (git-fixes)
- RDMA/irdma: Add SW mechanism to generate completions on error (jsc#SLE-18383).
- RDMA/irdma: Do not generate SW completions for NOPs (jsc#SLE-18383).
- RDMA/irdma: Fix Local Invalidate fencing (git-fixes)
- RDMA/irdma: Fix RQ completion opcode (jsc#SLE-18383).
- RDMA/irdma: Fix drain SQ hang with no completion (jsc#SLE-18383).
- RDMA/irdma: Fix inline for multiple SGE's (jsc#SLE-18383).
- RDMA/irdma: Prevent QP use after free (git-fixes)
- RDMA/irdma: Remove enum irdma_status_code (jsc#SLE-18383).
- RDMA/irdma: Remove excess error variables (jsc#SLE-18383).
- RDMA/mana: Remove redefinition of basic u64 type (bsc#1210741 jsc#PED-4022).
- RDMA/mana: hide new rdma_driver_ids (bsc#1210741 jsc#PED-4022).
- RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter (bsc#1210741 jsc#PED-4022).
- RDMA/mana_ib: Fix a bug when the PF indicates more entries for registering memory on first packet (bsc#1210741 jsc#PED-4022).
- RDMA/mana_ib: Prevent array underflow in mana_ib_create_qp_raw() (bsc#1210741 jsc#PED-4022).
- RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() (jsc#SLE-19255).
- RDMA/mlx5: Fix flow counter query via DEVX (git-fixes)
- RDMA/mlx5: Use correct device num_ports when modify DC (git-fixes)
- RDMA/rdmavt: Delete unnecessary NULL check (git-fixes)
- RDMA/rtrs-clt: Replace list_next_or_null_rr_rcu with an inline function (git-fixes)
- RDMA/rtrs-srv: Pass the correct number of entries for dma mapped SGL (git-fixes)
- RDMA/rxe: Fix the error 'trying to register non-static key in rxe_cleanup_task' (git-fixes)
- RDMA/rxe: Remove tasklet call from rxe_cq.c (git-fixes)
- RDMA/siw: Fix potential page_array out of range access (git-fixes)
- RDMA/siw: Remove namespace check from siw_netdev_event() (git-fixes)
- RDMA/srpt: Add a check for valid 'mad_agent' pointer (git-fixes)
- Remove orphaned CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT (bsc#1189998 git-fixes).
- Revert 'KVM: set owner of cpu and vm file operations' (git-fixes)
- SMB3.1.1: add new tree connect ShareFlags (bsc#1193629).
- SMB3: Add missing locks to protect deferred close file list (git-fixes).
- SMB3: Close all deferred handles of inode in case of handle lease break (bsc#1193629).
- SMB3: Close deferred file handles in case of handle lease break (bsc#1193629).
- SMB3: drop reference to cfile before sending oplock break (bsc#1193629).
- SMB3: force unmount was failing to close deferred close files (bsc#1193629).
- SUNRPC: Clean up svc_deferred_class trace events (git-fixes).
- SUNRPC: fix breakage caused by introduction of rq_xprt_ctxt (bsc#1210775).
- Squashfs: fix handling and sanity checking of xattr_ids count (git-fixes).
- Trim obsolete KMP list. SLE11 is out of support, we do not need to handle upgrading from SLE11 SP1.
- USB / dwc3: Fix a checkpatch warning in core.c (git-fixes).
- USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value (git-fixes).
- USB: core: Add routines for endpoint checks in old drivers (git-fixes).
- USB: dwc3: fix use-after-free on core driver unbind (git-fixes).
- USB: dwc3: qcom: fix NULL-deref on suspend (git-fixes).
- USB: serial: option: add Quectel EM061KGL series (git-fixes).
- USB: sisusbvga: Add endpoint checks (git-fixes).
- USB: usbtmc: Fix direction for 0-length ioctl control messages (git-fixes).
- affs: initialize fsdata in affs_truncate() (git-fixes).
- apparmor: add a kernel label to use on kernel objects (bsc#1211113).
- arm64: Always load shadow stack pointer directly from the task struct (git-fixes)
- arm64: Stash shadow stack pointer in the task struct on interrupt (git-fixes)
- arm64: dts: Add DTS files for bcmbca SoC BCM4912 (git-fixes).
- arm64: dts: Add DTS files for bcmbca SoC BCM63158 (git-fixes).
- arm64: dts: Add base DTS file for bcmbca device Asus GT-AX6000 (git-fixes).
- arm64: dts: broadcom: bcm4908: add DT for Netgear RAXE500 (git-fixes).
- arm64: dts: imx8-ss-dma: assign default clock rate for lpuarts (git-fixes).
- arm64: dts: imx8mn-beacon: Fix SPI CS pinmux (git-fixes).
- arm64: dts: imx8qm-mek: correct GPIOs for USDHC2 CD and WP signals (git-fixes).
- arm64: dts: qcom: msm8996: Add missing DWC3 quirks (git-fixes).
- arm64: dts: qcom: sc7180-lite: Fix SDRAM freq for misidentified sc7180-lite boards (git-fixes).
- arm64: errata: add detection for AMEVCNTR01 incrementing incorrectly (git-fixes).
- arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step (git-fixes)
- arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step (git-fixes).
- asm-generic/io.h: suppress endianness warnings for readq() and writeq() (git-fixes).
- ata: libata-scsi: Use correct device no in ata_find_dev() (git-fixes).
- ata: pata_octeon_cf: drop kernel-doc notation (git-fixes).
- ath6kl: Use struct_group() to avoid size-mismatched casting (git-fixes).
- batman-adv: Broken sync while rescheduling delayed work (git-fixes).
- block: add a bdev_max_zone_append_sectors helper (git-fixes).
- bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() (git-fixes).
- bnxt: Do not read past the end of test names (jsc#SLE-18978).
- bnxt: prevent skb UAF after handing over to PTP worker (jsc#SLE-18978).
- bnxt_en: Add missing 200G link speed reporting (jsc#SLE-18978).
- bnxt_en: Avoid order-5 memory allocation for TPA data (jsc#SLE-18978).
- bnxt_en: Do not initialize PTP on older P3/P4 chips (jsc#SLE-18978).
- bnxt_en: Do not issue AP reset during ethtool's reset operation (git-fixes).
- bnxt_en: Fix mqprio and XDP ring checking logic (jsc#SLE-18978).
- bnxt_en: Fix reporting of test result in ethtool selftest (jsc#SLE-18978).
- bnxt_en: Fix typo in PCI id to device description string mapping (jsc#SLE-18978).
- bnxt_en: Implement .set_port / .unset_port UDP tunnel callbacks (git-fixes).
- bnxt_en: Query default VLAN before VNIC setup on a VF (git-fixes).
- bnxt_en: Skip firmware fatal error recovery if chip is not accessible (git-fixes).
- bnxt_en: fix NQ resource accounting during vf creation on 57500 chips (jsc#SLE-18978).
- bnxt_en: set missing reload flag in devlink features (jsc#SLE-18978).
- bpf, arm64: Call build_prologue() first in first JIT pass (git-fixes)
- bpf, arm64: Clear prog->jited_len along prog->jited (git-fixes)
- bpf, arm64: Feed byte-offset into bpf line info (git-fixes)
- bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC (git-fixes)
- bpf: Add extra path pointer check to d_path helper (git-fixes).
- bpf: Fix UAF in task local storage (bsc#1212564).
- can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag (git-fixes).
- can: j1939: avoid possible use-after-free when j1939_can_rx_register fails (git-fixes).
- can: j1939: change j1939_netdev_lock type to mutex (git-fixes).
- can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket (git-fixes).
- can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag (git-fixes).
- can: kvaser_pciefd: Call request_irq() before enabling interrupts (git-fixes).
- can: kvaser_pciefd: Clear listen-only bit if not explicitly requested (git-fixes).
- can: kvaser_pciefd: Disable interrupts in probe error path (git-fixes).
- can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt (git-fixes).
- can: kvaser_pciefd: Empty SRB buffer in probe (git-fixes).
- can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop() (git-fixes).
- can: kvaser_usb: Add struct kvaser_usb_busparams (git-fixes).
- can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device (git-fixes).
- can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT (git-fixes).
- can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event (git-fixes).
- can: kvaser_usb_leaf: Fix overread with an invalid command (git-fixes).
- cassini: Fix a memory leak in the error handling path of cas_init_one() (git-fixes).
- ceph: fix use-after-free bug for inodes when flushing capsnaps (bsc#1212540).
- ceph: force updating the msg pointer in non-split case (bsc#1211804).
- cgroup.c: add helper __cset_cgroup_from_root to cleanup duplicated codes (bsc#1203906).
- cgroup: Homogenize cgroup_get_from_id() return value (bsc#1205650).
- cgroup: Honor caller's cgroup NS when resolving path (bsc#1205650).
- cgroup: Make cgroup_get_from_id() prettier (bsc#1205650).
- cgroup: Reorganize css_set_lock and kernfs path processing (bsc#1205650).
- cgroup: Use cgroup_attach_{lock,unlock}() from cgroup_attach_task_all() (bsc#1212563).
- cgroup: always put cset in cgroup_css_set_put_fork (bsc#1212561).
- cgroup: cgroup: Honor caller's cgroup NS when resolving cgroup  id (bsc#1205650).
- cgroup: fix missing cpus_read_{lock,unlock}() in cgroup_transfer_tasks() (bsc#1212563).
- cgroup: reduce dependency on cgroup_mutex (bsc#1205650).
- cifs: Avoid a cast in add_lease_context() (bsc#1193629).
- cifs: Simplify SMB2_open_init() (bsc#1193629).
- cifs: Simplify SMB2_open_init() (bsc#1193629).
- cifs: Simplify SMB2_open_init() (bsc#1193629).
- cifs: avoid dup prefix path in dfs_get_automount_devname() (git-fixes).
- cifs: avoid potential races when handling multiple dfs tcons (bsc#1208758).
- cifs: fix pcchunk length type in smb2_copychunk_range (bsc#1193629).
- cifs: fix potential race when tree connecting ipc (bsc#1208758).
- cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname (bsc#1208758).
- cifs: fix sharing of DFS connections (bsc#1208758).
- cifs: fix smb1 mount regression (bsc#1193629).
- cifs: mapchars mount option ignored (bsc#1193629).
- cifs: missing lock when updating session status (bsc#1193629).
- cifs: print smb3_fs_context::source when mounting (bsc#1193629).
- cifs: protect access of TCP_Server_Info::{origin,leaf}_fullpath (bsc#1208758).
- cifs: protect session status check in smb2_reconnect() (bsc#1208758).
- cifs: release leases for deferred close handles when freezing (bsc#1193629).
- cifs: sanitize paths in cifs_update_super_prepath (git-fixes).
- cifs: update internal module version number for cifs.ko (bsc#1193629).
- clk: qcom: gcc-sm8350: fix PCIe PIPE clocks handling (git-fixes).
- clk: qcom: regmap: add PHY clock source implementation (git-fixes).
- clk: tegra20: fix gcc-7 constant overflow warning (git-fixes).
- configfs: fix possible memory leak in configfs_create_dir() (git-fixes).
- crypto: acomp - define max size for destination (jsc#PED-3692)
- crypto: drivers - move from strlcpy with unused retval to (jsc#PED-3692)
- crypto: qat - Fix unsigned function returning negative (jsc#PED-3692)
- crypto: qat - Removes the x86 dependency on the QAT drivers (jsc#PED-3692)
- crypto: qat - abstract PFVF messages with struct pfvf_message (jsc#PED-3692)
- crypto: qat - abstract PFVF receive logic (jsc#PED-3692)
- crypto: qat - abstract PFVF send function (jsc#PED-3692)
- crypto: qat - add PFVF support to enable the reset of ring (jsc#PED-3692)
- crypto: qat - add PFVF support to the GEN4 host driver (jsc#PED-3692)
- crypto: qat - add VF and PF wrappers to common send function (jsc#PED-3692)
- crypto: qat - add backlog mechanism (jsc#PED-3692)
- crypto: qat - add check for invalid PFVF protocol version 0 (jsc#PED-3692)
- crypto: qat - add check to validate firmware images (jsc#PED-3692)
- crypto: qat - add limit to linked list parsing (jsc#PED-3692)
- crypto: qat - add misc workqueue (jsc#PED-3692)
- crypto: qat - add missing restarting event notification in (jsc#PED-3692)
- crypto: qat - add param check for DH (jsc#PED-3692)
- crypto: qat - add param check for RSA (jsc#PED-3692)
- crypto: qat - add pfvf_ops (jsc#PED-3692)
- crypto: qat - add resubmit logic for decompression (jsc#PED-3692)
- crypto: qat - add support for 401xx devices (jsc#PED-3692)
- crypto: qat - add support for compression for 4xxx (jsc#PED-3692)
- crypto: qat - add the adf_get_pmisc_base() helper function (jsc#PED-3692)
- crypto: qat - allow detection of dc capabilities for 4xxx (jsc#PED-3692)
- crypto: qat - change PFVF ACK behaviour (jsc#PED-3692)
- crypto: qat - change behaviour of (jsc#PED-3692)
- crypto: qat - change bufferlist logic interface (jsc#PED-3692)
- crypto: qat - config VFs based on ring-to-svc mapping (jsc#PED-3692)
- crypto: qat - differentiate between pf2vf and vf2pf offset (jsc#PED-3692)
- crypto: qat - disable AER if an error occurs in probe (jsc#PED-3692)
- crypto: qat - do not handle PFVF sources for qat_4xxx (jsc#PED-3692)
- crypto: qat - do not rely on min version (jsc#PED-3692)
- crypto: qat - enable deflate for QAT GEN4 (jsc#PED-3692)
- crypto: qat - enable power management for QAT GEN4 (jsc#PED-3692)
- crypto: qat - exchange device capabilities over PFVF (jsc#PED-3692)
- crypto: qat - exchange ring-to-service mappings over PFVF (jsc#PED-3692)
- crypto: qat - expose deflate through acomp api for QAT GEN2 (jsc#PED-3692)
- crypto: qat - expose device config through sysfs for 4xxx (jsc#PED-3692)
- crypto: qat - expose device state through sysfs for 4xxx (jsc#PED-3692)
- crypto: qat - extend buffer list interface (jsc#PED-3692)
- crypto: qat - extend crypto capability detection for 4xxx (jsc#PED-3692)
- crypto: qat - extract send and wait from (jsc#PED-3692)
- crypto: qat - fix DMA transfer direction (jsc#PED-3692)
- crypto: qat - fix ETR sources enabled by default on GEN2 (jsc#PED-3692)
- crypto: qat - fix VF IDs in PFVF log messages (jsc#PED-3692)
- crypto: qat - fix a signedness bug in get_service_enabled() (jsc#PED-3692)
- crypto: qat - fix a typo in a comment (jsc#PED-3692)
- crypto: qat - fix access to PFVF interrupt registers for GEN4 (jsc#PED-3692)
- crypto: qat - fix definition of ring reset results (jsc#PED-3692)
- crypto: qat - fix error return code in adf_probe (jsc#PED-3692)
- crypto: qat - fix handling of VF to PF interrupts (jsc#PED-3692)
- crypto: qat - fix initialization of pfvf cap_msg structures (jsc#PED-3692)
- crypto: qat - fix initialization of pfvf rts_map_msg (jsc#PED-3692)
- crypto: qat - fix off-by-one error in PFVF debug print (jsc#PED-3692)
- crypto: qat - fix wording and formatting in code comment (jsc#PED-3692)
- crypto: qat - flush vf workqueue at driver removal (jsc#PED-3692)
- crypto: qat - free irq in case of failure (jsc#PED-3692)
- crypto: qat - free irqs only if allocated (jsc#PED-3692)
- crypto: qat - generalize crypto request buffers (jsc#PED-3692)
- crypto: qat - get compression extended capabilities (jsc#PED-3692)
- crypto: qat - handle retries due to collisions in (jsc#PED-3692)
- crypto: qat - honor CRYPTO_TFM_REQ_MAY_SLEEP flag (jsc#PED-3692)
- crypto: qat - improve logging of PFVF messages (jsc#PED-3692)
- crypto: qat - improve the ACK timings in PFVF send (jsc#PED-3692)
- crypto: qat - introduce support for PFVF block messages (jsc#PED-3692)
- crypto: qat - leverage bitfield.h utils for PFVF messages (jsc#PED-3692)
- crypto: qat - leverage read_poll_timeout in PFVF send (jsc#PED-3692)
- crypto: qat - leverage the GEN2 VF mask definiton (jsc#PED-3692)
- crypto: qat - make PFVF message construction direction (jsc#PED-3692)
- crypto: qat - make PFVF send and receive direction agnostic (jsc#PED-3692)
- crypto: qat - move VF message handler to adf_vf2pf_msg.c (jsc#PED-3692)
- crypto: qat - move and rename GEN4 error register definitions (jsc#PED-3692)
- crypto: qat - move interrupt code out of the PFVF handler (jsc#PED-3692)
- crypto: qat - move pfvf collision detection values (jsc#PED-3692)
- crypto: qat - move vf2pf interrupt helpers (jsc#PED-3692)
- crypto: qat - pass the PF2VF responses back to the callers (jsc#PED-3692)
- crypto: qat - prevent spurious MSI interrupt in VF (jsc#PED-3692)
- crypto: qat - re-enable interrupts for legacy PFVF messages (jsc#PED-3692)
- crypto: qat - re-enable registration of algorithms (jsc#PED-3692)
- crypto: qat - refactor PF top half for PFVF (jsc#PED-3692)
- crypto: qat - refactor pfvf version request messages (jsc#PED-3692)
- crypto: qat - refactor submission logic (jsc#PED-3692)
- crypto: qat - relocate PFVF PF related logic (jsc#PED-3692)
- crypto: qat - relocate PFVF VF related logic (jsc#PED-3692)
- crypto: qat - relocate PFVF disabled function (jsc#PED-3692)
- crypto: qat - relocate and rename adf_sriov_prepare_restart() (jsc#PED-3692)
- crypto: qat - relocate backlog related structures (jsc#PED-3692)
- crypto: qat - relocate bufferlist logic (jsc#PED-3692)
- crypto: qat - relocate qat_algs_alloc_flags() (jsc#PED-3692)
- crypto: qat - remove duplicated logic across GEN2 drivers (jsc#PED-3692)
- crypto: qat - remove empty sriov_configure() (jsc#PED-3692)
- crypto: qat - remove line wrapping for pfvf_ops functions (jsc#PED-3692)
- crypto: qat - remove the unnecessary get_vintmsk_offset() (jsc#PED-3692)
- crypto: qat - remove unmatched CPU affinity to cluster IRQ (jsc#PED-3692)
- crypto: qat - remove unnecessary tests to detect PFVF support (jsc#PED-3692)
- crypto: qat - remove unneeded assignment (jsc#PED-3692)
- crypto: qat - remove unneeded braces (jsc#PED-3692)
- crypto: qat - remove unneeded packed attribute (jsc#PED-3692)
- crypto: qat - remove unused PFVF stubs (jsc#PED-3692)
- crypto: qat - rename and relocate GEN2 config function (jsc#PED-3692)
- crypto: qat - rename bufferlist functions (jsc#PED-3692)
- crypto: qat - rename pfvf collision constants (jsc#PED-3692)
- crypto: qat - reorganize PFVF code (jsc#PED-3692)
- crypto: qat - reorganize PFVF protocol definitions (jsc#PED-3692)
- crypto: qat - replace deprecated MSI API (jsc#PED-3692)
- crypto: qat - replace disable_vf2pf_interrupts() (jsc#PED-3692)
- crypto: qat - replace get_current_node() with numa_node_id() (jsc#PED-3692)
- crypto: qat - rework the VF2PF interrupt handling logic (jsc#PED-3692)
- crypto: qat - set CIPHER capability for QAT GEN2 (jsc#PED-3692)
- crypto: qat - set COMPRESSION capability for DH895XCC (jsc#PED-3692)
- crypto: qat - set COMPRESSION capability for QAT GEN2 (jsc#PED-3692)
- crypto: qat - set DMA mask to 48 bits for Gen2 (jsc#PED-3692)
- crypto: qat - set PFVF_MSGORIGIN just before sending (jsc#PED-3692)
- crypto: qat - share adf_enable_pf2vf_comms() from (jsc#PED-3692)
- crypto: qat - simplify adf_enable_aer() (jsc#PED-3692)
- crypto: qat - simplify code and axe the use of a deprecated (jsc#PED-3692)
- crypto: qat - split PFVF message decoding from handling (jsc#PED-3692)
- crypto: qat - stop using iommu_present() (jsc#PED-3692)
- crypto: qat - store the PFVF protocol version of the (jsc#PED-3692)
- crypto: qat - store the ring-to-service mapping (jsc#PED-3692)
- crypto: qat - support fast ACKs in the PFVF protocol (jsc#PED-3692)
- crypto: qat - support the reset of ring pairs on PF (jsc#PED-3692)
- crypto: qat - test PFVF registers for spurious interrupts on (jsc#PED-3692)
- crypto: qat - use enums for PFVF protocol codes (jsc#PED-3692)
- crypto: qat - use hweight for bit counting (jsc#PED-3692)
- crypto: qat - use pre-allocated buffers in datapath (jsc#PED-3692)
- crypto: qat - use reference to structure in dma_map_single() (jsc#PED-3692)
- crypto: qat - use u32 variables in all GEN4 pfvf_ops (jsc#PED-3692)
- crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs() (git-fixes).
- cxgb4: fix missing unlock on ETHOFLD desc collect fail path (jsc#SLE-18992).
- debugfs: fix error when writing negative value to atomic_t debugfs file (git-fixes).
- dma: gpi: remove spurious unlock in gpi_ch_init (git-fixes).
- dmaengine: at_xdmac: Move the free desc to the tail of the desc list (git-fixes).
- dmaengine: at_xdmac: do not enable all cyclic channels (git-fixes).
- dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved() (git-fixes).
- dmaengine: dw-edma: Fix to change for continuous transfer (git-fixes).
- dmaengine: dw-edma: Fix to enable to issue dma request on DMA processing (git-fixes).
- dmaengine: idxd: Do not enable user type Work Queue without Shared Virtual Addressing (git-fixes).
- dmaengine: idxd: Only call idxd_enable_system_pasid() if succeeded in enabling SVA feature (git-fixes).
- dmaengine: idxd: Separate user and kernel pasid enabling (git-fixes).
- dmaengine: mv_xor_v2: Fix an error code (git-fixes).
- dmaengine: pl330: rename _start to prevent build error (git-fixes).
- do not reuse connection if share marked as isolated (bsc#1193629).
- docs: networking: fix x25-iface.rst heading & index order (git-fixes).
- drivers: base: component: fix memory leak with using debugfs_lookup() (git-fixes).
- drivers: base: dd: fix memory leak with using debugfs_lookup() (git-fixes).
- drm/amd/display: Fix hang when skipping modeset (git-fixes).
- drm/amd/display: Use DC_LOG_DC in the trasform pixel function (git-fixes).
- drm/amd/display: edp do not add non-edid timings (git-fixes).
- drm/amd/display: fix flickering caused by S/G mode (git-fixes).
- drm/amd/pm: Fix power context allocation in SMU13 (git-fixes).
- drm/amd/pm: reverse mclk and fclk clocks levels for renoir (git-fixes).
- drm/amd/pm: reverse mclk and fclk clocks levels for vangogh (git-fixes).
- drm/amd/pm: reverse mclk and fclk clocks levels for yellow carp (git-fixes).
- drm/amd: Fix an out of bounds error in BIOS parser (git-fixes).
- drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras (git-fixes).
- drm/amdgpu: Fix vram recover does not work after whole GPU reset (v2) (git-fixes).
- drm/amdgpu: Use the default reset when loading or reloading the driver (git-fixes).
- drm/amdgpu: add a missing lock for AMDGPU_SCHED (git-fixes).
- drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend (git-fixes).
- drm/amdgpu: fix xclk freq on CHIP_STONEY (git-fixes).
- drm/amdgpu: release gpu full access after 'amdgpu_device_ip_late_init' (git-fixes).
- drm/amdgpu: skip disabling fence driver src_irqs when device is unplugged (git-fixes).
- drm/amdgpu: update drm_display_info correctly when the edid is read (git-fixes).
- drm/ast: Fix ARM compatibility (git-fixes).
- drm/displayid: add displayid_get_header() and check bounds better (git-fixes).
- drm/exynos: fix g2d_open/close helper function definitions (git-fixes).
- drm/i915/dg2: Add HDMI pixel clock frequencies 267.30 and 319.89 MHz (git-fixes).
- drm/i915/dg2: Add additional HDMI pixel clock frequencies (git-fixes).
- drm/i915/dg2: Support 4k at 30 on HDMI (git-fixes).
- drm/i915/dp: prevent potential div-by-zero (git-fixes).
- drm/i915/gt: Use the correct error value when kernel_context() fails (git-fixes).
- drm/i915/selftests: Add some missing error propagation (git-fixes).
- drm/i915/selftests: Increase timeout for live_parallel_switch (git-fixes).
- drm/i915/selftests: Stop using kthread_stop() (git-fixes).
- drm/i915: Explain the magic numbers for AUX SYNC/precharge length (git-fixes).
- drm/i915: Use 18 fast wake AUX sync len (git-fixes).
- drm/mipi-dsi: Set the fwnode for mipi_dsi_device (git-fixes).
- drm/msm/dp: Clean up handling of DP AUX interrupts (git-fixes).
- drm/msm/dp: unregister audio driver during unbind (git-fixes).
- drm/msm/dpu: Add INTF_5 interrupts (git-fixes).
- drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header (git-fixes).
- drm/msm/dpu: Remove duplicate register defines from INTF (git-fixes).
- drm/msm: Be more shouty if per-process pgtables are not working (git-fixes).
- drm/msm: Set max segment size earlier (git-fixes).
- drm/nouveau/dp: check for NULL nv_connector->native_mode (git-fixes).
- drm/nouveau: add nv_encoder pointer check for NULL (git-fixes).
- drm/nouveau: do not detect DSM for non-NVIDIA device (git-fixes).
- drm/sched: Remove redundant check (git-fixes).
- drm/tegra: Avoid potential 32-bit integer overflow (git-fixes).
- drm/ttm/pool: Fix ttm_pool_alloc error path (git-fixes).
- drm/ttm: optimize pool allocations a bit v2 (git-fixes).
- drm:amd:amdgpu: Fix missing buffer object unlock in failure path (git-fixes).
- dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type (git-fixes).
- dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries (git-fixes).
- dt-bindings: ata: ahci-ceva: convert to yaml (git-fixes).
- dt-bindings: i3c: silvaco,i3c-master: fix missing schema restriction (git-fixes).
- dt-bindings: iio: adc: renesas,rcar-gyroadc: Fix adi,ad7476 compatible value (git-fixes).
- dt-bindings: usb: snps,dwc3: Fix 'snps,hsphy_interface' type (git-fixes).
- eeprom: at24: also select REGMAP (git-fixes).
- ext4: unconditionally enable the i_version counter (bsc#1211299).
- f2fs: Fix f2fs_truncate_partial_nodes ftrace event (git-fixes).
- fbcon: Fix null-ptr-deref in soft_cursor (git-fixes).
- fbdev: Prevent possible use-after-free in fb_release() (bsc#1152472).
- fbdev: arcfb: Fix error handling in arcfb_probe() (git-fixes).
- fbdev: ep93xx-fb: Add missing clk_disable_unprepare in ep93xxfb_probe() (git-fixes).
- fbdev: fbcon: Destroy mutex on freeing struct fb_info (bsc#1152489)
- fbdev: imsttfb: Fix use after free bug in imsttfb_probe (git-fixes bsc#1211387).
- fbdev: modedb: Add 1920x1080 at 60 Hz video mode (git-fixes).
- fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards (git-fixes).
- fbdev: stifb: Fix info entry in sti_struct on error path (git-fixes).
- fbdev: udlfb: Fix endpoint check (git-fixes).
- firmware: arm_ffa: Check if ffa_driver remove is present before executing (git-fixes).
- firmware: arm_ffa: Set handle field to zero in memory descriptor (git-fixes).
- firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors (git-fixes).
- fs/jfs: fix shift exponent db_agl2size negative (git-fixes).
- fs: hfsplus: fix UAF issue in hfsplus_put_super (git-fixes).
- fs: jfs: fix possible NULL pointer dereference in dbFree() (git-fixes).
- fs: jfs: fix shift-out-of-bounds in dbAllocAG (git-fixes).
- fs: jfs: fix shift-out-of-bounds in dbDiscardAG (git-fixes).
- fs: sysv: Fix sysv_nblocks() returns wrong value (git-fixes).
- fuse: always revalidate rename target dentry (bsc#1211808).
- fuse: fix attr version comparison in fuse_read_update_size() (bsc#1211807).
- futex: Resend potentially swallowed owner death notification (git-fixes).
- google/gve:fix repeated words in comments (bsc#1211519).
- gpio: mockup: Fix mode of debugfs files (git-fixes).
- gve: Adding a new AdminQ command to verify driver (bsc#1211519).
- gve: Cache link_speed value from device (git-fixes).
- gve: Fix error return code in gve_prefill_rx_pages() (bsc#1211519).
- gve: Fix spelling mistake 'droping' -> 'dropping' (bsc#1211519).
- gve: Handle alternate miss completions (bsc#1211519).
- gve: Reduce alloc and copy costs in the GQ rx path (bsc#1211519).
- gve: Remove the code of clearing PBA bit (git-fixes).
- gve: Secure enough bytes in the first TX desc for all TCP pkts (git-fixes).
- gve: enhance no queue page list detection (bsc#1211519).
- hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling (git-fixes).
- hfs/hfsplus: use WARN_ON for sanity check (git-fixes).
- hfs: Fix OOB Write in hfs_asc2mac (git-fixes).
- hfs: fix OOB Read in __hfs_brec_find (git-fixes).
- hfs: fix missing hfs_bnode_get() in __hfs_bnode_create (git-fixes).
- hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount (git-fixes).
- i2c: mv64xxx: Fix reading invalid status value in atomic mode (git-fixes).
- i2c: omap: Fix standard mode false ACK readings (git-fixes).
- i2c: sprd: Delete i2c adapter in .remove's error path (git-fixes).
- i2c: tegra: Fix PEC support for SMBUS block read (git-fixes).
- i40e: Add checking for null for nlmsg_find_attr() (jsc#SLE-18378).
- i40e: Fix ADQ rate limiting for PF (jsc#SLE-18378).
- i40e: Fix DMA mappings leak (jsc#SLE-18378).
- i40e: Fix VF hang when reset is triggered on another VF (jsc#SLE-18378).
- i40e: Fix VF set max MTU size (jsc#SLE-18378).
- i40e: Fix VF's MAC Address change on VM (jsc#SLE-18378).
- i40e: Fix adding ADQ filter to TC0 (jsc#SLE-18378).
- i40e: Fix calculating the number of queue pairs (jsc#SLE-18378).
- i40e: Fix erroneous adapter reinitialization during recovery process (jsc#SLE-18378).
- i40e: Fix ethtool rx-flow-hash setting for X722 (jsc#SLE-18378).
- i40e: Fix flow-type by setting GL_HASH_INSET registers (jsc#SLE-18378).
- i40e: Fix for VF MAC address 0 (jsc#SLE-18378).
- i40e: Fix incorrect address type for IPv6 flow rules (jsc#SLE-18378).
- i40e: Fix interface init with MSI interrupts (no MSI-X) (jsc#SLE-18378).
- i40e: Fix kernel crash during module removal (jsc#SLE-18378).
- i40e: Fix kernel crash during reboot when adapter is in recovery mode (jsc#SLE-18378).
- i40e: Fix set max_tx_rate when it is lower than 1 Mbps (jsc#SLE-18378).
- i40e: Fix the inability to attach XDP program on downed interface (jsc#SLE-18378).
- i40e: Refactor tc mqprio checks (jsc#SLE-18378).
- i40e: add double of VLAN header when computing the max MTU (jsc#SLE-18378).
- i40e: fix accessing vsi->active_filters without holding lock (jsc#SLE-18378).
- i40e: fix flow director packet filter programming (jsc#SLE-18378).
- i40e: fix i40e_setup_misc_vector() error handling (jsc#SLE-18378).
- i40e: fix registers dump after run ethtool adapter self test (jsc#SLE-18378).
- iavf/iavf_main: actually log ->src mask when talking about it (jsc#SLE-18385).
- iavf: Detach device during reset task (jsc#SLE-18385).
- iavf: Disallow changing rx/tx-frames and rx/tx-frames-irq (jsc#SLE-18385).
- iavf: Do not restart Tx queues after reset task failure (jsc#SLE-18385).
- iavf: Fix 'tc qdisc show' listing too many queues (jsc#SLE-18385).
- iavf: Fix a crash during reset task (jsc#SLE-18385).
- iavf: Fix bad page state (jsc#SLE-18385).
- iavf: Fix cached head and tail value for iavf_get_tx_pending (jsc#SLE-18385).
- iavf: Fix error handling in iavf_init_module() (jsc#SLE-18385).
- iavf: Fix max_rate limiting (jsc#SLE-18385).
- iavf: Fix race condition between iavf_shutdown and iavf_remove (jsc#SLE-18385).
- iavf: Fix set max MTU size with port VLAN and jumbo frames (jsc#SLE-18385).
- iavf: fix hang on reboot with ice (jsc#SLE-18385).
- iavf: fix inverted Rx hash condition leading to disabled hash (jsc#SLE-18385).
- iavf: fix non-tunneled IPv6 UDP packet type and hashing (jsc#SLE-18385).
- iavf: remove mask from iavf_irq_enable_queues() (git-fixes).
- ice: Fix interrupt moderation settings getting cleared (jsc#SLE-18375).
- ice: Set txq_teid to ICE_INVAL_TEID on ring creation (jsc#SLE-18375).
- igb: Add lock to avoid data race (jsc#SLE-18379).
- igb: Enable SR-IOV after reinit (jsc#SLE-18379).
- igb: Initialize mailbox message for VF reset (jsc#SLE-18379).
- igb: conditionalize I2C bit banging on external thermal sensor support (jsc#SLE-18379).
- igb: fix bit_shift to be in [1..8] range (git-fixes).
- igb: fix nvm.ops.read() error handling (git-fixes).
- igb: revert rtnl_lock() that causes deadlock (jsc#SLE-18379).
- igbvf: Regard vf reset nack as success (jsc#SLE-18379).
- igc: Add checking for basetime less than zero (jsc#SLE-18377).
- igc: Add ndo_tx_timeout support (jsc#SLE-18377).
- igc: Clean the TX buffer and TX descriptor ring (git-fixes).
- igc: Enhance Qbv scheduling by using first flag bit (jsc#SLE-18377).
- igc: Fix PPS delta between two synchronized end-points (jsc#SLE-18377).
- igc: Fix possible system crash when loading module (git-fixes).
- igc: Lift TAPRIO schedule restriction (jsc#SLE-18377).
- igc: Reinstate IGC_REMOVED logic and implement it properly (jsc#SLE-18377).
- igc: Set Qbv start_time and end_time to end_time if not being configured in GCL (jsc#SLE-18377).
- igc: Use strict cycles for Qbv scheduling (jsc#SLE-18377).
- igc: allow BaseTime 0 enrollment for Qbv (jsc#SLE-18377).
- igc: fix the validation logic for taprio's gate list (jsc#SLE-18377).
- igc: read before write to SRRCTL register (jsc#SLE-18377).
- igc: recalculate Qbv end_time by considering cycle time (jsc#SLE-18377).
- igc: return an error if the mac type is unknown in igc_ptp_systim_to_hwtstamp() (jsc#SLE-18377).
- iio: accel: st_accel: Fix invalid mount_matrix on devices without ACPI _ONT method (git-fixes).
- iio: adc: ad7192: Change 'shorted' channels to differential (git-fixes).
- iio: adc: ad_sigma_delta: Fix IRQ issue by setting IRQ_DISABLE_UNLAZY flag (git-fixes).
- iio: adc: mxs-lradc: fix the order of two cleanup operations (git-fixes).
- iio: adc: palmas_gpadc: fix NULL dereference on rmmod (git-fixes).
- iio: dac: mcp4725: Fix i2c_master_send() return value handling (git-fixes).
- iio: imu: inv_icm42600: fix timestamp reset (git-fixes).
- iio: light: vcnl4035: fixed chip ID check (git-fixes).
- init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() (bsc#1212448).
- init: Invoke arch_cpu_finalize_init() earlier (bsc#1212448).
- init: Provide arch_cpu_finalize_init() (bsc#1212448).
- init: Remove check_bugs() leftovers (bsc#1212448).
- intel/igbvf: free irq on the error path in igbvf_request_msix() (jsc#SLE-18379).
- ipv6: sr: fix out-of-bounds read when setting HMAC data (bsc#1211592).
- iwlwifi: cfg: Add missing MODULE_FIRMWARE() for *.pnvm (bsc#1207553).
- ixgbe: Allow flow hash to be set via ethtool (jsc#SLE-18384).
- ixgbe: Enable setting RSS table to default values (jsc#SLE-18384).
- ixgbe: Fix panic during XDP_TX with > 64 CPUs (jsc#SLE-18384).
- ixgbe: add double of VLAN header when computing the max MTU (jsc#SLE-18384).
- ixgbe: allow to increase MTU to 3K with XDP enabled (jsc#SLE-18384).
- ixgbe: fix pci device refcount leak (jsc#SLE-18384).
- ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter (jsc#SLE-18384).
- jfs: Fix fortify moan in symlink (git-fixes).
- kABI workaround for btbcm.c (git-fixes).
- kABI workaround for mt76_poll_msec() (git-fixes).
- kABI: Fix kABI after backport Emulate RDPID only if it is enabled in guest  (git-fixes)
- kABI: Fixed broken 3rd party dirvers issue (bsc#1208050 bsc#1211414).
- kabi/severities: added Microsoft mana symbold (bsc#1210551)
- kernel-binary: install expoline.o (boo#1210791 bsc#1211089)
- kernel-docs: Add buildrequires on python3-base when using python3 The python3 binary is provided by python3-base.
- kernel-docs: Add missing top level chapter numbers on SLE12 SP5 (bsc#1212158).
- kernel-source: Remove unused macro variant_symbols
- kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate obsoletes correctly (boo#1172073 bsc#1191731).
- kprobe: reverse kp->flags when arm_kprobe failed (git-fixes).
- kprobes: Fix check for probe enabled in kill_kprobe() (git-fixes).
- kprobes: Fix to handle forcibly unoptimized kprobes on freeing_list (git-fixes).
- kprobes: Forbid probing on trampoline and BPF code areas (git-fixes).
- kprobes: Prohibit probes in gate area (git-fixes).
- kprobes: Skip clearing aggrprobe's post_handler in kprobe-on-ftrace case (git-fixes).
- kprobes: do not call disarm_kprobe() for disabled kprobes (git-fixes).
- kvm: x86: Disable KVM_HC_CLOCK_PAIRING if tsc is in always catchup mode (git-fixes).
- leds: Fix reference to led_set_brightness() in doc (git-fixes).
- leds: TI_LMU_COMMON: select REGMAP instead of depending on it (git-fixes).
- leds: tca6507: Fix error handling of using fwnode_property_read_string (git-fixes).
- libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value (git-fixes).
- locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers (git-fixes).
- lpfc: Account for fabric domain ctlr device loss recovery (bsc#1211346, bsc#1211852).
- lpfc: Change firmware upgrade logging to KERN_NOTICE instead of TRACE_EVENT (bsc#1211852).
- lpfc: Clean up SLI-4 CQE status handling (bsc#1211852).
- lpfc: Clear NLP_IN_DEV_LOSS flag if already in rediscovery (bsc#1211852).
- lpfc: Copyright updates for 14.2.0.13 patches (bsc#1211852).
- lpfc: Enhance congestion statistics collection (bsc#1211852).
- lpfc: Fix use-after-free rport memory access in lpfc_register_remote_port (bsc#1211852, bsc#1208410, bsc#1211346).
- lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state (bsc#1211852).
- lpfc: Update lpfc version to 14.2.0.13 (bsc#1211852).
- mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write() (git-fixes).
- mailbox: mailbox-test: fix a locking issue in mbox_test_message_write() (git-fixes).
- mailbox: zynqmp: Fix IPI isr handling (git-fixes).
- mailbox: zynqmp: Fix typo in IPI documentation (git-fixes).
- mce: fix set_mce_nospec to always unmap the whole page (git-fixes).
- media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish() (git-fixes).
- media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer() (git-fixes).
- media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() (git-fixes).
- media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer (git-fixes).
- media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer() (git-fixes).
- media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() (git-fixes).
- media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address (git-fixes).
- media: dvb_ca_en50221: fix a size write bug (git-fixes).
- media: dvb_demux: fix a bug for the continuity counter (git-fixes).
- media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table (git-fixes).
- media: netup_unidvb: fix irq init by register it at the end of probe (git-fixes).
- media: netup_unidvb: fix use-after-free at del_timer() (git-fixes).
- media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish (git-fixes).
- media: radio-shark: Add endpoint checks (git-fixes).
- media: rcar_fdp1: Fix the correct variable assignments (git-fixes).
- media: rcar_fdp1: Make use of the helper function devm_platform_ioremap_resource() (git-fixes).
- memstick: r592: Fix UAF bug in r592_remove due to race condition (bsc#1211449).
- mfd: dln2: Fix memory leak in dln2_probe() (git-fixes).
- mfd: tqmx86: Correct board names for TQMxE39x (git-fixes).
- mfd: tqmx86: Do not access I2C_DETECT register through io_base (git-fixes).
- misc: fastrpc: reject new invocations during device removal (git-fixes).
- misc: fastrpc: return -EPIPE to invocations on device removal (git-fixes).
- mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() (git-fixes).
- mm/vmalloc: do not output a spurious warning when huge vmalloc() fails (bsc#1211410).
- mm: vmalloc: avoid warn_alloc noise caused by fatal signal (bsc#1211410).
- mmc: sdhci-esdhc-imx: make 'no-mmc-hs400' works (git-fixes).
- mmc: vub300: fix invalid response handling (git-fixes).
- mt76: mt7915: fix incorrect testmode ipg on band 1 caused by wmm_idx (git-fixes).
- mtd: rawnand: ingenic: fix empty stub helper definitions (git-fixes).
- mtd: rawnand: marvell: do not set the NAND frequency select (git-fixes).
- mtd: rawnand: marvell: ensure timing values are written (git-fixes).
- net/iucv: Fix size of interrupt data (bsc#1211465 git-fixes).
- net/net_failover: fix txq exceeding warning (git-fixes).
- net/sched: fix initialization order when updating chain 0 head (git-fixes).
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() (git-fixes).
- net/sched: sch_netem: Fix arithmetic in netem_dump() for 32-bit platforms (git-fixes).
- net: accept UFOv6 packages in virtio_net_hdr_to_skb (git-fixes).
- net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize (git-fixes).
- net: ena: Account for the number of processed bytes in XDP (git-fixes).
- net: ena: Do not register memory info on XDP exchange (git-fixes).
- net: ena: Fix rx_copybreak value update (git-fixes).
- net: ena: Fix toeplitz initial hash value (git-fixes).
- net: ena: Set default value for RX interrupt moderation (git-fixes).
- net: ena: Update NUMA TPH hint register upon NUMA node update (git-fixes).
- net: ena: Use bitmask to indicate packet redirection (git-fixes).
- net: hns3: add interrupts re-initialization while doing VF FLR (git-fixes).
- net: hns3: fix output information incomplete for dumping tx queue info with debugfs (git-fixes).
- net: hns3: fix reset delay time to avoid configuration timeout (git-fixes).
- net: hns3: fix sending pfc frames after reset issue (git-fixes).
- net: hns3: fix tm port shapping of fibre port is incorrect after driver initialization (git-fixes).
- net: mana: Add new MANA VF performance counters for easier troubleshooting (bsc#1209982).
- net: mana: Add support for auxiliary device (bsc#1210741 jsc#PED-4022).
- net: mana: Add support for jumbo frame (bsc#1210551).
- net: mana: Check if netdev/napi_alloc_frag returns single page (bsc#1210551).
- net: mana: Define and process GDMA response code GDMA_STATUS_MORE_ENTRIES (bsc#1210741 jsc#PED-4022).
- net: mana: Define data structures for allocating doorbell page from GDMA (bsc#1210741 jsc#PED-4022).
- net: mana: Define data structures for protection domain and memory registration (bsc#1210741 jsc#PED-4022).
- net: mana: Define max values for SGL entries (bsc#1210741 jsc#PED-4022).
- net: mana: Enable RX path to handle various MTU sizes (bsc#1210551).
- net: mana: Export Work Queue functions for use by RDMA driver (bsc#1210741 jsc#PED-4022).
- net: mana: Fix perf regression: remove rx_cqes, tx_cqes counters (git-fixes).
- net: mana: Handle vport sharing between devices (bsc#1210741 jsc#PED-4022).
- net: mana: Move header files to a common location (bsc#1210741 jsc#PED-4022).
- net: mana: Record port number in netdev (bsc#1210741 jsc#PED-4022).
- net: mana: Record the physical address for doorbell page region (bsc#1210741 jsc#PED-4022).
- net: mana: Refactor RX buffer allocation code to prepare for various MTU (bsc#1210551).
- net: mana: Rename mana_refill_rxoob and remove some empty lines (bsc#1210551).
- net: mana: Set the DMA device max segment size (bsc#1210741 jsc#PED-4022).
- net: mana: Use napi_build_skb in RX path (bsc#1210551).
- net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe() (git-fixes).
- net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure (bsc#1211564).
- net: phy: dp83867: add w/a for packet errors seen with short cables (git-fixes).
- net: qrtr: correct types of trace event parameters (git-fixes).
- net: sched: fix possible refcount leak in tc_chain_tmplt_add() (git-fixes).
- net: skip virtio_net_hdr_set_proto if protocol already set (git-fixes).
- net: tun: avoid disabling NAPI twice (git-fixes).
- net: tun: fix bugs for oversize packet when napi frags enabled (git-fixes).
- net: tun: stop NAPI when detaching queues (git-fixes).
- net: tun: unlink NAPI from device on destruction (git-fixes).
- net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818 (git-fixes).
- net: usb: qmi_wwan: add support for Compal RXM-G1 (git-fixes).
- net: virtio_net_hdr_to_skb: count transport header in UFO (git-fixes).
- nfp: only report pause frame configuration for physical device (git-fixes).
- nilfs2: do not write dirty data after degenerating to read-only (git-fixes).
- nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key() (git-fixes).
- nilfs2: fix infinite loop in nilfs_mdt_get_block() (git-fixes).
- nilfs2: fix possible out-of-bounds segment allocation in resize ioctl (git-fixes).
- nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() (git-fixes).
- nouveau: fix client work fence deletion race (git-fixes).
- nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association (git-fixes).
- nvme-multipath: fix hang when disk goes live over reconnect (git-fixes).
- nvme-pci: add quirks for Samsung X5 SSDs (git-fixes).
- nvme-pci: add the IGNORE_DEV_SUBNQN quirk for Intel P4500/P4600 SSDs (git-fixes).
- nvme-pci: avoid the deepest sleep state on ZHITAI TiPro5000 SSDs (git-fixes).
- nvme-pci: avoid the deepest sleep state on ZHITAI TiPro7000 SSDs (git-fixes).
- nvme-pci: clear the prp2 field when not used (git-fixes).
- nvme-pci: disable write zeroes on various Kingston SSD (git-fixes).
- nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags (git-fixes).
- nvme-pci: mark Lexar NM760 as IGNORE_DEV_SUBNQN (git-fixes).
- nvme-pci: set min_align_mask before calculating max_hw_sectors (git-fixes).
- nvme-tcp: fix a possible UAF when failing to allocate an io queue (git-fixes).
- nvme-tcp: fix bogus request completion when failing to send AER (git-fixes).
- nvme-tcp: lockdep: annotate in-kernel sockets (git-fixes).
- nvme: add a bogus subsystem NQN quirk for Micron MTFDKBA2T0TFH (git-fixes).
- nvme: also return I/O command effects from nvme_command_effects (git-fixes).
- nvme: check for duplicate identifiers earlier (git-fixes).
- nvme: cleanup __nvme_check_ids (git-fixes).
- nvme: fix discard support without oncs (git-fixes).
- nvme: fix interpretation of DMRSL (git-fixes).
- nvme: fix multipath crash caused by flush request when blktrace is enabled (git-fixes).
- nvme: fix passthrough csi check (git-fixes).
- nvme: generalize the nvme_multi_css check in nvme_scan_ns (git-fixes).
- nvme: move the Samsung X5 quirk entry to the core quirks (git-fixes).
- nvme: rename nvme_validate_or_alloc_ns to nvme_scan_ns (git-fixes).
- nvme: set non-mdts limits in nvme_scan_work (git-fixes).
- nvmet-tcp: add bounds check on Transfer Tag (git-fixes).
- nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue teardown (git-fixes).
- nvmet-tcp: fix unhandled tcp states in nvmet_tcp_state_change() (git-fixes).
- nvmet: fix mar and mor off-by-one errors (git-fixes).
- nvmet: fix memory leak in nvmet_subsys_attr_model_store_locked (git-fixes).
- nvmet: fix workqueue MEM_RECLAIM flushing dependency (git-fixes).
- nvmet: move the call to nvmet_ns_changed out of nvmet_ns_revalidate (git-fixes).
- nvmet: use NVME_CMD_EFFECTS_CSUPP instead of open coding it (git-fixes).
- octeontx2-pf: Avoid use of GFP_KERNEL in atomic context (git-fixes).
- octeontx2-pf: Fix resource leakage in VF driver unbind (git-fixes).
- octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt (git-fixes).
- octeontx2-pf: Recalculate UDP checksum for ptp 1-step sync packet (git-fixes).
- phy: st: miphy28lp: use _poll_timeout functions for waits (git-fixes).
- phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port (git-fixes).
- pinctrl: meson-axg: add missing GPIOA_18 gpio group (git-fixes).
- pinctrl: qcom: lpass-lpi: set output value before enabling output (git-fixes).
- pinctrl: renesas: r8a779a0: Remove incorrect AVB[01] pinmux configuration (git-fixes).
- platform/surface: aggregator: Allow completion work-items to be executed in parallel (git-fixes).
- platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0 (git-fixes).
- platform/x86: hp-wmi: Support touchpad on/off (git-fixes).
- platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield (git-fixes).
- platform/x86: thinkpad_acpi: Fix platform profiles on T490 (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i (git-fixes).
- platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet (git-fixes).
- power: supply: Fix logic checking if system is running from battery (git-fixes).
- power: supply: Ratelimit no data debug output (git-fixes).
- power: supply: ab8500: Fix external_power_changed race (git-fixes).
- power: supply: bq24190_charger: using pm_runtime_resume_and_get instead of pm_runtime_get_sync (git-fixes).
- power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status() (git-fixes).
- power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize (git-fixes).
- power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes (git-fixes).
- power: supply: bq27xxx: Fix I2C IRQ race on remove (git-fixes).
- power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition (git-fixes).
- power: supply: bq27xxx: Fix poll_interval handling and races on remove (git-fixes).
- power: supply: bq27xxx: Move bq27xxx_battery_update() down (git-fixes).
- power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule() (git-fixes).
- power: supply: bq27xxx: expose battery data when CI=1 (git-fixes).
- power: supply: leds: Fix blink to LED on transition (git-fixes).
- power: supply: sbs-charger: Fix INHIBITED bit for Status reg (git-fixes).
- power: supply: sc27xx: Fix external_power_changed race (git-fixes).
- powerpc/64s/radix: Fix soft dirty tracking (bsc#1065729).
- powerpc/64s: Make POWER10 and later use pause_short in cpu_relax loops (bsc#1209367 ltc#195662).
- powerpc/iommu: DMA address offset is incorrectly calculated with 2MB TCEs (jsc#SLE-19556 git-fixes).
- powerpc/purgatory: remove PGO flags (bsc#1194869).
- powerpc/rtas: use memmove for potentially overlapping buffer copy (bsc#1065729).
- powerpc: Do not try to copy PPR for task with NULL pt_regs (bsc#1065729).
- powerpc: Redefine HMT_xxx macros as empty on PPC32 (bsc#1209367 ltc#195662).
- powerpc: add ISA v3.0 / v3.1 wait opcode macro (bsc#1209367 ltc#195662).
- pstore: Revert pmsg_lock back to a normal mutex (git-fixes).
- purgatory: fix disabling debug info (git-fixes).
- pwm: meson: Fix axg ao mux parents (git-fixes).
- pwm: meson: Fix g12a ao clk81 name (git-fixes).
- qed/qed_dev: guard against a possible division by zero (jsc#SLE-19001).
- qed/qed_mng_tlv: correctly zero out ->min instead of ->hour (jsc#SLE-19001).
- qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info (jsc#SLE-19001).
- qed/qede: Fix scheduling while atomic (git-fixes).
- qed: allow sleep in qed_mcp_trace_dump() (jsc#SLE-19001).
- qede: execute xdp_do_flush() before napi_complete_done() (jsc#SLE-19001).
- r8152: fix flow control issue of RTL8156A (git-fixes).
- r8152: fix the poor throughput for 2.5G devices (git-fixes).
- r8152: move setting r8153b_rx_agg_chg_indicate() (git-fixes).
- rcu: Fix missing TICK_DEP_MASK_RCU_EXP dependency check (git-fixes).
- regmap: Account for register length when chunking (git-fixes).
- regmap: cache: Return error in cache sync operations for REGCACHE_NONE (git-fixes).
- regmap: spi-avmm: Fix regmap_bus max_raw_write (git-fixes).
- regulator: Fix error checking for debugfs_create_dir (git-fixes).
- regulator: mt6359: add read check for PMIC MT6359 (git-fixes).
- regulator: pca9450: Fix BUCK2 enable_mask (git-fixes).
- regulator: pca9450: Fix LDO3OUT and LDO4OUT MASK (git-fixes).
- reiserfs: Add missing calls to reiserfs_security_free() (git-fixes).
- reiserfs: Add security prefix to xattr name in reiserfs_security_write() (git-fixes).
- remoteproc: stm32_rproc: Add mutex protection for workqueue (git-fixes).
- revert 'squashfs: harden sanity check in squashfs_read_xattr_id_table' (git-fixes).
- ring-buffer: Ensure proper resetting of atomic variables in ring_buffer_reset_online_cpus (git-fixes).
- ring-buffer: Fix kernel-doc (git-fixes).
- ring-buffer: Sync IRQ works before buffer destruction (git-fixes).
- rpm/constraints.in: Increase disk size constraint for riscv64 to 52GB
- rpm/kernel-binary.spec.in: Fix compatibility wth newer rpm
- rpm/kernel-docs.spec.in: pass PYTHON=python3 to fix build error (bsc#1160435)
- rpm/kernel-source.spec.in: Add patches.drm for moved DRM patches
- rtmutex: Ensure that the top waiter is always woken up (git-fixes).
- s390/ap: fix crash on older machines based on QCI info missing (bsc#1210947)
- s390/ctcm: Fix return type of ctc{mp,}m_tx() (git-fixes bsc#1211686).
- s390/dasd: Use correct lock while counting channel queue length (git-fixes bsc#1212592).
- s390/dasd: fix hanging blockdevice after request requeue (git-fixes bsc#1211687).
- s390/extmem: return correct segment type in __segment_load() (bsc#1210450 git-fixes).
- s390/kprobes: fix current_kprobe never cleared after kprobes reenter (git-fixes bsc#1211688).
- s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler (git-fixes bsc#1211689).
- s390/lcs: Fix return type of lcs_start_xmit() (git-fixes bsc#1211690).
- s390/mem_detect: fix detect_memory() error handling (git-fixes bsc#1211691).
- s390/netiucv: Fix return type of netiucv_tx() (git-fixes bsc#1211692).
- s390/qdio: fix do_sqbs() inline assembly constraint (git-fixes bsc#1211693).
- s390/qeth: fix use-after-free in hsci (bsc#1210449 git-fixes).
- s390/uaccess: add missing earlyclobber annotations to __clear_user() (bsc#1209856 git-fixes).
- s390/vdso: remove -nostdlib compiler flag (git-fixes bsc#1211714).
- s390: Hard lockups are observed while running stress-ng and LPAR hangs (bsc#1195655 ltc#195733).
- scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed (git-fixes).
- scsi: core: Improve scsi_vpd_inquiry() checks (git-fixes).
- scsi: hisi_sas: Handle NCQ error when IPTT is valid (git-fixes).
- scsi: libsas: Add sas_ata_device_link_abort() (git-fixes).
- scsi: libsas: Grab the ATA port lock in sas_ata_device_link_abort() (git-fixes).
- scsi: lpfc: Add new RCQE status for handling DMA failures (bsc#1211847).
- scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused by lpfc_nlp_not_used() (bsc#1211847).
- scsi: lpfc: Fix verbose logging for SCSI commands issued to SES devices (bsc#1211847).
- scsi: lpfc: Match lock ordering of lpfc_cmd->buf_lock and hbalock for abort paths (bsc#1211847).
- scsi: lpfc: Replace blk_irq_poll intr handler with threaded IRQ (bsc#1211847).
- scsi: lpfc: Update congestion warning notification period (bsc#1211847).
- scsi: lpfc: Update lpfc version to 14.2.0.12 (bsc#1211847).
- scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS (git-fixes).
- scsi: megaraid_sas: Fix fw_crash_buffer_show() (git-fixes).
- scsi: qedi: Fix use after free bug in qedi_remove() (git-fixes).
- scsi: qla2xxx: Drop redundant pci_enable_pcie_error_reporting() (bsc#1211960).
- scsi: qla2xxx: Fix hang in task management (bsc#1211960).
- scsi: qla2xxx: Fix mem access after free (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd fail due to unavailable resource (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd failure (bsc#1211960).
- scsi: qla2xxx: Multi-que support for TMF (bsc#1211960).
- scsi: qla2xxx: Refer directly to the qla2xxx_driver_template (bsc#1211960).
- scsi: qla2xxx: Remove default fabric ops callouts (bsc#1211960).
- scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy() (bsc#1211960).
- scsi: qla2xxx: Update version to 10.02.08.300-k (bsc#1211960).
- scsi: qla2xxx: Wait for io return on terminate rport (bsc#1211960).
- scsi: ses: Handle enclosure with just a primary component gracefully (git-fixes).
- scsi: stex: Fix gcc 13 warnings (git-fixes).
- scsi: storvsc: Do not pass unused PFNs to Hyper-V host (git-fixes).
- selftests mount: Fix mount_setattr_test builds failed (git-fixes).
- selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET (git-fixes).
- selftests/resctrl: Allow ->setup() to return errors (git-fixes).
- selftests/resctrl: Check for return value after write_schemata() (git-fixes).
- selftests/resctrl: Extend CPU vendor detection (git-fixes).
- selftests/resctrl: Move ->setup() call outside of test specific branches (git-fixes).
- selftests/resctrl: Return NULL if malloc_and_init_memory() did not alloc mem (git-fixes).
- selftests/sgx: Add 'test_encl.elf' to TEST_FILES (git-fixes).
- selftests: mptcp: connect: skip if MPTCP is not supported (git-fixes).
- selftests: mptcp: pm nl: skip if MPTCP is not supported (git-fixes).
- selftests: mptcp: sockopt: skip if MPTCP is not supported (git-fixes).
- selftests: seg6: disable DAD on IPv6 router cfg for srv6_end_dt4_l3vpn_test (git-fixes).
- selftests: srv6: make srv6_end_dt46_l3vpn_test more robust (git-fixes).
- selftests: xsk: Disable IPv6 on VETH1 (git-fixes).
- selftets: seg6: disable rp_filter by default in srv6_end_dt4_l3vpn_test (git-fixes).
- selinux: do not use make's grouped targets feature yet (git-fixes).
- serial: 8250: Reinit port->pm on port specific driver unbind (git-fixes).
- serial: 8250_bcm7271: balance clk_enable calls (git-fixes).
- serial: 8250_bcm7271: fix leak in `brcmuart_probe` (git-fixes).
- serial: 8250_exar: Add support for USR298x PCI Modems (git-fixes).
- serial: 8250_tegra: Fix an error handling path in tegra_uart_probe() (git-fixes).
- serial: Add support for Advantech PCI-1611U card (git-fixes).
- serial: arc_uart: fix of_iomap leak in `arc_serial_probe` (git-fixes).
- serial: lantiq: add missing interrupt ack (git-fixes).
- serial: qcom-geni: fix enabling deactivated interrupt (git-fixes).
- serial: stm32: re-introduce an irq flag condition in usart_receive_chars (git-fixes).
- sfc: Change VF mac via PF as first preference if available (git-fixes).
- sfc: Fix module EEPROM reporting for QSFP modules (git-fixes).
- sfc: Fix use-after-free due to selftest_work (git-fixes).
- sfc: correctly advertise tunneled IPv6 segmentation (git-fixes).
- sfc: disable RXFCS and RXALL features by default (git-fixes).
- sfc: ef10: do not overwrite offload features at NIC reset (git-fixes).
- sfc: fix TX channel offset when using legacy interrupts (git-fixes).
- sfc: fix considering that all channels have TX queues (git-fixes).
- sfc: fix null pointer dereference in efx_hard_start_xmit (git-fixes).
- sfc: fix wrong tx channel offset with efx_separate_tx_channels (git-fixes).
- sfc: include vport_id in filter spec hash and equal() (git-fixes).
- smb3: display debug information better for encryption (bsc#1193629).
- smb3: fix problem remounting a share after shutdown (bsc#1193629).
- smb3: improve parallel reads of large files (bsc#1193629).
- smb3: make query_on_disk_id open context consistent and move to common code (bsc#1193629).
- smb3: move some common open context structs to smbfs_common (bsc#1193629).
- soundwire: qcom: correct setting ignore bit on v1.5.1 (git-fixes).
- soundwire: qcom: gracefully handle too many ports in DT (git-fixes).
- spi: fsl-dspi: avoid SCK glitches with continuous transfers (git-fixes).
- spi: qup: Request DMA before enabling clocks (git-fixes).
- spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 (git-fixes).
- spi: spi-imx: using pm_runtime_resume_and_get instead of pm_runtime_get_sync (git-fixes).
- spi: tegra210-quad: Fix combined sequence (bsc#1212584)
- spi: tegra210-quad: Fix iterator outside loop (git-fixes).
- spi: tegra210-quad: Multi-cs support (bsc#1212584)
- squashfs: harden sanity check in squashfs_read_xattr_id_table (git-fixes).
- staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE (git-fixes).
- struct ci_hdrc: hide new member at end (git-fixes).
- supported.conf: Move bt878 and bttv modules to kernel-*-extra (jsc#PED-3931)
- supported.conf: mark mana_ib supported
- swiotlb: relocate PageHighMem test away from rmem_swiotlb_setup (git-fixes).
- test_firmware: Use kstrtobool() instead of strtobool() (git-fixes).
- test_firmware: fix the memory leak of the allocated firmware buffer (git-fixes).
- test_firmware: prevent race conditions by a correct implementation of locking (git-fixes).
- thunderbolt: Clear registers properly when auto clear isn't in use (bsc#1210165).
- thunderbolt: Mask ring interrupt on Intel hardware as well (bsc#1210165).
- thunderbolt: dma_test: Use correct value for absent rings when creating paths (git-fixes).
- tls: Skip tls_append_frag on zero copy size (git-fixes).
- tools/virtio: compile with -pthread (git-fixes).
- tools/virtio: fix the vringh test for virtio ring changes (git-fixes).
- tools/virtio: fix virtio_test execution (git-fixes).
- tools/virtio: initialize spinlocks in vring_test.c (git-fixes).
- tools: bpftool: Remove invalid \' json escape (git-fixes).
- tpm, tpm_tis: Claim locality before writing TPM_INT_ENABLE register (git-fixes).
- tpm, tpm_tis: Disable interrupts if tpm_tis_probe_irq() failed (git-fixes).
- tpm, tpm_tis: Request threaded interrupt handler (git-fixes).
- tpm/tpm_tis: Disable interrupts for more Lenovo devices (git-fixes).
- tracing/histograms: Allow variables to have some modifiers (git-fixes).
- tracing/probe: trace_probe_primary_from_call(): checked list_first_entry (git-fixes).
- tracing: Fix permissions for the buffer_percent file (git-fixes).
- tracing: Have event format check not flag %p* on __get_dynamic_array() (git-fixes, bsc#1212350).
- tracing: Introduce helpers to safely handle dynamic-sized sockaddrs (git-fixes).
- tracing: Update print fmt check to handle new __get_sockaddr() macro (git-fixes, bsc#1212350).
- tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK (git-fixes).
- usb-storage: fix deadlock when a scsi command timeouts more than once (git-fixes).
- usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM (git-fixes).
- usb: chipidea: core: fix possible concurrent when switch role (git-fixes).
- usb: dwc3: Align DWC3_EP_* flag macros (git-fixes).
- usb: dwc3: Fix a repeated word checkpatch warning (git-fixes).
- usb: dwc3: Fix ep0 handling when getting reset while doing control transfer (git-fixes).
- usb: dwc3: debugfs: Resume dwc3 before accessing registers (git-fixes).
- usb: dwc3: drd: use helper to get role-switch-default-mode (git-fixes).
- usb: dwc3: ep0: Do not prepare beyond Setup stage (git-fixes).
- usb: dwc3: gadget: Delay issuing End Transfer (git-fixes).
- usb: dwc3: gadget: Execute gadget stop after halting the controller (git-fixes).
- usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume() (git-fixes).
- usb: dwc3: gadget: Only End Transfer for ep0 data phase (git-fixes).
- usb: dwc3: gadget: Reset num TRBs before giving back the request (git-fixes).
- usb: dwc3: gadget: Stall and restart EP0 if host is unresponsive (git-fixes).
- usb: dwc3: remove a possible unnecessary 'out of memory' message (git-fixes).
- usb: gadget: f_fs: Add unbind event before functionfs_unbind (git-fixes).
- usb: gadget: u_ether: Fix host MAC address case (git-fixes).
- usb: mtu3: fix kernel panic at qmu transfer done irq handler (git-fixes).
- usb: typec: altmodes/displayport: fix pin_assignment_show (git-fixes).
- usb: typec: tcpm: fix multiple times discover svids error (git-fixes).
- usb: typec: ucsi: Fix command cancellation (git-fixes).
- usb: usbfs: Enforce page requirements for mmap (git-fixes).
- usb: usbfs: Use consistent mmap functions (git-fixes).
- usrmerge: Compatibility with earlier rpm (boo#1211796)
- vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF (git-fixes).
- vdpa: fix use-after-free on vp_vdpa_remove (git-fixes).
- vhost/net: Clear the pending messages when the backend is removed (git-fixes).
- virtio-net: Keep stop() to follow mirror sequence of open() (git-fixes).
- virtio-net: execute xdp_do_flush() before napi_complete_done() (git-fixes).
- virtio_net: bugfix overflow inside xdp_linearize_page() (git-fixes).
- virtio_net: split free_unused_bufs() (git-fixes).
- virtio_net: suppress cpu stall when free_unused_bufs (git-fixes).
- watchdog: dw_wdt: Fix the error handling path of dw_wdt_drv_probe() (git-fixes).
- watchdog: menz069_wdt: fix watchdog initialisation (git-fixes).
- watchdog: sp5100_tco: Immediately trigger upon starting (git-fixes).
- wifi: ath11k: Fix SKB corruption in REO destination ring (git-fixes).
- wifi: ath: Silence memcpy run-time false positive warning (git-fixes).
- wifi: b43: fix incorrect __packed annotation (git-fixes).
- wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex (git-fixes).
- wifi: cfg80211: fix locking in regulatory disconnect (git-fixes).
- wifi: cfg80211: fix locking in sched scan stop work (git-fixes).
- wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace (git-fixes).
- wifi: iwlwifi: fix OEM's name in the ppag approved list (git-fixes).
- wifi: iwlwifi: fw: fix DBGI dump (git-fixes).
- wifi: iwlwifi: mvm: do not trust firmware n_channels (git-fixes).
- wifi: iwlwifi: mvm: fix OEM's name in the tas approved list (git-fixes).
- wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock (git-fixes).
- wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf (git-fixes).
- wifi: iwlwifi: pcie: fix possible NULL pointer dereference (git-fixes).
- wifi: mac80211: fix min center freq offset tracing (git-fixes).
- wifi: mac80211: simplify chanctx allocation (git-fixes).
- wifi: mt76: add flexible polling wait-interval support (git-fixes).
- wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll (git-fixes).
- wifi: mt76: mt7921e: Set memory space enable in PCI_COMMAND if unset (git-fixes).
- wifi: mt76: mt7921e: fix probe timeout after reboot (git-fixes).
- wifi: mt76: mt7921e: improve reliability of dma reset (git-fixes).
- wifi: rtl8xxxu: RTL8192EU always needs full init (git-fixes).
- wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value (git-fixes).
- workqueue: Fix hung time report of worker pools (bsc#1211044).
- workqueue: Interrupted create_worker() is not a repeated event (bsc#1211044).
- workqueue: Print backtraces from CPUs with hung CPU bound workqueues (bsc#1211044).
- workqueue: Warn when a new worker could not be created (bsc#1211044).
- workqueue: Warn when a rescuer could not be created (bsc#1211044).
- x86, sched: Fix undefined reference to init_freq_invariance_cppc() build error (git-fixes).
- x86/MCE/AMD: Use an u64 for bank_map (git-fixes).
- x86/alternative: Make debug-alternative selective (bsc#1206578).
- x86/alternative: Report missing return thunk details (git-fixes).
- x86/alternative: Support relocations in alternatives (bsc#1206578).
- x86/amd: Use IBPB for firmware calls (git-fixes).
- x86/boot: Skip realmode init code when running as Xen PV guest  (git-fixes).
- x86/bugs: Add 'unknown' reporting for MMIO Stale Data (git-fixes).
- x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available (git-fixes).
- x86/bugs: Warn when 'ibrs' mitigation is selected on Enhanced IBRS parts (git-fixes).
- x86/cpu: Switch to arch_cpu_finalize_init() (bsc#1212448).
- x86/crash: Disable virt in core NMI crash handler to avoid double shootdown (git-fixes).
- x86/delay: Fix the wrong asm constraint in delay_loop() (git-fixes).
- x86/entry: Build thunk_$(BITS) only if CONFIG_PREEMPTION=y (git-fixes).
- x86/fault: Cast an argument to the proper address space in prefetch() (git-fixes).
- x86/fpu/xsave: Initialize offset/size cache early (bsc#1211205).
- x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly (git-fixes).
- x86/fpu: Fix the init_fpstate size check with the actual size (git-fixes).
- x86/fpu: Mark init functions __init (bsc#1212448).
- x86/fpu: Move FPU initialization into arch_cpu_finalize_init() (bsc#1212448).
- x86/fpu: Remove cpuinfo argument from init functions (bsc#1212448).
- x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN (git-fixes).
- x86/hyperv: Block root partition functionality in a Confidential VM (git-fixes).
- x86/init: Initialize signal frame size late (bsc#1212448).
- x86/kprobes: Fix __recover_optprobed_insn check optimizing logic (git-fixes).
- x86/lib/memmove: Decouple ERMS from FSRM (bsc#1206578).
- x86/mce: relocate set{clear}_mce_nospec() functions (git-fixes). This is a preparation for the next patch
- x86/microcode/AMD: Add a @cpu parameter to the reloading functions (git-fixes).
- x86/microcode/AMD: Fix mixed steppings support (git-fixes).
- x86/microcode/AMD: Track patch allocation size explicitly (git-fixes).
- x86/microcode: Add a parameter to microcode_check() to store CPU capabilities (git-fixes).
- x86/microcode: Add explicit CPU vendor dependency (git-fixes).
- x86/microcode: Adjust late loading result reporting message (git-fixes).
- x86/microcode: Check CPU capabilities after late microcode update correctly (git-fixes).
- x86/microcode: Rip out the OLD_INTERFACE (git-fixes).
- x86/mm: Cleanup the control_va_addr_alignment() __setup handler (git-fixes).
- x86/mm: Use proper mask when setting PUD mapping (git-fixes).
- x86/mm: fix poking_init() for Xen PV guests (git-fixes).
- x86/nospec: Unwreck the RSB stuffing (git-fixes).
- x86/numa: Use cpumask_available instead of hardcoded NULL check (git-fixes).
- x86/pat: Fix x86_has_pat_wp() (git-fixes).
- x86/pm: Add enumeration check before spec MSRs save/restore setup (git-fixes).
- x86/reboot: Disable SVM, not just VMX, when stopping CPUs (git-fixes).
- x86/resctrl: Fix min_cbm_bits for AMD (git-fixes).
- x86/sev: Add SEV-SNP guest feature negotiation support (git-fixes).
- x86/signal: Fix the value returned by strict_sas_size() (git-fixes).
- x86/speculation/mmio: Print SMT warning (git-fixes).
- x86/speculation: Identify processors vulnerable to SMT RSB predictions (git-fixes).
- x86/static_call: Serialize __static_call_fixup() properly (git-fixes).
- x86/syscall: Include asm/ptrace.h in syscall_wrapper header (git-fixes).
- x86/topology: Fix duplicated core ID within a package (git-fixes).
- x86/topology: Fix multiple packages shown on a single-package system (git-fixes).
- x86/tsx: Add a feature bit for TSX control MSR support (git-fixes).
- x86: Fix return value of __setup handlers (git-fixes).
- x86: drop bogus 'cc' clobber from __try_cmpxchg_user_asm() (git-fixes).
- xen/netback: do not do grant copy across page boundary (git-fixes).
- xen/netback: use same error messages for same errors (git-fixes).
- xfs: fix rm_offset flag handling in rmap keys (git-fixes).
- xfs: set bnobt/cntbt numrecs correctly when formatting new AGs (git-fixes).
- xhci-pci: Only run d3cold avoidance quirk for s2idle (git-fixes).
- xhci: Fix incorrect tracking of free space on transfer rings (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2803-1
Released:    Mon Jul 10 16:11:18 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1187829,1194869,1210335,1212051,1212265,1212603,1212605,1212606,1212619,1212701,1212741,1212835,1212838,1212842,1212861,1212869,1212892,CVE-2023-1829,CVE-2023-3090,CVE-2023-3111,CVE-2023-3212,CVE-2023-3357,CVE-2023-3358,CVE-2023-3389

The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210335).
- CVE-2023-3389: Fixed a use-after-free vulnerability in the io_uring subsystem (bsc#1212838).
- CVE-2023-3090: Fixed a heap out-of-bounds write in the ipvlan network driver (bsc#1212842).
- CVE-2023-3111: Fixed a use-after-free vulnerability in prepare_to_relocate in fs/btrfs/relocation.c (bsc#1212051).
- CVE-2023-3212: Fixed a NULL pointer dereference flaw in the gfs2 file system (bsc#1212265).
- CVE-2023-3358: Fixed a NULL pointer dereference flaw in the Integrated Sensor Hub (ISH) driver (bsc#1212606).
- CVE-2023-3357: Fixed a NULL pointer dereference flaw in the AMD Sensor Fusion Hub driver (bsc#1212605).

The following non-security bugs were fixed:

- Get module prefix from kmod (bsc#1212835).
- Revert 'mtd: rawnand: arasan: Prevent an unsupported configuration' (git-fixes).
- Revert 'net: phy: dp83867: perform soft reset and retain established link' (git-fixes).
- alsa: ac97: Fix possible NULL dereference in snd_ac97_mixer (git-fixes).
- alsa: hda/realtek: Add 'Intel Reference board' and 'NUC 13' SSID in the ALC256 (git-fixes).
- alsa: hda/realtek: Add quirk for ASUS ROG G634Z (git-fixes).
- alsa: hda/realtek: Add quirk for ASUS ROG GV601V (git-fixes).
- alsa: hda/realtek: Add quirks for ASUS GU604V and GU603V (git-fixes).
- alsa: hda/realtek: Add quirks for ROG ALLY CS35l41 audio (git-fixes).
- alsa: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook (git-fixes).
- amdgpu: validate offset_in_bo of drm_amdgpu_gem_va (git-fixes).
- arm64: Add missing Set/Way CMO encodings (git-fixes).
- arm64: dts: Move BCM4908 dts to bcmbca folder (git-fixes)
- arm64: dts: broadcom: bcmbca: bcm4908: fix NAND interrupt name (git-fixes)
- arm64: dts: broadcom: bcmbca: bcm4908: fix procmon nodename (git-fixes)
- arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert (git-fixes)
- arm: dts: Fix erroneous ADS touchscreen polarities (git-fixes).
- asoc: es8316: Do not set rate constraints for unsupported MCLKs (git-fixes).
- asoc: es8316: Increment max value for ALC Capture Target Volume control (git-fixes).
- asoc: imx-audmix: check return value of devm_kasprintf() (git-fixes).
- asoc: mediatek: mt8173: Fix irq error path (git-fixes).
- asoc: nau8824: Add quirk to active-high jack-detect (git-fixes).
- asoc: simple-card: Add missing of_node_put() in case of error (git-fixes).
- bus: fsl-mc: fsl-mc-allocator: Drop a write-only variable (git-fixes).
- bus: ti-sysc: Fix dispc quirk masking bool variables (git-fixes).
- can: isotp: isotp_sendmsg(): fix return error fix on TX path (git-fixes).
- can: kvaser_pciefd: Remove handler for unused KVASER_PCIEFD_PACK_TYPE_EFRAME_ACK (git-fixes).
- can: kvaser_pciefd: Remove useless write to interrupt register (git-fixes).
- can: length: fix bitstuffing count (git-fixes).
- can: length: fix description of the RRS field (git-fixes).
- can: length: make header self contained (git-fixes).
- clk: Fix memory leak in devm_clk_notifier_register() (git-fixes).
- clk: cdce925: check return value of kasprintf() (git-fixes).
- clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe (git-fixes).
- clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe() (git-fixes).
- clk: imx: scu: use _safe list iterator to avoid a use after free (git-fixes).
- clk: keystone: sci-clk: check return value of kasprintf() (git-fixes).
- clk: samsung: Add Exynos4212 compatible to CLKOUT driver (git-fixes).
- clk: si5341: check return value of {devm_}kasprintf() (git-fixes).
- clk: si5341: free unused memory on probe failure (git-fixes).
- clk: si5341: return error if one synth clock registration fails (git-fixes).
- clk: tegra: tegra124-emc: Fix potential memory leak (git-fixes).
- clk: ti: clkctrl: check return value of kasprintf() (git-fixes).
- clk: vc5: check memory returned by kasprintf() (git-fixes).
- clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe (git-fixes).
- crypto: marvell/cesa - Fix type mismatch warning (git-fixes).
- crypto: nx - fix build warnings when DEBUG_FS is not enabled (git-fixes).
- drivers: meson: secure-pwrc: always enable DMA domain (git-fixes).
- drm/amd/display: Add logging for display MALL refresh setting (git-fixes).
- drm/amd/display: Add minimal pipe split transition state (git-fixes).
- drm/amd/display: Add wrapper to call planes and stream update (git-fixes).
- drm/amd/display: Explicitly specify update type per plane info change (git-fixes).
- drm/amd/display: Fix artifacting on eDP panels when engaging freesync video mode (git-fixes).
- drm/amd/display: Use dc_update_planes_and_stream (git-fixes).
- drm/amd/display: drop redundant memset() in get_available_dsc_slices() (git-fixes).
- drm/amd/display: fix the system hang while disable PSR (git-fixes).
- drm/amdkfd: Fix potential deallocation of previously deallocated memory (git-fixes).
- drm/bridge: tc358768: always enable HS video mode (git-fixes).
- drm/bridge: tc358768: fix PLL parameters computation (git-fixes).
- drm/bridge: tc358768: fix PLL target frequency (git-fixes).
- drm/bridge: tc358768: fix TCLK_ZEROCNT computation (git-fixes).
- drm/bridge: tc358768: fix TXTAGOCNT computation (git-fixes).
- drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl (git-fixes).
- drm/exynos: vidi: fix a wrong error return (git-fixes).
- drm/i915/gvt: remove unused variable gma_bottom in command parser (git-fixes).
- drm/msm/adreno: fix sparse warnings in a6xx code (git-fixes).
- drm/msm/dp: Free resources after unregistering them (git-fixes).
- drm/msm/dpu: correct MERGE_3D length (git-fixes).
- drm/msm/dpu: do not enable color-management if DSPPs are not available (git-fixes).
- drm/msm/dsi: do not allow enabling 14nm VCO with unprogrammed rate (git-fixes).
- drm/panel: sharp-ls043t1le01: adjust mode settings (git-fixes).
- drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H (git-fixes).
- drm/radeon: fix possible division-by-zero errors (git-fixes).
- drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl (git-fixes).
- drm/rockchip: vop: Leave vblank enabled in self-refresh (git-fixes).
- drm/vram-helper: fix function names in vram helper doc (git-fixes).
- drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` (git-fixes).
- elf: correct note name comment (git-fixes).
- extcon: Fix kernel doc of property capability fields to avoid warnings (git-fixes).
- extcon: Fix kernel doc of property fields to avoid warnings (git-fixes).
- extcon: usbc-tusb320: Add USB TYPE-C support (git-fixes).
- extcon: usbc-tusb320: Call the Type-C IRQ handler only if a port is registered (git-fixes).
- extcon: usbc-tusb320: Unregister typec port on driver removal (git-fixes).
- extcon: usbc-tusb320: Update state on probe even if no IRQ pending (git-fixes).
- fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe() (git-fixes).
- firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() (git-fixes).
- hid: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651 (git-fixes).
- hid: wacom: Add error check to wacom_parse_and_register() (git-fixes).
- hwmon: (gsc-hwmon) fix fan pwm temperature scaling (git-fixes).
- hwrng: imx-rngc - fix the timeout for init and self check (git-fixes).
- hwrng: st - keep clock enabled while hwrng is registered (git-fixes).
- i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle (git-fixes).
- i2c: qup: Add missing unwind goto in qup_i2c_probe() (git-fixes).
- ib/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate (git-fixes)
- ib/isert: Fix dead lock in ib_isert (git-fixes)
- ib/isert: Fix incorrect release of isert connection (git-fixes)
- ib/isert: Fix possible list corruption in CMA handler (git-fixes)
- ib/uverbs: Fix to consider event queue closing also upon non-blocking mode (git-fixes)
- ibmvnic: Do not reset dql stats on NON_FATAL err (bsc#1212603 ltc#202604).
- ice, xsk: Diversify return values from xsk_wakeup call paths (git-fixes).
- ice: Do not double unplug aux on peer initiated reset (git-fixes).
- ice: Do not use WQ_MEM_RECLAIM flag for workqueue (git-fixes).
- ice: Fix DSCP PFC TLV creation (git-fixes).
- ice: Fix XDP memory leak when NIC is brought up and down (git-fixes).
- ice: Fix ice_xdp_xmit() when XDP TX queue number is not sufficient (git-fixes).
- ice: Fix memory corruption in VF driver (git-fixes).
- ice: Ignore EEXIST when setting promisc mode (git-fixes).
- ice: Prevent set_channel from changing queues while RDMA active (git-fixes).
- ice: Reset FDIR counter in FDIR init stage (git-fixes).
- ice: add profile conflict check for AVF FDIR (git-fixes).
- ice: block LAN in case of VF to VF offload (git-fixes).
- ice: config netdev tc before setting queues number (git-fixes).
- ice: copy last block omitted in ice_get_module_eeprom() (git-fixes).
- ice: ethtool: Prohibit improper channel config for DCB (git-fixes).
- ice: ethtool: advertise 1000M speeds properly (git-fixes).
- ice: fix invalid check for empty list in ice_sched_assoc_vsi_to_agg() (git-fixes).
- ice: fix wrong fallback logic for FDIR (git-fixes).
- ice: handle E822 generic device ID in PLDM header (git-fixes).
- ice: switch: fix potential memleak in ice_add_adv_recipe() (git-fixes).
- ice: use bitmap_free instead of devm_kfree (git-fixes).
- ice: xsk: use Rx ring's XDP ring when picking NAPI context (git-fixes).
- ieee802154: hwsim: Fix possible memory leaks (git-fixes).
- ifcvf/vDPA: fix misuse virtio-net device config size for blk dev (jsc#SLE-19253).
- iio: accel: fxls8962af: errata bug only applicable for FXLS8962AF (git-fixes).
- iio: accel: fxls8962af: fixup buffer scan element type (git-fixes).
- iio: adc: ad7192: Fix internal/external clock selection (git-fixes).
- iio: adc: ad7192: Fix null ad7192_state pointer access (git-fixes).
- input: adxl34x - do not hardcode interrupt trigger type (git-fixes).
- input: drv260x - fix typo in register value define (git-fixes).
- input: drv260x - remove unused .reg_defaults (git-fixes).
- input: drv260x - sleep between polling GO bit (git-fixes).
- input: soc_button_array - add invalid acpi_index DMI quirk handling (git-fixes).
- integrity: Fix possible multiple allocation in integrity_inode_get() (git-fixes).
- irqchip/clps711x: Remove unused clps711x_intc_init() function (git-fixes).
- irqchip/ftintc010: Mark all function static (git-fixes).
- irqchip/jcore-aic: Fix missing allocation of IRQ descriptors (git-fixes).
- kernel-docs: Use python3 together with python3-Sphinx (bsc#1212741).
- mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 (git-fixes).
- media: cec: core: do not set last_initiator if tx in progress (git-fixes).
- memory: brcmstb_dpfe: fix testing array offset after use (git-fixes).
- meson saradc: fix clock divider mask length (git-fixes).
- mfd: intel-lpss: Add missing check for platform_get_resource (git-fixes).
- mfd: pm8008: Fix module autoloading (git-fixes).
- mfd: rt5033: Drop rt5033-battery sub-device (git-fixes).
- mfd: stmfx: Fix error path in stmfx_chip_init (git-fixes).
- mfd: stmfx: Nullify stmfx->vdd in case of error (git-fixes).
- mfd: stmpe: Only disable the regulators if they are enabled (git-fixes).
- misc: fastrpc: Create fastrpc scalar with correct buffer count (git-fixes).
- misc: pci_endpoint_test: Free IRQs before removing the device (git-fixes).
- misc: pci_endpoint_test: Re-init completion for every test (git-fixes).
- mlx5: do not use RT_TOS for IPv6 flowlabel (jsc#SLE-19253).
- mmc: bcm2835: fix deferred probing (git-fixes).
- mmc: meson-gx: remove redundant mmc_request_done() call from irq context (git-fixes).
- mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS (git-fixes).
- mmc: mmci: stm32: fix max busy timeout calculation (git-fixes).
- mmc: mtk-sd: fix deferred probing (git-fixes).
- mmc: mvsdio: fix deferred probing (git-fixes).
- mmc: omap: fix deferred probing (git-fixes).
- mmc: omap_hsmmc: fix deferred probing (git-fixes).
- mmc: owl: fix deferred probing (git-fixes).
- mmc: sdhci-acpi: fix deferred probing (git-fixes).
- mmc: sdhci-msm: Disable broken 64-bit DMA on MSM8916 (git-fixes).
- mmc: sdhci-spear: fix deferred probing (git-fixes).
- mmc: sh_mmcif: fix deferred probing (git-fixes).
- mmc: sunxi: fix deferred probing (git-fixes).
- mmc: usdhi60rol0: fix deferred probing (git-fixes).
- mtd: rawnand: meson: fix unaligned DMA buffers handling (git-fixes).
- net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path (jsc#SLE-19253).
- net/mlx5: Allow async trigger completion execution on single CPU systems (jsc#SLE-19253).
- net/mlx5: Allow future addition of IPsec object modifiers (jsc#SLE-19253).
- net/mlx5: Avoid false positive lockdep warning by adding lock_class_key (jsc#SLE-19253).
- net/mlx5: Avoid recovery in probe flows (jsc#SLE-19253).
- net/mlx5: Bridge, fix ageing of peer FDB entries (jsc#SLE-19253).
- net/mlx5: Bridge, verify LAG state when adding bond to bridge (jsc#SLE-19253).
- net/mlx5: DR, Check force-loopback RC QP capability independently from RoCE (jsc#SLE-19253).
- net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs (jsc#SLE-19253).
- net/mlx5: DR, Fix missing flow_source when creating multi-destination FW table (jsc#SLE-19253).
- net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device (jsc#SLE-19253).
- net/mlx5: Do not advertise IPsec netdev support for non-IPsec device (jsc#SLE-19253).
- net/mlx5: Do not use already freed action pointer (jsc#SLE-19253).
- net/mlx5: E-Switch, Fix an Oops in error handling code (jsc#SLE-19253).
- net/mlx5: E-Switch, properly handle ingress tagged packets on VST (jsc#SLE-19253).
- net/mlx5: E-switch, Create per vport table based on devlink encap mode (jsc#SLE-19253).
- net/mlx5: E-switch, Do not destroy indirect table in split rule (jsc#SLE-19253).
- net/mlx5: E-switch, Fix missing set of split_count when forward to ovs internal port (jsc#SLE-19253).
- net/mlx5: E-switch, Fix setting of reserved fields on MODIFY_SCHEDULING_ELEMENT (jsc#SLE-19253).
- net/mlx5: Enhance debug print in page allocation failure (jsc#SLE-19253).
- net/mlx5: Fix FW tracer timestamp calculation (jsc#SLE-19253).
- net/mlx5: Fix RoCE setting at HCA level (jsc#SLE-19253).
- net/mlx5: Fix crash during sync firmware reset (jsc#SLE-19253).
- net/mlx5: Fix error message when failing to allocate device memory (jsc#SLE-19253).
- net/mlx5: Fix handling of entry refcount when command is not issued to FW (jsc#SLE-19253).
- net/mlx5: Fix possible use-after-free in async command interface (jsc#SLE-19253).
- net/mlx5: Fix ptp max frequency adjustment range (jsc#SLE-19253).
- net/mlx5: Fix steering rules cleanup (jsc#SLE-19253).
- net/mlx5: Fix uninitialized variable bug in outlen_write() (jsc#SLE-19253).
- net/mlx5: Geneve, Fix handling of Geneve object id as error code (jsc#SLE-19253).
- net/mlx5: Initialize flow steering during driver probe (jsc#SLE-19253).
- net/mlx5: Read embedded cpu after init bit cleared (jsc#SLE-19253).
- net/mlx5: Read the TC mapping of all priorities on ETS query (jsc#SLE-19253).
- net/mlx5: Rearm the FW tracer after each tracer event (jsc#SLE-19253).
- net/mlx5: SF, Drain health before removing device (jsc#SLE-19253).
- net/mlx5: SF: Fix probing active SFs during driver probe phase (jsc#SLE-19253).
- net/mlx5: Serialize module cleanup with reload and remove (jsc#SLE-19253).
- net/mlx5: Wait for firmware to enable CRS before pci_restore_state (jsc#SLE-19253).
- net/mlx5: add IFC bits for bypassing port select flow table (git-fixes)
- net/mlx5: check attr pointer validity before dereferencing it (jsc#SLE-19253).
- net/mlx5: correct ECE offset in query qp output (jsc#SLE-19253).
- net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work() (jsc#SLE-19253).
- net/mlx5: fs, fail conflicting actions (jsc#SLE-19253).
- net/mlx5: fw_tracer, Clear load bit when freeing string DBs buffers (jsc#SLE-19253).
- net/mlx5: fw_tracer, Fix event handling (jsc#SLE-19253).
- net/mlx5: fw_tracer, Zero consumer index when reloading the tracer (jsc#SLE-19253).
- net/mlx5e: Always clear dest encap in neigh-update-del (jsc#SLE-19253).
- net/mlx5e: Avoid false lock dependency warning on tc_ht even more (jsc#SLE-19253).
- net/mlx5e: Block entering switchdev mode with ns inconsistency (jsc#SLE-19253).
- net/mlx5e: Do not attach netdev profile while handling internal error (jsc#SLE-19253).
- net/mlx5e: Do not increment ESN when updating IPsec ESN state (jsc#SLE-19253).
- net/mlx5e: Do not support encap rules with gbp option (jsc#SLE-19253).
- net/mlx5e: E-Switch, Fix comparing termination table instance (jsc#SLE-19253).
- net/mlx5e: Extend SKB room check to include PTP-SQ (jsc#SLE-19253).
- net/mlx5e: Fix MPLSoUDP encap to use MPLS action information (jsc#SLE-19253).
- net/mlx5e: Fix SQ wake logic in ptp napi_poll context (jsc#SLE-19253).
- net/mlx5e: Fix capability check for updating vnic env counters (jsc#SLE-19253).
- net/mlx5e: Fix error handling in mlx5e_refresh_tirs (jsc#SLE-19253).
- net/mlx5e: Fix hw mtu initializing at XDP SQ allocation (jsc#SLE-19253).
- net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS (jsc#SLE-19253).
- net/mlx5e: Fix use-after-free when reverting termination table (jsc#SLE-19253).
- net/mlx5e: Fix wrong application of the LRO state (jsc#SLE-19253).
- net/mlx5e: Fix wrong tc flag used when set hw-tc-offload off (jsc#SLE-19253).
- net/mlx5e: IPoIB, Do not allow CQE compression to be turned on by default (jsc#SLE-19253).
- net/mlx5e: IPoIB, Show unknown speed instead of error (jsc#SLE-19253).
- net/mlx5e: Modify slow path rules to go to slow fdb (jsc#SLE-19253).
- net/mlx5e: QoS, Fix wrongfully setting parent_element_id on MODIFY_SCHEDULING_ELEMENT (jsc#SLE-19253).
- net/mlx5e: Set uplink rep as NETNS_LOCAL (jsc#SLE-19253).
- net/mlx5e: TC, Fix ct_clear overwriting ct action metadata (jsc#SLE-19253).
- net/mlx5e: Update rx ring hw mtu upon each rx-fcs flag change (jsc#SLE-19253).
- net/mlx5e: Verify flow_source cap before using it (jsc#SLE-19253).
- net/mlx5e: do as little as possible in napi poll when budget is 0 (jsc#SLE-19253).
- net/mlx5e: kTLS, Fix build time constant test in RX (jsc#SLE-19253).
- net/mlx5e: kTLS, Fix build time constant test in TX (jsc#SLE-19253).
- net: mlx5: eliminate anonymous module_init & module_exit (jsc#SLE-19253).
- nfcsim.c: Fix error checking for debugfs_create_dir (git-fixes).
- nilfs2: fix buffer corruption due to concurrent device reads (git-fixes).
- nvme-core: fix dev_pm_qos memleak (git-fixes).
- nvme-core: fix memory leak in dhchap_ctrl_secret (git-fixes).
- nvme-core: fix memory leak in dhchap_secret_store (git-fixes).
- nvme-pci: add quirk for missing secondary temperature thresholds (git-fixes).
- nvme: double KA polling frequency to avoid KATO with TBKAS on (git-fixes).
- ocfs2: fix defrag path triggering jbd2 ASSERT (git-fixes).
- ocfs2: fix freeing uninitialized resource on ocfs2_dlm_shutdown (git-fixes).
- ocfs2: fix non-auto defrag path not working issue (git-fixes).
- pci/aspm: Disable ASPM on MFD function removal to avoid use-after-free (git-fixes).
- pci: Add pci_clear_master() stub for non-CONFIG_PCI (git-fixes).
- pci: Release resource invalidated by coalescing (git-fixes).
- pci: cadence: Fix Gen2 Link Retraining process (git-fixes).
- pci: endpoint: Add missing documentation about the MSI/MSI-X range (git-fixes).
- pci: ftpci100: Release the clock resources (git-fixes).
- pci: pciehp: Cancel bringup sequence if card is not present (git-fixes).
- pci: qcom: Disable write access to read only registers for IP v2.3.3 (git-fixes).
- pci: rockchip: Add poll and timeout to wait for PHY PLLs to be locked (git-fixes).
- pci: rockchip: Assert PCI Configuration Enable bit after probe (git-fixes).
- pci: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core (git-fixes).
- pci: rockchip: Set address alignment for endpoint mode (git-fixes).
- pci: rockchip: Use u32 variable to access 32-bit registers (git-fixes).
- pci: rockchip: Write PCI Device ID to correct register (git-fixes).
- pci: vmd: Reset VMD config register between soft reboots (git-fixes).
- pinctrl: at91-pio4: check return value of devm_kasprintf() (git-fixes).
- pinctrl: cherryview: Return correct value if pin in push-pull mode (git-fixes).
- pinctrl: microchip-sgpio: check return value of devm_kasprintf() (git-fixes).
- platform/x86: think-lmi: Correct NVME password handling (git-fixes).
- platform/x86: think-lmi: Correct System password interface (git-fixes).
- platform/x86: think-lmi: mutex protection around multiple WMI calls (git-fixes).
- platform/x86: thinkpad_acpi: Fix lkp-tests warnings for platform profiles (git-fixes).
- pm: domains: fix integer overflow issues in genpd_parse_state() (git-fixes).
- powerpc/64s/radix: Fix exit lazy tlb mm switch with irqs enabled (bsc#1194869).
- powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall (bsc#1194869 bsc#1212701).
- powerpc/set_memory: Avoid spinlock recursion in change_page_attr() (bsc#1194869).
- pstore/ram: Add check for kstrdup (git-fixes).
- radeon: avoid double free in ci_dpm_init() (git-fixes).
- rdma/bnxt_re: Avoid calling wake_up threads from spin_lock context (git-fixes)
- rdma/bnxt_re: Disable/kill tasklet only if it is enabled (git-fixes)
- rdma/bnxt_re: Fix to remove an unnecessary log (git-fixes)
- rdma/bnxt_re: Fix to remove unnecessary return labels (git-fixes)
- rdma/bnxt_re: Remove a redundant check inside bnxt_re_update_gid (git-fixes)
- rdma/bnxt_re: Remove unnecessary checks (git-fixes)
- rdma/bnxt_re: Return directly without goto jumps (git-fixes)
- rdma/bnxt_re: Use unique names while registering interrupts (git-fixes)
- rdma/bnxt_re: wraparound mbox producer index (git-fixes)
- rdma/cma: Always set static rate to 0 for RoCE (git-fixes)
- rdma/hns: Fix hns_roce_table_get return value (git-fixes)
- rdma/irdma: avoid fortify-string warning in irdma_clr_wqes (git-fixes)
- rdma/mlx5: Do not set tx affinity when lag is in hash mode (git-fixes)
- rdma/mlx5: Fix affinity assignment (git-fixes)
- rdma/mlx5: Initiate dropless RQ for RAW Ethernet functions (git-fixes)
- rdma/mlx5: Rely on RoCE fw cap instead of devlink when setting profile (jsc#SLE-19253).
- rdma/rtrs: Fix rxe_dealloc_pd warning (git-fixes)
- rdma/rtrs: Fix the last iu->buf leak in err path (git-fixes)
- rdma/rxe: Fix packet length checks (git-fixes)
- rdma/rxe: Fix ref count error in check_rkey() (git-fixes)
- rdma/rxe: Fix rxe_cq_post (git-fixes)
- rdma/rxe: Fix the use-before-initialization error of resp_pkts (git-fixes)
- rdma/rxe: Remove dangling declaration of rxe_cq_disable() (git-fixes)
- rdma/rxe: Remove the unused variable obj (git-fixes)
- rdma/rxe: Removed unused name from rxe_task struct (git-fixes)
- rdma/uverbs: Restrict usage of privileged QKEYs (git-fixes)
- rdma/vmw_pvrdma: Remove unnecessary check on wr->opcode (git-fixes)
- regulator: core: Fix more error checking for debugfs_create_dir() (git-fixes).
- regulator: core: Streamline debugfs operations (git-fixes).
- regulator: helper: Document ramp_delay parameter of regulator_set_ramp_delay_regmap() (git-fixes).
- rpm/check-for-config-changes: ignore also PAHOLE_HAS_* We now also have options like CONFIG_PAHOLE_HAS_LANG_EXCLUDE.
- rtc: st-lpc: Release some resources in st_rtc_probe() in case of error (git-fixes).
- s390/gmap: voluntarily schedule during key setting (git-fixes bsc#1212892).
- s390/pkey: zeroize key blobs (git-fixes bsc#1212619).
- serial: 8250: lock port for UART_IER access in omap8250_irq() (git-fixes).
- serial: 8250: lock port for stop_rx() in omap8250_irq() (git-fixes).
- serial: 8250: omap: Fix freeing of resources on failed register (git-fixes).
- serial: 8250_omap: Use force_suspend and resume for system suspend (git-fixes).
- serial: atmel: do not enable IRQs prematurely (git-fixes).
- signal/s390: Use force_sigsegv in default_trap_handler (git-fixes bsc#1212861).
- soc/fsl/qe: fix usb.c build errors (git-fixes).
- soc: samsung: exynos-pmu: Re-introduce Exynos4212 support (git-fixes).
- soundwire: dmi-quirks: add new mapping for HP Spectre x360 (git-fixes).
- spi: dw: Round of n_bytes to power of 2 (git-fixes).
- spi: lpspi: disable lpspi module irq in DMA mode (git-fixes).
- spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG (git-fixes).
- test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation (git-fixes).
- thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe() (git-fixes).
- tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode() (git-fixes).
- tty: serial: imx: fix rs485 rx after tx (git-fixes).
- tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error (git-fixes).
- tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk (git-fixes).
- usb: dwc3-meson-g12a: Fix an error handling path in dwc3_meson_g12a_probe() (git-fixes).
- usb: dwc3: gadget: Propagate core init errors to UDC during pullup (git-fixes).
- usb: dwc3: qcom: Fix an error handling path in dwc3_qcom_probe() (git-fixes).
- usb: dwc3: qcom: Fix potential memory leak (git-fixes).
- usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove() (git-fixes).
- usb: gadget: u_serial: Add null pointer check in gserial_suspend (git-fixes).
- usb: gadget: udc: fix NULL dereference in remove() (git-fixes).
- usb: hide unused usbfs_notify_suspend/resume functions (git-fixes).
- usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() (git-fixes).
- usb: xhci: Remove unused udev from xhci_log_ctx trace event (git-fixes).
- usrmerge: Adjust module path in the kernel sources (bsc#1212835). 
- vdpa/mlx5: Directly assign memory key (jsc#SLE-19253).
- vdpa/mlx5: Do not clear mr struct on destroy MR (jsc#SLE-19253).
- vdpa/mlx5: Fix wrong configuration of virtio_version_1_0 (jsc#SLE-19253).
- vdpa: Fix error logic in vdpa_nl_cmd_dev_get_doit (jsc#SLE-19253).
- vhost_vdpa: support PACKED when setting-getting vring_base (jsc#SLE-19253).
- w1: fix loop in w1_fini() (git-fixes).
- w1: w1_therm: fix locking behavior in convert_t (git-fixes).
- wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() (git-fixes).
- wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx (git-fixes).
- wifi: ath9k: convert msecs to jiffies where needed (git-fixes).
- wifi: ath9k: do not allow to overwrite ENDPOINT0 attributes (git-fixes).
- wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation (git-fixes).
- wifi: atmel: Fix an error handling path in atmel_probe() (git-fixes).
- wifi: cfg80211: rewrite merging of inherited elements (git-fixes).
- wifi: iwlwifi: mvm: indicate HW decrypt for beacon protection (git-fixes).
- wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler() (git-fixes).
- wifi: iwlwifi: pull from TXQs with softirqs disabled (git-fixes).
- wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan() (git-fixes).
- wifi: orinoco: Fix an error handling path in orinoco_cs_probe() (git-fixes).
- wifi: orinoco: Fix an error handling path in spectrum_cs_probe() (git-fixes).
- wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled (git-fixes).
- wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown (git-fixes).
- wifi: wilc1000: fix for absent RSN capabilities WFA testcase (git-fixes).
- writeback: fix dereferencing NULL mapping->host on writeback_page_template (git-fixes).
- x86/build: Avoid relocation information in final vmlinux (bsc#1187829).
- x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range (git-fixes).
- x86/mm: Fix RESERVE_BRK() for older binutils (git-fixes).
- x86/mm: Fix use of uninitialized buffer in sme_enable() (git-fixes).
- x86/sgx: Fix race between reclaimer and page fault handler (git-fixes).
- x86/sgx: Mark PCMD page as dirty when modifying contents (git-fixes).
- x86/xen: fix secondary processor fpu initialization (bsc#1212869).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2869-1
Released:    Tue Jul 18 11:39:26 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1206346

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2989-1
Released:    Wed Jul 26 16:33:56 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1208737,1209307
This update for conmon fixes the following issues:

  conmon was updated to version 2.1.7:

  - Bumped go version to 1.19 (bsc#1209307).

  Bugfixes:

  - Fixed leaking symbolic links in the opt_socket_path directory.
  - Fixed cgroup oom issues (bsc#1208737).
  - Fixed OOM watcher for cgroupv2 `oom_kill` events.



-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3318-1
Released:    Tue Aug 15 10:34:18 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1150305,1193629,1194869,1206418,1207129,1207894,1208788,1210565,1210584,1210627,1210780,1210853,1211131,1211243,1211738,1211811,1211867,1212301,1212502,1212604,1212846,1212901,1212905,1213010,1213011,1213012,1213013,1213014,1213015,1213016,1213017,1213018,1213019,1213020,1213021,1213024,1213025,1213032,1213034,1213035,1213036,1213037,1213038,1213039,1213040,1213041,1213059,1213061,1213087,1213088,1213089,1213090,1213092,1213093,1213094,1213095,1213096,1213098,1213099,1213100,1213102,1213103,1213104,1213105,1213106,1213107,1213108,1213109,1213110,1213111,1213112,1213113,1213114,1213134,1213167,1213245,1213247,1213252,1213258,1213259,1213263,1213264,1213272,1213286,1213287,1213304,1213523,1213524,1213543,1213585,1213586,1213588,1213620,1213653,1213705,1213713,1213715,1213747,1213756,1213759,1213777,1213810,1213812,1213856,1213857,1213863,1213867,1213870,1213871,CVE-2022-40982,CVE-2023-0459,CVE-2023-20569,CVE-2023-20593,CVE-2023-21400,CVE-2023-2156,CVE-2023-2166,CVE-2023-29
 85,CVE-2023-31083,CVE-2023-3117,CVE-2023-31248,CVE-2023-3268,CVE-2023-3390,CVE-2023-35001,CVE-2023-3567,CVE-2023-3609,CVE-2023-3611,CVE-2023-3776,CVE-2023-3812,CVE-2023-4004


The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling' (bsc#1206418).
- CVE-2023-0459: Fixed information leak in __uaccess_begin_nospec (bsc#1211738).
- CVE-2023-20569: Fixed side channel attack ???Inception??? or ???RAS Poisoning??? (bsc#1213287).
- CVE-2023-20593: Fixed a ZenBleed issue in 'Zen 2' CPUs that could allow an attacker to potentially access sensitive information (bsc#1213286).
- CVE-2023-21400: Fixed several memory corruptions due to improper locking in io_uring (bsc#1213272).
- CVE-2023-2156: Fixed a flaw in the networking subsystem within the handling of the RPL protocol (bsc#1211131).
- CVE-2023-2166: Fixed NULL pointer dereference in can_rcv_filter (bsc#1210627).
- CVE-2023-2985: Fixed an use-after-free vulnerability in hfsplus_put_super in fs/hfsplus/super.c that could allow a local user to cause a denial of service (bsc#1211867).
- CVE-2023-31083: Fixed race condition in hci_uart_tty_ioctl (bsc#1210780).
- CVE-2023-3117: Fixed an use-after-free vulnerability in the netfilter subsystem when processing named and anonymous sets in batch requests that could allow a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system (bsc#1213245).
- CVE-2023-31248: Fixed an use-after-free vulnerability in nft_chain_lookup_byid that could allow a local attacker to escalate their privilege (bsc#1213061).
- CVE-2023-3268: Fixed an out of bounds memory access flaw in relay_file_read_start_pos in the relayfs (bsc#1212502).
- CVE-2023-3390: Fixed an use-after-free vulnerability in the netfilter subsystem in net/netfilter/nf_tables_api.c that could allow a local attacker with user access to cause a privilege escalation issue (bsc#1212846).
- CVE-2023-35001: Fixed an out-of-bounds memory access flaw in nft_byteorder that could allow a local attacker to escalate their privilege (bsc#1213059).
- CVE-2023-3567: Fixed a use-after-free in vcs_read in drivers/tty/vt/vc_screen.c (bsc#1213167).
- CVE-2023-3609: Fixed reference counter leak leading to  overflow in net/sched (bsc#1213586).
- CVE-2023-3611: Fixed an out-of-bounds write in net/sched sch_qfq(bsc#1213585).
- CVE-2023-3776: Fixed improper refcount update in  cls_fw leads to use-after-free (bsc#1213588).
- CVE-2023-3812: Fixed an out-of-bounds memory access flaw in the TUN/TAP device driver functionality that could allow a local user to crash or potentially escalate their privileges on the system (bsc#1213543).
- CVE-2023-4004: Fixed improper element removal netfilter nft_set_pipapo (bsc#1213812).

The following non-security bugs were fixed:

- acpi: utils: fix acpi_evaluate_dsm_typed() redefinition error (git-fixes).
- add module_firmware() for firmware_tg357766 (git-fixes).
- afs: adjust ack interpretation to try and cope with nat (git-fixes).
- afs: fix access after dec in put functions (git-fixes).
- afs: fix afs_getattr() to refetch file status if callback break occurred (git-fixes).
- afs: fix dynamic root getattr (git-fixes).
- afs: fix fileserver probe rtt handling (git-fixes).
- afs: fix infinite loop found by xfstest generic/676 (git-fixes).
- afs: fix lost servers_outstanding count (git-fixes).
- afs: fix server->active leak in afs_put_server (git-fixes).
- afs: fix setting of mtime when creating a file/dir/symlink (git-fixes).
- afs: fix updating of i_size with dv jump from server (git-fixes).
- afs: fix vlserver probe rtt handling (git-fixes).
- afs: return -eagain, not -eremoteio, when a file already locked (git-fixes).
- afs: use refcount_t rather than atomic_t (git-fixes).
- afs: use the operation issue time instead of the reply time for callbacks (git-fixes).
- alsa: emu10k1: roll up loops in dsp setup code for audigy (git-fixes).
- alsa: fireface: make read-only const array for model names static (git-fixes).
- alsa: hda/realtek - remove 3k pull low procedure (git-fixes).
- alsa: hda/realtek: add quirk for asus rog g614jx (git-fixes).
- alsa: hda/realtek: add quirk for asus rog ga402x (git-fixes).
- alsa: hda/realtek: add quirk for asus rog gx650p (git-fixes).
- alsa: hda/realtek: add quirk for asus rog gz301v (git-fixes).
- alsa: hda/realtek: add quirk for clevo npx0snx (git-fixes).
- alsa: hda/realtek: add quirk for clevo ns70au (git-fixes).
- alsa: hda/realtek: add quirks for unis h3c desktop b760 & q760 (git-fixes).
- alsa: hda/realtek: add support for dell oasis 13/14/16 laptops (git-fixes).
- alsa: hda/realtek: amend g634 quirk to enable rear speakers (git-fixes).
- alsa: hda/realtek: enable mute led on hp laptop 15s-eq2xxx (git-fixes).
- alsa: hda/realtek: fix generic fixup definition for cs35l41 amp (git-fixes).
- alsa: hda/realtek: support asus g713pv laptop (git-fixes).
- alsa: hda/realtek: whitespace fix (git-fixes).
- alsa: hda/relatek: enable mute led on hp 250 g8 (git-fixes).
- alsa: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() (git-fixes).
- alsa: oxfw: make read-only const array models static (git-fixes).
- alsa: pcm: fix potential data race at pcm memory allocation helpers (git-fixes).
- alsa: usb-audio: add quirk for microsoft modern wireless headset (bsc#1207129).
- alsa: usb-audio: update for native dsd support quirks (git-fixes).
- apparmor: fix missing error check for rhashtable_insert_fast (git-fixes).
- arm64/mm: mark private vm_fault_x defines as vm_fault_t (git-fixes)
- arm64: dts: microchip: sparx5: do not use psci on reference boards (git-fixes)
- arm64: vdso: pass (void *) to virt_to_page() (git-fixes)
- arm64: xor-neon: mark xor_arm64_neon_*() static (git-fixes)
- asoc: atmel: fix the 8k sample parameter in i2sc master (git-fixes).
- asoc: codecs: es8316: fix dmic config (git-fixes).
- asoc: codecs: wcd-mbhc-v2: fix resource leaks on component remove (git-fixes).
- asoc: codecs: wcd934x: fix resource leaks on component remove (git-fixes).
- asoc: codecs: wcd938x: fix codec initialisation race (git-fixes).
- asoc: codecs: wcd938x: fix db range for hphl and hphr (git-fixes).
- asoc: codecs: wcd938x: fix missing clsh ctrl error handling (git-fixes).
- asoc: codecs: wcd938x: fix soundwire initialisation race (git-fixes).
- asoc: da7219: check for failure reading aad irq events (git-fixes).
- asoc: da7219: flush pending aad irq when suspending (git-fixes).
- asoc: fsl_sai: disable bit clock with transmitter (git-fixes).
- asoc: fsl_spdif: silence output on stop (git-fixes).
- asoc: rt5682-sdw: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711-sdca: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: tegra: fix adx byte map (git-fixes).
- asoc: tegra: fix amx byte map (git-fixes).
- asoc: wm8904: fill the cache for wm8904_adc_test_0 register (git-fixes).
- ata: pata_ns87415: mark ns87560_tf_read static (git-fixes).
- block, bfq: fix division by zero error on zero wsum (bsc#1213653).
- block: fix a source code comment in include/uapi/linux/blkzoned.h (git-fixes).
- can: bcm: fix uaf in bcm_proc_show() (git-fixes).
- can: gs_usb: gs_can_close(): add missing set of can state to can_state_stopped (git-fixes).
- ceph: do not let check_caps skip sending responses for revoke msgs (bsc#1213856).
- cifs: add a warning when the in-flight count goes negative (bsc#1193629).
- cifs: address unused variable warning (bsc#1193629).
- cifs: do all necessary checks for credits within or before locking (bsc#1193629).
- cifs: fix lease break oops in xfstest generic/098 (bsc#1193629).
- cifs: fix max_credits implementation (bsc#1193629).
- cifs: fix session state check in reconnect to avoid use-after-free issue (bsc#1193629).
- cifs: fix session state check in smb2_find_smb_ses (bsc#1193629).
- cifs: fix session state transition to avoid use-after-free issue (bsc#1193629).
- cifs: fix sockaddr comparison in iface_cmp (bsc#1193629).
- cifs: fix status checks in cifs_tree_connect (bsc#1193629).
- cifs: log session id when a matching ses is not found (bsc#1193629).
- cifs: new dynamic tracepoint to track ses not found errors (bsc#1193629).
- cifs: prevent use-after-free by freeing the cfile later (bsc#1193629).
- cifs: print all credit counters in debugdata (bsc#1193629).
- cifs: print client_guid in debugdata (bsc#1193629).
- cifs: print more detail when invalidate_inode_mapping fails (bsc#1193629).
- cifs: print nosharesock value while dumping mount options (bsc#1193629).
- clk: qcom: camcc-sc7180: add parent dependency to all camera gdscs (git-fixes).
- clk: qcom: gcc-ipq6018: use floor ops for sdcc clocks (git-fixes).
- coda: avoid partial allocation of sig_inputargs (git-fixes).
- codel: fix kernel-doc notation warnings (git-fixes).
- crypto: kpp - add helper to set reqsize (git-fixes).
- crypto: qat - use helper to set reqsize (git-fixes).
- delete suse/memcg-drop-kmem-limit_in_bytes. drop the patch in order to fix bsc#1213705.
- devlink: fix kernel-doc notation warnings (git-fixes).
- dlm: fix missing lkb refcount handling (git-fixes).
- dlm: fix plock invalid read (git-fixes).
- docs: networking: update codeaurora references for rmnet (git-fixes).
- documentation: abi: sysfs-class-net-qmi: pass_through contact update (git-fixes).
- documentation: bonding: fix the doc of peer_notif_delay (git-fixes).
- documentation: devices.txt: reconcile serial/ucc_uart minor numers (git-fixes).
- documentation: timers: hrtimers: make hybrid union historical (git-fixes).
- drm/amd/display: correct `dmub_fw_version` macro (git-fixes).
- drm/amd/display: disable mpc split by default on special asic (git-fixes).
- drm/amd/display: keep phy active for dp displays on dcn31 (git-fixes).
- drm/amdgpu: avoid restore process run into dead loop (git-fixes).
- drm/amdgpu: fix clearing mappings for bos that are always valid in vm (git-fixes).
- drm/amdgpu: set vmbo destroy after pt bo is created (git-fixes).
- drm/amdgpu: validate vm ioctl flags (git-fixes).
- drm/atomic: allow vblank-enabled + self-refresh 'disable' (git-fixes).
- drm/atomic: fix potential use-after-free in nonblocking commits (git-fixes).
- drm/bridge: tc358768: add atomic_get_input_bus_fmts() implementation (git-fixes).
- drm/bridge: tc358768: fix tclk_trailcnt computation (git-fixes).
- drm/bridge: tc358768: fix ths_trailcnt computation (git-fixes).
- drm/bridge: tc358768: fix ths_zerocnt computation (git-fixes).
- drm/client: fix memory leak in drm_client_modeset_probe (git-fixes).
- drm/client: fix memory leak in drm_client_target_cloned (git-fixes).
- drm/i915/psr: use hw.adjusted mode when calculating io/fast wake times (git-fixes).
- drm/i915: fix one wrong caching mode enum usage (git-fixes).
- drm/msm/adreno: fix snapshot bindless_data size (git-fixes).
- drm/msm/disp/dpu: get timing engine status from intf status register (git-fixes).
- drm/msm/dpu: drop enum dpu_core_perf_data_bus_id (git-fixes).
- drm/msm/dpu: set dpu_data_hctl_en for in intf_sc7180_mask (git-fixes).
- drm/msm: fix is_err_or_null() vs null check in a5xx_submit_in_rb() (git-fixes).
- drm/panel: simple: add connector_type for innolux_at043tn24 (git-fixes).
- drm/panel: simple: add powertip ph800480t013 drm_display_mode flags (git-fixes).
- drm/radeon: fix integer overflow in radeon_cs_parser_init (git-fixes).
- drm/ttm: do not leak a resource on swapout move error (git-fixes).
- drop amdgpu patches for fixing regression (bsc#1213304,bsc#1213777)
- dt-bindings: phy: brcm,brcmstb-usb-phy: fix error in 'compatible' conditional schema (git-fixes).
- enable nxp snvs rtc driver for i.mx 8mq/8mp (jsc#PED-4758)
- ext4: add ea_inode checking to ext4_iget() (bsc#1213106).
- ext4: add ext4_sb_block_valid() refactored out of ext4_inode_block_valid() (bsc#1213088).
- ext4: add lockdep annotations for i_data_sem for ea_inode's (bsc#1213109).
- ext4: add strict range checks while freeing blocks (bsc#1213089).
- ext4: avoid deadlock in fs reclaim with page writeback (bsc#1213016).
- ext4: bail out of ext4_xattr_ibody_get() fails for any reason (bsc#1213018).
- ext4: block range must be validated before use in ext4_mb_clear_bb() (bsc#1213090).
- ext4: check iomap type only if ext4_iomap_begin() does not fail (bsc#1213103).
- ext4: disallow ea_inodes with extended attributes (bsc#1213108).
- ext4: fail ext4_iget if special inode unallocated (bsc#1213010).
- ext4: fix bug_on in __es_tree_search caused by bad quota inode (bsc#1213111).
- ext4: fix data races when using cached status extents (bsc#1213102).
- ext4: fix deadlock when converting an inline directory in nojournal mode (bsc#1213105).
- ext4: fix i_disksize exceeding i_size problem in paritally written case (bsc#1213015).
- ext4: fix lockdep warning when enabling mmp (bsc#1213100).
- ext4: fix reusing stale buffer heads from last failed mounting (bsc#1213020).
- ext4: fix task hung in ext4_xattr_delete_inode (bsc#1213096).
- ext4: fix to check return value of freeze_bdev() in ext4_shutdown() (bsc#1213021).
- ext4: fix use-after-free read in ext4_find_extent for bigalloc + inline (bsc#1213098).
- ext4: fix warning in ext4_update_inline_data (bsc#1213012).
- ext4: fix warning in mb_find_extent (bsc#1213099).
- ext4: improve error handling from ext4_dirhash() (bsc#1213104).
- ext4: improve error recovery code paths in __ext4_remount() (bsc#1213017).
- ext4: move where set the may_inline_data flag is set (bsc#1213011).
- ext4: only update i_reserved_data_blocks on successful block allocation (bsc#1213019).
- ext4: refactor ext4_free_blocks() to pull out ext4_mb_clear_bb() (bsc#1213087).
- ext4: refuse to create ea block when umounted (bsc#1213093).
- ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find() (bsc#1213107).
- ext4: turn quotas off if mount failed after enabling quotas (bsc#1213110).
- ext4: update s_journal_inum if it changes after journal replay (bsc#1213094).
- ext4: use ext4_fc_tl_mem in fast-commit replay path (bsc#1213092).
- ext4: zero i_disksize when initializing the bootloader inode (bsc#1213013).
- fbdev: au1200fb: fix missing irq check in au1200fb_drv_probe (git-fixes).
- fbdev: imxfb: warn about invalid left/right margin (git-fixes).
- file: always lock position for fmode_atomic_pos (bsc#1213759).
- fix documentation of panic_on_warn (git-fixes).
- fs: dlm: add midcomms init/start functions (git-fixes).
- fs: dlm: do not set stop rx flag after node reset (git-fixes).
- fs: dlm: filter user dlm messages for kernel locks (git-fixes).
- fs: dlm: fix log of lowcomms vs midcomms (git-fixes).
- fs: dlm: fix race between test_bit() and queue_work() (git-fixes).
- fs: dlm: fix race in lowcomms (git-fixes).
- fs: dlm: handle -ebusy first in lock arg validation (git-fixes).
- fs: dlm: move sending fin message into state change handling (git-fixes).
- fs: dlm: retry accept() until -eagain or error returns (git-fixes).
- fs: dlm: return positive pid value for f_getlk (git-fixes).
- fs: dlm: start midcomms before scand (git-fixes).
- fs: hfsplus: remove warn_on() from hfsplus_cat_{read,write}_inode() (git-fixes).
- fs: jfs: check for read-only mounted filesystem in txbegin (git-fixes).
- fs: jfs: fix null-ptr-deref read in txbegin (git-fixes).
- fs: jfs: fix ubsan: array-index-out-of-bounds in dballocdmaplev (git-fixes).
- fuse: ioctl: translate enosys in outarg (bsc#1213524).
- fuse: revalidate: do not invalidate if interrupted (bsc#1213523).
- gve: set default duplex configuration to full (git-fixes).
- gve: unify driver name usage (git-fixes).
- hvcs: fix hvcs port reference counting (bsc#1213134 ltc#202861).
- hvcs: get reference to tty in remove (bsc#1213134 ltc#202861).
- hvcs: synchronize hotplug remove with port free (bsc#1213134 ltc#202861).
- hvcs: use dev_groups to manage hvcs device attributes (bsc#1213134 ltc#202861).
- hvcs: use driver groups to manage driver attributes (bsc#1213134 ltc#202861).
- hvcs: use vhangup in hotplug remove (bsc#1213134 ltc#202861).
- hwmon: (adm1275) allow setting sample averaging (git-fixes).
- hwmon: (k10temp) enable amd3255 proc to show negative temperature (git-fixes).
- hwmon: (nct7802) fix for temp6 (peci1) processed even if peci1 disabled (git-fixes).
- hwmon: (pmbus/adm1275) fix problems with temperature monitoring on adm1272 (git-fixes).
- i2c: xiic: defer xiic_wakeup() and __xiic_start_xfer() in xiic_process() (git-fixes).
- i2c: xiic: do not try to handle more interrupt events after error (git-fixes).
- iavf: fix out-of-bounds when setting channels on remove (git-fixes).
- iavf: fix use-after-free in free_netdev (git-fixes).
- iavf: use internal state to free traffic irqs (git-fixes).
- ib/hfi1: use bitmap_zalloc() when applicable (git-fixes)
- igc: check if hardware tx timestamping is enabled earlier (git-fixes).
- igc: enable and fix rx hash usage by netstack (git-fixes).
- igc: fix inserting of empty frame for launchtime (git-fixes).
- igc: fix kernel panic during ndo_tx_timeout callback (git-fixes).
- igc: fix launchtime before start of cycle (git-fixes).
- igc: fix race condition in ptp tx code (git-fixes).
- igc: handle pps start time programming for past time values (git-fixes).
- igc: prevent garbled tx queue with xdp zerocopy (git-fixes).
- igc: remove delay during tx ring configuration (git-fixes).
- igc: set tp bit in 'supported' and 'advertising' fields of ethtool_link_ksettings (git-fixes).
- igc: work around hw bug causing missing timestamps (git-fixes).
- inotify: avoid reporting event with invalid wd (bsc#1213025).
- input: i8042 - add clevo pcx0dx to i8042 quirk table (git-fixes).
- input: iqs269a - do not poll during ati (git-fixes).
- input: iqs269a - do not poll during suspend or resume (git-fixes).
- jbd2: fix data missing when reusing bh which is ready to be checkpointed (bsc#1213095).
- jdb2: do not refuse invalidation of already invalidated buffers (bsc#1213014).
- jffs2: fix memory leak in jffs2_do_fill_super (git-fixes).
- jffs2: fix memory leak in jffs2_do_mount_fs (git-fixes).
- jffs2: fix memory leak in jffs2_scan_medium (git-fixes).
- jffs2: fix use-after-free in jffs2_clear_xattr_subsystem (git-fixes).
- jffs2: gc deadlock reading a page that is used in jffs2_write_begin() (git-fixes).
- jffs2: reduce stack usage in jffs2_build_xattr_subsystem() (git-fixes).
- jfs: jfs_dmap: validate db_l2nbperpage while mounting (git-fixes).
- kabi/severities: add vas symbols changed due to recent fix vas accelerators are directly tied to the architecture, there is no reason to have out-of-tree production drivers
- kabi: do not check external trampolines for signature (kabi bsc#1207894 bsc#1211243).
- kernel-binary.spec.in: remove superfluous %% in supplements fixes: 02b7735e0caf ('rpm/kernel-binary.spec.in: add enhances and supplements tags to in-tree kmps')
- kselftest: vdso: fix accumulation of uninitialized ret when clock_realtime is undefined (git-fixes).
- kvm: arm64: do not read a hw interrupt pending state in user context (git-fixes)
- kvm: arm64: warn if accessing timer pending state outside of vcpu (bsc#1213620)
- kvm: do not null dereference ops->destroy (git-fixes)
- kvm: downgrade two bug_ons to warn_on_once (git-fixes)
- kvm: initialize debugfs_dentry when a vm is created to avoid null (git-fixes)
- kvm: s390: pv: fix index value of replaced asce (git-fixes bsc#1213867).
- kvm: vmx: inject #gp on encls if vcpu has paging disabled (cr0.pg==0) (git-fixes).
- kvm: vmx: inject #gp, not #ud, if sgx2 encls leafs are unsupported (git-fixes).
- kvm: vmx: restore vmx_vmexit alignment (git-fixes).
- kvm: x86: account fastpath-only vm-exits in vcpu stats (git-fixes).
- leds: trigger: netdev: recheck netdev_led_mode_linkup on dev rename (git-fixes).
- libceph: harden msgr2.1 frame segment length checks (bsc#1213857).
- media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() (git-fixes).
- media: cec: i2c: ch7322: also select regmap (git-fixes).
- media: i2c: correct format propagation for st-mipid02 (git-fixes).
- media: staging: atomisp: select v4l2_fwnode (git-fixes).
- media: usb: check az6007_read() return value (git-fixes).
- media: usb: siano: fix warning due to null work_func_t function pointer (git-fixes).
- media: venus: helpers: fix align() of non power of two (git-fixes).
- media: videodev2.h: fix struct v4l2_input tuner index comment (git-fixes).
- memcg: drop kmem.limit_in_bytes (bsc#1208788, bsc#1212905).
- mmc: core: disable trim on kingston emmc04g-m627 (git-fixes).
- mmc: sdhci: fix dma configure compatibility issue when 64bit dma mode is used (git-fixes).
- net/sched: sch_qfq: refactor parsing of netlink parameters (bsc#1213585).
- net/sched: sch_qfq: reintroduce lmax bound check for mtu (bsc#1213585).
- net: ena: fix shift-out-of-bounds in exponential backoff (git-fixes).
- net: mana: add support for vlan tagging (bsc#1212301).
- net: mana: batch ringing rx queue doorbell on receiving packets (bsc#1212901).
- net: mana: use the correct wqe count for ringing rq doorbell (bsc#1212901).
- net: phy: marvell10g: fix 88x3310 power up (git-fixes).
- net: phy: prevent stale pointer dereference in phy_init() (git-fixes).
- nfsd: add encoding of op_recall flag for write delegation (git-fixes).
- nfsd: fix double fget() bug in __write_ports_addfd() (git-fixes).
- nfsd: fix sparse warning (git-fixes).
- nfsd: remove open coding of string copy (git-fixes).
- nfsv4.1: always send a reclaim_complete after establishing lease (git-fixes).
- nfsv4.1: freeze the session table upon receiving nfs4err_badsession (git-fixes).
- ntb: amd: fix error handling in amd_ntb_pci_driver_init() (git-fixes).
- ntb: idt: fix error handling in idt_pci_driver_init() (git-fixes).
- ntb: intel: fix error handling in intel_ntb_pci_driver_init() (git-fixes).
- ntb: ntb_tool: add check for devm_kcalloc (git-fixes).
- ntb: ntb_transport: fix possible memory leak while device_register() fails (git-fixes).
- nvme-multipath: support io stats on the mpath device (bsc#1210565).
- nvme-pci: fix dma direction of unmapping integrity data (git-fixes).
- nvme-pci: remove nvme_queue from nvme_iod (git-fixes).
- nvme: introduce nvme_start_request (bsc#1210565).
- ocfs2: check new file size on fallocate call (git-fixes).
- ocfs2: fix use-after-free when unmounting read-only filesystem (git-fixes).
- ocfs2: switch to security_inode_init_security() (git-fixes).
- octeontx-af: fix hardware timestamp configuration (git-fixes).
- octeontx2-af: move validation of ptp pointer before its usage (git-fixes).
- octeontx2-pf: add additional check for mcam rules (git-fixes).
- opp: fix use-after-free in lazy_opp_tables after probe deferral (git-fixes).
- pci/pm: avoid putting elopos e2/s2/h2 pcie ports in d3cold (git-fixes).
- pci: add function 1 dma alias quirk for marvell 88se9235 (git-fixes).
- phy: hisilicon: fix an out of bounds check in hisi_inno_phy_probe() (git-fixes).
- phy: revert 'phy: remove soc_exynos4212 dep. from phy_exynos4x12_usb' (git-fixes).
- phy: tegra: xusb: check return value of devm_kzalloc() (git-fixes).
- phy: tegra: xusb: clear the driver reference in usb-phy dev (git-fixes).
- pie: fix kernel-doc notation warning (git-fixes).
- pinctrl: amd: detect internal gpio0 debounce handling (git-fixes).
- pinctrl: amd: do not show `invalid config param` errors (git-fixes).
- pinctrl: amd: fix mistake in handling clearing pins at startup (git-fixes).
- pinctrl: amd: only use special debounce behavior for gpio 0 (git-fixes).
- pinctrl: amd: use amd_pinconf_set() for all config options (git-fixes).
- platform/x86: msi-laptop: fix rfkill out-of-sync on msi wind u100 (git-fixes).
- powerpc/64: only warn if __pa()/__va() called with bad addresses (bsc#1194869).
- powerpc/64s: fix vas mm use after free (bsc#1194869).
- powerpc/book3s64/mm: fix directmap stats in /proc/meminfo (bsc#1194869).
- powerpc/bpf: fix use of user_pt_regs in uapi (bsc#1194869).
- powerpc/ftrace: remove ftrace init tramp once kernel init is complete (bsc#1194869).
- powerpc/interrupt: do not read msr from interrupt_exit_kernel_prepare() (bsc#1194869).
- powerpc/mm/dax: fix the condition when checking if altmap vmemap can cross-boundary (bsc#1150305 ltc#176097 git-fixes).
- powerpc/mm: switch obsolete dssall to .long (bsc#1194869).
- powerpc/powernv/sriov: perform null check on iov before dereferencing iov (bsc#1194869).
- powerpc/powernv/vas: assign real address to rx_fifo in vas_rx_win_attr (bsc#1194869).
- powerpc/prom_init: fix kernel config grep (bsc#1194869).
- powerpc/secvar: fix refcount leak in format_show() (bsc#1194869).
- powerpc/xics: fix refcount leak in icp_opal_init() (bsc#1194869).
- powerpc: clean vdso32 and vdso64 directories (bsc#1194869).
- powerpc: define get_cycles macro for arch-override (bsc#1194869).
- powerpc: update ppc_save_regs to save current r1 in pt_regs (bsc#1194869).
- pwm: ab8500: fix error code in probe() (git-fixes).
- pwm: imx-tpm: force 'real_period' to be zero in suspend (git-fixes).
- pwm: sysfs: do not apply state to already disabled pwms (git-fixes).
- rdma/bnxt_re: fix hang during driver unload (git-fixes)
- rdma/bnxt_re: prevent handling any completions after qp destroy (git-fixes)
- rdma/core: update cma destination address on rdma_resolve_addr (git-fixes)
- rdma/irdma: add missing read barriers (git-fixes)
- rdma/irdma: fix data race on cqp completion stats (git-fixes)
- rdma/irdma: fix data race on cqp request done (git-fixes)
- rdma/irdma: fix op_type reporting in cqes (git-fixes)
- rdma/irdma: report correct wc error (git-fixes)
- rdma/mlx4: make check for invalid flags stricter (git-fixes)
- rdma/mthca: fix crash when polling cq for shared qps (git-fixes)
- rdma/rxe: fix access checks in rxe_check_bind_mw (git-fixes)
- regmap: account for register length in smbus i/o limits (git-fixes).
- regmap: drop initial version of maximum transfer length fixes (git-fixes).
- revert 'arm64: dts: zynqmp: add address-cells property to interrupt (git-fixes)
- revert 'debugfs, coccinelle: check for obsolete define_simple_attribute() usage' (git-fixes).
- revert 'drm/amd/display: edp do not add non-edid timings' (git-fixes).
- revert 'nfsv4: retry lock on old_stateid during delegation return' (git-fixes).
- revert 'usb: dwc3: core: enable autoretry feature in the controller' (git-fixes).
- revert 'usb: gadget: tegra-xudc: fix error check in tegra_xudc_powerdomain_init()' (git-fixes).
- revert 'usb: xhci: tegra: fix error check' (git-fixes).
- revert 'xhci: add quirk for host controllers that do not update endpoint dcs' (git-fixes).
- rpm/check-for-config-changes: ignore also riscv_isa_* and dynamic_sigframe they depend on config_toolchain_has_*.
- rpm: update dependency to match current kmod.
- rsi: remove kernel-doc comment marker (git-fixes).
- rxrpc, afs: fix selection of abort codes (git-fixes).
- s390/ap: fix status returned by ap_aqic() (git-fixes bsc#1213259).
- s390/ap: fix status returned by ap_qact() (git-fixes bsc#1213258).
- s390/bpf: add expoline to tail calls (git-fixes bsc#1213870).
- s390/dasd: fix hanging device after quiesce/resume (git-fixes bsc#1213810).
- s390/debug: add _asm_s390_ prefix to header guard (git-fixes bsc#1213263).
- s390/decompressor: specify __decompress() buf len to avoid overflow (git-fixes bsc#1213863).
- s390/ipl: add missing intersection check to ipl_report handling (git-fixes bsc#1213871).
- s390/percpu: add read_once() to arch_this_cpu_to_op_simple() (git-fixes bsc#1213252).
- s390/qeth: fix vipa deletion (git-fixes bsc#1213713).
- s390/vmem: fix empty page tables cleanup under kasan (git-fixes bsc#1213715).
- s390: define runtime_discard_exit to fix link error with gnu ld &lt; 2.36 (git-fixes bsc#1213264).
- s390: discard .interp section (git-fixes bsc#1213247).
- s390: introduce nospec_uses_trampoline() (git-fixes bsc#1213870).
- scftorture: count reschedule ipis (git-fixes).
- sched/debug: fix dentry leak in update_sched_domain_debugfs (git-fixes)
- sched: fix debug && !schedstats warn (git-fixes)
- scsi: lpfc: abort outstanding els cmds when mailbox timeout error is detected (bsc#1213756).
- scsi: lpfc: avoid -wstringop-overflow warning (bsc#1213756).
- scsi: lpfc: clean up sli-4 sysfs resource reporting (bsc#1213756).
- scsi: lpfc: copyright updates for 14.2.0.14 patches (bsc#1213756).
- scsi: lpfc: fix a possible data race in lpfc_unregister_fcf_rescan() (bsc#1213756).
- scsi: lpfc: fix incorrect big endian type assignment in bsg loopback path (bsc#1213756).
- scsi: lpfc: fix incorrect big endian type assignments in fdmi and vmid paths (bsc#1213756).
- scsi: lpfc: fix lpfc_name struct packing (bsc#1213756).
- scsi: lpfc: make fabric zone discovery more robust when handling unsolicited logo (bsc#1213756).
- scsi: lpfc: pull out fw diagnostic dump log message from driver's trace buffer (bsc#1213756).
- scsi: lpfc: qualify ndlp discovery state when processing rscn (bsc#1213756).
- scsi: lpfc: refactor cpu affinity assignment paths (bsc#1213756).
- scsi: lpfc: remove extra ndlp kref decrement in flogi cmpl for loop topology (bsc#1213756).
- scsi: lpfc: replace all non-returning strlcpy() with strscpy() (bsc#1213756).
- scsi: lpfc: replace one-element array with flexible-array member (bsc#1213756).
- scsi: lpfc: revise ndlp kref handling for dev_loss_tmo_callbk and lpfc_drop_node (bsc#1213756).
- scsi: lpfc: set establish image pair service parameter only for target functions (bsc#1213756).
- scsi: lpfc: simplify fcp_abort transport callback log message (bsc#1213756).
- scsi: lpfc: update lpfc version to 14.2.0.14 (bsc#1213756).
- scsi: lpfc: use struct_size() helper (bsc#1213756).
- scsi: qla2xxx: adjust iocb resource on qpair create (bsc#1213747).
- scsi: qla2xxx: array index may go out of bound (bsc#1213747).
- scsi: qla2xxx: avoid fcport pointer dereference (bsc#1213747).
- scsi: qla2xxx: check valid rport returned by fc_bsg_to_rport() (bsc#1213747).
- scsi: qla2xxx: correct the index of array (bsc#1213747).
- scsi: qla2xxx: drop useless list_head (bsc#1213747).
- scsi: qla2xxx: fix buffer overrun (bsc#1213747).
- scsi: qla2xxx: fix command flush during tmf (bsc#1213747).
- scsi: qla2xxx: fix deletion race condition (bsc#1213747).
- scsi: qla2xxx: fix end of loop test (bsc#1213747).
- scsi: qla2xxx: fix erroneous link up failure (bsc#1213747).
- scsi: qla2xxx: fix error code in qla2x00_start_sp() (bsc#1213747).
- scsi: qla2xxx: fix inconsistent tmf timeout (bsc#1213747).
- scsi: qla2xxx: fix null pointer dereference in target mode (bsc#1213747).
- scsi: qla2xxx: fix potential null pointer dereference (bsc#1213747).
- scsi: qla2xxx: fix session hang in gnl (bsc#1213747).
- scsi: qla2xxx: fix tmf leak through (bsc#1213747).
- scsi: qla2xxx: limit tmf to 8 per function (bsc#1213747).
- scsi: qla2xxx: pointer may be dereferenced (bsc#1213747).
- scsi: qla2xxx: remove unused nvme_ls_waitq wait queue (bsc#1213747).
- scsi: qla2xxx: replace one-element array with declare_flex_array() helper (bsc#1213747).
- scsi: qla2xxx: silence a static checker warning (bsc#1213747).
- scsi: qla2xxx: turn off noisy message log (bsc#1213747).
- scsi: qla2xxx: update version to 10.02.08.400-k (bsc#1213747).
- scsi: qla2xxx: update version to 10.02.08.500-k (bsc#1213747).
- scsi: qla2xxx: use vmalloc_array() and vcalloc() (bsc#1213747).
- security: keys: modify mismatched function name (git-fixes).
- selftests: mptcp: depend on syn_cookies (git-fixes).
- selftests: mptcp: sockopt: return error if wrong mark (git-fixes).
- selftests: rtnetlink: remove netdevsim device after ipsec offload test (git-fixes).
- selftests: tc: add 'ct' action kconfig dep (git-fixes).
- selftests: tc: add conntrack procfs kconfig (git-fixes).
- selftests: tc: set timeout to 15 minutes (git-fixes).
- serial: qcom-geni: drop bogus runtime pm state update (git-fixes).
- serial: sifive: fix sifive_serial_console_setup() section (git-fixes).
- signal/powerpc: on swapcontext failure force sigsegv (bsc#1194869).
- signal: replace force_sigsegv(sigsegv) with force_fatal_sig(sigsegv) (bsc#1194869).
- smb3: do not reserve too many oplock credits (bsc#1193629).
- smb3: missing null check in smb2_change_notify (bsc#1193629).
- smb: client: fix broken file attrs with nodfs mounts (bsc#1193629).
- smb: client: fix missed ses refcounting (git-fixes).
- smb: client: fix parsing of source mount option (bsc#1193629).
- smb: client: fix shared dfs root mounts with different prefixes (bsc#1193629).
- smb: client: fix warning in cifs_match_super() (bsc#1193629).
- smb: client: fix warning in cifs_smb3_do_mount() (bsc#1193629).
- smb: client: fix warning in cifsfindfirst() (bsc#1193629).
- smb: client: fix warning in cifsfindnext() (bsc#1193629).
- smb: client: fix warning in generic_ip_connect() (bsc#1193629).
- smb: client: improve dfs mount check (bsc#1193629).
- smb: client: remove redundant pointer 'server' (bsc#1193629).
- smb: delete an unnecessary statement (bsc#1193629).
- smb: move client and server files to common directory fs/smb (bsc#1193629).
- smb: remove obsolete comment (bsc#1193629).
- soundwire: qcom: fix storing port config out-of-bounds (git-fixes).
- soundwire: qcom: update status correctly with mask (git-fixes).
- spi: bcm-qspi: return error if neither hif_mspi nor mspi is available (git-fixes).
- spi: bcm63xx: fix max prepend length (git-fixes).
- staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() (git-fixes).
- staging: r8712: fix memory leak in _r8712_init_xmit_priv() (git-fixes).
- sunrpc: always free ctxt when freeing deferred request (git-fixes).
- sunrpc: double free xprt_ctxt while still in use (git-fixes).
- sunrpc: fix trace_svc_register() call site (git-fixes).
- sunrpc: fix uaf in svc_tcp_listen_data_ready() (git-fixes).
- sunrpc: remove dead code in svc_tcp_release_rqst() (git-fixes).
- sunrpc: remove the maximum number of retries in call_bind_status (git-fixes).
- svcrdma: prevent page release when nothing was received (git-fixes).
- tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation (git-fixes).
- tpm_tis: explicitly check for error code (git-fixes).
- tty: n_gsm: fix uaf in gsm_cleanup_mux (git-fixes).
- tty: serial: fsl_lpuart: add earlycon for imx8ulp platform (git-fixes).
- ubi: ensure that vid header offset + vid header size &lt;= alloc, size (bsc#1210584).
- ubi: fix failure attaching when vid_hdr offset equals to (sub)page size (bsc#1210584).
- ubifs: add missing iput if do_tmpfile() failed in rename whiteout (git-fixes).
- ubifs: do_rename: fix wrong space budget when target inode's nlink > 1 (git-fixes).
- ubifs: error path in ubifs_remount_rw() seems to wrongly free write buffers (git-fixes).
- ubifs: fix 'ui->dirty' race between do_tmpfile() and writeback work (git-fixes).
- ubifs: fix aa deadlock when setting xattr for encrypted file (git-fixes).
- ubifs: fix build errors as symbol undefined (git-fixes).
- ubifs: fix deadlock in concurrent rename whiteout and inode writeback (git-fixes).
- ubifs: fix memory leak in alloc_wbufs() (git-fixes).
- ubifs: fix memory leak in do_rename (git-fixes).
- ubifs: fix read out-of-bounds in ubifs_wbuf_write_nolock() (git-fixes).
- ubifs: fix to add refcount once page is set private (git-fixes).
- ubifs: fix wrong dirty space budget for dirty inode (git-fixes).
- ubifs: free memory for tmpfile name (git-fixes).
- ubifs: rectify space amount budget for mkdir/tmpfile operations (git-fixes).
- ubifs: rectify space budget for ubifs_symlink() if symlink is encrypted (git-fixes).
- ubifs: rectify space budget for ubifs_xrename() (git-fixes).
- ubifs: rename whiteout atomically (git-fixes).
- ubifs: rename_whiteout: correct old_dir size computing (git-fixes).
- ubifs: rename_whiteout: fix double free for whiteout_ui->data (git-fixes).
- ubifs: reserve one leb for each journal head while doing budget (git-fixes).
- ubifs: setflags: make dirtied_ino_d 8 bytes aligned (git-fixes).
- ubifs: ubifs_writepage: mark page dirty after writing inode failed (git-fixes).
- udf: avoid double brelse() in udf_rename() (bsc#1213032).
- udf: define efscorrupted error code (bsc#1213038).
- udf: detect system inodes linked into directory hierarchy (bsc#1213114).
- udf: discard preallocation before extending file with a hole (bsc#1213036).
- udf: do not bother looking for prealloc extents if i_lenextents matches i_size (bsc#1213035).
- udf: do not bother merging very long extents (bsc#1213040).
- udf: do not update file length for failed writes to inline files (bsc#1213041).
- udf: fix error handling in udf_new_inode() (bsc#1213112).
- udf: fix extending file within last block (bsc#1213037).
- udf: fix preallocation discarding at indirect extent boundary (bsc#1213034).
- udf: preserve link count of system files (bsc#1213113).
- udf: truncate added extents on failed expansion (bsc#1213039).
- update config and supported.conf files due to renaming.
- update suse/rdma-mthca-fix-crash-when-polling-cq-for-shared-qps. (git-fixes bsc#1212604). added bug reference.
- usb: dwc2: fix some error handling paths (git-fixes).
- usb: dwc2: platform: improve error reporting for problems during .remove() (git-fixes).
- usb: dwc3: do not reset device side if dwc3 was configured as host-only (git-fixes).
- usb: dwc3: pci: skip byt gpio lookup table for hardwired phy (git-fixes).
- usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate (git-fixes).
- usb: gadget: udc: core: offload usb_udc_vbus_handler processing (git-fixes).
- usb: gadget: udc: core: prevent soft_connect_store() race (git-fixes).
- usb: serial: option: add lara-r6 01b pids (git-fixes).
- usb: xhci-mtk: set the dma max_seg_size (git-fixes).
- vhost: support packed when setting-getting vring_base (git-fixes).
- vhost_net: revert upend_idx only on retriable error (git-fixes).
- virtio-net: maintain reverse cleanup order (git-fixes).
- virtio_net: fix error unwinding of xdp initialization (git-fixes).
- wifi: airo: avoid uninitialized warning in airo_get_rate() (git-fixes).
- wifi: ray_cs: drop useless status variable in parse_addr() (git-fixes).
- wifi: ray_cs: utilize strnlen() in parse_addr() (git-fixes).
- wifi: rtw89: debug: fix error code in rtw89_debug_priv_send_h2c_set() (git-fixes).
- wl3501_cs: use eth_hw_addr_set() (git-fixes).
- writeback: fix call of incorrect macro (bsc#1213024).
- x86/pvh: obtain vga console info in dom0 (git-fixes).
- x86: fix .brk attribute in linker script (git-fixes).
- xen/blkfront: only check req_fua for writes (git-fixes).
- xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() (git-fixes).
- xfs: ail needs asynchronous cil forcing (bsc#1211811).
- xfs: async cil flushes need pending pushes to be made stable (bsc#1211811).
- xfs: attach iclog callbacks in xlog_cil_set_ctx_write_state() (bsc#1211811).
- xfs: cil work is serialised, not pipelined (bsc#1211811).
- xfs: clean up the rtbitmap fsmap backend (git-fixes).
- xfs: do not deplete the reserve pool when trying to shrink the fs (git-fixes).
- xfs: do not reverse order of items in bulk ail insertion (git-fixes).
- xfs: do not run shutdown callbacks on active iclogs (bsc#1211811).
- xfs: drop async cache flushes from cil commits (bsc#1211811).
- xfs: factor out log write ordering from xlog_cil_push_work() (bsc#1211811).
- xfs: fix getfsmap reporting past the last rt extent (git-fixes).
- xfs: fix integer overflows in the fsmap rtbitmap and logdev backends (git-fixes).
- xfs: fix interval filtering in multi-step fsmap queries (git-fixes).
- xfs: fix logdev fsmap query result filtering (git-fixes).
- xfs: fix off-by-one error when the last rt extent is in use (git-fixes).
- xfs: fix uninitialized variable access (git-fixes).
- xfs: make fsmap backend function key parameters const (git-fixes).
- xfs: make the record pointer passed to query_range functions const (git-fixes).
- xfs: move the cil workqueue to the cil (bsc#1211811).
- xfs: move xlog_commit_record to xfs_log_cil.c (bsc#1211811).
- xfs: order cil checkpoint start records (bsc#1211811).
- xfs: pass a cil context to xlog_write() (bsc#1211811).
- xfs: pass explicit mount pointer to rtalloc query functions (git-fixes).
- xfs: rework xlog_state_do_callback() (bsc#1211811).
- xfs: run callbacks before waking waiters in xlog_state_shutdown_callbacks (bsc#1211811).
- xfs: separate out log shutdown callback processing (bsc#1211811).
- xfs: wait iclog complete before tearing down ail (bsc#1211811).
- xfs: xlog_state_ioerror must die (bsc#1211811).
- xhci: fix resume issue of some zhaoxin hosts (git-fixes).
- xhci: fix trb prefetch issue of zhaoxin hosts (git-fixes).
- xhci: show zhaoxin xhci root hub speed correctly (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released:    Tue Aug 29 07:33:16 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1103893,1112183
This update for icu fixes the following issues:

- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3470-1
Released:    Tue Aug 29 10:49:33 2023
Summary:     Recommended update for parted
Type:        recommended
Severity:    low
References:  1182142,1193412
This update for parted fixes the following issues:

- fix null pointer dereference (bsc#1193412)
- update mkpart options in manpage (bsc#1182142)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3736-1
Released:    Fri Sep 22 20:30:59 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    important
References:  1215291
This update for libcontainers-common fixes the following issues:

- Require libcontainers-sles-mounts for *all* SUSE Linux Enterprise products,
  and not just SUSE Linux Enterprise Server. (bsc#1215291)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released:    Wed Sep 27 18:20:25 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3816-1
Released:    Wed Sep 27 18:25:44 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released:    Tue Oct  3 20:06:23 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1212475

This update of runc fixes the following issues:

- Update to runc v1.1.8.

  Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3964-1
Released:    Wed Oct  4 09:39:04 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1023051,1120059,1177719,1188885,1193629,1194869,1205462,1208902,1208949,1209284,1209799,1210048,1210448,1212091,1212142,1212526,1212857,1212873,1213026,1213123,1213546,1213580,1213601,1213666,1213757,1213759,1213916,1213921,1213927,1213946,1213968,1213970,1213971,1214000,1214019,1214120,1214149,1214180,1214238,1214285,1214297,1214299,1214350,1214368,1214370,1214371,1214372,1214380,1214386,1214392,1214393,1214397,1214428,1214451,1214635,1214659,1214661,1214729,1214742,1214743,1214756,1215522,1215523,1215552,1215553,CVE-2023-2007,CVE-2023-20588,CVE-2023-34319,CVE-2023-3610,CVE-2023-37453,CVE-2023-3772,CVE-2023-3863,CVE-2023-4128,CVE-2023-4133,CVE-2023-4134,CVE-2023-4147,CVE-2023-4194,CVE-2023-4273,CVE-2023-4387,CVE-2023-4459,CVE-2023-4569
 The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2023-2007: Fixed a flaw in the DPT I2O Controller driver that could allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel (bsc#1210448).
- CVE-2023-20588: Fixed a division-by-zero error on some AMD processors that can potentially return speculative data resulting in loss of confidentiality (bsc#1213927).
- CVE-2023-34319: Fixed buffer overrun triggered by unusual packet in xen/netback (XSA-432) (bsc#1213546).
- CVE-2023-3610: Fixed use-after-free vulnerability in nf_tables can be exploited to achieve local privilege escalation (bsc#1213580).
- CVE-2023-37453: Fixed oversight in SuperSpeed initialization  (bsc#1213123).
- CVE-2023-3772: Fixed a flaw in XFRM subsystem that may have allowed a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer leading to a possible kernel crash and denial of service (bsc#1213666).
- CVE-2023-3863: Fixed a use-after-free flaw was found in nfc_llcp_find_local that allowed a local user with special privileges to impact a kernel information leak issue (bsc#1213601).
- CVE-2023-4128: Fixed a use-after-free flaw in net/sched/cls_fw.c that allowed a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue (bsc#1214149).
- CVE-2023-4133: Fixed use after free bugs caused by circular dependency problem in cxgb4 (bsc#1213970).
- CVE-2023-4134: Fixed use-after-free in cyttsp4_watchdog_work() (bsc#1213971).
- CVE-2023-4147: Fixed use-after-free in nf_tables_newrule (bsc#1213968).
- CVE-2023-4194: Fixed a type confusion in net tun_chr_open() (bsc#1214019).
- CVE-2023-4273: Fixed a flaw in the exFAT driver of the Linux kernel that alloawed a local privileged attacker to overflow the kernel stack (bsc#1214120).
- CVE-2023-4387: Fixed use-after-free flaw in vmxnet3_rq_alloc_rx_buf that could allow a local attacker to crash the system due to a double-free (bsc#1214350).
- CVE-2023-4459: Fixed a NULL pointer dereference flaw in vmxnet3_rq_cleanup that may have allowed a local attacker with normal user privilege to cause a denial of service (bsc#1214451).
- CVE-2023-4569: Fixed information leak in nft_set_catchall_flush in net/netfilter/nf_tables_api.c (bsc#1214729).

The following non-security bugs were fixed:

- Drop amdgpu patch causing spamming (bsc#1215523)
- acpi: processor: perflib: avoid updating frequency qos unnecessarily (git-fixes).
- acpi: processor: perflib: use the 'no limit' frequency qos (git-fixes).
- acpi: x86: s2idle: fix a logic error parsing amd constraints table (git-fixes).
- alsa: ac97: fix possible error value of *rac97 (git-fixes).
- alsa: hda/cs8409: support new dell dolphin variants (git-fixes).
- alsa: hda/realtek - remodified 3k pull low procedure (git-fixes).
- alsa: hda/realtek: add quirk for hp victus 16-d1xxx to enable mute led (git-fixes).
- alsa: hda/realtek: add quirk for mute leds on hp envy x360 15-eu0xxx (git-fixes).
- alsa: hda/realtek: add quirks for hp g11 laptops (git-fixes).
- alsa: hda/realtek: switch dell oasis models to use spi (git-fixes).
- alsa: pcm: fix missing fixup call in compat hw_refine ioctl (git-fixes).
- alsa: usb-audio: add support for mythware xa001au capture and playback interfaces (git-fixes).
- alsa: usb-audio: fix init call orders for uac1 (git-fixes).
- alsa: ymfpci: fix the missing snd_card_free() call at probe error (git-fixes).
- amba: bus: fix refcount leak (git-fixes).
- arm64: dts: imx8mn-var-som: add missing pull-up for onboard phy reset pinmux (git-fixes).
- arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict (git-fixes).
- arm64: dts: rockchip: disable hs400 for emmc on rock pi 4 (git-fixes).
- arm: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix usb related warnings (git-fixes).
- arm: dts: imx6sll: fixup of operating points (git-fixes).
- arm: spear: do not use timer namespace for timer_shutdown() function (bsc#1213970).
- asoc: lower 'no backend dais enabled for ... port' log severity (git-fixes).
- asoc: meson: axg-tdm-formatter: fix channel slot allocation (git-fixes).
- asoc: rt5665: add missed regulator_bulk_disable (git-fixes).
- asoc: sof: intel: fix soundwire/hdaudio mutual exclusion (git-fixes).
- asoc: stac9766: fix build errors with regmap_ac97 (git-fixes).
- asoc: tegra: fix sfc conversion for few rates (git-fixes).
- audit: fix possible soft lockup in __audit_inode_child() (git-fixes).
- backlight/bd6107: compare against struct fb_info.device (git-fixes).
- backlight/gpio_backlight: compare against struct fb_info.device (git-fixes).
- backlight/lv5207lp: compare against struct fb_info.device (git-fixes).
- batman-adv: do not get eth header before batadv_check_management_packet (git-fixes).
- batman-adv: do not increase mtu when set by user (git-fixes).
- batman-adv: fix batadv_v_ogm_aggr_send memory leak (git-fixes).
- batman-adv: fix tt global entry leak when client roamed back (git-fixes).
- batman-adv: hold rtnl lock during mtu update via netlink (git-fixes).
- batman-adv: trigger events for auto adjusted mtu (git-fixes).
- bluetooth: btusb: add mt7922 bluetooth id for the asus ally (git-fixes).
- bluetooth: btusb: do not call kfree_skb() under spin_lock_irqsave() (git-fixes).
- bluetooth: fix potential use-after-free when clear keys (git-fixes).
- bluetooth: l2cap: fix use-after-free (git-fixes).
- bluetooth: l2cap: fix use-after-free in l2cap_sock_ready_cb (git-fixes).
- bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() (git-fixes).
- bluetooth: remove unused declaration amp_read_loc_info() (git-fixes).
- bnx2x: fix page fault following eeh recovery (bsc#1214299).
- bpf: disable preemption in bpf_event_output (git-fixes).
- bus: ti-sysc: fix build warning for 64-bit build (git-fixes).
- bus: ti-sysc: fix cast to enum warning (git-fixes).
- bus: ti-sysc: flush posted write on enable before reset (git-fixes).
- can: gs_usb: gs_usb_receive_bulk_callback(): count rx overflow errors also in case of oom (git-fixes).
- ceph: defer stopping mdsc delayed_work (bsc#1214392).
- ceph: do not check for quotas on mds stray dirs (bsc#1214238).
- ceph: never send metrics if disable_send_metrics is set (bsc#1214180).
- check-for-config-changes: ignore builtin_return_address_strips_pac (bsc#1214380). gcc7 on sle 15 does not support this while later gcc does.
- cifs: add missing return value check for cifs_sb_tlink (bsc#1193629).
- cifs: allow dumping keys for directories too (bsc#1193629).
- cifs: fix mid leak during reconnection after timeout threshold (git-fixes).
- cifs: if deferred close is disabled then close files immediately (git-fixes).
- cifs: is_network_name_deleted should return a bool (bsc#1193629).
- cifs: update internal module version number for cifs.ko (bsc#1193629).
- clk: fix slab-out-of-bounds error in devm_clk_release() (git-fixes).
- clk: fix undefined reference to `clk_rate_exclusive_{get,put}' (git-fixes).
- clk: imx8mp: fix sai4 clock (git-fixes).
- clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op (git-fixes).
- clk: imx: pll14xx: dynamically configure pll for 393216000/361267200hz (git-fixes).
- clk: qcom: camcc-sc7180: fix async resume during probe (git-fixes).
- clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock (git-fixes).
- clk: qcom: gcc-sc7180: fix up gcc_sdcc2_apps_clk_src (git-fixes).
- clk: qcom: gcc-sm8250: fix gcc_sdcc2_apps_clk_src (git-fixes).
- clk: sunxi-ng: modify mismatched function name (git-fixes).
- clocksource/drivers/arm_arch_timer: do not use timer namespace for timer_shutdown() function (bsc#1213970).
- clocksource/drivers/sp804: do not use timer namespace for timer_shutdown() function (bsc#1213970).
- config_nvme_verbose_errors=y     gone with a82baa8083b
- config_printk_safe_log_buf_shift=13  gone with 7e152d55123
- cpu/smt: allow enabling partial smt states via sysfs (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/smt: create topology_smt_thread_allowed() (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/smt: move smt prototypes into cpu_smt.h (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/smt: move smt/control simple exit cases earlier (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/smt: remove topology_smt_supported() (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/smt: store the current/max number of threads (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpufreq: fix the race condition while updating the transition_task of policy (git-fixes).
- cpufreq: intel_pstate: adjust balance_performance epp for sapphire rapids (bsc#1214659).
- cpufreq: intel_pstate: enable hwp io boost for all servers (bsc#1208949 jsc#ped-6003 jsc#ped-6004).
- cpufreq: intel_pstate: fix scaling for hybrid-capable systems with disabled e-cores (bsc#1212526 bsc#1214368 jsc#ped-4927 jsc#ped-4929).
- cpufreq: intel_pstate: hybrid: rework hwp calibration (bsc#1212526 bsc#1214368 jsc#ped-4927 jsc#ped-4929).
- cpufreq: intel_pstate: hybrid: use known scaling factor for p-cores (bsc#1212526 bsc#1214368 jsc#ped-4927 jsc#ped-4929).
- cpufreq: intel_pstate: read all msrs on the target cpu (bsc#1212526 bsc#1214368 jsc#ped-4927 jsc#ped-4929).
- created new preempt kernel flavor configs are cloned from the respective $arch/default configs. all changed configs appart from config_preempt->y are a result of dependencies, namely many lock/unlock primitives are no longer inlined in the preempt kernel. tree_rcu has been also changed to preempt_rcu which is the default implementation for preempt kernel.
- crypto: caam - fix unchecked return value error (git-fixes).
- crypto: stm32 - properly handle pm_runtime_get failing (git-fixes).
- dma-buf/sw_sync: avoid recursive lock during fence signal (git-fixes).
- dma-buf/sync_file: fix docs syntax (git-fixes).
- dmaengine: idxd: modify the dependence of attribute pasid_enabled (git-fixes).
- dmaengine: mcf-edma: fix a potential un-allocated memory access (git-fixes).
- dmaengine: pl330: return dma_paused when transaction is paused (git-fixes).
- dmaengine: ste_dma40: add missing irq check in d40_probe (git-fixes).
- docs/process/howto: replace c89 with c11 (bsc#1214756).
- docs: kernel-parameters: refer to the correct bitmap function (git-fixes).
- docs: networking: replace skb_hwtstamp_tx with skb_tstamp_tx (git-fixes).
- docs: printk-formats: fix hex printing of signed values (git-fixes).
- documentation: devices.txt: fix minors for ttycpm* (git-fixes).
- documentation: devices.txt: remove ttyioc* (git-fixes).
- documentation: devices.txt: remove ttysioc* (git-fixes).
- driver core: test_async: fix an error code (git-fixes).
- drivers: clk: keystone: fix parameter judgment in _of_pll_clk_init() (git-fixes).
- drivers: usb: smsusb: fix error handling code in smsusb_init_device (git-fixes).
- drm/amd/display: check attr flag before set cursor degamma on dcn3+ (git-fixes).
- drm/amd/display: check tg is non-null before checking if enabled (git-fixes).
- drm/amd/display: do not wait for mpc idle if tg is disabled (git-fixes).
- drm/amd/display: fix access hdcp_workqueue assert (git-fixes).
- drm/amd/display: phase3 mst hdcp for multiple displays (git-fixes).
- drm/amd/display: save restore hdcp state when display is unplugged from mst hub (git-fixes).
- drm/amd/pm: fix variable dereferenced issue in amdgpu_device_attr_create() (git-fixes).
- drm/amd: flush any delayed gfxoff on suspend entry (git-fixes).
- drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar() (git-fixes).
- drm/amdgpu: fix potential fence use-after-free v2 (git-fixes).
- drm/amdgpu: install stub fence into potential unused fence pointers (git-fixes).
- drm/amdgpu: use rmw accessors for changing lnkctl (git-fixes).
- drm/armada: fix off-by-one error in armada_overlay_get_property() (git-fixes).
- drm/ast: fix dram init on ast2200 (git-fixes).
- drm/atomic-helper: update reference to drm_crtc_force_disable_all() (git-fixes).
- drm/bridge: anx7625: drop device lock before drm_helper_hpd_irq_event() (git-fixes).
- drm/bridge: fix -wunused-const-variable= warning (git-fixes).
- drm/bridge: tc358764: fix debug print parameter order (git-fixes).
- drm/etnaviv: fix dumping of active mmu context (git-fixes).
- drm/mediatek: fix dereference before null check (git-fixes).
- drm/mediatek: fix potential memory leak if vmap() fail (git-fixes).
- drm/msm/a2xx: call adreno_gpu_init() earlier (git-fixes).
- drm/msm/mdp5: do not leak some plane state (git-fixes).
- drm/msm: update dev core dump to not print backwards (git-fixes).
- drm/nouveau/disp: revert a null check inside nouveau_connector_get_modes (git-fixes).
- drm/nouveau/gr: enable memory loads on helper invocation on all channels (git-fixes).
- drm/panel: simple: add missing connector type and pixel format for auo t215hvn01 (git-fixes).
- drm/panel: simple: fix auo g121ean01 panel timings according to the docs (git-fixes).
- drm/qxl: fix uaf on handle creation (git-fixes).
- drm/radeon: use rmw accessors for changing lnkctl (git-fixes).
- drm/rockchip: do not spam logs in atomic check (git-fixes).
- drm/shmem-helper: reset vma->vm_ops before calling dma_buf_mmap() (git-fixes).
- drm/tegra: dpaux: fix incorrect return value of platform_get_irq (git-fixes).
- drm/ttm: check null pointer before accessing when swapping (git-fixes).
- drm/ttm: never consider pinned bos for eviction&swap (git-fixes).
- drm/vmwgfx: fix shader stage validation (git-fixes).
- drm: adv7511: fix low refresh rate register for adv7533/5 (git-fixes).
- drm: xlnx: zynqmp_dpsub: add missing check for dma_set_mask (git-fixes).
- drop cfg80211 lock fix patches that caused a regression (bsc#1213757)
- drop rtsx patch that caused a regression (bsc#1214397,bsc#1214428)
- dt-bindings: clock: xlnx,versal-clk: drop select:false (git-fixes).
- dt-bindings: clocks: imx8mp: make sai4 a dummy clock (git-fixes).
- dt-bindings: crypto: ti,sa2ul: make power-domains conditional (git-fixes).
- e1000: fix typos in comments (jsc#ped-5738).
- e1000: remove unnecessary use of kmap_atomic() (jsc#ped-5738).
- e1000: switch to napi_build_skb() (jsc#ped-5738).
- e1000: switch to napi_consume_skb() (jsc#ped-5738).
- enable analog devices industrial ethernet phy driver (jsc#ped-4759)
- exfat: fix unexpected eof while reading dir (bsc#1214000).
- exfat: release s_lock before calling dir_emit() (bsc#1214000).
- exfat_iterate(): do not open-code file_inode(file) (bsc#1214000).
- fbdev/ep93xx-fb: do not assign to struct fb_info.dev (git-fixes).
- fbdev: fix potential oob read in fast_imageblit() (git-fixes).
- fbdev: fix sys_imageblit() for arbitrary image widths (git-fixes).
- fbdev: improve performance of sys_imageblit() (git-fixes).
- fbdev: mmp: fix value check in mmphw_probe() (git-fixes).
- file: reinstate f_pos locking optimization for regular files (bsc#1213759).
- firmware: arm_scmi: drop of node reference in the transport channel setup (git-fixes).
- firmware: cs_dsp: fix new control name check (git-fixes).
- firmware: meson_sm: fix to avoid potential null pointer dereference (git-fixes).
- firmware: stratix10-svc: fix an null vs is_err() bug in probe (git-fixes).
- fs/sysv: null check to prevent null-ptr-deref bug (git-fixes).
- ftrace: fix possible warning on checking all pages used in ftrace_process_locs() (git-fixes).
- gpio: mvebu: fix irq domain leak (git-fixes).
- gpio: mvebu: make use of devm_pwmchip_add (git-fixes).
- gpio: tps68470: make tps68470_gpio_output() always set the initial value (git-fixes).
- hid: add quirk for 03f0:464a hp elite presenter mouse (git-fixes).
- hid: logitech-dj: fix error handling in logi_dj_recv_switch_to_dj_mode() (git-fixes).
- hid: logitech-hidpp: add usb and bluetooth ids for the logitech g915 tkl keyboard (git-fixes).
- hid: multitouch: correct devm device reference for hidinput input_dev name (git-fixes).
- hid: wacom: remove the battery when the ekr is off (git-fixes).
- hwmon: (pmbus/bel-pfe) enable pmbus_skip_status_check for pfe1100 (git-fixes).
- hwmon: (tmp513) fix the channel number in tmp51x_is_visible() (git-fixes).
- hwpoison: offline support: fix spelling in documentation/abi/ (git-fixes).
- hwrng: iproc-rng200 - implement suspend and resume calls (git-fixes).
- hwrng: nomadik - keep clock enabled while hwrng is registered (git-fixes).
- hwrng: pic32 - use devm_clk_get_enabled (git-fixes).
- i2c: bcm-iproc: fix bcm_iproc_i2c_isr deadlock issue (git-fixes).
- i2c: delete error messages for failed memory allocations (git-fixes).
- i2c: designware: correct length byte validation logic (git-fixes).
- i2c: designware: handle invalid smbus block data response length value (git-fixes).
- i2c: hisi: only handle the interrupt of the driver's transfer (git-fixes).
- i2c: improve size determinations (git-fixes).
- i2c: nomadik: remove a useless call in the remove function (git-fixes).
- i2c: nomadik: remove unnecessary goto label (git-fixes).
- i2c: nomadik: use devm_clk_get_enabled() (git-fixes).
- i40e: fix an null vs is_err() bug for debugfs_create_dir() (git-fixes).
- iavf: fix potential races for fdir filters (git-fixes).
- ib/hfi1: fix possible panic during hotplug remove (git-fixes)
- ib/uverbs: fix an potential error pointer dereference (git-fixes)
- ice: fix crash by keep old cfg when update tcs more than queues (git-fixes).
- ice: fix max_rate check while configuring tx rate limits (git-fixes).
- ice: fix memory management in ice_ethtool_fdir.c (git-fixes).
- ice: fix rdma vsi removal during queue rebuild (git-fixes).
- iio: adc: ina2xx: avoid null pointer dereference on of device match (git-fixes).
- iio: adc: stx104: implement and utilize register structures (git-fixes).
- iio: adc: stx104: utilize iomap interface (git-fixes).
- iio: cros_ec: fix the allocation size for cros_ec_command (git-fixes).
- input: exc3000 - properly stop timer on shutdown (git-fixes).
- intel/e1000:fix repeated words in comments (jsc#ped-5738).
- intel: remove unused macros (jsc#ped-5738).
- iommu/amd: add pci segment support for ivrs_ commands (git-fixes).
- iommu/amd: fix compile warning in init code (git-fixes).
- iommu/amd: fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options (git-fixes).
- iommu/amd: fix ivrs_acpihid cmdline parsing code (git-fixes).
- iommu/amd: fix pci device refcount leak in ppr_notifier() (git-fixes).
- iommu/amd: use full 64-bit value in build_completion_wait() (git-fixes).
- iommu/arm-smmu-v3: check return value after calling platform_get_resource() (git-fixes).
- iommu/arm-smmu-v3: fix event handling soft lockup (git-fixes).
- iommu/arm-smmu-v3: make default domain type of hisilicon ptt device to identity (git-fixes).
- iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe() (git-fixes).
- iommu/dart: initialize dart_streams_enable (git-fixes).
- iommu/dma: fix incorrect error return on iommu deferred attach (git-fixes).
- iommu/dma: fix iova map result check bug (git-fixes).
- iommu/dma: return error code from iommu_dma_map_sg() (git-fixes).
- iommu/fsl_pamu: fix resource leak in fsl_pamu_probe() (git-fixes).
- iommu/io-pgtable-arm-v7s: add a quirk to allow pgtable pa up to 35bit (git-fixes).
- iommu/iova: fix module config properly (git-fixes).
- iommu/omap: fix buffer overflow in debugfs (git-fixes).
- iommu/rockchip: fix permission bits in page table entries v2 (git-fixes).
- iommu/sun50i: consider all fault sources for reset (git-fixes).
- iommu/sun50i: fix flush size (git-fixes).
- iommu/sun50i: fix r/w permission check (git-fixes).
- iommu/sun50i: fix reset release (git-fixes).
- iommu/sun50i: implement .iotlb_sync_map (git-fixes).
- iommu/sun50i: remove iommu_domain_identity (git-fixes).
- iommu/vt-d: add rpls to quirk list to skip te disabling (git-fixes).
- iommu/vt-d: check correct capability for sagaw determination (git-fixes).
- iommu/vt-d: clean up si_domain in the init_dmars() error path (git-fixes).
- iommu/vt-d: correctly calculate sagaw value of iommu (git-fixes).
- iommu/vt-d: fix kdump kernels boot failure with scalable mode (git-fixes).
- iommu/vt-d: fix pci device refcount leak in dmar_dev_scope_init() (git-fixes).
- iommu/vt-d: fix pci device refcount leak in has_external_pci() (git-fixes).
- iommu/vt-d: preset access bit for iova in fl non-leaf paging entries (git-fixes).
- iommu/vt-d: set sre bit only when hardware has srs cap (git-fixes).
- ipmi:ssif: add check for kstrdup (git-fixes).
- ipmi:ssif: fix a memory leak when scanning for an adapter (git-fixes).
- ipmi_si: fix a memleak in try_smi_init() (git-fixes).
- jffs2: correct logic when creating a hole in jffs2_write_begin (git-fixes).
- kabi/severities: ignore newly added srso mitigation functions
- kabi: allow extra bugsints (bsc#1213927).
- kbuild: add -wno-shift-negative-value where -wextra is used (bsc#1214756).
- kbuild: move to -std=gnu11 (bsc#1214756).
- kernel-binary: common dependencies cleanup common dependencies are copied to a subpackage, there is no need for copying defines or build dependencies there.
- kernel-binary: drop code for kerntypes support kerntypes was a suse-specific feature dropped before sle 12.
- kunit: make kunit_test_timeout compatible with comment (git-fixes).
- kvm: s390: fix sthyi error handling (git-fixes bsc#1214370).
- leds: fix bug_on check for led_color_id_multi that is always false (git-fixes).
- leds: multicolor: use rounded division when calculating color components (git-fixes).
- leds: pwm: fix error code in led_pwm_create_fwnode() (git-fixes).
- leds: trigger: tty: do not use led_on/off constants, use led_blink_set_oneshot instead (git-fixes).
- leds: turris-omnia: drop unnecessary mutex locking (git-fixes).
- lib/test_meminit: allocate pages up to order max_order (git-fixes).
- lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test (git-fixes).
- libceph: fix potential hang in ceph_osdc_notify() (bsc#1214393).
- md/raid0: factor out helper for mapping and submitting a bio (bsc#1213916).
- md/raid0: fix performance regression for large sequential writes (bsc#1213916).
- media: ad5820: drop unsupported ad5823 from i2c_ and of_device_id tables (git-fixes).
- media: cx24120: add retval check for cx24120_message_send() (git-fixes).
- media: dib7000p: fix potential division by zero (git-fixes).
- media: dvb-usb: m920x: fix a potential memory leak in m920x_i2c_xfer() (git-fixes).
- media: go7007: remove redundant if statement (git-fixes).
- media: i2c: ccs: check rules is non-null (git-fixes).
- media: i2c: rdacm21: fix uninitialized value (git-fixes).
- media: i2c: tvp5150: check return value of devm_kasprintf() (git-fixes).
- media: ov2680: add ov2680_fill_format() helper function (git-fixes).
- media: ov2680: do not take the lock for try_fmt calls (git-fixes).
- media: ov2680: fix ov2680_bayer_order() (git-fixes).
- media: ov2680: fix ov2680_set_fmt() which == v4l2_subdev_format_try not working (git-fixes).
- media: ov2680: fix regulators being left enabled on ov2680_power_on() errors (git-fixes).
- media: ov2680: fix vflip / hflip set functions (git-fixes).
- media: ov2680: remove video_v4l2_subdev_api ifdef-s (git-fixes).
- media: ov5640: enable mipi interface in ov5640_set_power_mipi() (git-fixes).
- media: rkvdec: increase max supported height for h.264 (git-fixes).
- media: v4l2-core: fix a potential resource leak in v4l2_fwnode_parse_link() (git-fixes).
- media: v4l2-mem2mem: add lock to protect parameter num_rdy (git-fixes).
- media: venus: hfi_venus: only consider sys_idle_indicator on v1 (git-fixes).
- media: venus: hfi_venus: write to vidc_ctrl_init after unmasking interrupts (git-fixes).
- misc: rtsx: judge aspm mode to set petxcfg reg (git-fixes).
- mkspec: allow unsupported kmps (bsc#1214386)
- mlxsw: pci: add shutdown method in pci driver (git-fixes).
- mmc: block: fix in_flight[issue_type] value error (git-fixes).
- mmc: moxart: read scr register without changing byte order (git-fixes).
- mmc: wbsd: fix double mmc_free_host() in wbsd_init() (git-fixes).
- module: avoid allocation if module is already present and ready (bsc#1213921).
- module: extract patient module check into helper (bsc#1213921).
- module: move check_modinfo() early to early_mod_check() (bsc#1213921).
- module: move early sanity checks into a helper (bsc#1213921).
- move upstreamed powerpc patches into sorted section
- mtd: rawnand: brcmnand: fix crash during the panic_write (git-fixes).
- mtd: rawnand: brcmnand: fix mtd oobsize (git-fixes).
- mtd: rawnand: brcmnand: fix potential false time out warning (git-fixes).
- mtd: rawnand: brcmnand: fix potential out-of-bounds access in oob write (git-fixes).
- mtd: rawnand: fsl_upm: fix an off-by one test in fun_exec_op() (git-fixes).
- mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume() (git-fixes).
- mtd: rawnand: omap_elm: fix incorrect type in assignment (git-fixes).
- mtd: rawnand: rockchip: align hwecc vs. raw page helper layouts (git-fixes).
- mtd: rawnand: rockchip: fix oobfree offset and description (git-fixes).
- mtd: spi-nor: check bus width while setting qe bit (git-fixes).
- mtd: spinand: toshiba: fix ecc_get_status (git-fixes).
- n_tty: rename tail to old_tail in n_tty_read() (git-fixes).
- net: hns3: fix wrong bw weight of disabled tc issue (git-fixes).
- net: ieee802154: at86rf230: stop leaking skb's (git-fixes).
- net: mana: fix mana vf unload when hardware is unresponsive (git-fixes).
- net: phy: at803x: remove set/get wol callbacks for ar8032 (git-fixes).
- net: phy: broadcom: stub c45 read/write for 54810 (git-fixes).
- net: phy: fix irq-based wake-on-lan over hibernate / power off (git-fixes).
- net: usb: lan78xx: reorder cleanup operations to avoid uaf bugs (git-fixes).
- net: usbnet: fix warning in usbnet_start_xmit/usb_submit_urb (git-fixes).
- netfs: fix lockdep warning from taking sb_writers whilst holding mmap_lock (bsc#1214742).
- netfs: fix missing xas_retry() calls in xarray iteration (bsc#1213946).
- netfs: fix parameter of cleanup() (bsc#1214743).
- nfsd: remove incorrect check in nfsd4_validate_stateid (git-fixes).
- nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput (git-fixes).
- nilfs2: fix warning in mark_buffer_dirty due to discarded buffer reuse (git-fixes).
- nvme-rdma: fix potential unbalanced freeze & unfreeze (bsc#1208902).
- nvme-tcp: fix potential unbalanced freeze & unfreeze (bsc#1208902).
- objtool/x86: fix srso mess (git-fixes).
- objtool/x86: fixup frame-pointer vs rethunk (git-fixes).
- objtool: union instruction::{call_dest,jump_table} (git-fixes).
- old-flavors: drop 2.6 kernels. 2.6 based kernels are eol, upgrading from them is no longer suported.
- pci/aspm: avoid link retraining race (git-fixes).
- pci/aspm: factor out pcie_wait_for_retrain() (git-fixes).
- pci/aspm: return 0 or -etimedout from pcie_retrain_link() (git-fixes).
- pci: acpiphp: reassign resources on bridge if necessary (git-fixes).
- pci: acpiphp: use pci_assign_unassigned_bridge_resources() only for non-root bus (git-fixes).
- pci: mark nvidia t4 gpus to avoid bus reset (git-fixes).
- pci: meson: remove cast between incompatible function type (git-fixes).
- pci: microchip: correct the ded and sec interrupt bit offsets (git-fixes).
- pci: microchip: remove cast between incompatible function type (git-fixes).
- pci: pciehp: use rmw accessors for changing lnkctl (git-fixes).
- pci: rockchip: remove writes to unused registers (git-fixes).
- pci: s390: fix use-after-free of pci resources with per-function hotplug (git-fixes).
- pci: tegra194: fix possible array out of bounds access (git-fixes).
- pcmcia: rsrc_nonstatic: fix memory leak in nonstatic_release_resource_db() (git-fixes).
- phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write (git-fixes).
- phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate (git-fixes).
- phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328 (git-fixes).
- phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend (git-fixes).
- phy: qcom-snps-femto-v2: properly enable ref clock (git-fixes).
- phy: qcom-snps: correct struct qcom_snps_hsphy kerneldoc (git-fixes).
- phy: qcom-snps: use dev_err_probe() to simplify code (git-fixes).
- pinctrl: cherryview: fix address_space_handler() argument (git-fixes).
- pinctrl: mcp23s08: check return value of devm_kasprintf() (git-fixes).
- pinctrl: renesas: rza2: add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function} (git-fixes).
- platform/x86: dell-sysman: fix reference leak (git-fixes).
- pm / devfreq: fix leak in devfreq_dev_release() (git-fixes).
- powerpc/64e: fix kexec build error (bsc#1212091 ltc#199106).
- powerpc/iommu: do not set failed sg dma_address to dma_mapping_error (bsc#1212091 ltc#199106).
- powerpc/iommu: fix iommu_table_in_use for a small default dma window case (bsc#1212091 ltc#199106).
- powerpc/iommu: incorrect ddw table is referenced for sr-iov device (bsc#1212091 ltc#199106).
- powerpc/iommu: return error code from .map_sg() ops (bsc#1212091 ltc#199106).
- powerpc/iommu: tces are incorrectly manipulated with dlpar add/remove of memory (bsc#1212091 ltc#199106).
- powerpc/kernel/iommu: add new iommu_table_in_use() helper (bsc#1212091 ltc#199106).
- powerpc/kexec: fix build failure from uninitialised variable (bsc#1212091 ltc#199106).
- powerpc/mm/altmap: fix altmap boundary check (bsc#1120059 git-fixes).
- powerpc/pseries/ddw: do not try direct mapping with persistent memory and one window (bsc#1212091 ltc#199106).
- powerpc/pseries/ddw: simplify enable_ddw() (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: add ddw_list_new_entry() helper (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: add ddw_property_create() and refactor enable_ddw() (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: add iommu_pseries_alloc_table() helper (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: add of_node_put() before break (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: allow ddw windows starting at 0x00 (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: check if the default window in use before removing it (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: create huge dma window if no mmio32 is present (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: find existing ddw with given property name (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: make use of ddw for indirect mapping (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: print ibm,query-pe-dma-windows parameters (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: rename 'direct window' to 'dma window' (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: reorganize iommu_table_setparms*() with new helper (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: replace hard-coded page shift (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: update remove_dma_window() to accept property name (bsc#1212091 ltc#199106).
- powerpc/pseries/iommu: use correct vfree for it_map (bsc#1212091 ltc#199106).
- powerpc/pseries: add __init attribute to eligible functions (bsc#1212091 ltc#199106).
- powerpc/pseries: honour current smt state when dlpar onlining cpus (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- powerpc/pseries: initialise cpu hotplug callbacks earlier (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- powerpc/rtas: block error injection when locked down (bsc#1023051).
- powerpc/rtas: enture rtas_call is called with mmu enabled (bsc#1023051).
- powerpc/rtas_flash: allow user copy to flash block cache objects (bsc#1194869).
- powerpc/security: fix speculation_store_bypass reporting on power10 (bsc#1188885 ltc#193722 git-fixes).
- powerpc: add hotplug_smt support (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588). update config files.
- powerpc: fix typos in comments (bsc#1212091 ltc#199106).
- powerpc: move dma64_propname define to a header (bsc#1214297 ltc#197503).
- pseries/iommu/ddw: fix kdump to work in absence of ibm,dma-window (bsc#1214297 ltc#197503).
- pstore/ram: check start of empty przs during init (git-fixes).
- pwm: add a stub for devm_pwmchip_add() (git-fixes).
- pwm: meson: fix handling of period/duty if greater than uint_max (git-fixes).
- pwm: meson: simplify duplicated per-channel tracking (git-fixes).
- qed: fix scheduling in a tasklet while getting stats (git-fixes).
- rdma/bnxt_re: fix error handling in probe failure path (git-fixes)
- rdma/bnxt_re: fix max_qp count for virtual functions (git-fixes)
- rdma/efa: fix wrong resources deallocation order (git-fixes)
- rdma/hns: fix cq and qp cache affinity (git-fixes)
- rdma/hns: fix incorrect post-send with direct wqe of wr-list (git-fixes)
- rdma/hns: fix port active speed (git-fixes)
- rdma/irdma: prevent zero-length stag registration (git-fixes)
- rdma/irdma: replace one-element array with flexible-array member (git-fixes)
- rdma/mlx5: return the firmware result upon destroying qp/rq (git-fixes)
- rdma/qedr: remove a duplicate assignment in irdma_query_ah() (git-fixes)
- rdma/siw: balance the reference of cep->kref in the error path (git-fixes)
- rdma/siw: correct wrong debug message (git-fixes)
- rdma/umem: set iova in odp flow (git-fixes)
- readme.branch: add miroslav franc as a sle15-sp4 co-maintainer.
- regmap: rbtree: use alloc_flags for memory allocations (git-fixes).
- revert 'ib/isert: fix incorrect release of isert connection' (git-fixes)
- revert 'tracing: add '(fault)' name injection to kernel probes' (git-fixes).
- ring-buffer: do not swap cpu_buffer during resize process (git-fixes).
- ring-buffer: fix deadloop issue on reading trace_pipe (git-fixes).
- ring-buffer: fix wrong stat of cpu_buffer->read (git-fixes).
- rpmsg: glink: add check for kstrdup (git-fixes).
- s390/purgatory: disable branch profiling (git-fixes bsc#1214372).
- sched/fair: fix inaccurate tally of ttwu_move_affine (git fixes).
- sched/fair: use recent_used_cpu to test p->cpus_ptr (git fixes).
- sched/psi: use kernfs polling functions for psi trigger polling (bsc#1209799).
- scsi: bsg: increase number of devices (bsc#1210048).
- scsi: core: do not wait for quiesce in scsi_device_block() (bsc#1209284).
- scsi: core: do not wait for quiesce in scsi_stop_queue() (bsc#1209284).
- scsi: core: improve warning message in scsi_device_block() (bsc#1209284).
- scsi: core: merge scsi_internal_device_block() and device_block() (bsc#1209284).
- scsi: rdma/srp: fix residual handling (git-fixes)
- scsi: sg: increase number of devices (bsc#1210048).
- scsi: storvsc: always set no_report_opcodes (git-fixes).
- scsi: storvsc: fix handling of virtual fibre channel timeouts (git-fixes).
- scsi: storvsc: handle srb status value 0x30 (git-fixes).
- scsi: storvsc: limit max_sectors for virtual fibre channel devices (git-fixes).
- scsi: zfcp: defer fc_rport blocking until after adisc response (git-fixes bsc#1214371).
- selftests/futex: order calls to futex_lock_pi (git-fixes).
- selftests/harness: actually report skip for signal tests (git-fixes).
- selftests/resctrl: close perf value read fd on errors (git-fixes).
- selftests/resctrl: do not leak buffer in fill_cache() (git-fixes).
- selftests/resctrl: unmount resctrl fs if child fails to run benchmark (git-fixes).
- selftests/rseq: check if libc rseq support is registered (git-fixes).
- selftests: forwarding: add a helper to skip test when using veth pairs (git-fixes).
- selftests: forwarding: ethtool: skip when using veth pairs (git-fixes).
- selftests: forwarding: ethtool_extended_state: skip when using veth pairs (git-fixes).
- selftests: forwarding: skip test when no interfaces are specified (git-fixes).
- selftests: forwarding: switch off timeout (git-fixes).
- selftests: forwarding: tc_actions: cleanup temporary files when test is aborted (git-fixes).
- selftests: forwarding: tc_actions: use ncat instead of nc (git-fixes).
- selftests: forwarding: tc_flower: relax success criterion (git-fixes).
- selftests: mirror_gre_changes: tighten up the ttl test match (git-fixes).
- serial: sc16is7xx: fix broken port 0 uart init (git-fixes).
- serial: sc16is7xx: fix bug when first setting gpio direction (git-fixes).
- serial: sprd: assign sprd_port after initialized to avoid wrong access (git-fixes).
- serial: sprd: fix dma buffer leak issue (git-fixes).
- serial: tegra: handle clk prepare error in tegra_uart_hw_init() (git-fixes).
- sfc: fix crash when reading stats while nic is resetting (git-fixes).
- smb3: do not send lease break acknowledgment if all file handles have been closed (git-fixes).
- smb3: do not set ntlmssp_version flag for negotiate not auth request (bsc#1193629).
- smb: client: fix -wstringop-overflow issues (bsc#1193629).
- smb: client: fix dfs link mount against w2k8 (bsc#1212142).
- smb: client: fix null auth (git-fixes).
- soc: aspeed: socinfo: add kfree for kstrdup (git-fixes).
- soundwire: bus: pm_runtime_request_resume on peripheral attachment (git-fixes).
- soundwire: fix enumeration completion (git-fixes).
- spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe() (git-fixes).
- supported.conf: fix typos for -!optional markers
- target: compare and write backend driver sense handling (bsc#1177719 bsc#1213026).
- target_core_rbd: fix leak and reduce kmalloc calls (bsc#1212873).
- target_core_rbd: fix rbd_img_request.snap_id assignment (bsc#1212857).
- target_core_rbd: remove snapshot existence validation code (bsc#1212857).
- thunderbolt: read retimer nvm authentication status prior tb_retimer_set_inbound_sbtx() (git-fixes).
- timers: add shutdown mechanism to the internal functions (bsc#1213970).
- timers: provide timer_shutdown[_sync]() (bsc#1213970).
- timers: rename del_timer() to timer_delete() (bsc#1213970).
- timers: rename del_timer_sync() to timer_delete_sync() (bsc#1213970).
- timers: replace bug_on()s (bsc#1213970).
- timers: silently ignore timers with a null function (bsc#1213970).
- timers: split [try_to_]del_timer[_sync]() to prepare for shutdown mode (bsc#1213970).
- timers: update kernel-doc for various functions (bsc#1213970).
- timers: use del_timer_sync() even on up (bsc#1213970).
- tracing/histograms: add histograms to hist_vars if they have referenced variables (git-fixes).
- tracing/histograms: return an error if we fail to add histogram to hist_vars list (git-fixes).
- tracing/probes: fix not to count error code to total length (git-fixes).
- tracing/probes: fix to avoid double count of the string length on the array (git-fixes).
- tracing/probes: fix to record 0-length data_loc in fetch_store_string*() if fails (git-fixes).
- tracing/probes: fix to update dynamic data counter if fetcharg uses it (git-fixes).
- tracing: fix cpu buffers unavailable due to 'record_disabled' missed (git-fixes).
- tracing: fix memleak due to race between current_tracer and trace (git-fixes).
- tracing: fix memory leak of iter->temp when reading trace_pipe (git-fixes).
- tracing: fix null pointer dereference in tracing_err_log_open() (git-fixes).
- tracing: fix warning in trace_buffered_event_disable() (git-fixes).
- tty: fix hang on tty device with no_room set (git-fixes).
- tty: n_gsm: fix the uaf caused by race condition in gsm_cleanup_mux (git-fixes).
- tty: serial: fsl_lpuart: add i.mxrt1050 support (git-fixes).
- tty: serial: fsl_lpuart: clear the error flags by writing 1 for lpuart32 platforms (git-fixes).
- tty: serial: fsl_lpuart: make rx_watermark configurable for different platforms (git-fixes).
- tty: serial: fsl_lpuart: reduce rx watermark to 0 on ls1028a (git-fixes).
- ubifs: fix memleak when insert_old_idx() failed (git-fixes).
- update patches.suse/cpufreq-intel_pstate-fix-cpu-pstate.turbo_freq-initi (git-fixes bsc#1212526 bsc#1214368 jsc#ped-4927 jsc#ped-4929).
- usb-storage: alauda: fix uninit-value in alauda_check_media() (git-fixes).
- usb: chipidea: imx: add missing usb phy dpdm wakeup setting (git-fixes).
- usb: chipidea: imx: do not request qos for imx8ulp (git-fixes).
- usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 (git-fixes).
- usb: common: usb-conn-gpio: prevent bailing out if initial role is none (git-fixes).
- usb: dwc3: fix typos in gadget.c (git-fixes).
- usb: dwc3: meson-g12a: do post init to fix broken usb after resumption (git-fixes).
- usb: dwc3: properly handle processing of pending events (git-fixes).
- usb: gadget: f_mass_storage: fix unused variable warning (git-fixes).
- usb: gadget: fix the memory leak in raw_gadget driver (git-fixes).
- usb: gadget: u_serial: avoid spinlock recursion in __gs_console_push (git-fixes).
- usb: ohci-at91: fix the unhandle interrupt when resume (git-fixes).
- usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host() (git-fixes).
- usb: quirks: add quirk for focusrite scarlett (git-fixes).
- usb: serial: option: add quectel ec200a module support (git-fixes).
- usb: serial: option: support quectel em060k_128 (git-fixes).
- usb: serial: simple: add kaufmann rks+can vcp (git-fixes).
- usb: serial: simple: sort driver entries (git-fixes).
- usb: typec: altmodes/displayport: signal hpd when configuring pin assignment (git-fixes).
- usb: typec: tcpm: fix response to vsafe0v event (git-fixes).
- usb: typec: tcpm: set initial svdm version based on pd revision (git-fixes).
- usb: zaurus: add id for a-300/b-500/c-700 (git-fixes).
- watchdog: sp5100_tco: support hygon fch/sch (server controller hub) (git-fixes).
- wifi: ath10k: use rmw accessors for changing lnkctl (git-fixes).
- wifi: ath11k: use rmw accessors for changing lnkctl (git-fixes).
- wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx (git-fixes).
- wifi: ath9k: protect wmi command response buffer replacement with a lock (git-fixes).
- wifi: ath9k: use is_err() with debugfs_create_dir() (git-fixes).
- wifi: cfg80211: fix return value in scan logic (git-fixes).
- wifi: cfg80211: fix sband iftype data lookup for ap_vlan (git-fixes).
- wifi: mt76: mt7615: do not advertise 5 ghz on first phy of mt7615d (dbdc) (git-fixes).
- wifi: mt76: mt7915: fix power-limits while chan_switch (git-fixes).
- wifi: mt76: mt7921: do not support one stream on secondary antenna only (git-fixes).
- wifi: mt76: testmode: add nla_policy for mt76_tm_attr_tx_length (git-fixes).
- wifi: mwifiex: avoid possible null skb pointer dereference (git-fixes).
- wifi: mwifiex: fix error recovery in pcie buffer descriptor management (git-fixes).
- wifi: mwifiex: fix memory leak in mwifiex_histogram_read() (git-fixes).
- wifi: mwifiex: fix missed return in oob checks failed path (git-fixes).
- wifi: mwifiex: fix oob and integer underflow when rx packets (git-fixes).
- wifi: nl80211/cfg80211: add forgotten nla_policy for bss color attribute (git-fixes).
- wifi: radiotap: fix kernel-doc notation warnings (git-fixes).
- wifi: rtw89: debug: fix error handling in rtw89_debug_priv_btc_manual_set() (git-fixes).
- x86/alternative: make custom return thunk unconditional (git-fixes).
- x86/cpu/amd: disable xsaves on amd family 0x17 (git-fixes).
- x86/cpu/kvm: provide untrain_ret_vm (git-fixes).
- x86/cpu: clean up srso return thunk mess (git-fixes).
- x86/cpu: cleanup the untrain mess (git-fixes).
- x86/cpu: fix __x86_return_thunk symbol type (git-fixes).
- x86/cpu: fix up srso_safe_ret() and __x86_return_thunk() (git-fixes).
- x86/cpu: rename original retbleed methods (git-fixes).
- x86/cpu: rename srso_(.*)_alias to srso_alias_\1 (git-fixes).
- x86/mce: make sure logged mces are processed after sysfs update (git-fixes).
- x86/retpoline,kprobes: fix position of thunk sections with config_lto_clang (git-fixes).
- x86/retpoline,kprobes: skip optprobe check for indirect jumps with retpolines and ibt (git-fixes).
- x86/retpoline: do not clobber rflags during srso_safe_ret() (git-fixes).
- x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635).
- x86/speculation: add cpu_show_gds() prototype (git-fixes).
- x86/speculation: mark all skylake cpus as vulnerable to gds (git-fixes).
- x86/srso: correct the mitigation status when smt is disabled (git-fixes).
- x86/srso: disable the mitigation on unaffected configurations (git-fixes).
- x86/srso: explain the untraining sequences a bit more (git-fixes).
- x86/srso: fix build breakage with the llvm linker (git-fixes).
- x86/srso: fix return thunks in generated code (git-fixes).
- x86/static_call: fix __static_call_fixup() (git-fixes).
- xfs: fix sb write verify for lazysbcount (bsc#1214661).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4042-1
Released:    Tue Oct 10 19:11:00 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1215806
This update for conmon fixes the following issues:

conmon was rebuilt using go1.21 (bsc#1215806)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4093-1
Released:    Tue Oct 17 09:50:35 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1202845,1213808,1214928,1214940,1214941,1214942,1214943,1214944,1214950,1214951,1214954,1214957,1214986,1214988,1214992,1214993,1215322,1215877,1215894,1215895,1215896,1215911,1215915,1215916,CVE-2023-1192,CVE-2023-1206,CVE-2023-1859,CVE-2023-2177,CVE-2023-39192,CVE-2023-39193,CVE-2023-39194,CVE-2023-4155,CVE-2023-42753,CVE-2023-42754,CVE-2023-4389,CVE-2023-4563,CVE-2023-4622,CVE-2023-4623,CVE-2023-4881,CVE-2023-4921,CVE-2023-5345

The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2023-39194: Fixed an out of bounds read in the XFRM subsystem (bsc#1215861).
- CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860).
- CVE-2023-39192: Fixed an out of bounds read in the netfilter (bsc#1215858).
- CVE-2023-42754: Fixed a NULL pointer dereference in the IPv4 stack that could lead to denial of service (bsc#1215467).
- CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that could be exploited in order to leak internal kernel information or crash the system (bsc#1214351).
- CVE-2023-5345: fixed an use-after-free vulnerability in the fs/smb/client component which could be exploited to achieve local privilege escalation. (bsc#1215899)
- CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter subsystem. This issue may have allowed a local user to crash the system or potentially escalate their privileges (bsc#1215150).
- CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup table. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95% (bsc#1212703).
- CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network scheduler which could be exploited to achieve local privilege escalatio (bsc#1215275).
- CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain sockets component which could be exploited to achieve local privilege escalation (bsc#1215117).
- CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler which could be exploited to achieve local privilege escalation (bsc#1215115).
- CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization (SEV). An attacker can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages. (bsc#1214022)
- CVE-2023-1859: Fixed a use-after-free flaw in Xen transport for 9pfs which could be exploited to crash the system (bsc#1210169).
- CVE-2023-4881: Fixed a out-of-bounds write flaw in the netfilter subsystem that could lead to potential information disclosure or a denial of service (bsc#1215221).
- CVE-2023-2177: Fixed a null pointer dereference issue in the sctp network protocol which could allow a user to crash the system (bsc#1210643).
- CVE-2023-4563: Fixed an use-after-free flaw in the nftables sub-component. This vulnerability could allow a local attacker to crash the system or lead to a kernel information leak problem. (bsc#1214727)
- CVE-2023-1192: Fixed use-after-free in cifs_demultiplex_thread() (bsc#1208995).

The following non-security bugs were fixed:

- ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs (git-fixes).
- ALSA: hda/realtek: Splitting the UX3402 into two separate models (git-fixes).
- ARM: pxa: remove use of symbol_get() (git-fixes).
- arm64: csum: Fix OoB access in IP checksum code for negative lengths (git-fixes).
- arm64: module-plts: inline linux/moduleloader.h (git-fixes)
- arm64: module: Use module_init_layout_section() to spot init sections (git-fixes)
- arm64: sdei: abort running SDEI handlers during crash (git-fixes)
- arm64: tegra: Update AHUB clock parent and rate (git-fixes)
- arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-fixes)
- ASoC: imx-audmix: Fix return error with devm_clk_get() (git-fixes).
- ASoC: meson: spdifin: start hw on dai probe (git-fixes).
- ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol (git-fixes).
- ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes).
- ata: libata: disallow dev-initiated LPM transitions to unsupported states (git-fixes).
- ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
- ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
- ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
- backlight: gpio_backlight: Drop output GPIO direction check for initial power state (git-fixes).
- blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986).
- blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost (bsc#1214992).
- block/mq-deadline: use correct way to throttling write requests (bsc#1214993).
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition (git-fixes).
- bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322).
- bpf: Clear the probe_addr for uprobe (git-fixes).
- btrfs: do not hold CPU for too long when defragging a file (bsc#1214988).
- drm: gm12u320: Fix the timeout usage for usb_bulk_msg() (git-fixes).
- drm/amd/display: fix the white screen issue when >= 64GB DRAM (git-fixes).
- drm/amd/display: prevent potential division by zero errors (git-fixes).
- drm/display: Do not assume dual mode adaptors support i2c sub-addressing (bsc#1213808).
- drm/i915: mark requests for GuC virtual engines to avoid use-after-free (git-fixes).
- drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() (git-fixes).
- drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes).
- drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb() (git-fixes).
- ext4: avoid potential data overflow in next_linear_group (bsc#1214951).
- ext4: correct inline offset when handling xattrs in inode body (bsc#1214950).
- ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} (bsc#1214954).
- ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943).
- ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944).
- ext4: get block from bh in ext4_free_blocks for fast commit replay (bsc#1214942).
- ext4: reflect error codes from ext4_multi_mount_protect() to its callers (bsc#1214941).
- ext4: Remove ext4 locking of moved directory (bsc#1214957).
- ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940).
- fs: do not update freeing inode i_io_list (bsc#1214813).
- fs: Establish locking order for unrelated directories (bsc#1214958).
- fs: Lock moved directories (bsc#1214959).
- fs: lockd: avoid possible wrong NULL parameter (git-fixes).
- fs: no need to check source (bsc#1215752).
- fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE (bsc#1214813).
- fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581).
- gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479).
- gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
- gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
- gve: Changes to add new TX queues (bsc#1214479).
- gve: Control path for DQO-QPL (bsc#1214479).
- gve: fix frag_list chaining (bsc#1214479).
- gve: Fix gve interrupt names (bsc#1214479).
- gve: RX path for DQO-QPL (bsc#1214479).
- gve: trivial spell fix Recive to Receive (bsc#1214479).
- gve: Tx path for DQO-QPL (bsc#1214479).
- gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
- gve: use vmalloc_array and vcalloc (bsc#1214479).
- gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
- hwrng: virtio - add an internal buffer (git-fixes).
- hwrng: virtio - always add a pending request (git-fixes).
- hwrng: virtio - do not wait on cleanup (git-fixes).
- hwrng: virtio - do not waste entropy (git-fixes).
- hwrng: virtio - Fix race on data_avail and actual data (git-fixes).
- i2c: aspeed: Reset the i2c controller when timeout occurs (git-fixes).
- i3c: master: svc: fix probe failure when no i3c device exist (git-fixes).
- idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
- Input: tca6416-keypad - fix interrupt enable disbalance (git-fixes).
- iommu/virtio: Detach domain on endpoint release (git-fixes).
- jbd2: check 'jh->b_transaction' before removing it from checkpoint (bsc#1214953).
- jbd2: correct the end of the journal recovery scan range (bsc#1214955).
- jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949).
- jbd2: fix checkpoint cleanup performance regression (bsc#1214952).
- jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint (bsc#1214948).
- jbd2: recheck chechpointing non-dirty buffer (bsc#1214945).
- jbd2: remove journal_clean_one_cp_list() (bsc#1214947).
- jbd2: remove t_checkpoint_io_list (bsc#1214946).
- jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946).
- kabi/severities: ignore mlx4 internal symbols
- kconfig: fix possible buffer overflow (git-fixes).
- kernel-binary: Move build-time definitions together Move source list and build architecture to buildrequires to aid in future reorganization of the spec template.
- kernel-binary: python3 is needed for build At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18 Other simimlar scripts may exist.
- kselftest/runner.sh: Propagate SIGTERM to runner child (git-fixes).
- KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes bsc#1215915).
- KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes bsc#1215896).
- KVM: s390: pv: fix external interruption loop not always detected (git-fixes bsc#1215916).
- KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field (git-fixes bsc#1215894).
- KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895).
- KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler (git-fixes bsc#1215911).
- KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-fixes).
- KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
- KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes).
- KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
- loop: Fix use-after-free issues (bsc#1214991).
- loop: loop_set_status_from_info() check before assignment (bsc#1214990).
- mlx4: Avoid resetting MLX4_INTFF_BONDING per driver (bsc#1187236).
- mlx4: Connect the ethernet part to the auxiliary bus (bsc#1187236).
- mlx4: Connect the infiniband part to the auxiliary bus (bsc#1187236).
- mlx4: Delete custom device management logic (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.activate callback (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.get_dev callback (bsc#1187236).
- mlx4: Move the bond work to the core driver (bsc#1187236).
- mlx4: Register mlx4 devices to an auxiliary virtual bus (bsc#1187236).
- mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
- mlx4: Replace the mlx4_interface.event callback with a notifier (bsc#1187236).
- mlx4: Use 'void *' as the event param of mlx4_dispatch_event() (bsc#1187236).
- net: do not allow gso_size to be set to GSO_BY_FRAGS (git-fixes).
- net: mana: Add page pool for RX buffers (bsc#1214040).
- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- net: phy: micrel: Correct bit assignments for phy_device flags (git-fixes).
- net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
- net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
- NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-fixes).
- NFS/blocklayout: Use the passed in gfp flags (git-fixes).
- NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes).
- NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes).
- NFSD: fix change_info in NFSv4 RENAME replies (git-fixes).
- NFSD: Fix race to FREE_STATEID and cl_revoked (git-fixes).
- NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes).
- NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
- NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
- NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
- NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info (git-fixes).
- ntb: Clean up tx tail index on link down (git-fixes).
- ntb: Drop packets when qp link is down (git-fixes).
- ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
- nvme-auth: use chap->s2 to indicate bidirectional authentication (bsc#1214543).
- nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
- nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284).
- nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284).
- nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
- PCI: Free released resource after coalescing (git-fixes).
- platform/mellanox: mlxbf-pmc: Fix potential buffer overflows (git-fixes).
- platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors (git-fixes).
- platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() (git-fixes).
- platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt() (git-fixes).
- platform/x86: intel_scu_ipc: Do not override scu in intel_scu_ipc_dev_simple_command() (git-fixes).
- platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes).
- pNFS: Fix assignment of xprtdata.cred (git-fixes).
- powerpc/fadump: make is_kdump_kernel() return false when fadump is active (bsc#1212639 ltc#202582).
- powerpc/iommu: Fix notifiers being shared by PCI and VIO buses (bsc#1065729).
- powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
- powerpc/xics: Remove unnecessary endian conversion (bsc#1065729).
- printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875).
- pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
- quota: add new helper dquot_active() (bsc#1214998).
- quota: factor out dquot_write_dquot() (bsc#1214995).
- quota: fix dqput() to follow the guarantees dquot_srcu should provide (bsc#1214963).
- quota: fix warning in dqgrab() (bsc#1214962).
- quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961).
- quota: rename dquot_active() to inode_quota_active() (bsc#1214997).
- s390/zcrypt: do not leak memory if dev_set_name() fails (git-fixes bsc#1215148).
- scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() (git-fixes).
- scsi: 53c700: Check that command slot is not NULL (git-fixes).
- scsi: core: Fix legacy /proc parsing buffer overflow (git-fixes).
- scsi: core: Fix possible memory leak if device_add() fails (git-fixes).
- scsi: fnic: Replace return codes in fnic_clean_pending_aborts() (git-fixes).
- scsi: lpfc: Do not abuse UUID APIs and LPFC_COMPRESS_VMID_SIZE (git-fixes).
- scsi: lpfc: Early return after marking final NLP_DROPPED flag in dev_loss_tmo (git-fixes).
- scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-fixes).
- scsi: lpfc: Modify when a node should be put in device recovery mode during RSCN (git-fixes).
- scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports (git-fixes).
- scsi: lpfc: Remove reftag check in DIF paths (git-fixes).
- scsi: qedf: Add synchronization between I/O completions and abort (bsc#1210658).
- scsi: qedf: Fix firmware halt over suspend and resume (git-fixes).
- scsi: qedf: Fix NULL dereference in error handling (git-fixes).
- scsi: qedi: Fix firmware halt over suspend and resume (git-fixes).
- scsi: qla2xxx: Add logs for SFP temperature monitoring (bsc#1214928).
- scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928).
- scsi: qla2xxx: Error code did not return to upper layer (bsc#1214928).
- scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928).
- scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() (git-fixes).
- scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() (bsc#1214928).
- scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1214928).
- scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928).
- scsi: qla2xxx: Remove unsupported ql2xenabledif option (bsc#1214928).
- scsi: qla2xxx: Remove unused declarations (bsc#1214928).
- scsi: qla2xxx: Remove unused variables in qla24xx_build_scsi_type_6_iocbs() (bsc#1214928).
- scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928).
- scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id() (git-fixes).
- scsi: scsi_debug: Remove dead code (git-fixes).
- scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
- scsi: snic: Fix possible memory leak if device_add() fails (git-fixes).
- scsi: storvsc: Handle additional SRB status values (git-fixes).
- scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941).
- selftests: tracing: Fix to unmount tracefs for recovering environment (git-fixes).
- SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes).
- tcpm: Avoid soft reset when partner does not support get_status (git-fixes).
- tracing: Fix race issue between cpu buffer write and swap (git-fixes).
- tracing: Remove extra space at the end of hwlat_detector/mode (git-fixes).
- tracing: Remove unnecessary copying of tr->current_trace (git-fixes).
- uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
- udf: Fix extension of the last extent in the file (bsc#1214964).
- udf: Fix file corruption when appending just after end of preallocated extent (bsc#1214965).
- udf: Fix off-by-one error when discarding preallocation (bsc#1214966).
- udf: Fix uninitialized array access for some pathnames (bsc#1214967).
- uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
- usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes).
- usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
- usb: serial: option: add FOXCONN T99W368/T99W373 product (git-fixes).
- usb: serial: option: add Quectel EM05G variant (0x030e) (git-fixes).
- usb: typec: tcpci: clear the fault status bit (git-fixes).
- usb: typec: tcpci: move tcpci.h to include/linux/usb/ (git-fixes).
- vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
- vhost-scsi: unbreak any layout for response (git-fixes).
- vhost: allow batching hint without size (git-fixes).
- vhost: fix hung thread due to erroneous iotlb entries (git-fixes).
- vhost: handle error while adding split ranges to iotlb (git-fixes).
- virtio_net: add checking sq is full inside xdp xmit (git-fixes).
- virtio_net: Fix probe failed when modprobe virtio_net (git-fixes).
- virtio_net: reorder some funcs (git-fixes).
- virtio_net: separate the logic of checking whether sq is full (git-fixes).
- virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes).
- virtio-mmio: do not break lifecycle of vm_dev (git-fixes).
- virtio-net: fix race between set queues and probe (git-fixes).
- virtio-net: set queues after driver_ok (git-fixes).
- virtio-rng: make device ready before making request (git-fixes).
- virtio: acknowledge all features before access (git-fixes).
- vmcore: remove dependency with is_kdump_kernel() for exporting vmcore (bsc#1212639 ltc#202582).
- watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load (git-fixes).
- word-at-a-time: use the same return type for has_zero regardless of endianness (bsc#1065729).
- x86/alternative: Fix race in try_get_desc() (git-fixes).
- x86/boot/e820: Fix typo in e820.c comment (git-fixes).
- x86/bugs: Reset speculation control settings on init (git-fixes).
- x86/cpu: Add Lunar Lake M (git-fixes).
- x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
- x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-fixes).
- x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-fixes).
- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
- x86/ioapic: Do not return 0 from arch_dynirq_lower_bound() (git-fixes).
- x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes).
- x86/mce: Retrieve poison range from hardware (git-fixes).
- x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
- x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
- x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
- x86/purgatory: remove PGO flags (git-fixes).
- x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git-fixes).
- x86/reboot: Disable virtualization in an emergency if SVM is supported (git-fixes).
- x86/resctl: fix scheduler confusion with 'current' (git-fixes).
- x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
- x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register (git-fixes).
- x86/rtc: Remove __init for runtime functions (git-fixes).
- x86/sgx: Reduce delay and interference of enclave release (git-fixes).
- x86/srso: Do not probe microcode in a guest (git-fixes).
- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
- x86/srso: Fix srso_show_state() side effect (git-fixes).
- x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes).
- x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
- xen: remove a confusing comment on auto-translated guest I/O (git-fixes).
- xprtrdma: Remap Receive buffers after a reconnect (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released:    Thu Oct 19 09:38:31 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4127-1
Released:    Thu Oct 19 09:43:23 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released:    Fri Oct 20 10:06:58 2023
Summary:     Recommended update for containerd, runc
Type:        recommended
Severity:    moderate
References:  1215323
This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4140-1
Released:    Fri Oct 20 11:34:03 2023
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1201300,1215935,1215936,CVE-2023-4692,CVE-2023-4693
This update for grub2 fixes the following issues:

Security fixes:
- CVE-2023-4692: Fixed an out-of-bounds write at fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935)
- CVE-2023-4693: Fixed an out-of-bounds read at fs/ntfs.c which may lead to leak sensitive information. (bsc#1215936)

Other fixes:
- Fix a boot delay issue in PowerPC PXE boot (bsc#1201300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
    
Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported  AUTH_DES authentication has be
  compiled out since commit d918e41d889 (Wed Oct 9 2019)
  replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4351-1
Released:    Thu Nov  2 17:11:29 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1211307,1212423,1213772,1215955,1216062,1216512,CVE-2023-2163,CVE-2023-31085,CVE-2023-34324,CVE-2023-3777,CVE-2023-39189,CVE-2023-45862,CVE-2023-46813,CVE-2023-5178
The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2023-3777: Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. (bsc#1215095)
- CVE-2023-46813: Fixed a local privilege escalation with user-space programs that have access to MMIO regions (bsc#1212649).
- CVE-2023-31085: Fixed a divide-by-zero error in do_div(sz,mtd->erasesize) that could cause a local DoS. (bsc#1210778)
- CVE-2023-45862: Fixed an issue in the ENE UB6250 reader driver whwere an object could potentially extend beyond the end of an allocation causing. (bsc#1216051)
- CVE-2023-5178: Fixed an UAF in queue intialization setup.  (bsc#1215768)
- CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518)
- CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745).
- CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046)

The following non-security bugs were fixed:

- 9p: virtio: make sure 'offs' is initialized in zc_request (git-fixes).
- ACPI: irq: Fix incorrect return value in acpi_register_gsi() (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA (git-fixes).
- ALSA: hda/realtek: Change model for Intel RVP board (git-fixes).
- ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q (git-fixes).
- ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind (git-fixes).
- ASoC: codecs: wcd938x: drop bogus bind error handling (git-fixes).
- ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes).
- ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag (git-fixes).
- ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link (git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes).
- Bluetooth: Avoid redundant authentication (git-fixes).
- Bluetooth: Fix a refcnt underflow problem for hci_conn (git-fixes).
- Bluetooth: Reject connection with the device which has same BD_ADDR (git-fixes).
- Bluetooth: avoid memcmp() out of bounds warning (git-fixes).
- Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes).
- Bluetooth: hci_event: Fix coding style (git-fixes).
- Bluetooth: hci_event: Fix using memcmp when comparing keys (git-fixes).
- Bluetooth: hci_event: Ignore NULL link key (git-fixes).
- Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name (git-fixes).
- Bluetooth: hci_sock: fix slab oob read in create_monitor_event (git-fixes).
- Bluetooth: vhci: Fix race when opening vhci device (git-fixes).
- Documentation: qat: change kernel version (PED-6401).
- Documentation: qat: rewrite description (PED-6401).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails (git-fixes).
- Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs (git-fixes).
- Fix metadata references
- HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event (git-fixes).
- HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit (git-fixes).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (git-fixes).
- HID: multitouch: Add required quirk for Synaptics 0xcd7e device (git-fixes).
- HID: sony: Fix a potential memory leak in sony_probe() (git-fixes).
- HID: sony: remove duplicate NULL check before calling usb_free_urb() (git-fixes).
- IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes)
- Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case (git-fixes).
- Input: powermate - fix use-after-free in powermate_config_complete (git-fixes).
- Input: psmouse - fix fast_reconnect function for PS/2 mode (git-fixes).
- Input: xpad - add PXN V900 support (git-fixes).
- KVM: SVM: Do not kill SEV guest if SMAP erratum triggers in usermode (git-fixes).
- KVM: s390: fix gisa destroy operation might lead to cpu stalls (git-fixes bsc#1216512).
- KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs is changed (git-fixes).
- KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772).
- KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772).
- KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772).
- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772).
- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes)
- RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes)
- RDMA/core: Require admin capabilities to set system parameters (git-fixes)
- RDMA/cxgb4: Check skb value for failure to allocate (git-fixes)
- RDMA/mlx5: Fix NULL string error (git-fixes)
- RDMA/siw: Fix connection failure handling (git-fixes)
- RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes)
- RDMA/uverbs: Fix typo of sizeof argument (git-fixes)
- Revert 'pinctrl: avoid unsafe code pattern in find_pinctrl()' (git-fixes).
- Revert 'tty: n_gsm: fix UAF in gsm_cleanup_mux' (git-fixes).
- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL (git-fixes).
- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition (git-fixes).
- USB: serial: option: add entry for Sierra EM9191 with new firmware (git-fixes).
- ata: libata-core: Do not register PM operations for SAS ports (git-fixes).
- ata: libata-core: Fix ata_port_request_pm() locking (git-fixes).
- ata: libata-core: Fix port and device removal (git-fixes).
- ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes).
- ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES (git-fixes).
- blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init (bsc#1216062).
- blk-cgroup: support to track if policy is online (bsc#1216062).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes).
- bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() (git-fixes).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (bsc#1215955).
- cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307).
- clk: tegra: fix error return case for recalc_rate (git-fixes).
- counter: microchip-tcb-capture: Fix the use of internal GCLK logic (git-fixes).
- crypto: qat - Include algapi.h for low-level Crypto API (PED-6401).
- crypto: qat - Remove unused function declarations (PED-6401).
- crypto: qat - add fw_counters debugfs file (PED-6401).
- crypto: qat - add heartbeat counters check (PED-6401).
- crypto: qat - add heartbeat feature (PED-6401).
- crypto: qat - add internal timer for qat 4xxx (PED-6401).
- crypto: qat - add measure clock frequency (PED-6401).
- crypto: qat - add missing function declaration in adf_dbgfs.h (PED-6401).
- crypto: qat - add qat_zlib_deflate (PED-6401).
- crypto: qat - add support for 402xx devices (PED-6401).
- crypto: qat - change value of default idle filter (PED-6401).
- crypto: qat - delay sysfs initialization (PED-6401).
- crypto: qat - do not export adf_init_admin_pm() (PED-6401).
- crypto: qat - drop log level of msg in get_instance_node() (PED-6401).
- crypto: qat - drop obsolete heartbeat interface (PED-6401).
- crypto: qat - drop redundant adf_enable_aer() (PED-6401).
- crypto: qat - expose pm_idle_enabled through sysfs (PED-6401).
- crypto: qat - extend buffer list logic interface (PED-6401).
- crypto: qat - extend configuration for 4xxx (PED-6401).
- crypto: qat - fix apply custom thread-service mapping for dc service (PED-6401).
- crypto: qat - fix concurrency issue when device state changes (PED-6401).
- crypto: qat - fix crypto capability detection for 4xxx (PED-6401).
- crypto: qat - fix spelling mistakes from 'bufer' to 'buffer' (PED-6401).
- crypto: qat - make fw images name constant (PED-6401).
- crypto: qat - make state machine functions static (PED-6401).
- crypto: qat - move dbgfs init to separate file (PED-6401).
- crypto: qat - move returns to default case (PED-6401).
- crypto: qat - refactor device restart logic (PED-6401).
- crypto: qat - refactor fw config logic for 4xxx (PED-6401).
- crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe (PED-6401).
- crypto: qat - replace state machine calls (PED-6401).
- crypto: qat - replace the if statement with min() (PED-6401).
- crypto: qat - set deprecated capabilities as reserved (PED-6401).
- crypto: qat - unmap buffer before free for DH (PED-6401).
- crypto: qat - unmap buffers before free for RSA (PED-6401).
- crypto: qat - update slice mask for 4xxx devices (PED-6401).
- crypto: qat - use kfree_sensitive instead of memset/kfree() (PED-6401).
- dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq (git-fixes).
- dmaengine: mediatek: Fix deadlock caused by synchronize_irq() (git-fixes).
- dmaengine: stm32-mdma: abort resume if no ongoing transfer (git-fixes).
- drm/amd/display: Do not check registers, if using AUX BL control (git-fixes).
- drm/amd/display: Do not set dpms_off for seamless boot (git-fixes).
- drm/amdgpu: Handle null atom context in VBIOS info ioctl (git-fixes).
- drm/amdgpu: add missing NULL check (git-fixes).
- drm/i915: Retry gtt fault when out of fence registers (git-fixes).
- drm/msm/dp: do not reinitialize phy unless retry during link training (git-fixes).
- drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow (git-fixes).
- drm/msm/dsi: fix irq_of_parse_and_map() error checking (git-fixes).
- drm/msm/dsi: skip the wait for video mode done if not applicable (git-fixes).
- drm/vmwgfx: fix typo of sizeof argument (git-fixes).
- drm: panel-orientation-quirks: Add quirk for One Mix 2S (git-fixes).
- firmware: arm_ffa: Do not set the memory region attributes for MEM_LEND (git-fixes).
- firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() (git-fixes).
- gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() (git-fixes).
- gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip (git-fixes).
- gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes).
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() (git-fixes).
- gpio: timberdale: Fix potential deadlock on &tgpio->lock (git-fixes).
- gpio: vf610: set value before the direction to avoid a glitch (git-fixes).
- gve: Do not fully free QPL pages on prefill errors (git-fixes).
- i2c: i801: unregister tco_pdev in i801_probe() error path (git-fixes).
- i2c: mux: Avoid potential false error message in i2c_mux_add_adapter (git-fixes).
- i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() (git-fixes).
- i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes).
- i2c: mux: gpio:??Replace custom acpi_get_local_address() (git-fixes).
- i2c: npcm7xx: Fix callback completion ordering (git-fixes).
- ieee802154: ca8210: Fix a potential UAF in ca8210_probe (git-fixes).
- iio: pressure: bmp280: Fix NULL pointer exception (git-fixes).
- iio: pressure: dps310: Adjust Timeout Settings (git-fixes).
- iio: pressure: ms5611: ms5611_prom_is_valid false negative bug (git-fixes).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops callback (bsc#1212423).
- iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops callback (bsc#1212423).
- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support (bsc#1212423).
- kabi: blkcg_policy_data fix KABI (bsc#1216062).
- kabi: workaround for enum nft_trans_phase (bsc#1215104).
- kprobes: Prohibit probing on CFI preamble symbol (git-fixes).
- leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes).
- mm, memcg: reconsider kmem.limit_in_bytes deprecation (bsc#1208788 bsc#1213705).
- mmc: core: Capture correct oemid-bits for eMMC cards (git-fixes).
- mmc: core: sdio: hold retuning if sdio in 1-bit mode (git-fixes).
- mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw (git-fixes).
- mtd: physmap-core: Restore map_rom fallback (git-fixes).
- mtd: rawnand: arasan: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: marvell: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: pl353: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: qcom: Unmap the right resource upon probe failure (git-fixes).
- mtd: spinand: micron: correct bitmask for ecc status (git-fixes).
- net/sched: fix netdevice reference leaks in attach_default_qdiscs() (git-fixes).
- net: mana: Fix TX CQE error handling (bsc#1215986).
- net: mana: Fix oversized sge0 for GSO packets (bsc#1215986).
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- net: rfkill: gpio: prevent value glitch during probe (git-fixes).
- net: sched: add barrier to fix packet stuck problem for lockless qdisc (bsc#1216345).
- net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog (bsc#1216345).
- net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset() (git-fixes).
- netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain (git-fixes).
- netfilter: nf_tables: unbind non-anonymous set if rule construction fails (git-fixes).
- nfc: nci: assert requested protocol is valid (git-fixes).
- nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (git-fixes).
- nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() (git-fixes).
- nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842).
- phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins (git-fixes).
- phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes).
- phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes).
- pinctrl: avoid unsafe code pattern in find_pinctrl() (git-fixes).
- pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes).
- platform/surface: platform_profile: Propagate error if profile registration fails (git-fixes).
- platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e (git-fixes).
- platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events (git-fixes).
- platform/x86: think-lmi: Fix reference leak (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Positivo C4128B (git-fixes).
- power: supply: ucs1002: fix error code in ucs1002_get_property() (git-fixes).
- quota: Fix slow quotaoff (bsc#1216621).
- r8152: check budget for r8152_poll() (git-fixes).
- regmap: fix NULL deref on lookup (git-fixes).
- regmap: rbtree: Fix wrong register marked as in-cache when creating new node (git-fixes).
- ring-buffer: Avoid softlockup in ring_buffer_resize() (git-fixes).
- ring-buffer: Do not attempt to read past 'commit' (git-fixes).
- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- ring-buffer: Update 'shortest_full' in polling (git-fixes).
- s390/cio: fix a memleak in css_alloc_subchannel (git-fixes bsc#1216510).
- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511).
- s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956 LTC#203788 bsc#1215957).
- sched/cpuset: Bring back cpuset_mutex (bsc#1215955).
- sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity() (git fixes (sched)).
- sched/rt: Fix live lock between select_fallback_rq() and RT push (git fixes (sched)).
- sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes (sched)).
- serial: 8250_port: Check IRQ data before use (git-fixes).
- soc: imx8m: Enable OCOTP clock for imx8mm before reading registers (git-fixes).
- spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes).
- spi: stm32: add a delay before SPI disable (git-fixes).
- spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain (git-fixes).
- spi: sun6i: reduce DMA RX transfer width to single byte (git-fixes).
- thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding (git-fixes).
- thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge (git-fixes).
- tracing: Have current_trace inc the trace array ref count (git-fixes).
- tracing: Have event inject files inc the trace array ref count (git-fixes).
- tracing: Have option files inc the trace array ref count (git-fixes).
- tracing: Have tracing_max_latency inc the trace array ref count (git-fixes).
- tracing: Increase trace array ref count on enable and filter files (git-fixes).
- tracing: Make trace_marker{,_raw} stream-like (git-fixes).
- usb: cdnsp: Fixes issue with dequeuing not queued requests (git-fixes).
- usb: dwc3: Soft reset phy on probe for host (git-fixes).
- usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call (git-fixes).
- usb: gadget: udc-xilinx: replace memcpy with memcpy_toio (git-fixes).
- usb: musb: Get the musb_qh poniter after musb_giveback (git-fixes).
- usb: musb: Modify the 'HWVers' register address (git-fixes).
- usb: typec: altmodes/displayport: Signal hpd low when exiting mode (git-fixes).
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer (git-fixes).
- vmbus_testing: fix wrong python syntax for integer value comparison (git-fixes).
- vringh: do not use vringh_kiov_advance() in vringh_iov_xfer() (git-fixes).
- watchdog: iTCO_wdt: No need to stop the timer in probe (git-fixes).
- watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running (git-fixes).
- wifi: cfg80211: Fix 6GHz scan configuration (git-fixes).
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes).
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes).
- wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes).
- wifi: mac80211: allow transmitting EAPOL frames with tainted key (git-fixes).
- wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling (git-fixes).
- wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet (git-fixes).
- wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes).
- wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len (git-fixes).
- x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772).
- x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772).
- x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772).
- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772).
- x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
- x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
- x86/sev: Check IOBM for IOIO exceptions from user-space (bsc#1212649).
- x86/sev: Check for user-space IOIO pointing to kernel space (bsc#1212649).
- x86/sev: Disable MMIO emulation from user mode (bsc#1212649).
- xen-netback: use default TX queue size for vifs (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4477-1
Released:    Fri Nov 17 10:21:21 2023
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1216010,1216075,1216253
This update for grub2 fixes the following issues:

- Fix failure to identify recent ext4 filesystem (bsc#1216010)
- Fix reading files from btrfs with 'implicit' holes
- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253) 
- Fix detection of encrypted disk's uuid in powerpc (bsc#1216075)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4615-1
Released:    Wed Nov 29 20:33:38 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1217472

This update of icu fixes the following issue:

- missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4664-1
Released:    Wed Dec  6 13:33:47 2023
Summary:     Security update for kernel-firmware
Type:        security
Severity:    important
References:  1215823,1215831,CVE-2021-26345,CVE-2021-46766,CVE-2021-46774,CVE-2022-23820,CVE-2022-23830,CVE-2023-20519,CVE-2023-20521,CVE-2023-20526,CVE-2023-20533,CVE-2023-20566,CVE-2023-20592
This update for kernel-firmware fixes the following issues:

Update AMD ucode to 20231030 (bsc#1215831):

- CVE-2022-23820: Failure to validate the AMD SMM communication buffer may allow an attacker to corrupt the SMRAM potentially leading to arbitrary code execution.
- CVE-2021-46774: Insufficient input validation in ABL may enable a privileged attacker to perform arbitrary DRAM writes, potentially resulting in code execution and privilege escalation.
- CVE-2023-20533: Insufficient DRAM address validation in System Management Unit (SMU) may allow an attacker using DMA to read/write from/to invalid DRAM address potentially resulting in denial-of-service.
0 CVE-2023-20519: A Use-After-Free vulnerability in the management of an SNP guest context page may allow a malicious hypervisor to masquerade as the guest's migration agent resulting in a potential loss of guest integrity.
- CVE-2023-20566: Improper address validation in ASP with SNP enabled may potentially allow an attacker to compromise guest memory integrity.
- CVE-2023-20521: TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.
- CVE-2021-46766: Improper clearing of sensitive data in the ASP Bootloader may expose secret keys to a privileged attacker accessing ASP SRAM, potentially leading to a loss of confidentiality.
- CVE-2022-23830: SMM configuration may not be immutable, as intended, when SNP is enabled resulting in a potential limited loss of guest memory integrity.
- CVE-2023-20526: Insufficient input validation in the ASP Bootloader may enable a privileged attacker with physical access to expose the contents of ASP memory potentially leading to a loss of confidentiality.
- CVE-2021-26345: Failure to validate the value in APCB may allow an attacker with physical access to tamper with the APCB token to force an out-of-bounds memory read potentially resulting in a denial of service.
- CVE-2023-20592: Issue with INVD instruction aka CacheWarpAttack (bsc#1215823).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' commands is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4705-1
Released:    Mon Dec 11 07:21:46 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1192986,1217031
This update for dracut fixes the following issues:

- Update to version 055+suse.351.g30f0cda6
- Fix network device naming in udev-rules (bsc#1192986)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4726-1
Released:    Tue Dec 12 12:11:02 2023
Summary:     Recommended update for podman
Type:        recommended
Severity:    low
References:  1210299
This update for podman fixes the following issues:

- Build against latest stable Go version (bsc#1210299)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4727-1
Released:    Tue Dec 12 12:27:39 2023
Summary:     Security update for catatonit, containerd, runc
Type:        security
Severity:    important
References:  1200528,CVE-2022-1996

This update of runc and containerd fixes the following issues:

containerd:

- Update to containerd v1.7.8. Upstream release notes:
  https://github.com/containerd/containerd/releases/tag/v1.7.8

    * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528)

catatonit:

- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.

- Update to catatont v0.1.7
  * This release adds the ability for catatonit to be used as the only
    process in a pause container, by passing the -P flag (in this mode no
    subprocess is spawned and thus no signal forwarding is done).

- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
  socket activation or features somewhat adjacent to socket activation (such as
  passing file descriptors).

runc:

- Update to runc v1.1.10. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.10


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4731-1
Released:    Tue Dec 12 15:14:07 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1084909,1189998,1210447,1214286,1214976,1215124,1215292,1215420,1215458,1215710,1216058,1216105,1216259,1216584,1216693,1216759,1216761,1216844,1216861,1216909,1216959,1216965,1216976,1217036,1217068,1217086,1217124,1217140,1217195,1217200,1217205,1217332,1217366,1217515,1217598,1217599,1217609,1217687,1217731,1217780,CVE-2023-2006,CVE-2023-25775,CVE-2023-39197,CVE-2023-39198,CVE-2023-4244,CVE-2023-45863,CVE-2023-45871,CVE-2023-46862,CVE-2023-5158,CVE-2023-5717,CVE-2023-6039,CVE-2023-6176
The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2023-6176: Fixed a denial of service in the cryptographic algorithm scatterwalk functionality (bsc#1217332).
- CVE-2023-2006: Fixed a race condition in the RxRPC network protocol (bsc#1210447).
- CVE-2023-39197: Fixed a out-of-bounds read in nf_conntrack_dccp_packet() (bsc#1216976).
- CVE-2023-4244: Fixed a use-after-free in the nf_tables component, which could be exploited to achieve local privilege escalation (bsc#1215420).
- CVE-2023-6039: Fixed a use-after-free in lan78xx_disconnect in drivers/net/usb/lan78xx.c (bsc#1217068).
- CVE-2023-45863: Fixed a out-of-bounds write in fill_kobj_path() (bsc#1216058).
- CVE-2023-5158: Fixed a denial of service in vringh_kiov_advance() in drivers/vhost/vringh.c in the host side of a virtio ring (bsc#1215710).
- CVE-2023-45871: Fixed an issue in the IGB driver, where the buffer size may not be adequate for frames larger than the MTU (bsc#1216259).
- CVE-2023-5717: Fixed a heap out-of-bounds write vulnerability in the Performance Events component (bsc#1216584).
- CVE-2023-39198: Fixed a race condition leading to use-after-free in qxl_mode_dumb_create() (bsc#1216965).
- CVE-2023-25775: Fixed improper access control in the Intel Ethernet Controller RDMA driver (bsc#1216959).
- CVE-2023-46862: Fixed a NULL pointer dereference in io_uring_show_fdinfo() (bsc#1216693).

The following non-security bugs were fixed:

- ACPI: FPDT: properly handle invalid FPDT subtables (git-fixes).
- ACPI: resource: Do IRQ override on TongFang GMxXGxx (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA (git-fixes).
- ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() (git-fixes).
- ALSA: hda/realtek - Add Dell ALC295 to pin fall back table (git-fixes).
- ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC (git-fixes).
- ALSA: hda/realtek: Add quirks for HP Laptops (git-fixes).
- ALSA: hda/realtek: Enable Mute LED on HP 255 G10 (git-fixes).
- ALSA: hda/realtek: Enable Mute LED on HP 255 G8 (git-fixes).
- ALSA: hda: Disable power-save on KONTRON SinglePC (bsc#1217140).
- ALSA: hda: Fix possible null-ptr-deref when assigning a stream (git-fixes).
- ALSA: hda: cs35l41: Fix unbalanced pm_runtime_get() (git-fixes).
- ALSA: hda: cs35l41: Undo runtime PM changes at driver exit time (git-fixes).
- ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection (git-fixes).
- ALSA: info: Fix potential deadlock at disconnection (git-fixes).
- ARM: 9321/1: memset: cast the constant byte to unsigned char (git-fixes).
- ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails (git-fixes).
- ASoC: ams-delta.c: use component after check (git-fixes).
- ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix (git-fixes).
- ASoC: cs35l41: Undo runtime PM changes at driver exit time (git-fixes).
- ASoC: cs35l41: Verify PM runtime resume errors in IRQ handler (git-fixes).
- ASoC: fsl: Fix PM disable depth imbalance in fsl_easrc_probe (git-fixes).
- ASoC: fsl: mpc5200_dma.c: Fix warning of Function parameter or member not described (git-fixes).
- ASoC: hdmi-codec: register hpd callback on component probe (git-fixes).
- ASoC: rt5650: fix the wrong result of key button (git-fixes).
- ASoC: simple-card: fixup asoc_simple_probe() error handling (git-fixes).
- ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings (git-fixes).
- Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE (git-fixes).
- Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables (git-fixes).
- Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559 (git-fixes).
- Bluetooth: btusb: Add date->evt_skb is NULL check (git-fixes).
- Disable Loongson drivers Loongson is a mips architecture, it does not make sense to build Loongson drivers on other architectures.
- Documentation: networking: correct possessive 'its' (bsc#1215458).
- Drivers: hv: vmbus: Remove unused extern declaration vmbus_ontimer() (git-fixes).
- Ensure ia32_emulation is always enabled for kernel-obs-build If ia32_emulation is disabled by default, ensure it is enabled back for OBS kernel to allow building 32bit binaries (jsc#PED-3184) [ms: Always pass the parameter, no need to grep through the config which may not be very reliable]
- Fix termination state for idr_for_each_entry_ul() (git-fixes).
- HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W (git-fixes).
- HID: hyperv: Replace one-element array with flexible-array member (git-fixes).
- HID: hyperv: avoid struct memcpy overrun warning (git-fixes).
- HID: hyperv: remove unused struct synthhid_msg (git-fixes).
- HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround (git-fixes).
- HID: logitech-hidpp: Do not restart IO, instead defer hid_connect() only (git-fixes).
- HID: logitech-hidpp: Move get_wireless_feature_index() check to hidpp_connect_event() (git-fixes).
- HID: logitech-hidpp: Remove HIDPP_QUIRK_NO_HIDINPUT quirk (git-fixes).
- HID: logitech-hidpp: Revert 'Do not restart communication if not necessary' (git-fixes).
- Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() (git-fixes).
- Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport (git-fixes).
- Input: xpad - add VID for Turtle Beach controllers (git-fixes).
- PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common() (git-fixes).
- PCI/sysfs: Protect driver's D3cold preference from user space (git-fixes).
- PCI: Disable ATS for specific Intel IPU E2000 devices (bsc#1215458).
- PCI: Extract ATS disabling to a helper function (bsc#1215458).
- PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device (git-fixes).
- PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk (git-fixes).
- PCI: Use FIELD_GET() to extract Link Width (git-fixes).
- PCI: exynos: Do not discard .remove() callback (git-fixes).
- PCI: keystone: Do not discard .probe() callback (git-fixes).
- PCI: keystone: Do not discard .remove() callback (git-fixes).
- PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields (git-fixes).
- PM / devfreq: rockchip-dfi: Make pmu regmap mandatory (git-fixes).
- PM: hibernate: Use __get_safe_page() rather than touching the list (git-fixes).
- USB: dwc2: write HCINT with INTMASK applied (bsc#1214286).
- USB: dwc3: qcom: fix ACPI platform device leak (git-fixes).
- USB: dwc3: qcom: fix resource leaks on probe deferral (git-fixes).
- USB: dwc3: qcom: fix software node leak on probe errors (git-fixes).
- USB: dwc3: qcom: fix wakeup after probe deferral (git-fixes).
- USB: serial: option: add Fibocom L7xx modules (git-fixes).
- USB: serial: option: add Luat Air72*U series products (git-fixes).
- USB: serial: option: do not claim interface 4 for ZTE MF290 (git-fixes).
- USB: serial: option: fix FM101R-GL defines (git-fixes).
- USB: usbip: fix stub_dev hub disconnect (git-fixes).
- arm/xen: fix xen_vcpu_info allocation alignment (git-fixes).
- arm64: Add Cortex-A520 CPU part definition (git-fixes)
- arm64: allow kprobes on EL0 handlers (git-fixes)
- arm64: armv8_deprecated move emulation functions (git-fixes)
- arm64: armv8_deprecated: fix unused-function error (git-fixes)
- arm64: armv8_deprecated: fold ops into insn_emulation (git-fixes)
- arm64: armv8_deprecated: move aarch32 helper earlier (git-fixes)
- arm64: armv8_deprecated: rework deprected instruction handling (git-fixes)
- arm64: consistently pass ESR_ELx to die() (git-fixes)
- arm64: die(): pass 'err' as long (git-fixes)
- arm64: factor insn read out of call_undef_hook() (git-fixes)
- arm64: factor out EL1 SSBS emulation hook (git-fixes)
- arm64: report EL1 UNDEFs better (git-fixes)
- arm64: rework BTI exception handling (git-fixes)
- arm64: rework EL0 MRS emulation (git-fixes)
- arm64: rework FPAC exception handling (git-fixes)
- arm64: split EL0/EL1 UNDEF handlers (git-fixes)
- ata: pata_isapnp: Add missing error check for devm_ioport_map() (git-fixes).
- atl1c: Work around the DMA RX overflow issue (git-fixes).
- atm: iphase: Do PCI error checks on own line (git-fixes).
- blk-mq: Do not clear driver tags own mapping (bsc#1217366).
- blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping() (bsc#1217366).
- bluetooth: Add device 0bda:887b to device tables (git-fixes).
- bluetooth: Add device 13d3:3571 to device tables (git-fixes).
- can: dev: can_put_echo_skb(): do not crash kernel if can_priv::echo_skb is accessed out of bounds (git-fixes).
- can: dev: can_restart(): do not crash kernel if carrier is OK (git-fixes).
- can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on() (git-fixes).
- can: isotp: add local echo tx processing for consecutive frames (git-fixes).
- can: isotp: fix race between isotp_sendsmg() and isotp_release() (git-fixes).
- can: isotp: fix tx state handling for echo tx processing (git-fixes).
- can: isotp: handle wait_event_interruptible() return values (git-fixes).
- can: isotp: isotp_bind(): return -EINVAL on incorrect CAN ID formatting (git-fixes).
- can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior (git-fixes).
- can: isotp: remove re-binding of bound socket (git-fixes).
- can: isotp: sanitize CAN ID checks in isotp_bind() (git-fixes).
- can: isotp: set max PDU size to 64 kByte (git-fixes).
- can: isotp: split tx timer into transmission and timeout (git-fixes).
- can: sja1000: Fix comment (git-fixes).
- clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name (git-fixes).
- clk: imx: Select MXC_CLK for CLK_IMX8QXP (git-fixes).
- clk: imx: imx8mq: correct error handling path (git-fixes).
- clk: imx: imx8qxp: Fix elcdif_pll clock (git-fixes).
- clk: keystone: pll: fix a couple NULL vs IS_ERR() checks (git-fixes).
- clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data (git-fixes).
- clk: npcm7xx: Fix incorrect kfree (git-fixes).
- clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies (git-fixes).
- clk: qcom: config IPQ_APSS_6018 should depend on QCOM_SMEM (git-fixes).
- clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src (git-fixes).
- clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks (git-fixes).
- clk: qcom: mmcc-msm8998: Do not check halt bit on some branch clks (git-fixes).
- clk: qcom: mmcc-msm8998: Fix the SMMU GDSC (git-fixes).
- clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped (git-fixes).
- clk: ti: Add ti_dt_clk_name() helper to use clock-output-names (git-fixes).
- clk: ti: Update component clocks to use ti_dt_clk_name() (git-fixes).
- clk: ti: Update pll and clockdomain clocks to use ti_dt_clk_name() (git-fixes).
- clk: ti: change ti_clk_register[_omap_hw]() API (git-fixes).
- clk: ti: fix double free in of_ti_divider_clk_setup() (git-fixes).
- crypto: caam/jr - fix Chacha20 + Poly1305 self test failure (git-fixes).
- crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure (git-fixes).
- crypto: hisilicon/hpre - Fix a erroneous check after snprintf() (git-fixes).
- dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() (git-fixes).
- dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe (git-fixes).
- dmaengine: stm32-mdma: correct desc prep when channel running (git-fixes).
- dmaengine: ti: edma: handle irq_of_parse_and_map() errors (git-fixes).
- docs: net: move the probe and open/close sections of driver.rst up (bsc#1215458).
- docs: net: reformat driver.rst from a list to sections (bsc#1215458).
- docs: net: use C syntax highlight in driver.rst (bsc#1215458).
- drm/amd/display: Avoid NULL dereference of timing generator (git-fixes).
- drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox (git-fixes).
- drm/amd/display: remove useless check in should_enable_fbc() (git-fixes).
- drm/amd/display: use full update for clip size increase of large plane source (git-fixes).
- drm/amd/pm: Handle non-terminated overdrive commands (git-fixes).
- drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga (git-fixes).
- drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 (git-fixes).
- drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL (git-fixes).
- drm/amdgpu: Fix potential null pointer derefernce (git-fixes).
- drm/amdgpu: do not use ATRM for external devices (git-fixes).
- drm/amdgpu: fix error handling in amdgpu_bo_list_get() (git-fixes).
- drm/amdgpu: fix software pci_unplug on some chips (git-fixes).
- drm/amdkfd: Fix a race condition of vram buffer unref in svm code (git-fixes).
- drm/amdkfd: Fix shift out-of-bounds issue (git-fixes).
- drm/amdkfd: fix some race conditions in vram buffer alloc/free of svm code (git-fixes).
- drm/bridge: Fix kernel-doc typo in desc of output_bus_cfg in drm_bridge_state (git-fixes).
- drm/bridge: lt8912b: Add missing drm_bridge_attach call (git-fixes).
- drm/bridge: lt8912b: Fix bridge_detach (git-fixes).
- drm/bridge: lt8912b: Fix crash on bridge detach (git-fixes).
- drm/bridge: lt8912b: Manually disable HPD only if it was enabled (git-fixes).
- drm/bridge: lt8912b: Register and attach our DSI device at probe (git-fixes).
- drm/bridge: lt8912b: Switch to devm MIPI-DSI helpers (git-fixes).
- drm/bridge: lt9611uxc: Register and attach our DSI device at probe (git-fixes).
- drm/bridge: lt9611uxc: Switch to devm MIPI-DSI helpers (git-fixes).
- drm/bridge: lt9611uxc: fix the race in the error path (git-fixes).
- drm/bridge: tc358768: Disable non-continuous clock mode (git-fixes).
- drm/bridge: tc358768: Fix bit updates (git-fixes).
- drm/bridge: tc358768: Fix use of uninitialized variable (git-fixes).
- drm/gud: Use size_add() in call to struct_size() (git-fixes).
- drm/i915/pmu: Check if pmu is closed before stopping event (git-fixes).
- drm/i915: Fix potential spectre vulnerability (git-fixes).
- drm/komeda: drop all currently held locks if deadlock happens (git-fixes).
- drm/mediatek: Fix iommu fault by swapping FBs after updating plane state (git-fixes).
- drm/mediatek: Fix iommu fault during crtc enabling (git-fixes).
- drm/mipi-dsi: Create devm device attachment (git-fixes).
- drm/mipi-dsi: Create devm device registration (git-fixes).
- drm/msm/dp: skip validity check for DP CTS EDID checksum (git-fixes).
- drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference (git-fixes).
- drm/panel: fix a possible null pointer dereference (git-fixes).
- drm/panel: simple: Fix Innolux G101ICE-L01 bus flags (git-fixes).
- drm/panel: simple: Fix Innolux G101ICE-L01 timings (git-fixes).
- drm/panel: st7703: Pick different reset sequence (git-fixes).
- drm/qxl: prevent memory leak (git-fixes).
- drm/radeon: possible buffer overflow (git-fixes).
- drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map() (git-fixes).
- drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() (git-fixes).
- drm/rockchip: vop: Fix call to crtc reset helper (git-fixes).
- drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full (git-fixes).
- drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs (git-fixes).
- drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE (git-fixes).
- drm/vc4: fix typo (git-fixes).
- drm: vmwgfx_surface.c: copy user-array safely (git-fixes).
- dt-bindings: usb: hcd: add missing phy name to example (git-fixes).
- dt-bindings: usb: qcom,dwc3: fix example wakeup interrupt types (git-fixes).
- fbdev: fsl-diu-fb: mark wr_reg_wa() static (git-fixes).
- fbdev: imsttfb: Fix error path of imsttfb_probe() (git-fixes).
- fbdev: imsttfb: Release framebuffer and dealloc cmap on error path (git-fixes).
- fbdev: imsttfb: fix a resource leak in probe (git-fixes).
- fbdev: imsttfb: fix double free in probe() (git-fixes).
- fbdev: omapfb: Drop unused remove function (git-fixes).
- firewire: core: fix possible memory leak in create_units() (git-fixes).
- firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels() (git-fixes).
- gpio: mockup: fix kerneldoc (git-fixes).
- gpio: mockup: remove unused field (git-fixes).
- hid: cp2112: Fix duplicate workqueue initialization (git-fixes).
- hv: simplify sysctl registration (git-fixes).
- hv_netvsc: Fix race of register_netdevice_notifier and VF register (git-fixes).
- hv_netvsc: Mark VF as slave before exposing it to user-mode (git-fixes).
- hv_netvsc: fix netvsc_send_completion to avoid multiple message length checks (git-fixes).
- hv_netvsc: fix race of netvsc and VF register_netdevice (git-fixes).
- hwmon: (coretemp) Fix potentially truncated sysfs attribute name (git-fixes).
- i2c: aspeed: Fix i2c bus hang in slave read (git-fixes).
- i2c: core: Run atomic i2c xfer when !preemptible (git-fixes).
- i2c: designware: Disable TX_EMPTY irq while waiting for block length byte (git-fixes).
- i2c: dev: copy userspace array safely (git-fixes).
- i2c: i801: fix potential race in i801_block_transaction_byte_by_byte (git-fixes).
- i2c: iproc: handle invalid slave state (git-fixes).
- i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node() (git-fixes).
- i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node() (git-fixes).
- i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() (git-fixes).
- i2c: stm32f7: Fix PEC handling in case of SMBUS transfers (git-fixes).
- i2c: sun6i-p2wi: Prevent potential division by zero (git-fixes).
- i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs (git-fixes).
- i3c: master: cdns: Fix reading status register (git-fixes).
- i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data (git-fixes).
- i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen (git-fixes).
- i3c: master: svc: fix check wrong status register in irq handler (git-fixes).
- i3c: master: svc: fix ibi may not return mandatory data byte (git-fixes).
- i3c: master: svc: fix race condition in ibi work thread (git-fixes).
- i3c: master: svc: fix wrong data return when IBI happen during start frame (git-fixes).
- i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler (git-fixes).
- i915/perf: Fix NULL deref bugs with drm_dbg() calls (git-fixes).
- idpf: add RX splitq napi poll support (bsc#1215458).
- idpf: add SRIOV support and other ndo_ops (bsc#1215458).
- idpf: add TX splitq napi poll support (bsc#1215458).
- idpf: add controlq init and reset checks (bsc#1215458).
- idpf: add core init and interrupt request (bsc#1215458).
- idpf: add create vport and netdev configuration (bsc#1215458).
- idpf: add ethtool callbacks (bsc#1215458).
- idpf: add module register and probe functionality (bsc#1215458).
- idpf: add ptypes and MAC filter support (bsc#1215458).
- idpf: add singleq start_xmit and napi poll (bsc#1215458).
- idpf: add splitq start_xmit (bsc#1215458).
- idpf: cancel mailbox work in error path (bsc#1215458).
- idpf: configure resources for RX queues (bsc#1215458).
- idpf: configure resources for TX queues (bsc#1215458).
- idpf: fix potential use-after-free in idpf_tso() (bsc#1215458).
- idpf: initialize interrupts and enable vport (bsc#1215458).
- idpf: set scheduling mode for completion queue (bsc#1215458).
- iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale (git-fixes).
- iio: adc: xilinx-xadc: Do not clobber preset voltage/temperature thresholds (git-fixes).
- iio: exynos-adc: request second interupt only when touchscreen mode is used (git-fixes).
- irqchip/stm32-exti: add missing DT IRQ flag translation (git-fixes).
- kabi/severities: ignore kabi in rxrpc (bsc#1210447) The rxrpc module is built since SLE15-SP3 but it is not shipped as part of any SLE product, only in Leap (in kernel-*-optional).
- kernel-binary: suse-module-tools is also required when installed Requires(pre) adds dependency for the specific sciptlet. However, suse-module-tools also ships modprobe.d files which may be needed at posttrans time or any time the kernel is on the system for generating ramdisk. Add plain Requires as well.
- kernel-source: Move provides after sources
- kernel/fork: beware of __put_task_struct() calling context (bsc#1189998 (PREEMPT_RT prerequisite backports)).
- kernel/fork: beware of __put_task_struct() calling context (bsc#1216761).
- leds: pwm: Do not disable the PWM when the LED should be off (git-fixes).
- leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu' (git-fixes).
- leds: turris-omnia: Do not use SMBUS calls (git-fixes).
- lsm: fix default return value for inode_getsecctx (git-fixes).
- lsm: fix default return value for vm_enough_memory (git-fixes).
- media: bttv: fix use after free error due to btv->timeout timer (git-fixes).
- media: ccs: Correctly initialise try compose rectangle (git-fixes).
- media: ccs: Fix driver quirk struct documentation (git-fixes).
- media: cedrus: Fix clock/reset sequence (git-fixes).
- media: cobalt: Use FIELD_GET() to extract Link Width (git-fixes).
- media: gspca: cpia1: shift-out-of-bounds in set_flicker (git-fixes).
- media: i2c: max9286: Fix some redundant of_node_put() calls (git-fixes).
- media: imon: fix access to invalid resource for the second interface (git-fixes).
- media: lirc: drop trailing space from scancode transmit (git-fixes).
- media: qcom: camss: Fix VFE-17x vfe_disable_output() (git-fixes).
- media: qcom: camss: Fix missing vfe_lite clocks check (git-fixes).
- media: qcom: camss: Fix pm_domain_on sequence in probe (git-fixes).
- media: qcom: camss: Fix vfe_get() error jump (git-fixes).
- media: sharp: fix sharp encoding (git-fixes).
- media: siano: Drop unnecessary error check for debugfs_create_dir/file() (git-fixes).
- media: venus: hfi: add checks to handle capabilities from firmware (git-fixes).
- media: venus: hfi: add checks to perform sanity on queue pointers (git-fixes).
- media: venus: hfi: fix the check to handle session buffer requirement (git-fixes).
- media: venus: hfi_parser: Add check to keep the number of codecs within range (git-fixes).
- media: vidtv: mux: Add check and kfree for kstrdup (git-fixes).
- media: vidtv: psi: Add check for kstrdup (git-fixes).
- media: vivid: avoid integer overflow (git-fixes).
- mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs (git-fixes).
- mfd: core: Ensure disabled devices are skipped without aborting (git-fixes).
- mfd: dln2: Fix double put in dln2_probe (git-fixes).
- misc: fastrpc: Clean buffers on remote invocation failures (git-fixes).
- misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller (git-fixes).
- mm/hmm: fault non-owner device private entries (bsc#1216844, jsc#PED-7237, git-fixes).
- mmc: block: Be sure to wait while busy in CQE error recovery (git-fixes).
- mmc: block: Do not lose cache flush during CQE error recovery (git-fixes).
- mmc: block: Retry commands in CQE error recovery (git-fixes).
- mmc: cqhci: Fix task clearing in CQE error recovery (git-fixes).
- mmc: cqhci: Increase recovery halt timeout (git-fixes).
- mmc: cqhci: Warn of halt or task clear failure (git-fixes).
- mmc: meson-gx: Remove setting of CMD_CFG_ERROR (git-fixes).
- mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2 (git-fixes).
- mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER (git-fixes).
- mmc: sdhci_am654: fix start loop index for TAP value parsing (git-fixes).
- mmc: vub300: fix an error code (git-fixes).
- modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host (git-fixes).
- mt76: dma: use kzalloc instead of devm_kzalloc for txwi (git-fixes).
- mtd: cfi_cmdset_0001: Byte swap OTP info (git-fixes).
- mtd: rawnand: arasan: Include ECC syndrome along with in-band data while checking for ECC failure (git-fixes).
- net-memcg: Fix scope of sockmem pressure indicators (bsc#1216759).
- net: Avoid address overwrite in kernel_connect (bsc#1216861).
- net: add macro netif_subqueue_completed_wake (bsc#1215458).
- net: fix use-after-free in tw_timer_handler (bsc#1217195).
- net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() (git-fixes).
- net: mana: Fix return type of mana_start_xmit() (git-fixes).
- net: piggy back on the memory barrier in bql when waking queues (bsc#1215458).
- net: provide macros for commonly copied lockless queue stop/wake code (bsc#1215458).
- net: usb: ax88179_178a: fix failed operations during ax88179_reset (git-fixes).
- net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg (git-fixes).
- nvme: update firmware version after commit (bsc#1215292).
- pcmcia: cs: fix possible hung task and memory leak pccardd() (git-fixes).
- pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() (git-fixes).
- pcmcia: ds: fix refcount leak in pcmcia_device_add() (git-fixes).
- pinctrl: avoid reload of p state in list iteration (git-fixes).
- platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e (git-fixes).
- platform/x86: wmi: Fix opening of char device (git-fixes).
- platform/x86: wmi: Fix probe failure when failing to register WMI devices (git-fixes).
- platform/x86: wmi: remove unnecessary initializations (git-fixes).
- powerpc: Do not clobber f0/vs0 during fp|altivec register save (bsc#1217780).
- pwm: Fix double shift bug (git-fixes).
- pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume (git-fixes).
- pwm: sti: Reduce number of allocations and drop usage of chip_data (git-fixes).
- r8152: Cancel hw_phy_work if we have an error in probe (git-fixes).
- r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en() (git-fixes).
- r8152: Check for unplug in rtl_phy_patch_request() (git-fixes).
- r8152: Increase USB control msg timeout to 5000ms as per spec (git-fixes).
- r8152: Release firmware if we have an error in probe (git-fixes).
- r8152: Run the unload routine if we have errors during probe (git-fixes).
- regmap: Ensure range selector registers are updated after cache sync (git-fixes).
- regmap: debugfs: Fix a erroneous check after snprintf() (git-fixes).
- regmap: prevent noinc writes from clobbering cache (git-fixes).
- s390/ap: fix AP bus crash on early config change callback invocation (git-fixes bsc#1217687).
- s390/cio: unregister device when the only path is gone (git-fixes bsc#1217609).
- s390/cmma: fix detection of DAT pages (LTC#203997 bsc#1217086).
- s390/cmma: fix handling of swapper_pg_dir and invalid_pg_dir (LTC#203997 bsc#1217086).
- s390/cmma: fix initial kernel address space page table walk (LTC#203997 bsc#1217086).
- s390/crashdump: fix TOD programmable field size (git-fixes bsc#1217205).
- s390/dasd: fix hanging device after request requeue (git-fixes LTC#203629 bsc#1215124).
- s390/dasd: protect device queue against concurrent access (git-fixes bsc#1217515).
- s390/dasd: use correct number of retries for ERP requests (git-fixes bsc#1217598).
- s390/ipl: add missing secure/has_secure file to ipl type 'unknown' (bsc#1214976 git-fixes).
- s390/mm: add missing arch_set_page_dat() call to gmap allocations (LTC#203997 bsc#1217086).
- s390/mm: add missing arch_set_page_dat() call to vmem_crst_alloc() (LTC#203997 bsc#1217086).
- s390/pkey: fix/harmonize internal keyblob headers (git-fixes bsc#1217200).
- s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling (git-fixes bsc#1217599).
- sbsa_gwdt: Calculate timeout with 64-bit math (git-fixes).
- scsi: lpfc: Copyright updates for 14.2.0.16 patches (bsc#1217731).
- scsi: lpfc: Correct maximum PCI function value for RAS fw logging (bsc#1217731).
- scsi: lpfc: Eliminate unnecessary relocking in lpfc_check_nlp_post_devloss() (bsc#1217731).
- scsi: lpfc: Enhance driver logging for selected discovery events (bsc#1217731).
- scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (bsc#1217731).
- scsi: lpfc: Fix possible file string name overflow when updating firmware (bsc#1217731).
- scsi: lpfc: Introduce LOG_NODE_VERBOSE messaging flag (bsc#1217124).
- scsi: lpfc: Refactor and clean up mailbox command memory free (bsc#1217731).
- scsi: lpfc: Reject received PRLIs with only initiator fcn role for NPIV ports (bsc#1217124).
- scsi: lpfc: Remove unnecessary zero return code assignment in lpfc_sli4_hba_setup (bsc#1217124).
- scsi: lpfc: Return early in lpfc_poll_eratt() when the driver is unloading (bsc#1217731).
- scsi: lpfc: Treat IOERR_SLI_DOWN I/O completion status the same as pci offline (bsc#1217124).
- scsi: lpfc: Update lpfc version to 14.2.0.15 (bsc#1217124).
- scsi: lpfc: Update lpfc version to 14.2.0.16 (bsc#1217731).
- scsi: lpfc: Validate ELS LS_ACC completion payload (bsc#1217124).
- scsi: qla2xxx: Fix double free of dsd_list during driver load (git-fixes).
- scsi: qla2xxx: Use FIELD_GET() to extract PCIe capability fields (git-fixes).
- selftests/efivarfs: create-read: fix a resource leak (git-fixes).
- selftests/pidfd: Fix ksft print formats (git-fixes).
- selftests/resctrl: Ensure the benchmark commands fits to its array (git-fixes).
- selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests (git-fixes).
- selftests/resctrl: Remove duplicate feature check from CMT test (git-fixes).
- seq_buf: fix a misleading comment (git-fixes).
- serial: exar: Revert 'serial: exar: Add support for Sealevel 7xxxC serial cards' (git-fixes).
- serial: meson: Use platform_get_irq() to get the interrupt (git-fixes).
- soc: qcom: llcc: Handle a second device without data corruption (git-fixes).
- spi: nxp-fspi: use the correct ioremap function (git-fixes).
- spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies (git-fixes).
- spi: tegra: Fix missing IRQ check in tegra_slink_probe() (git-fixes).
- staging: media: ipu3: remove ftrace-like logging (git-fixes).
- string.h: add array-wrappers for (v)memdup_user() (git-fixes).
- supported.conf: marked idpf supported
- thermal: core: prevent potential string overflow (git-fixes).
- treewide: Spelling fix in comment (git-fixes).
- tty/sysrq: replace smp_processor_id() with get_cpu() (git-fixes).
- tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks (git-fixes).
- tty: 8250: Add support for Brainboxes UP cards (git-fixes).
- tty: 8250: Add support for Intashield IS-100 (git-fixes).
- tty: 8250: Add support for Intashield IX cards (git-fixes).
- tty: 8250: Add support for additional Brainboxes PX cards (git-fixes).
- tty: 8250: Add support for additional Brainboxes UC cards (git-fixes).
- tty: 8250: Fix port count of PX-257 (git-fixes).
- tty: 8250: Fix up PX-803/PX-857 (git-fixes).
- tty: 8250: Remove UC-257 and UC-431 (git-fixes).
- tty: Fix uninit-value access in ppp_sync_receive() (git-fixes).
- tty: n_gsm: fix race condition in status line change on dead connections (git-fixes).
- tty: serial: meson: fix hard LOCKUP on crtscts mode (git-fixes).
- tty: tty_jobctrl: fix pid memleak in disassociate_ctty() (git-fixes).
- tty: vcc: Add check for kstrdup() in vcc_probe() (git-fixes).
- usb: cdnsp: Fix deadlock issue during using NCM gadget (git-fixes).
- usb: chipidea: Fix DMA overwrite for Tegra (git-fixes).
- usb: chipidea: Simplify Tegra DMA alignment code (git-fixes).
- usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency (git-fixes).
- usb: dwc3: Fix default mode initialization (git-fixes).
- usb: dwc3: set the dma max_seg_size (git-fixes).
- usb: gadget: f_ncm: Always set current gadget in ncm_bind() (git-fixes).
- usb: raw-gadget: properly handle interrupted requests (git-fixes).
- usb: storage: set 1.50 as the lower bcdDevice for older 'Super Top' compatibility (git-fixes).
- usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() (git-fixes).
- usb: typec: tcpm: Skip hard reset when in error recovery (git-fixes).
- virtchnl: add virtchnl version 2 ops (bsc#1215458).
- wifi: ath10k: Do not touch the CE interrupt registers after power up (git-fixes).
- wifi: ath10k: fix clang-specific fortify warning (git-fixes).
- wifi: ath11k: debugfs: fix to work with multiple PCI devices (git-fixes).
- wifi: ath11k: fix dfs radar event locking (git-fixes).
- wifi: ath11k: fix htt pktlog locking (git-fixes).
- wifi: ath11k: fix temperature event locking (git-fixes).
- wifi: ath9k: fix clang-specific fortify warnings (git-fixes).
- wifi: iwlwifi: Use FW rate for non-data frames (git-fixes).
- wifi: iwlwifi: call napi_synchronize() before freeing rx/tx queues (git-fixes).
- wifi: iwlwifi: empty overflow queue during flush (git-fixes).
- wifi: iwlwifi: honor the enable_ini value (git-fixes).
- wifi: iwlwifi: pcie: synchronize IRQs before NAPI (git-fixes).
- wifi: mac80211: do not return unset power in ieee80211_get_tx_power() (git-fixes).
- wifi: mac80211: fix # of MSDU in A-MSDU calculation (git-fixes).
- wifi: mt76: mt7603: rework/fix rx pse hang check (git-fixes).
- wifi: rtlwifi: fix EDCA limit set by BT coexistence (git-fixes).
- wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-fixes).
- x86/alternative: Add a __alt_reloc_selftest() prototype (git-fixes).
- x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs (git-fixes).
- x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 (git-fixes).
- x86/hyperv: Add HV_EXPOSE_INVARIANT_TSC define (git-fixes).
- x86/hyperv: Improve code for referencing hyperv_pcpu_input_arg (git-fixes).
- x86/hyperv: Make hv_get_nmi_reason public (git-fixes).
- x86/hyperv: fix a warning in mshyperv.h (git-fixes).
- x86/sev: Do not try to parse for the CC blob on non-AMD hardware (git-fixes).
- x86/sev: Fix calculation of end address based on number of pages (git-fixes).
- x86/sev: Use the GHCB protocol when available for SNP CPUID requests (git-fixes).
- x86: Move gds_ucode_mitigated() declaration to header (git-fixes).
- xfs: add attr state machine tracepoints (git-fixes).
- xfs: can't use kmem_zalloc() for attribute buffers (bsc#1216909).
- xfs: constify btree function parameters that are not modified (git-fixes).
- xfs: convert AGF log flags to unsigned (git-fixes).
- xfs: convert AGI log flags to unsigned (git-fixes).
- xfs: convert attr type flags to unsigned (git-fixes).
- xfs: convert bmap extent type flags to unsigned (git-fixes).
- xfs: convert bmapi flags to unsigned (git-fixes).
- xfs: convert btree buffer log flags to unsigned (git-fixes).
- xfs: convert buffer flags to unsigned (git-fixes).
- xfs: convert buffer log item flags to unsigned (git-fixes).
- xfs: convert da btree operations flags to unsigned (git-fixes).
- xfs: convert dquot flags to unsigned (git-fixes).
- xfs: convert inode lock flags to unsigned (git-fixes).
- xfs: convert log item tracepoint flags to unsigned (git-fixes).
- xfs: convert log ticket and iclog flags to unsigned (git-fixes).
- xfs: convert quota options flags to unsigned (git-fixes).
- xfs: convert scrub type flags to unsigned (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'blkno', 'block', or 'bno' (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'count' (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'len' (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'offset' (git-fixes).
- xfs: make the key parameters to all btree key comparison functions const (git-fixes).
- xfs: make the key parameters to all btree query range functions const (git-fixes).
- xfs: make the keys and records passed to btree inorder functions const (git-fixes).
- xfs: make the pointer passed to btree set_root functions const (git-fixes).
- xfs: make the start pointer passed to btree alloc_block functions const (git-fixes).
- xfs: make the start pointer passed to btree update_lastrec functions const (git-fixes).
- xfs: mark the record passed into btree init_key functions as const (git-fixes).
- xfs: mark the record passed into xchk_btree functions as const (git-fixes).
- xfs: remove xfs_btree_cur_t typedef (git-fixes).
- xfs: rename i_disk_size fields in ftrace output (git-fixes).
- xfs: resolve fork names in trace output (git-fixes).
- xfs: standardize AG block number formatting in ftrace output (git-fixes).
- xfs: standardize AG number formatting in ftrace output (git-fixes).
- xfs: standardize daddr formatting in ftrace output (git-fixes).
- xfs: standardize inode generation formatting in ftrace output (git-fixes).
- xfs: standardize inode number formatting in ftrace output (git-fixes).
- xfs: standardize remaining xfs_buf length tracepoints (git-fixes).
- xfs: standardize rmap owner number formatting in ftrace output (git-fixes).
- xhci: Enable RPM on controllers that support low-power states (git-fixes).
- xhci: Loosen RPM as default policy to cover for AMD xHC 1.1 (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4897-1
Released:    Tue Dec 19 08:22:36 2023
Summary:     Optional update for openslp
Type:        recommended
Severity:    low
References:  
This update for openslp bumps the version number to ensure a clean upgrade path from SLE-12 to SLE-15.

This is a no-change rebuild of the packages already available in SLE-15.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released:    Wed Dec 20 08:49:04 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1215229
This update for lvm2 fixes the following issues:

- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:10-1
Released:    Tue Jan  2 13:21:05 2024
Summary:     Security update for polkit
Type:        security
Severity:    moderate
References:  1209282
This update for polkit fixes the following issues:

- Change permissions for rules folders (bsc#1209282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:26-1
Released:    Thu Jan  4 11:15:24 2024
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1214980
This update for mozilla-nss fixes the following issues:

Mozilla NSS was updated to NSS 3.90.1

* regenerate NameConstraints test certificates.
* add OSXSAVE and XCR0 tests to AVX2 detection.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:105-1
Released:    Mon Jan 15 15:41:05 2024
Summary:     Recommended update for grub2 and efibootmgr
Type:        recommended
Severity:    important
References:  1217237
This update for grub2 and efibootmgr fixes the following issues:

grub2:

- Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237)

efibootmgr:

- Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:129-1
Released:    Tue Jan 16 15:48:55 2024
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1179610,1183045,1193285,1211162,1211226,1212584,1214747,1214823,1215237,1215696,1215885,1216057,1216559,1216776,1217036,1217217,1217250,1217602,1217692,1217790,1217801,1217933,1217938,1217946,1217947,1217980,1217981,1217982,1218056,1218139,1218184,1218234,1218253,1218258,1218335,1218357,1218447,1218515,1218559,1218569,1218659,CVE-2020-26555,CVE-2023-51779,CVE-2023-6121,CVE-2023-6531,CVE-2023-6546,CVE-2023-6606,CVE-2023-6610,CVE-2023-6622,CVE-2023-6931,CVE-2023-6932
The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes.


The following security bugs were fixed:

- CVE-2023-6531: Fixed a use-after-free flaw due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on (bsc#1218447).
- CVE-2023-6610: Fixed an out of bounds read in the SMB client when printing debug information (bsc#1217946).
- CVE-2023-51779: Fixed a use-after-free because of a bt_sock_ioctl race condition in bt_sock_recvmsg (bsc#1218559).
- CVE-2020-26555: Fixed an issue during BR/EDR PIN code pairing in the Bluetooth subsystem that would allow replay attacks (bsc#1179610 bsc#1215237).
- CVE-2023-6606: Fixed an out of bounds read in the SMB client when receiving a malformed length from a server (bsc#1217947).
- CVE-2023-6546: Fixed a race condition in the GSM 0710 tty multiplexor via the GSMIOC_SETCONF ioctl that could lead to local privilege escalation (bsc#1218335).
- CVE-2023-6931: Fixed a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component that could lead to local privilege escalation. (bsc#1218258).
- CVE-2023-6932: Fixed a use-after-free vulnerability in the Linux kernel's ipv4: igmp component that could lead to local privilege escalation (bsc#1218253).
- CVE-2023-6622: Fixed a null pointer dereference vulnerability in nft_dynset_init() that could allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service (bsc#1217938).
- CVE-2023-6121: Fixed an information leak via dmesg when receiving a crafted packet in the NVMe-oF/TCP subsystem (bsc#1217250).

The following non-security bugs were fixed:

- Reviewed and added more information to README.SUSE (jsc#PED-5021).
- Build in the correct KOTD repository with multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184) With multibuild setting repository flags is no longer supported for individual spec files - see https://github.com/openSUSE/open-build-service/issues/3574 Add ExclusiveArch conditional that depends on a macro set up by bs-upload-kernel instead. With that each package should build only in one repository - either standard or QA. Note: bs-upload-kernel does not interpret rpm conditionals, and only uses the first ExclusiveArch line to determine the architectures to enable.
- KVM: s390/mm: Properly reset no-dat (bsc#1218056).
- KVM: s390: vsie: fix wrong VIR 37 when MSO is used (bsc#1217933).
- KVM: x86: Mask LVTPC when handling a PMI (jsc#PED-7322).
- NFS: Fix O_DIRECT locking issues (bsc#1211162).
- NFS: Fix a few more clear_bit() instances that need release semantics (bsc#1211162).
- NFS: Fix a potential data corruption (bsc#1211162).
- NFS: Fix a use after free in nfs_direct_join_group() (bsc#1211162).
- NFS: Fix error handling for O_DIRECT write scheduling (bsc#1211162).
- NFS: More O_DIRECT accounting fixes for error paths (bsc#1211162).
- NFS: More fixes for nfs_direct_write_reschedule_io() (bsc#1211162).
- NFS: Use the correct commit info in nfs_join_page_group() (bsc#1211162).
- NLM: Defend against file_lock changes after vfs_test_lock() (bsc#1217692).
- Updated SPI patches for NVIDIA Grace enablement (bsc#1212584, jsc#PED-3459).
- block: fix revalidate performance regression (bsc#1216057).
- bpf: Adjust insufficient default bpf_jit_limit (bsc#1218234).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size() (bsc#1217980).
- ceph: fix type promotion bug on 32bit systems (bsc#1217982).
- clocksource: Add a Kconfig option for WATCHDOG_MAX_SKEW (bsc#1215885 bsc#1217217).
- clocksource: Enable TSC watchdog checking of HPET and PMTMR only when requested (bsc#1215885 bsc#1217217).
- clocksource: Handle negative skews in 'skew is too large' messages (bsc#1215885 bsc#1217217).
- clocksource: Improve 'skew is too large' messages (bsc#1215885 bsc#1217217).
- clocksource: Improve read-back-delay message (bsc#1215885 bsc#1217217).
- clocksource: Loosen clocksource watchdog constraints (bsc#1215885 bsc#1217217).
- clocksource: Print clocksource name when clocksource is tested unstable (bsc#1215885 bsc#1217217).
- clocksource: Verify HPET and PMTMR when TSC unverified (bsc#1215885 bsc#1217217).
- dm_blk_ioctl: implement path failover for SG_IO (bsc#1183045, bsc#1216776).
- fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() (bsc#1218659).
- kabi/severities: ignore kABI for asus-wmi drivers Tolerate the kABI changes, as used only locally for asus-wmi stuff
- libceph: use kernel_connect() (bsc#1217981).
- mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184) When MULTIBUILD option in config.sh is enabled generate a _multibuild file listing all spec files.
- mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors (bsc#1218515).
- net/smc: Fix pos miscalculation in statistics (bsc#1218139).
- net/tg3: fix race condition in tg3_reset_task() (bsc#1217801).
- nfs: only issue commit in DIO codepath if we have uncommitted data (bsc#1211162).
- remove unnecessary WARN_ON_ONCE() (bsc#1214823 bsc#1218569).
- s390/vx: fix save/restore of fpu kernel context (bsc#1218357).
- scsi: lpfc: use unsigned type for num_sge (bsc#1214747).
- swiotlb: fix a braino in the alignment check fix (bsc#1216559).
- swiotlb: fix slot alignment checks (bsc#1216559).
- tracing: Disable preemption when using the filter buffer (bsc#1217036).
- tracing: Fix a possible race when disabling buffered events (bsc#1217036).
- tracing: Fix a warning when allocating buffered events fails (bsc#1217036).
- tracing: Fix incomplete locking when disabling buffered events (bsc#1217036).
- tracing: Fix warning in trace_buffered_event_disable() (bsc#1217036).
- tracing: Use __this_cpu_read() in trace_event_buffer_lock_reserver() (bsc#1217036).
- uapi: propagate __struct_group() attributes to the container union (jsc#SLE-18978).
- vsprintf/kallsyms: Prevent invalid data when printing symbol (bsc#1217602).
- x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285).
- x86/platform/uv: Use alternate source for socket to node data (bsc#1215696 bsc#1217790).
- x86/tsc: Add option to force frequency recalibration with HW timer (bsc#1215885 bsc#1217217).
- x86/tsc: Be consistent about use_tsc_delay() (bsc#1215885 bsc#1217217).
- x86/tsc: Extend watchdog check exemption to 4-Sockets platform (bsc#1215885 bsc#1217217).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:233-1
Released:    Thu Jan 25 11:58:47 2024
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1217775
This update for suse-module-tools fixes the following issues:

- Update to version 15.4.19
- Add symlink /boot/.vmlinuz.hmac (bsc#1217775)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released:    Fri Jan 26 13:00:47 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1207987
This update for util-linux fixes the following issues:

- Fix performance degradation (bsc#1207987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:261-1
Released:    Tue Jan 30 08:20:36 2024
Summary:     Recommended update for conmon
Type:        recommended
Severity:    moderate
References:  1215806,1217773
This update for conmon fixes the following issues:

- New upstream release 2.1.10
  Bug fixes:
  * Fix incorrect free in conn_sock
  * logging: Respect log-size-max immediately after open

- Add patch for fixing regression in v2.1.9
  (https://github.com/containers/conmon/issues/475 and
  https://github.com/containers/conmon/issues/477)

- New upstream release 2.1.9
  ### Bug fixes
  * fix some issues flagged by SAST scan
  * src: fix write after end of buffer
  * src: open all files with O_CLOEXEC
  * oom-score: restore oom score before running exit command
  ### Features
  * Forward more messages on the sd-notify socket
  * logging: -l passthrough accepts TTYs

   * [bsc#1215806]

- Update to version 2.1.8:
  * stdio: ignore EIO for terminals (bsc#1217773)
  * ensure console socket buffers are properly sized
  * conmon: drop return after pexit()
  * ctrl: make accept4 failures fatal
  * logging: avoid opening /dev/null for each write
  * oom: restore old OOM score
  * Use default umask 0022
  * cli: log parsing errors to stderr
  * Changes to build conmon for riscv64
  * Changes to build conmon for ppc64le
  * Fix close_other_fds on FreeBSD
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:293-1
Released:    Wed Jan 31 17:42:15 2024
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    important
References:  
This update for elemental-operator contains the following fix:

- Bump Go to 1.20. (jsc#SURE-7083)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libsemanage-conf-3.4-150400.1.8 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libsepol2-3.4-150400.1.11 added
- libnghttp2-14-1.40.0-150200.12.1 updated
- libuuid1-2.37.2-150400.8.23.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libsmartcols1-2.37.2-150400.8.23.1 updated
- libblkid1-2.37.2-150400.8.23.1 updated
- libfdisk1-2.37.2-150400.8.23.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- kernel-firmware-amdgpu-20220509-150400.4.25.1 updated
- kernel-firmware-ath10k-20220509-150400.4.25.1 updated
- conmon-2.1.10-150400.3.17.1 updated
- libsemanage2-3.4-150400.1.8 added
- mozilla-nss-certs-3.90.1-150400.3.35.2 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libfreebl3-3.90.1-150400.3.35.2 updated
- libmount1-2.37.2-150400.8.23.1 updated
- liblvm2cmd2_03-2.03.05-150400.191.1 updated
- libsoftokn3-3.90.1-150400.3.35.2 updated
- mozilla-nss-3.90.1-150400.3.35.2 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- tar-1.34-150000.3.34.1 updated
- libqrtr-glib0-1.2.2-150400.1.3 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- cpio-2.13-150400.3.3.1 updated
- libdevmapper-event1_03-2.03.05_1.02.163-150400.191.1 updated
- device-mapper-2.03.05_1.02.163-150400.191.1 updated
- grub2-2.06-150400.11.43.2 updated
- grub2-i386-pc-2.06-150400.11.43.2 updated
- gpg2-2.2.27-150300.3.8.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- openslp-2.0.0-150000.6.17.1 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- pam-1.3.0-150000.6.66.1 updated
- system-user-nobody-20170617-150400.24.2.1 updated
- system-group-kvm-20170617-150400.24.2.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- util-linux-2.37.2-150400.8.23.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- systemd-249.17-150400.8.40.1 updated
- udev-249.17-150400.8.40.1 updated
- util-linux-systemd-2.37.2-150400.8.23.1 updated
- systemd-sysvinit-249.17-150400.8.40.1 updated
- suse-module-tools-15.4.19-150400.3.17.1 updated
- dracut-055+suse.351.g30f0cda6-150400.3.31.1 updated
- lvm2-2.03.05-150400.191.1 updated
- kernel-firmware-usb-network-20220509-150400.4.25.1 updated
- kernel-firmware-realtek-20220509-150400.4.25.1 updated
- kernel-firmware-qlogic-20220509-150400.4.25.1 updated
- kernel-firmware-platform-20220509-150400.4.25.1 updated
- kernel-firmware-network-20220509-150400.4.25.1 updated
- kernel-firmware-mellanox-20220509-150400.4.25.1 updated
- kernel-firmware-mediatek-20220509-150400.4.25.1 updated
- kernel-firmware-marvell-20220509-150400.4.25.1 updated
- kernel-firmware-liquidio-20220509-150400.4.25.1 updated
- kernel-firmware-iwlwifi-20220509-150400.4.25.1 updated
- kernel-firmware-intel-20220509-150400.4.25.1 updated
- kernel-firmware-i915-20220509-150400.4.25.1 updated
- kernel-firmware-chelsio-20220509-150400.4.25.1 updated
- kernel-firmware-bnx2-20220509-150400.4.25.1 updated
- kernel-firmware-ath11k-20220509-150400.4.25.1 updated
- kernel-firmware-atheros-20220509-150400.4.25.1 updated
- kernel-firmware-bluetooth-20220509-150400.4.25.1 updated
- kernel-firmware-brcm-20220509-150400.4.25.1 updated
- kernel-firmware-dpaa2-20220509-150400.4.25.1 updated
- kernel-firmware-media-20220509-150400.4.25.1 updated
- kernel-firmware-mwifiex-20220509-150400.4.25.1 updated
- kernel-firmware-nfp-20220509-150400.4.25.1 updated
- kernel-firmware-nvidia-20220509-150400.4.25.1 updated
- kernel-firmware-prestera-20220509-150400.4.25.1 updated
- kernel-firmware-qcom-20220509-150400.4.25.1 updated
- kernel-firmware-radeon-20220509-150400.4.25.1 updated
- kernel-firmware-serial-20220509-150400.4.25.1 updated
- kernel-firmware-sound-20220509-150400.4.25.1 updated
- kernel-firmware-ti-20220509-150400.4.25.1 updated
- kernel-firmware-ueagle-20220509-150400.4.25.1 updated
- kernel-firmware-all-20220509-150400.4.25.1 updated
- elemental-register-1.3.5-150400.4.6.1 updated
- elemental-support-1.3.5-150400.4.6.1 updated
- libcontainers-sles-mounts-20230214-150400.3.11.1 added
- libicu65_1-ledata-65.1-150200.4.10.1 updated
- libmbim-glib4-1.26.4-150400.1.2 updated
- libmm-glib0-1.18.10-150400.1.2 updated
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.11-150000.58.1 updated
- cni-0.7.1-150100.3.16.1 updated
- cni-plugins-0.8.6-150100.3.20.1 updated
- libcontainers-common-20230214-150400.3.11.1 updated
- libicu-suse65_1-65.1-150200.4.10.1 updated
- cryptsetup-2.4.3-150400.3.3.1 updated
- libqmi-glib5-1.30.8-150400.1.2 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- podman-4.4.4-150400.4.19.1 updated
- libpolkit0-0.116-150200.3.12.1 updated
- polkit-0.116-150200.3.12.1 updated
- ModemManager-1.18.10-150400.1.2 updated
- NetworkManager-wwan-1.38.2-150400.3.3.1 updated
- kernel-rt-5.14.21-150400.15.65.1 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:01:35 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:01:35 +0100 (CET)
Subject: SUSE-CU-2024:454-1: Security update of rancher/elemental-teal/5.4
Message-ID: <20240206080135.B08FCFBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-teal/5.4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:454-1
Container Tags        : rancher/elemental-teal/5.4:1.2.3 , rancher/elemental-teal/5.4:1.2.3-3.2.78 , rancher/elemental-teal/5.4:latest
Container Release     : 3.2.78
Severity              : important
Type                  : security
References            : 1103893 1107342 1112183 1168481 1182142 1187364 1187364 1187365
                        1187366 1187366 1187367 1187367 1192986 1193412 1195391 1196647
                        1197093 1198773 1198773 1200441 1200441 1200441 1200441 1200528
                        1201300 1201384 1201519 1201551 1201551 1204844 1205161 1206346
                        1206346 1206480 1206480 1206684 1206684 1207004 1207778 1207987
                        1208074 1208364 1208510 1208737 1208962 1209282 1209307 1209495
                        1209884 1209888 1210004 1210298 1210299 1210557 1210557 1210660
                        1211079 1211124 1211188 1211190 1211418 1211419 1211427 1211427
                        1211578 1212101 1212101 1212475 1212475 1212475 1212475 1212475
                        1213240 1213915 1213915 1214025 1214052 1214052 1214140 1214460
                        1214460 1214668 1214806 1214980 1215229 1215241 1215291 1215313
                        1215323 1215427 1215434 1215496 1215806 1215806 1215823 1215831
                        1215935 1215936 1216006 1216006 1216010 1216075 1216123 1216129
                        1216174 1216253 1216378 1216664 1216862 1216922 1216987 1217000
                        1217031 1217212 1217237 1217460 1217472 1217573 1217574 1217773
                        1217775 1217969 1218014 1218126 1218186 1218209 1218475 1218571
                        1218894 CVE-2021-26345 CVE-2021-3592 CVE-2021-3592 CVE-2021-3593
                        CVE-2021-3594 CVE-2021-3594 CVE-2021-3595 CVE-2021-3595 CVE-2021-46766
                        CVE-2021-46774 CVE-2022-1996 CVE-2022-23820 CVE-2022-23830 CVE-2023-0778
                        CVE-2023-1667 CVE-2023-20519 CVE-2023-20521 CVE-2023-20526 CVE-2023-20533
                        CVE-2023-20566 CVE-2023-20592 CVE-2023-2137 CVE-2023-2283 CVE-2023-25809
                        CVE-2023-2602 CVE-2023-2603 CVE-2023-27561 CVE-2023-28642 CVE-2023-39804
                        CVE-2023-4039 CVE-2023-4039 CVE-2023-4156 CVE-2023-44487 CVE-2023-45322
                        CVE-2023-45853 CVE-2023-46218 CVE-2023-46219 CVE-2023-4641 CVE-2023-4692
                        CVE-2023-4693 CVE-2023-48795 CVE-2023-50495 CVE-2023-5678 CVE-2023-6004
                        CVE-2023-6918 CVE-2023-7207 CVE-2024-21626 CVE-2024-22365 
-----------------------------------------------------------------

The container rancher/elemental-teal/5.4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released:    Fri Apr 29 11:36:02 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released:    Wed May 18 16:56:21 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released:    Tue Aug 30 10:51:09 2022
Summary:     Security update for libslirp
Type:        security
Severity:    moderate
References:  1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:

- CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365).

Non-security fixes:

- Fix the version header (bsc#1201551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1814-1
Released:    Tue Apr 11 14:40:34 2023
Summary:     Security update for podman
Type:        security
Severity:    important
References:  1197093,1208364,1208510,1209495,CVE-2023-0778
This update for podman fixes the following issues:

Update to version 4.4.4:

  * libpod: always use direct mapping
  * macos pkginstaller: do not fail when podman-mac-helper fails
  * podman-mac-helper: install: do not error if already installed

- podman.spec: Bump required version for libcontainers-common (bsc#1209495)

Update to version 4.4.3:

  * compat: /auth: parse server address correctly
  * vendor github.com/containers/common at v0.51.1
  * pkginstaller: bump Qemu to version 7.2.0
  * podman machine: Adjust Chrony makestep config
  * [v4.4] fix --health-on-failure=restart in transient unit
  * podman logs passthrough driver support --cgroups=split
  * journald logs: simplify entry parsing
  * podman logs: read journald with passthrough
  * journald: remove initializeJournal()
  * netavark: only use aardvark ip as nameserver
  * compat API: network create return 409 for duplicate
  * fix 'podman logs --since --follow' flake
  * system service --log-level=trace: support hijack
  * podman-mac-helper: exit 1 on error
  * bump golang.org/x/net to v0.8.0
  * Fix package restore
  * Quadlet - use the default runtime

Update to version 4.4.2:

  * Revert 'CI: Temporarily disable all AWS EC2-based tasks'
  * kube play: only enforce passthrough in Quadlet
  * Emergency fix for man pages: check for broken includes
  * CI: Temporarily disable all AWS EC2-based tasks
  * quadlet system tests: add useful defaults, logging
  * volume,container: chroot to source before exporting content
  * install sigproxy before start/attach
  * Update to c/image 5.24.1
  * events + container inspect test: RHEL fixes

- podman.spec: add `crun` requirement for quadlet
- podman.spec: set PREFIX at build stage (bsc#1208510)

- CVE-2023-0778: Fixed symlink exchange attack in podman export volume  (bsc#1208364)

Update to version 4.4.1:

  * kube play: do not teardown unconditionally on error
  * Resolve symlink path for qemu directory if possible
  * events: document journald identifiers
  * Quadlet: exit 0 when there are no files to process
  * Cleanup podman-systemd.unit file
  * Install podman-systemd.unit  man page, make quadlet discoverable
  * Add missing return after errors
  * oci: bind mount /sys with --userns=(auto|pod:)
  * docs: specify order preference for FROM
  * Cirrus: Fix & remove GraphQL API tests
  * test: adapt test to work on cgroupv1
  * make hack/markdown-preprocess parallel-safe
  * Fix default handling of pids-limit
  * system tests: fix volume exec/noexec test

Update to version 4.4.0:

  * Emergency fix for RHEL8 gating tests
  * Do not mount /dev/tty into rootless containers
  * Fixes port collision issue on use of --publish-all
  * Fix usage of absolute windows paths with --image-path
  * fix #17244: use /etc/timezone where `timedatectl` is missing on Linux
  * podman-events: document verbose create events
  * Making gvproxy.exe optional for building Windows installer
  * Add gvproxy to Windows packages
  * Match VT device paths to be blocked from mounting exactly
  * Clean up more language for inclusiveness
  * Set runAsNonRoot=true in gen kube
  * quadlet: Add device support for .volume files
  * fix: running check error when podman is default in wsl
  * fix: don't output 'ago' when container is currently up and running
  * journald: podman logs only show logs for current user
  * journald: podman events only show events for current user
  * Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)
  * DB: make loading container states optional
  * ps: do not sync container
  * Allow --device-cgroup-rule to be passed in by docker API
  * Create release notes for v4.4.0
  * Cirrus: Update operating branch
  * fix APIv2 python attach test flake
  * ps: query health check in batch mode
  * make example volume import, not import volume
  * Correct output when inspecting containers created with --ipc
  * Vendor containers/(storage, image, common, buildah)
  * Get correct username in pod when using --userns=keep-id
  * ps: get network data in batch mode
  * build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0
  * add hack/perf for comparing two container engines
  * systems: retrofit dns options test to honor other search domains
  * ps: do not create copy of container config
  * libpod: set search domain independently of nameservers
  * libpod,netavark: correctly populate /etc/resolv.conf with custom dns server
  * podman: relay custom DNS servers to network stack
  * (fix) mount_program is in storage.options.overlay
  * Change example target to default in doc
  * network create: do not allow `default` as name
  * kube-play: add support for HostPID in podSpec
  * build(deps): bump github.com/docker/docker
  * Let's see if #14653 is fixed or not
  * Add support for podman build --group-add
  * vendor in latests containers/(storage, common, build, image)
  * unskip network update test
  * do not install swagger by default
  * pasta: skip 'Local forwarder, IPv4' test
  * add testbindings Makefile target
  * update CI images to include pasta
  * [CI:DOCS] Add CNI deprecation notices to documentation
  * Cirrus: preserve podman-server logs
  * waitPidStop: reduce sleep time to 10ms
  * StopContainer: return if cleanup process changed state
  * StopSignal: add a comment
  * StopContainer: small refactor
  * waitPidStop: simplify code
  * e2e tests: reenable long-skipped build test
  * Add openssh-clients to podmanimage
  * Reworks Windows smoke test to tunnel through interactive session.
  * fix bud-multiple-platform-with-base-as-default-arg flake
  * Remove ReservedAnnotations from kube generate specification
  * e2e: update test/README.md
  * e2e: use isRootless() instead of rootless.IsRootless()
  * Cleanup documentation on --userns=auto
  * Vendor in latest c/common
  * sig-proxy system test: bump timeout
  * build(deps): bump github.com/containernetworking/plugins
  * rootless: rename auth-scripts to preexec-hooks
  * Docs: version-check updates
  * commit: use libimage code to parse changes
  * [CI:DOCS] Remove experimental mac tutorial
  * man: Document the interaction between --systemd and --privileged
  * Make rootless privileged containers share the same tty devices as rootfull ones
  * container kill: handle stopped/exited container
  * Vendor in latest containers/(image,ocicrypt)
  * add a comment to container removal
  * Vendor in latest containers/storage
  * Cirrus: Run machine tests on PR merge
  * fix flake in kube system test
  * kube play: complete container spec
  * E2E Tests: Use inspect instead of actual data to avoid UDP flake
  * Use containers/storage/pkg/regexp in place of regexp
  * Vendor in latest containers/storage
  * Cirrus: Support using updated/latest NV/AV in PRs
  * Limit replica count to 1 when deploying from kubernetes YAML
  * Set StoppedByUser earlier in the process of stopping
  * podman-play system test: refactor
  * network: add support for podman network update and --network-dns-server
  * service container: less verbose error logs
  * Quadlet Kube - add support for PublishPort key
  * e2e: fix systemd_activate_test
  * Compile regex on demand not in init
  * [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns.
  * E2E Test: Play Kube set deadline to connection to avoid hangs
  * Only prevent VTs to be mounted inside privileged systemd containers
  * e2e: fix play_kube_test
  * Updated error message for supported VolumeSource types
  * Introduce pkg retry logic in win installer task
  * logformatter: include base SHA, with history link
  * Network tests: ping redhat.com, not podman.io
  * cobra: move engine shutdown to Execute
  * Updated options for QEMU on Windows hosts
  * Update Mac installer to use gvproxy v0.5.0
  * podman: podman rm -f doesn't leave processes
  * oci: check for valid PID before kill(pid, 0)
  * linux: add /sys/fs/cgroup if /sys is a bind mount
  * Quadlet: Add support for ConfigMap key in Kube section
  * remove service container _after_ pods
  * Kube Play - allow setting and overriding published host ports
  * oci: terminate all container processes on cleanup
  * Update win-sshproxy to 0.5.0 gvisor tag
  * Vendor in latest containers/common
  * Fix a potential defer logic error around locking
  * logformatter: nicer formatting for bats failures
  * logformatter: refactor verbose line-print
  * e2e tests: stop using UBI images
  * k8s-file: podman logs --until --follow exit after time
  * journald: podman logs --until --follow exit after time
  * journald: seek to time when --since is used
  * podman logs: journald fix --since and --follow
  * Preprocess files in UTF-8 mode
  * Vendor in latest containers/(common, image, storage)
  * Switch to C based msi hooks for win installer
  * hack/bats: improve usage message
  * hack/bats: add --remote option
  * hack/bats: fix root/rootless logic
  * Describe copy volume options
  * Support sig-proxy for podman-remote attach and start
  * libpod: fix race condition rm'ing stopping containers
  * e2e: fix run_volume_test
  * Add support for Windows ARM64
  * Add shared --compress to man pages
  * Add container error message to ContainerState
  * Man page checker: require canonical name in SEE ALSO
  * system df: improve json output code
  * kube play: fix the error logic with --quiet
  * System tests: quadlet network test
  * Fix: List container with volume filter
  * adding -dryrun flag
  * Quadlet Container: Add support for EnvironmentFile and EnvironmentHost
  * Kube Play: use passthrough as the default log-driver if service-container is set
  * System tests: add missing cleanup
  * System tests: fix unquoted question marks
  * Build and use a newer systemd image
  * Quadlet Network - Fix the name of the required network service
  * System Test Quadlet - Volume dependency test did not test the dependency
  * fix `podman system connection - tcp` flake
  * vendor: bump c/storage to a747b27
  * Fix instructions about setting storage driver on command-line
  * Test README - point users to hack/bats
  * System test: quadlet kube basic test
  * Fixed `podman update --pids-limit`
  * podman-remote,bindings: trim context path correctly when its emptydir
  * Quadlet Doc: Add section for .kube files
  * e2e: fix containers_conf_test
  * Allow '/' to prefix container names to match Docker
  * Remove references to qcow2
  * Fix typos in man page regarding transient storage mode.
  * make: Use PYTHON var for .install.pre-commit
  * Add containers.conf read-only flag support
  * Explain that relabeling/chowning of volumes can take along time
  * events: support 'die' filter
  * infra/abi: refactor ContainerRm
  * When in transient store mode, use rundir for bundlepath
  * quadlet: Support Type=oneshot container files
  * hacks/bats: keep QUADLET env var in test env
  * New system tests for conflicting options
  * Vendor in latest containers/(buildah, image, common)
  * Output Size and Reclaimable in human form for json output
  * podman service: close duplicated /dev/null fd
  * ginkgo tests: apply ginkgolinter fixes
  * Add support for hostPath and configMap subpath usage
  * export: use io.Writer instead of file
  * rootless: always create userns with euid != 0
  * rootless: inhibit copy mapping for euid != 0
  * pkg/domain/infra/abi: introduce `type containerWrapper`
  * vendor: bump to buildah ca578b290144 and use new cache API
  * quadlet: Handle booleans that have defaults better
  * quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault
  * Add podman-clean-transient.service service
  * Stop recording annotations set to false
  * Unify --noheading and -n to be consistent on all commands
  * pkg/domain/infra/abi: add `getContainers`
  * Update vendor of containters/(common, image)
  * specfile: Drop user-add depedency from quadlet subpackage.
  * quadlet: Default BINDIR to /usr/bin if tag not specified
  * Quadlet: add network support
  * Add comment for jsonMarshal command
  * Always allow pushing from containers-storage
  * libpod: move NetNS into state db instead of extra bucket
  * Add initial system tests for quadlets
  * quadlet: Add --user option
  * libpod: remove CNI word were no longer applicable
  * libpod: fix header length in http attach with logs
  * podman-kube@ template: use `podman kube`
  * build(deps): bump github.com/docker/docker
  * wait: add --ignore option
  * qudlet: Respect $PODMAN env var for podman binary
  * e2e: Add assert-key-is-regex check to quadlet e2e testsuite
  * e2e: Add some assert to quadlet test to make sure testcases are sane
  * remove unmapped ports from inspect port bindings
  * update podman-network-create for clarity
  * Vendor in latest containers/common with default capabilities
  * pkg/rootless: Change error text ...
  * rootless: add cli validator
  * rootless: define LIBEXECPODMAN
  * doc: fix documentation for idmapped mounts
  * bump golangci-lint to v1.50.1
  * build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2
  * [CI:DOCS] podman-mount: s/umount/unmount/
  * create/pull --help: list pull policies
  * Network Create: Add --ignore flag to support idempotent script
  * Make qemu security model none
  * libpod: use OCI idmappings for mounts
  * stop reporting errors removing containers that don't exist
  * test: added test from wait endpoint with to long label
  * quadlet: Default VolatileTmp to off
  * build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11
  * docs/options/ipc: fix list syntax
  * Docs: Add dedicated DOWNLOAD doc w/ links to bins
  * Make a consistently-named windows installer
  * checkpoint restore: fix --ignore-static-ip/mac
  * add support for subpath in play kube for named volumes
  * build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
  * golangci-lint: remove three deprecated linters
  * parse-localbenchmarks: separate standard deviation
  * build(deps): bump golang.org/x/term from 0.2.0 to 0.3.0
  * podman play kube support container startup probe
  * Add podman buildx version support
  * Cirrus: Collect benchmarks on machine instances
  * Cirrus: Remove escape codes from log files
  * [CI:DOCS] Clarify secret target behavior
  * Fix typo on network docs
  * podman-remote build add --volume support
  * remote: allow --http-proxy for remote clients
  * Cleanup kube play workloads if error happens
  * health check: ignore dependencies of transient systemd units/timers
  * fix: event read from syslog
  * Fixes secret (un)marshaling for kube play.
  * Remove 'you' from man pages
  * build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools
  * [CI:DOCS] test/README.md: run tests with podman-remote
  * e2e: keeps the http_proxy value
  * Makefile: Add podman-mac-helper to darwin client zip
  * test/e2e: enable 'podman run with ipam none driver' for nv
  * [skip-ci] GHA/Cirrus-cron: Fix execution order
  * kube sdnotify: run proxies for the lifespan of the service
  * Update containers common package
  * podman manpage: Use man-page links instead of file names
  * e2e: fix e2e tests in proxy environment
  * Fix test
  * disable healthchecks automatically on non systemd systems
  * Quadlet Kube: Add support for userns flag
  * [CI:DOCS] Add warning about --opts,o with mount's -o
  * Add podman system prune --external
  * Add some tests for transient store
  * runtime: In transient_store mode, move bolt_state.db to rundir
  * runtime: Handle the transient store options
  * libpod: Move the creation of TmpDir to an earlier time
  * network create: support '-o parent=XXX' for ipvlan
  * compat API: allow MacAddress on container config
  * Quadlet Kube: Add support for relative path for YAML file
  * notify k8s system test: move sending message into exec
  * runtime: do not chown idmapped volumes
  * quadlet: Drop ExecStartPre=rm %t/%N.cid
  * Quadlet Kube: Set SyslogIdentifier if was not set
  * Add a FreeBSD cross build to the cirrus alt build task
  * Add completion for --init-ctr
  * Fix handling of readonly containers when defined in kube.yaml
  * Build cross-compilation fixes
  * libpod: Track healthcheck API changes in healthcheck_unsupported.go
  * quadlet: Use same default capability set as podman run
  * quadlet: Drop --pull=never
  * quadlet: Change default of ReadOnly to no
  * quadlet: Change RunInit default to no
  * quadlet: Change NoNewPrivileges default to false
  * test: podman run with checkpoint image
  * Enable 'podman run' for checkpoint images
  * test: Add tests for checkpoint images
  * CI setup: simplify environment passthrough code
  * Init containers should not be restarted
  * Update c/storage after https://github.com/containers/storage/pull/1436
  * Set the latest release explicitly
  * add friendly comment
  * fix an overriding logic and load config problem
  * Update the issue templates
  * Update vendor of containers/(image, buildah)
  * [CI:DOCS] Skip windows-smoke when not useful
  * [CI:DOCS] Remove broken gate-container docs
  * OWNERS: add Jason T. Greene
  * hack/podmansnoop: print arguments
  * Improve atomicity of VM state persistence on Windows
  * [CI:BUILD] copr: enable podman-restart.service on rpm installation
  * macos: pkg: Use -arm64 suffix instead of -aarch64
  * linux: Add -linux suffix to podman-remote-static binaries
  * linux: Build amd64 and arm64 podman-remote-static binaries
  * container create: add inspect data to event
  * Allow manual override of install location
  * Run codespell on code
  * Add missing parameters for checkpoint/restore endpoint
  * Add support for startup healthchecks
  * Add information on metrics to the `network create` docs
  * Introduce podman machine os commands
  * Document that ignoreRootFS depends on export/import
  * Document ignoreVolumes in checkpoint/restore endpoint
  * Remove leaveRunning from swagger restore endpoint
  * libpod: Add checks to avoid nil pointer dereference if network setup fails
  * Address golangci-lint issues
  * Documenting Hyper-V QEMU acceleration settings
  * Kube Play: fix the handling of the optional field of SecretVolumeSource
  * Update Vendor of containers/(common, image, buildah)
  * Fix swapped NetInput/-Output stats
  * libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory
  * chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template
  * test/tools: rebuild when files are changed
  * ginkgo tests: apply ginkgolinter fixes
  * ginkgo: restructure install work flow
  * Fix manpage emphasis
  * specgen: support CDI devices from containers.conf
  * vendor: update containers/common
  * pkg/trust: Take the default policy path from c/common/pkg/config
  * Add validate-in-container target
  * Adding encryption decryption feature
  * container restart: clean up healthcheck state
  * Add support for podman-remote manifest annotate
  * Quadlet: Add support for .kube files
  * Update vendor of containers/(buildah, common, storage, image)
  * specgen: honor user namespace value
  * [CI:DOCS] Migrate OSX Cross to M1
  * quadlet: Rework uid/gid remapping
  * GHA: Fix cirrus re-run workflow for other repos.
  * ssh system test: skip until it becomes a test
  * shell completion: fix hard coded network drivers
  * libpod: Report network setup errors properly on FreeBSD
  * E2E Tests: change the registry for the search test to avoid authentication
  * pkginstaller: install podman-mac-helper by default
  * Fix language. Mostly spelling a -> an
  * podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.
  * [CI:DOCS] Fix spelling and typos
  * Modify man page of '--pids-limit' option to correct a default value.
  * Update docs/source/markdown/podman-remote.1.md
  * Update pkg/bindings/connection.go
  * Add more documentation on UID/GID Mappings with --userns=keep-id
  * support podman-remote to connect tcpURL with proxy
  * Removing the RawInput from the API output
  * fix port issues for CONTAINER_HOST
  * CI: Package versions: run in the 'main' step
  * build(deps): bump github.com/rootless-containers/rootlesskit
  * pkg/domain: Make checkExecPreserveFDs platform-specific
  * e2e tests: fix restart race
  * Fix podman --noout to suppress all output
  * remove pod if creation has failed
  * pkg/rootless: Implement rootless.IsFdInherited on FreeBSD
  * Fix more podman-logs flakes
  * healthcheck system tests: try to fix flake
  * libpod: treat ESRCH from /proc/PID/cgroup as ENOENT
  * GHA: Configure workflows for reuse
  * compat,build: handle docker's preconfigured cacheTo,cacheFrom
  * docs: deprecate pasta network name
  * utils: Enable cgroup utils for FreeBSD
  * pkg/specgen: Disable kube play tests on FreeBSD
  * libpod/lock: Fix build and tests for SHM locks on FreeBSD
  * podman cp: fix copying with '.' suffix
  * pkginstaller: bump Qemu to version 7.1.0
  * specgen,wasm: switch to crun-wasm wherever applicable
  * vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1
  * libpod: Make unit test for statToPercent Linux only
  * Update vendor of containers/storage
  * fix connection usage with containers.conf
  * Add --quiet and --no-info flags to podman machine start
  * Add hidden podman manifest inspect -v option
  * Add podman volume create -d short option for driver
  * Vendor in latest containers/(common,image,storage)
  * Add podman system events alias to podman events
  * Fix search_test to return correct version of alpine
  * GHA: Fix undefined secret env. var.
  * Release notes for 4.3.1
  * GHA: Fix make_email-body script reference
  * Add release keys to README
  * GHA: Fix typo setting output parameter
  * GHA: Fix typo.
  * New tool, docs/version-check
  * Formalize our compare-against-docker mechanism
  * Add restart-sec for container service files
  * test/tools: bump module to go 1.17
  * contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor
  * build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools
  * libpod: Add FreeBSD support in packageVersion
  * Allow podman manigest push --purge|-p as alias for --rm
  * [CI:DOCS] Add performance tutorial
  * [CI:DOCS] Fix build targets in build_osx.md.
  * fix --format {{json .}} output to match docker
  * remote: fix manifest add --annotation
  * Skip test if `--events-backend` is necessary with podman-remote
  * kube play: update the handling of PersistentVolumeClaim
  * system tests: fix a system test in proxy environment
  * Use single unqualified search registry on Windows
  * test/system: Add, use tcp_port_probe() to check for listeners rather than binds
  * test/system: Add tests for pasta(1) connectivity
  * test/system: Move network-related helpers to helpers.network.bash
  * test/system: Use procfs to find bound ports, with optional address and protocol
  * test/system: Use port_is_free() from wait_for_port()
  * libpod: Add pasta networking mode
  * More log-flake work
  * Fix test flakes caused by improper podman-logs
  * fix incorrect systemd booted check
  * Cirrus: Add tests for GHA scripts
  * GHA: Update scripts to pass shellcheck
  * Cirrus: Shellcheck github-action scripts
  * Cirrus: shellcheck support for github-action scripts
  * GHA: Fix cirrus-cron scripts
  * Makefile: don't install to tmpfiles.d on FreeBSD
  * Make sure we can build and read each line of docker py's api client
  * Docker compat build api - make sure only one line appears per flush
  * Run codespell on code
  * Update vendor of containers/(image, storage, common)
  * Allow namespace path network option for pods.
  * Cirrus: Never skip running Windows Cross task
  * GHA: Auto. re-run failed cirrus-cron builds once
  * GHA: Migrate inline script to file
  * GHA: Simplify script reference
  * test/e2e: do not use apk in builds
  * remove container/pod id file along with container/pod
  * Cirrus: Synchronize windows image
  * Add --insecure,--tls-verify,--verbose flags to podman manifest inspect
  * runtime: add check for valid pod systemd cgroup
  * CI: set and verify DESIRED_NETWORK (netavark, cni)
  * [CI:DOCS] troubleshooting: document keep-id options
  * Man pages: refactor common options: --security-opt
  * Cirrus: Guarantee CNI testing w/o nv/av present
  * Cirrus: temp. disable all Ubuntu testing
  * Cirrus: Update to F37beta
  * buildah bud tests: better handling of remote
  * quadlet: Warn in generator if using short names
  * Add Windows Smoke Testing
  * Add podman kube apply command
  * docs: offer advice on installing test dependencies
  * Fix documentation on read-only-tmpfs
  * version bump to 4.4.0-dev
  * deps: bump go-criu to v6
  * Makefile: Add cross build targets for freebsd
  * pkg/machine: Make this build on FreeBSD/arm64
  * pkg/rctl: Remove unused cgo dependency
  * man pages: assorted underscore fixes
  * Upgrade GitHub actions packages from v2 to v3
  * vendor github.com/godbus/dbus/v5 at 4b691ce
  * [CI:DOCS] fix --tmpdir typos
  * Do not report that /usr/share/containers/storage.conf has been edited.
  * Eval symlinks on XDG_RUNTIME_DIR
  * hack/podmansnoop
  * rootless: support keep-id with one mapping
  * rootless: add argument to GetConfiguredMappings
  * Update vendor containers/(common,storage,buildah,image)
  * Fix deadlock between 'podman ps' and 'container inspect' commands
  * Add information about where the libpod/boltdb database lives
  * Consolidate the dependencies for the IsTerminal() API
  * Ensure that StartAndAttach locks while sending signals
  * ginkgo testing: fix podman usernamespace join
  * Test runners: nuke podman from $PATH before tests
  * volumes: Fix idmap not working for volumes
  * FIXME: Temporary workaround for ubi8 CI breakage
  * System tests: teardown: clean up volumes
  * update api versions on docs.podman.io
  * system tests: runlabel: use podman-under-test
  * system tests: podman network create: use random port
  * sig-proxy test: bump timeout
  * play kube: Allow the user to import the contents of a tar file into a volume
  * Clarify the docs on DropCapability
  * quadlet tests: Disable kmsg logging while testing
  * quadlet: Support multiple Network=
  * quadlet: Add support for Network=...
  * Fix manpage for podman run --network option
  * quadlet: Add support for AddDevice=
  * quadlet: Add support for setting seccomp profile
  * quadlet: Allow multiple elements on each Add/DropCaps line
  * quadlet: Embed the correct binary name in the generated comment
  * quadlet: Drop the SocketActivated key
  * quadlet: Switch log-driver to passthrough
  * quadlet: Change ReadOnly to default to enabled
  * quadlet tests: Run the tests even for (exected) failed tests
  * quadlet tests: Fix handling of stderr checks
  * Remove unused script file
  * notifyproxy: fix container watcher
  * container/pod id file: truncate instead of throwing an error
  * quadlet: Use the new podman create volume --ignore
  * Add podman volume create --ignore
  * logcollector: include aardvark-dns
  * build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1
  * build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1
  * docs: generate systemd: point to kube template
  * docs: kube play: mention restart policy
  * Fixes: 15858 (podman system reset --force destroy machine)
  * fix search flake
  * use cached containers.conf
  * adding regex support to the ancestor ps filter function
  * Fix `system df` issues with `-f` and `-v`
  * markdown-preprocess: cross-reference where opts are used
  * Default qemu flags for Windows amd64
  * build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0
  * Update main to reflect v4.3.0 release
  * build(deps): bump github.com/docker/docker
  * move quadlet packages into pkg/systemd
  * system df: fix image-size calculations
  * Add man page for quadlet
  * Fix small typo
  * testimage: add iproute2 & socat, for pasta networking
  * Set up minikube for k8s testing
  * Makefile: don't install systemd generator binaries on FreeBSD
  * [CI:BUILD] copr: podman rpm should depend on containers-common-extra
  * Podman image: Set default_sysctls to empty for rootless containers
  * Don't use  github.com/docker/distribution
  * libpod: Add support for 'podman top' on FreeBSD
  * libpod: Factor out jail name construction from stats_freebsd.go
  * pkg/util: Add pid information descriptors for FreeBSD
  * Initial quadlet version integrated in golang
  * bump golangci-lint to v1.49.0
  * Update vendor containers/(common,image,storage)
  * Allow volume mount dups, iff source and dest dirs
  * rootless: fix return value handling
  * Change to correct break statements
  * vendor containers/psgo at v1.8.0
  * Clarify that MacOSX docs are client specific
  * libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit
  * Add swagger install + allow version updates in CI
  * Cirrus: Fix windows clone race
  * build(deps): bump github.com/docker/docker
  * kill: wait for the container
  * generate systemd: set --stop-timeout for stopping containers
  * hack/tree_status.sh: print diff at the end
  * Fix markdown header typo
  * markdown-preprocess: add generic include mechanism
  * markdown-preprocess: almost complete OO rewrite
  * Update tests for changed error messages
  * Update c/image after https://github.com/containers/image/pull/1299
  * Man pages: refactor common options (misc)
  * Man pages: Refactor common options: --detach-keys
  * vendor containers/storage at main
  * Man pages: refactor common options: --attach
  * build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0
  * KillContainer: improve error message
  * docs: add missing options
  * Man pages: refactor common options: --annotation (manifest)
  * build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0
  * system tests: health-on-failure: fix broken logic
  * build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8
  * build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1
  * ContainerEngine.SetupRootless(): Avoid calling container.Config()
  * Container filters: Avoid use of ctr.Config()
  * Avoid unnecessary calls to Container.Spec()
  * Add and use Container.LinuxResource() helper
  * play kube: notifyproxy: listen before starting the pod
  * play kube: add support for configmap binaryData
  * Add and use libpod/Container.Terminal() helper
  * Revert 'Add checkpoint image tests'
  * Revert 'cmd/podman: add support for checkpoint images'
  * healthcheck: fix --on-failure=stop
  * Man pages: Add mention of behavior due to XDG_CONFIG_HOME
  * build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6
  * Avoid unnecessary timeout of 250msec when waiting on container shutdown
  * health checks: make on-failure action retry aware
  * libpod: Remove 100msec delay during shutdown
  * libpod: Add support for 'podman pod' on FreeBSD
  * libpod: Factor out cgroup validation from (*Runtime).NewPod
  * libpod: Move runtime_pod_linux.go to runtime_pod_common.go
  * specgen/generate: Avoid a nil dereference in MakePod
  * libpod: Factor out cgroups handling from (*Pod).refresh
  * Adds a link to OSX docs in CONTRIBUTING.md
  * Man pages: refactor common options: --os-version
  * Create full path to a directory when DirectoryOrCreate is used with play kube
  * Return error in podman system service if URI scheme is not unix/tcp
  * Man pages: refactor common options: --time
  * man pages: document some --format options: images
  * Clean up when stopping pods
  * Update vendor of containers/buildah v1.28.0
  * Proof of concept: nightly dependency treadmill

- Make the priority for picking the storage driver configurable (bsc#1197093)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released:    Wed Apr 19 14:23:14 2023
Summary:     Recommended update for libslirp, slirp4netns
Type:        recommended
Severity:    moderate
References:  1201551
This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxilliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix 'DHCP broken in libslirp v4.6.0'

Update to version 4.6.0:

* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:


* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released:    Tue Apr 25 18:05:42 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:

 - Fix the inability to use `/dev/null` when inside a container.
 - Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
 - Fix rare runc exec/enter unshare error on older kernels.
 - nsexec: Check for errors in `write_log()`.
 - Drop version-specific Go requirement.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2157-1
Released:    Wed May 10 13:21:20 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1200441

This update of conmon fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released:    Fri May 19 15:26:43 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1200441

This update of runc fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2324-1
Released:    Tue May 30 15:52:17 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1200441

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2527-1
Released:    Fri Jun 16 19:04:57 2023
Summary:     Recommended update for NetworkManager
Type:        recommended
Severity:    moderate
References:  
This update for NetworkManager fixes the following issues:

- Create /etc/NetworkManager/conf.d by default, allowing easy override for NetworkManager.conf file with drop-in
- Move default config file to /usr/lib/NetworkManager/NetworkManager.conf, as part of main package
- Ensure /usr/lib/NetworkManager/conf.d is part of the package

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released:    Tue Jun 27 14:43:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed   
  even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2869-1
Released:    Tue Jul 18 11:39:26 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1206346

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2989-1
Released:    Wed Jul 26 16:33:56 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1208737,1209307
This update for conmon fixes the following issues:

  conmon was updated to version 2.1.7:

  - Bumped go version to 1.19 (bsc#1209307).

  Bugfixes:

  - Fixed leaking symbolic links in the opt_socket_path directory.
  - Fixed cgroup oom issues (bsc#1208737).
  - Fixed OOM watcher for cgroupv2 `oom_kill` events.



-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released:    Tue Aug 29 07:33:16 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1103893,1112183
This update for icu fixes the following issues:

- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3470-1
Released:    Tue Aug 29 10:49:33 2023
Summary:     Recommended update for parted
Type:        recommended
Severity:    low
References:  1182142,1193412
This update for parted fixes the following issues:

- fix null pointer dereference (bsc#1193412)
- update mkpart options in manpage (bsc#1182142)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3736-1
Released:    Fri Sep 22 20:30:59 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    important
References:  1215291
This update for libcontainers-common fixes the following issues:

- Require libcontainers-sles-mounts for *all* SUSE Linux Enterprise products,
  and not just SUSE Linux Enterprise Server. (bsc#1215291)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released:    Wed Sep 27 18:20:25 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3816-1
Released:    Wed Sep 27 18:25:44 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released:    Tue Oct  3 20:06:23 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1212475

This update of runc fixes the following issues:

- Update to runc v1.1.8.

  Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4042-1
Released:    Tue Oct 10 19:11:00 2023
Summary:     Security update for conmon
Type:        security
Severity:    important
References:  1215806
This update for conmon fixes the following issues:

conmon was rebuilt using go1.21 (bsc#1215806)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released:    Thu Oct 19 09:38:31 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4127-1
Released:    Thu Oct 19 09:43:23 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released:    Fri Oct 20 10:06:58 2023
Summary:     Recommended update for containerd, runc
Type:        recommended
Severity:    moderate
References:  1215323
This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4140-1
Released:    Fri Oct 20 11:34:03 2023
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1201300,1215935,1215936,CVE-2023-4692,CVE-2023-4693
This update for grub2 fixes the following issues:

Security fixes:
- CVE-2023-4692: Fixed an out-of-bounds write at fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935)
- CVE-2023-4693: Fixed an out-of-bounds read at fs/ntfs.c which may lead to leak sensitive information. (bsc#1215936)

Other fixes:
- Fix a boot delay issue in PowerPC PXE boot (bsc#1201300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
    
Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported  AUTH_DES authentication has be
  compiled out since commit d918e41d889 (Wed Oct 9 2019)
  replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4477-1
Released:    Fri Nov 17 10:21:21 2023
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1216010,1216075,1216253
This update for grub2 fixes the following issues:

- Fix failure to identify recent ext4 filesystem (bsc#1216010)
- Fix reading files from btrfs with 'implicit' holes
- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253) 
- Fix detection of encrypted disk's uuid in powerpc (bsc#1216075)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4615-1
Released:    Wed Nov 29 20:33:38 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1217472

This update of icu fixes the following issue:

- missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4664-1
Released:    Wed Dec  6 13:33:47 2023
Summary:     Security update for kernel-firmware
Type:        security
Severity:    important
References:  1215823,1215831,CVE-2021-26345,CVE-2021-46766,CVE-2021-46774,CVE-2022-23820,CVE-2022-23830,CVE-2023-20519,CVE-2023-20521,CVE-2023-20526,CVE-2023-20533,CVE-2023-20566,CVE-2023-20592
This update for kernel-firmware fixes the following issues:

Update AMD ucode to 20231030 (bsc#1215831):

- CVE-2022-23820: Failure to validate the AMD SMM communication buffer may allow an attacker to corrupt the SMRAM potentially leading to arbitrary code execution.
- CVE-2021-46774: Insufficient input validation in ABL may enable a privileged attacker to perform arbitrary DRAM writes, potentially resulting in code execution and privilege escalation.
- CVE-2023-20533: Insufficient DRAM address validation in System Management Unit (SMU) may allow an attacker using DMA to read/write from/to invalid DRAM address potentially resulting in denial-of-service.
0 CVE-2023-20519: A Use-After-Free vulnerability in the management of an SNP guest context page may allow a malicious hypervisor to masquerade as the guest's migration agent resulting in a potential loss of guest integrity.
- CVE-2023-20566: Improper address validation in ASP with SNP enabled may potentially allow an attacker to compromise guest memory integrity.
- CVE-2023-20521: TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.
- CVE-2021-46766: Improper clearing of sensitive data in the ASP Bootloader may expose secret keys to a privileged attacker accessing ASP SRAM, potentially leading to a loss of confidentiality.
- CVE-2022-23830: SMM configuration may not be immutable, as intended, when SNP is enabled resulting in a potential limited loss of guest memory integrity.
- CVE-2023-20526: Insufficient input validation in the ASP Bootloader may enable a privileged attacker with physical access to expose the contents of ASP memory potentially leading to a loss of confidentiality.
- CVE-2021-26345: Failure to validate the value in APCB may allow an attacker with physical access to tamper with the APCB token to force an out-of-bounds memory read potentially resulting in a denial of service.
- CVE-2023-20592: Issue with INVD instruction aka CacheWarpAttack (bsc#1215823).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' commands is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4705-1
Released:    Mon Dec 11 07:21:46 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1192986,1217031
This update for dracut fixes the following issues:

- Update to version 055+suse.351.g30f0cda6
- Fix network device naming in udev-rules (bsc#1192986)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4726-1
Released:    Tue Dec 12 12:11:02 2023
Summary:     Recommended update for podman
Type:        recommended
Severity:    low
References:  1210299
This update for podman fixes the following issues:

- Build against latest stable Go version (bsc#1210299)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4727-1
Released:    Tue Dec 12 12:27:39 2023
Summary:     Security update for catatonit, containerd, runc
Type:        security
Severity:    important
References:  1200528,CVE-2022-1996

This update of runc and containerd fixes the following issues:

containerd:

- Update to containerd v1.7.8. Upstream release notes:
  https://github.com/containerd/containerd/releases/tag/v1.7.8

    * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528)

catatonit:

- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.

- Update to catatont v0.1.7
  * This release adds the ability for catatonit to be used as the only
    process in a pause container, by passing the -P flag (in this mode no
    subprocess is spawned and thus no signal forwarding is done).

- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
  socket activation or features somewhat adjacent to socket activation (such as
  passing file descriptors).

runc:

- Update to runc v1.1.10. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.10


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4897-1
Released:    Tue Dec 19 08:22:36 2023
Summary:     Optional update for openslp
Type:        recommended
Severity:    low
References:  
This update for openslp bumps the version number to ensure a clean upgrade path from SLE-12 to SLE-15.

This is a no-change rebuild of the packages already available in SLE-15.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released:    Wed Dec 20 08:49:04 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1215229
This update for lvm2 fixes the following issues:

- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:10-1
Released:    Tue Jan  2 13:21:05 2024
Summary:     Security update for polkit
Type:        security
Severity:    moderate
References:  1209282
This update for polkit fixes the following issues:

- Change permissions for rules folders (bsc#1209282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:26-1
Released:    Thu Jan  4 11:15:24 2024
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1214980
This update for mozilla-nss fixes the following issues:

Mozilla NSS was updated to NSS 3.90.1

* regenerate NameConstraints test certificates.
* add OSXSAVE and XCR0 tests to AVX2 detection.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:105-1
Released:    Mon Jan 15 15:41:05 2024
Summary:     Recommended update for grub2 and efibootmgr
Type:        recommended
Severity:    important
References:  1217237
This update for grub2 and efibootmgr fixes the following issues:

grub2:

- Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237)

efibootmgr:

- Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:233-1
Released:    Thu Jan 25 11:58:47 2024
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1217775
This update for suse-module-tools fixes the following issues:

- Update to version 15.4.19
- Add symlink /boot/.vmlinuz.hmac (bsc#1217775)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released:    Fri Jan 26 13:00:47 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1207987
This update for util-linux fixes the following issues:

- Fix performance degradation (bsc#1207987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:261-1
Released:    Tue Jan 30 08:20:36 2024
Summary:     Recommended update for conmon
Type:        recommended
Severity:    moderate
References:  1215806,1217773
This update for conmon fixes the following issues:

- New upstream release 2.1.10
  Bug fixes:
  * Fix incorrect free in conn_sock
  * logging: Respect log-size-max immediately after open

- Add patch for fixing regression in v2.1.9
  (https://github.com/containers/conmon/issues/475 and
  https://github.com/containers/conmon/issues/477)

- New upstream release 2.1.9
  ### Bug fixes
  * fix some issues flagged by SAST scan
  * src: fix write after end of buffer
  * src: open all files with O_CLOEXEC
  * oom-score: restore oom score before running exit command
  ### Features
  * Forward more messages on the sd-notify socket
  * logging: -l passthrough accepts TTYs

   * [bsc#1215806]

- Update to version 2.1.8:
  * stdio: ignore EIO for terminals (bsc#1217773)
  * ensure console socket buffers are properly sized
  * conmon: drop return after pexit()
  * ctrl: make accept4 failures fatal
  * logging: avoid opening /dev/null for each write
  * oom: restore old OOM score
  * Use default umask 0022
  * cli: log parsing errors to stderr
  * Changes to build conmon for riscv64
  * Changes to build conmon for ppc64le
  * Fix close_other_fds on FreeBSD
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:293-1
Released:    Wed Jan 31 17:42:15 2024
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    important
References:  
This update for elemental-operator contains the following fix:

- Bump Go to 1.20. (jsc#SURE-7083)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libsemanage-conf-3.4-150400.1.8 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libsepol2-3.4-150400.1.11 added
- libnghttp2-14-1.40.0-150200.12.1 updated
- libuuid1-2.37.2-150400.8.23.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libsmartcols1-2.37.2-150400.8.23.1 updated
- libblkid1-2.37.2-150400.8.23.1 updated
- libfdisk1-2.37.2-150400.8.23.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- conmon-2.1.10-150400.3.17.1 updated
- elemental-register-1.3.5-150400.4.6.1 updated
- elemental-support-1.3.5-150400.4.6.1 updated
- kernel-firmware-ath10k-20220509-150400.4.25.1 updated
- libicu65_1-ledata-65.1-150200.4.10.1 updated
- libsemanage2-3.4-150400.1.8 added
- mozilla-nss-certs-3.90.1-150400.3.35.2 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libfreebl3-3.90.1-150400.3.35.2 updated
- libmount1-2.37.2-150400.8.23.1 updated
- liblvm2cmd2_03-2.03.05-150400.191.1 updated
- libsoftokn3-3.90.1-150400.3.35.2 updated
- mozilla-nss-3.90.1-150400.3.35.2 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- tar-1.34-150000.3.34.1 updated
- libqrtr-glib0-1.2.2-150400.1.3 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- cpio-2.13-150400.3.3.1 updated
- libdevmapper-event1_03-2.03.05_1.02.163-150400.191.1 updated
- device-mapper-2.03.05_1.02.163-150400.191.1 updated
- grub2-2.06-150400.11.43.2 updated
- grub2-i386-pc-2.06-150400.11.43.2 updated
- gpg2-2.2.27-150300.3.8.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- openslp-2.0.0-150000.6.17.1 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- pam-1.3.0-150000.6.66.1 updated
- system-user-nobody-20170617-150400.24.2.1 updated
- system-group-kvm-20170617-150400.24.2.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- util-linux-2.37.2-150400.8.23.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- systemd-249.17-150400.8.40.1 updated
- udev-249.17-150400.8.40.1 updated
- util-linux-systemd-2.37.2-150400.8.23.1 updated
- systemd-sysvinit-249.17-150400.8.40.1 updated
- suse-module-tools-15.4.19-150400.3.17.1 updated
- dracut-055+suse.351.g30f0cda6-150400.3.31.1 updated
- lvm2-2.03.05-150400.191.1 updated
- kernel-firmware-usb-network-20220509-150400.4.25.1 updated
- kernel-firmware-realtek-20220509-150400.4.25.1 updated
- kernel-firmware-qlogic-20220509-150400.4.25.1 updated
- kernel-firmware-platform-20220509-150400.4.25.1 updated
- kernel-firmware-network-20220509-150400.4.25.1 updated
- kernel-firmware-mellanox-20220509-150400.4.25.1 updated
- kernel-firmware-mediatek-20220509-150400.4.25.1 updated
- kernel-firmware-marvell-20220509-150400.4.25.1 updated
- kernel-firmware-liquidio-20220509-150400.4.25.1 updated
- kernel-firmware-iwlwifi-20220509-150400.4.25.1 updated
- kernel-firmware-intel-20220509-150400.4.25.1 updated
- kernel-firmware-i915-20220509-150400.4.25.1 updated
- kernel-firmware-chelsio-20220509-150400.4.25.1 updated
- kernel-firmware-bnx2-20220509-150400.4.25.1 updated
- kernel-firmware-amdgpu-20220509-150400.4.25.1 updated
- kernel-firmware-ath11k-20220509-150400.4.25.1 updated
- kernel-firmware-atheros-20220509-150400.4.25.1 updated
- kernel-firmware-bluetooth-20220509-150400.4.25.1 updated
- kernel-firmware-brcm-20220509-150400.4.25.1 updated
- kernel-firmware-dpaa2-20220509-150400.4.25.1 updated
- kernel-firmware-media-20220509-150400.4.25.1 updated
- kernel-firmware-mwifiex-20220509-150400.4.25.1 updated
- kernel-firmware-nfp-20220509-150400.4.25.1 updated
- kernel-firmware-nvidia-20220509-150400.4.25.1 updated
- kernel-firmware-prestera-20220509-150400.4.25.1 updated
- kernel-firmware-qcom-20220509-150400.4.25.1 updated
- kernel-firmware-radeon-20220509-150400.4.25.1 updated
- kernel-firmware-serial-20220509-150400.4.25.1 updated
- kernel-firmware-sound-20220509-150400.4.25.1 updated
- kernel-firmware-ti-20220509-150400.4.25.1 updated
- kernel-firmware-ueagle-20220509-150400.4.25.1 updated
- libcontainers-sles-mounts-20230214-150400.3.11.1 added
- libmbim-glib4-1.26.4-150400.1.2 updated
- libmm-glib0-1.18.10-150400.1.2 updated
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.11-150000.58.1 updated
- cni-0.7.1-150100.3.16.1 updated
- cni-plugins-0.8.6-150100.3.20.1 updated
- kernel-firmware-all-20220509-150400.4.25.1 updated
- libcontainers-common-20230214-150400.3.11.1 updated
- libicu-suse65_1-65.1-150200.4.10.1 updated
- cryptsetup-2.4.3-150400.3.3.1 updated
- libqmi-glib5-1.30.8-150400.1.2 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- podman-4.4.4-150400.4.19.1 updated
- libpolkit0-0.116-150200.3.12.1 updated
- polkit-0.116-150200.3.12.1 updated
- ModemManager-1.18.10-150400.1.2 updated
- NetworkManager-wwan-1.38.2-150400.3.3.1 updated

From sle-container-updates at lists.suse.com  Tue Feb  6 08:01:39 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:01:39 +0100 (CET)
Subject: SUSE-CU-2024:457-1: Security update of rancher/elemental-teal-channel
Message-ID: <20240206080139.628C3FBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-teal-channel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:457-1
Container Tags        : rancher/elemental-teal-channel:1.3.5 , rancher/elemental-teal-channel:1.3.5-4.5.109 , rancher/elemental-teal-channel:latest
Container Release     : 4.5.109
Severity              : important
Type                  : security
References            : 1103893 1107342 1112183 1168481 1187364 1187364 1187365 1187366
                        1187366 1187367 1187367 1195391 1196647 1198773 1198773 1200441
                        1200441 1200528 1201384 1201519 1201551 1201551 1204844 1205161
                        1206346 1206480 1206480 1206684 1206684 1207004 1207778 1207987
                        1208074 1208962 1209884 1209888 1210004 1210298 1210557 1210557
                        1210660 1211079 1211124 1211188 1211190 1211418 1211419 1211427
                        1211427 1211578 1212101 1212101 1212475 1212475 1212475 1213240
                        1213915 1213915 1214025 1214052 1214052 1214140 1214460 1214460
                        1214668 1214806 1215229 1215241 1215291 1215313 1215323 1215427
                        1215434 1215496 1216006 1216123 1216129 1216174 1216378 1216664
                        1216862 1216922 1216987 1217000 1217212 1217460 1217472 1217573
                        1217574 1217969 1218014 1218126 1218186 1218209 1218475 1218571
                        1218894 CVE-2021-3592 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594
                        CVE-2021-3594 CVE-2021-3595 CVE-2021-3595 CVE-2022-1996 CVE-2023-1667
                        CVE-2023-2137 CVE-2023-2283 CVE-2023-25809 CVE-2023-2602 CVE-2023-2603
                        CVE-2023-27561 CVE-2023-28642 CVE-2023-39804 CVE-2023-4039 CVE-2023-4039
                        CVE-2023-4156 CVE-2023-44487 CVE-2023-45322 CVE-2023-45853 CVE-2023-46218
                        CVE-2023-46219 CVE-2023-4641 CVE-2023-48795 CVE-2023-50495 CVE-2023-5678
                        CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2024-21626 CVE-2024-22365
-----------------------------------------------------------------

The container rancher/elemental-teal-channel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released:    Fri Apr 29 11:36:02 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released:    Wed May 18 16:56:21 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released:    Tue Aug 30 10:51:09 2022
Summary:     Security update for libslirp
Type:        security
Severity:    moderate
References:  1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:

- CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365).

Non-security fixes:

- Fix the version header (bsc#1201551)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released:    Wed Apr 19 14:23:14 2023
Summary:     Recommended update for libslirp, slirp4netns
Type:        recommended
Severity:    moderate
References:  1201551
This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxilliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix 'DHCP broken in libslirp v4.6.0'

Update to version 4.6.0:

* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:


* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released:    Tue Apr 25 18:05:42 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:

 - Fix the inability to use `/dev/null` when inside a container.
 - Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
 - Fix rare runc exec/enter unshare error on older kernels.
 - nsexec: Check for errors in `write_log()`.
 - Drop version-specific Go requirement.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released:    Fri May 19 15:26:43 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1200441

This update of runc fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released:    Tue Jun 27 14:43:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed   
  even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released:    Tue Aug 29 07:33:16 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1103893,1112183
This update for icu fixes the following issues:

- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3736-1
Released:    Fri Sep 22 20:30:59 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    important
References:  1215291
This update for libcontainers-common fixes the following issues:

- Require libcontainers-sles-mounts for *all* SUSE Linux Enterprise products,
  and not just SUSE Linux Enterprise Server. (bsc#1215291)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released:    Wed Sep 27 18:20:25 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released:    Tue Oct  3 20:06:23 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1212475

This update of runc fixes the following issues:

- Update to runc v1.1.8.

  Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released:    Thu Oct 19 09:38:31 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released:    Fri Oct 20 10:06:58 2023
Summary:     Recommended update for containerd, runc
Type:        recommended
Severity:    moderate
References:  1215323
This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
    
Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported  AUTH_DES authentication has be
  compiled out since commit d918e41d889 (Wed Oct 9 2019)
  replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4615-1
Released:    Wed Nov 29 20:33:38 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1217472

This update of icu fixes the following issue:

- missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' commands is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4727-1
Released:    Tue Dec 12 12:27:39 2023
Summary:     Security update for catatonit, containerd, runc
Type:        security
Severity:    important
References:  1200528,CVE-2022-1996

This update of runc and containerd fixes the following issues:

containerd:

- Update to containerd v1.7.8. Upstream release notes:
  https://github.com/containerd/containerd/releases/tag/v1.7.8

    * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528)

catatonit:

- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.

- Update to catatont v0.1.7
  * This release adds the ability for catatonit to be used as the only
    process in a pause container, by passing the -P flag (in this mode no
    subprocess is spawned and thus no signal forwarding is done).

- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
  socket activation or features somewhat adjacent to socket activation (such as
  passing file descriptors).

runc:

- Update to runc v1.1.10. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.10


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released:    Wed Dec 20 08:49:04 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1215229
This update for lvm2 fixes the following issues:

- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released:    Fri Jan 26 13:00:47 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1207987
This update for util-linux fixes the following issues:

- Fix performance degradation (bsc#1207987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:293-1
Released:    Wed Jan 31 17:42:15 2024
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    important
References:  
This update for elemental-operator contains the following fix:

- Bump Go to 1.20. (jsc#SURE-7083)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libsemanage-conf-3.4-150400.1.8 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libsepol2-3.4-150400.1.11 added
- libnghttp2-14-1.40.0-150200.12.1 updated
- libuuid1-2.37.2-150400.8.23.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libsmartcols1-2.37.2-150400.8.23.1 updated
- libblkid1-2.37.2-150400.8.23.1 updated
- libfdisk1-2.37.2-150400.8.23.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- elemental-register-1.3.5-150400.4.6.1 updated
- libicu65_1-ledata-65.1-150200.4.10.1 updated
- libsemanage2-3.4-150400.1.8 added
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libmount1-2.37.2-150400.8.23.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- tar-1.34-150000.3.34.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- cpio-2.13-150400.3.3.1 updated
- gpg2-2.2.27-150300.3.8.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- pam-1.3.0-150000.6.66.1 updated
- system-user-nobody-20170617-150400.24.2.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- util-linux-2.37.2-150400.8.23.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- systemd-249.17-150400.8.40.1 updated
- libcontainers-sles-mounts-20230214-150400.3.11.1 added
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.11-150000.58.1 updated
- cni-0.7.1-150100.3.16.1 updated
- libcontainers-common-20230214-150400.3.11.1 updated
- libicu-suse65_1-65.1-150200.4.10.1 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- util-linux-systemd-2.37.2-150400.8.20.1 removed

From sle-container-updates at lists.suse.com  Tue Feb  6 08:01:40 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue,  6 Feb 2024 09:01:40 +0100 (CET)
Subject: SUSE-CU-2024:458-1: Security update of
 rancher/elemental-teal-rt-channel
Message-ID: <20240206080140.3F255FBA4@maintenance.suse.de>

SUSE Container Update Advisory: rancher/elemental-teal-rt-channel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:458-1
Container Tags        : rancher/elemental-teal-rt-channel:1.3.5 , rancher/elemental-teal-rt-channel:1.3.5-4.5.54 , rancher/elemental-teal-rt-channel:latest
Container Release     : 4.5.54
Severity              : important
Type                  : security
References            : 1103893 1107342 1112183 1168481 1187364 1187364 1187365 1187366
                        1187366 1187367 1187367 1195391 1196647 1198773 1198773 1200441
                        1200441 1200528 1201384 1201519 1201551 1201551 1204844 1205161
                        1206346 1206480 1206480 1206684 1206684 1207004 1207778 1207987
                        1208074 1208962 1209884 1209888 1210004 1210298 1210557 1210557
                        1210660 1211079 1211124 1211188 1211190 1211418 1211419 1211427
                        1211427 1211578 1212101 1212101 1212475 1212475 1212475 1213240
                        1213915 1213915 1214025 1214052 1214052 1214140 1214460 1214460
                        1214668 1214806 1215229 1215241 1215291 1215313 1215323 1215427
                        1215434 1215496 1216006 1216123 1216129 1216174 1216378 1216664
                        1216862 1216922 1216987 1217000 1217212 1217460 1217472 1217573
                        1217574 1217969 1218014 1218126 1218186 1218209 1218475 1218571
                        1218894 CVE-2021-3592 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594
                        CVE-2021-3594 CVE-2021-3595 CVE-2021-3595 CVE-2022-1996 CVE-2023-1667
                        CVE-2023-2137 CVE-2023-2283 CVE-2023-25809 CVE-2023-2602 CVE-2023-2603
                        CVE-2023-27561 CVE-2023-28642 CVE-2023-39804 CVE-2023-4039 CVE-2023-4039
                        CVE-2023-4156 CVE-2023-44487 CVE-2023-45322 CVE-2023-45853 CVE-2023-46218
                        CVE-2023-46219 CVE-2023-4641 CVE-2023-48795 CVE-2023-50495 CVE-2023-5678
                        CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2024-21626 CVE-2024-22365
-----------------------------------------------------------------

The container rancher/elemental-teal-rt-channel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1465-1
Released:    Fri Apr 29 11:36:02 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1730-1
Released:    Wed May 18 16:56:21 2022
Summary:     Security update for libslirp
Type:        security
Severity:    important
References:  1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
This update for libslirp fixes the following issues:

- CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364).
- CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367).
- CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366).
- Fix a dhcp regression [bsc#1198773]
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2941-1
Released:    Tue Aug 30 10:51:09 2022
Summary:     Security update for libslirp
Type:        security
Severity:    moderate
References:  1187365,1201551,CVE-2021-3593
This update for libslirp fixes the following issues:

- CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365).

Non-security fixes:

- Fix the version header (bsc#1201551)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released:    Wed Apr 19 14:23:14 2023
Summary:     Recommended update for libslirp, slirp4netns
Type:        recommended
Severity:    moderate
References:  1201551
This update for libslirp and slirp4netns fixes the following issues:

libslirp was updated to version 4.7.0+44 (current git master):

* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID

Release v4.7.0

* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxilliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move <sys/un.h> include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket

Update to version 4.6.1+7:

* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options

Update to version 4.6.1:

* Fix 'DHCP broken in libslirp v4.6.0'

Update to version 4.6.0:

* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer

Update to version 4.4.0:

* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove

slirp4netns was updated to 1.2.0:


* Add slirp4netns --target-type=bess /path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/parson at 70dc239...2d7b3dd

Update to version 1.1.11:

* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.

Update to version 1.1.8:

Update to 1.0.0:

* --enable-sandbox is now out of experimental

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released:    Tue Apr 25 18:05:42 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:

 - Fix the inability to use `/dev/null` when inside a container.
 - Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
 - Fix rare runc exec/enter unshare error on older kernels.
 - nsexec: Check for errors in `write_log()`.
 - Drop version-specific Go requirement.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released:    Fri May 19 15:26:43 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1200441

This update of runc fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released:    Tue Jun 27 14:43:57 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    moderate
References:  1211124
This update for libcontainers-common fixes the following issues:

- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released:    Tue Jun 27 14:46:15 2023
Summary:     Recommended update for containerd, docker, runc
Type:        recommended
Severity:    moderate
References:  1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:

- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed   
  even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released:    Mon Jul  3 20:28:14 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released:    Mon Jul 17 08:40:42 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1210004
This update for audit fixes the following issues:

- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3466-1
Released:    Tue Aug 29 07:33:16 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1103893,1112183
This update for icu fixes the following issues:

- Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3591-1
Released:    Wed Sep 13 08:33:55 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3611-1
Released:    Fri Sep 15 09:28:36 2023
Summary:     Recommended update for sysuser-tools
Type:        recommended
Severity:    moderate
References:  1195391,1205161,1207778,1213240,1214140
This update for sysuser-tools fixes the following issues:

- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391) 
- Remove all systemd requires not supported on SLE15 (bsc#1214140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3736-1
Released:    Fri Sep 22 20:30:59 2023
Summary:     Recommended update for libcontainers-common
Type:        recommended
Severity:    important
References:  1215291
This update for libcontainers-common fixes the following issues:

- Require libcontainers-sles-mounts for *all* SUSE Linux Enterprise products,
  and not just SUSE Linux Enterprise Server. (bsc#1215291)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released:    Wed Sep 27 18:20:25 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released:    Tue Oct  3 20:06:23 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1212475

This update of runc fixes the following issues:

- Update to runc v1.1.8.

  Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released:    Thu Oct 19 09:38:31 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released:    Fri Oct 20 10:06:58 2023
Summary:     Recommended update for containerd, runc
Type:        recommended
Severity:    moderate
References:  1215323
This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released:    Fri Oct 20 19:33:25 2023
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487
This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released:    Tue Oct 31 14:10:47 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1196647
This Update for libtirpc to 1.3.4, fixing the following issues:
    
Update to 1.3.4 (bsc#1199467)

 * binddynport.c honor ip_local_reserved_ports
   - replaces: binddynport-honor-ip_local_reserved_ports.patch
 * gss-api: expose gss major/minor error in authgss_refresh()
 * rpcb_clnt.c: Eliminate double frees in delete_cache()
 * rpcb_clnt.c: memory leak in destroy_addr
 * portmapper: allow TCP-only portmapper
 * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
 * clnt_raw.c: fix a possible null pointer dereference
 * bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported  AUTH_DES authentication has be
  compiled out since commit d918e41d889 (Wed Oct 9 2019)
  replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ship the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released:    Tue Nov 21 17:51:28 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released:    Thu Nov 23 09:34:08 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4615-1
Released:    Wed Nov 29 20:33:38 2023
Summary:     Recommended update for icu
Type:        recommended
Severity:    moderate
References:  1217472

This update of icu fixes the following issue:

- missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4619-1
Released:    Thu Nov 30 10:13:52 2023
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1210660,CVE-2023-2137
This update for sqlite3 fixes the following issues:

- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4659-1
Released:    Wed Dec  6 13:04:57 2023
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1217573,1217574,CVE-2023-46218,CVE-2023-46219
This update for curl fixes the following issues:

- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4671-1
Released:    Wed Dec  6 14:33:41 2023
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  

This update of man fixes the following problem:

- The 'man' commands is delivered to SUSE Linux Enterprise Micro
  to allow browsing man pages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4699-1
Released:    Mon Dec 11 07:02:10 2023
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1217212
This update for gpg2 fixes the following issues:

- `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4723-1
Released:    Tue Dec 12 09:57:51 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1216862
This update for libtirpc fixes the following issue:

- fix sed parsing in specfile (bsc#1216862)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4727-1
Released:    Tue Dec 12 12:27:39 2023
Summary:     Security update for catatonit, containerd, runc
Type:        security
Severity:    important
References:  1200528,CVE-2022-1996

This update of runc and containerd fixes the following issues:

containerd:

- Update to containerd v1.7.8. Upstream release notes:
  https://github.com/containerd/containerd/releases/tag/v1.7.8

    * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528)

catatonit:

- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.

- Update to catatont v0.1.7
  * This release adds the ability for catatonit to be used as the only
    process in a pause container, by passing the -P flag (in this mode no
    subprocess is spawned and thus no signal forwarding is done).

- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
  socket activation or features somewhat adjacent to socket activation (such as
  passing file descriptors).

runc:

- Update to runc v1.1.10. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.10


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released:    Wed Dec 20 08:49:04 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1215229
This update for lvm2 fixes the following issues:

- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released:    Fri Jan 26 13:00:47 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1207987
This update for util-linux fixes the following issues:

- Fix performance degradation (bsc#1207987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:293-1
Released:    Wed Jan 31 17:42:15 2024
Summary:     Recommended update for elemental-operator
Type:        recommended
Severity:    important
References:  
This update for elemental-operator contains the following fix:

- Bump Go to 1.20. (jsc#SURE-7083)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)


The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libsemanage-conf-3.4-150400.1.8 added
- libtirpc-netconfig-1.3.4-150300.3.23.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libsepol2-3.4-150400.1.11 added
- libnghttp2-14-1.40.0-150200.12.1 updated
- libuuid1-2.37.2-150400.8.23.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libsmartcols1-2.37.2-150400.8.23.1 updated
- libblkid1-2.37.2-150400.8.23.1 updated
- libfdisk1-2.37.2-150400.8.23.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libsqlite3-0-3.44.0-150000.3.23.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libsemanage2-3.4-150400.1.8 added
- libxml2-2-2.9.14-150400.5.25.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libmount1-2.37.2-150400.8.23.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- tar-1.34-150000.3.34.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- cpio-2.13-150400.3.3.1 updated
- gpg2-2.2.27-150300.3.8.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- libtirpc3-1.3.4-150300.3.23.1 updated
- pam-1.3.0-150000.6.66.1 updated
- system-user-nobody-20170617-150400.24.2.1 updated
- system-group-hardware-20170617-150400.24.2.1 updated
- util-linux-2.37.2-150400.8.23.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- systemd-249.17-150400.8.40.1 updated
- elemental-register-1.3.5-150400.4.6.1 updated
- libcontainers-sles-mounts-20230214-150400.3.11.1 added
- libicu65_1-ledata-65.1-150200.4.10.1 updated
- libslirp0-4.7.0+44-150300.15.2 added
- runc-1.1.11-150000.58.1 updated
- cni-0.7.1-150100.3.16.1 updated
- libcontainers-common-20230214-150400.3.11.1 updated
- libicu-suse65_1-65.1-150200.4.10.1 updated
- slirp4netns-1.2.0-150300.8.5.2 updated
- util-linux-systemd-2.37.2-150400.8.20.1 removed

From sle-container-updates at lists.suse.com  Fri Feb  9 08:02:42 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri,  9 Feb 2024 09:02:42 +0100 (CET)
Subject: SUSE-CU-2024:485-1: Recommended update of suse/389-ds
Message-ID: <20240209080242.7CA02FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:485-1
Container Tags        : suse/389-ds:2.2 , suse/389-ds:2.2-20.2 , suse/389-ds:latest
Container Release     : 20.2
Severity              : moderate
Type                  : recommended
References            : 1219305 
-----------------------------------------------------------------

The container suse/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:425-1
Released:    Thu Feb  8 12:39:27 2024
Summary:     Recommended update for python-argcomplete
Type:        recommended
Severity:    moderate
References:  1219305
This update for python-argcomplete fixes the following issues:

- Use update-alternatives for package binaries to avoid conflict with python311 stack (bsc#1219305)


The following package changes have been done:

- python3-argcomplete-1.9.2-150000.3.5.1 updated

From sle-container-updates at lists.suse.com  Sat Feb 10 08:02:08 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 10 Feb 2024 09:02:08 +0100 (CET)
Subject: SUSE-CU-2024:508-1: Recommended update of suse/sle-micro/5.3/toolbox
Message-ID: <20240210080208.E414AFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:508-1
Container Tags        : suse/sle-micro/5.3/toolbox:12.1 , suse/sle-micro/5.3/toolbox:12.1-5.2.302 , suse/sle-micro/5.3/toolbox:latest
Container Release     : 5.2.302
Severity              : moderate
Type                  : recommended
References            : 1183663 1193173 1196293 1211547 1216049 1216388 1216390 1216522
                        1216827 1217287 1218201 1218282 
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:433-1
Released:    Thu Feb  8 17:03:18 2024
Summary:     Recommended update for source-highlight
Type:        recommended
Severity:    moderate
References:  

This update for source-highlight fixes the following issues:

Version update to 3.1.9:

* changed esc.style to work better with dark theme terminals
* updated C and C++ to more recent standards
* fixed zsh.lang
* added new Python keywords
* added Rust
* added ixpe
* added vim

- ships it to missing service packs like SUSE Linux Enterprise 15 SP3.


The following package changes have been done:

- libsource-highlight4-3.1.9-150000.3.7.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- ctags-5.8-150000.3.3.1 removed
- dbus-1-1.12.2-150400.18.8.1 removed
- gzip-1.10-150200.10.1 removed
- kbd-2.4.0-150400.5.6.1 removed
- kbd-legacy-2.4.0-150400.5.6.1 removed
- kmod-29-4.15.1 removed
- libapparmor1-3.0.4-150400.5.9.1 removed
- libargon2-1-0.0+git20171227.670229c-2.14 removed
- libcryptsetup12-2.4.3-150400.3.3.1 removed
- libcryptsetup12-hmac-2.4.3-150400.3.3.1 removed
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 removed
- libip4tc2-1.8.7-1.1 removed
- libjson-c3-0.13-3.3.1 removed
- libkmod2-29-4.15.1 removed
- libp11-kit0-0.23.22-150400.1.10 removed
- libseccomp2-2.5.3-150400.2.4 removed
- netcfg-11.6-3.3.1 removed
- pam-config-1.1-3.3.1 removed
- pkg-config-0.29.2-1.436 removed
- suse-module-tools-15.4.19-150400.3.17.1 removed
- systemd-249.17-150400.8.40.1 removed
- systemd-default-settings-0.7-3.2.1 removed
- systemd-default-settings-branding-SLE-0.7-3.2.1 removed
- systemd-presets-branding-SMO-20220103-150400.2.1 removed
- systemd-presets-common-SUSE-15-150400.1.1 removed
- systemd-rpm-macros-14-150000.7.36.1 removed
- util-linux-systemd-2.37.2-150400.8.23.1 removed

From sle-container-updates at lists.suse.com  Sat Feb 10 08:02:39 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 10 Feb 2024 09:02:39 +0100 (CET)
Subject: SUSE-CU-2024:509-1: Recommended update of suse/sle-micro/5.4/toolbox
Message-ID: <20240210080239.CFC57FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:509-1
Container Tags        : suse/sle-micro/5.4/toolbox:12.1 , suse/sle-micro/5.4/toolbox:12.1-4.2.200 , suse/sle-micro/5.4/toolbox:latest
Container Release     : 4.2.200
Severity              : moderate
Type                  : recommended
References            : 1183663 1193173 1196293 1211547 1216049 1216388 1216390 1216522
                        1216827 1217287 1218201 1218282 
-----------------------------------------------------------------

The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:433-1
Released:    Thu Feb  8 17:03:18 2024
Summary:     Recommended update for source-highlight
Type:        recommended
Severity:    moderate
References:  

This update for source-highlight fixes the following issues:

Version update to 3.1.9:

* changed esc.style to work better with dark theme terminals
* updated C and C++ to more recent standards
* fixed zsh.lang
* added new Python keywords
* added Rust
* added ixpe
* added vim

- ships it to missing service packs like SUSE Linux Enterprise 15 SP3.


The following package changes have been done:

- libsource-highlight4-3.1.9-150000.3.7.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- ctags-5.8-150000.3.3.1 removed
- dbus-1-1.12.2-150400.18.8.1 removed
- gzip-1.10-150200.10.1 removed
- kbd-2.4.0-150400.5.6.1 removed
- kbd-legacy-2.4.0-150400.5.6.1 removed
- kmod-29-4.15.1 removed
- libapparmor1-3.0.4-150400.5.9.1 removed
- libargon2-1-0.0+git20171227.670229c-2.14 removed
- libcryptsetup12-2.4.3-150400.3.3.1 removed
- libcryptsetup12-hmac-2.4.3-150400.3.3.1 removed
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 removed
- libip4tc2-1.8.7-1.1 removed
- libjson-c3-0.13-3.3.1 removed
- libkmod2-29-4.15.1 removed
- libp11-kit0-0.23.22-150400.1.10 removed
- libseccomp2-2.5.3-150400.2.4 removed
- netcfg-11.6-3.3.1 removed
- pam-config-1.1-3.3.1 removed
- pkg-config-0.29.2-1.436 removed
- suse-module-tools-15.4.19-150400.3.17.1 removed
- systemd-249.17-150400.8.40.1 removed
- systemd-default-settings-0.7-3.2.1 removed
- systemd-default-settings-branding-SLE-0.7-3.2.1 removed
- systemd-presets-branding-SMO-20220103-150400.1.1 removed
- systemd-presets-common-SUSE-15-150400.1.1 removed
- systemd-rpm-macros-14-150000.7.36.1 removed
- util-linux-systemd-2.37.2-150400.8.23.1 removed

From sle-container-updates at lists.suse.com  Sat Feb 10 08:02:58 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 10 Feb 2024 09:02:58 +0100 (CET)
Subject: SUSE-CU-2024:510-1: Recommended update of suse/sle-micro/5.5/toolbox
Message-ID: <20240210080258.76408FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:510-1
Container Tags        : suse/sle-micro/5.5/toolbox:12.1 , suse/sle-micro/5.5/toolbox:12.1-2.2.152 , suse/sle-micro/5.5/toolbox:latest
Container Release     : 2.2.152
Severity              : moderate
Type                  : recommended
References            : 1183663 1193173 1196293 1211547 1216049 1216388 1216390 1216522
                        1216827 1217287 1218201 1218282 
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:433-1
Released:    Thu Feb  8 17:03:18 2024
Summary:     Recommended update for source-highlight
Type:        recommended
Severity:    moderate
References:  

This update for source-highlight fixes the following issues:

Version update to 3.1.9:

* changed esc.style to work better with dark theme terminals
* updated C and C++ to more recent standards
* fixed zsh.lang
* added new Python keywords
* added Rust
* added ixpe
* added vim

- ships it to missing service packs like SUSE Linux Enterprise 15 SP3.


The following package changes have been done:

- libsource-highlight4-3.1.9-150000.3.7.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- ctags-5.8-150000.3.3.1 removed
- dbus-1-1.12.2-150400.18.8.1 removed
- kbd-2.4.0-150400.5.6.1 removed
- kbd-legacy-2.4.0-150400.5.6.1 removed
- kmod-29-4.15.1 removed
- libapparmor1-3.0.4-150500.11.9.1 removed
- libargon2-1-0.0+git20171227.670229c-2.14 removed
- libcryptsetup12-2.4.3-150400.3.3.1 removed
- libcryptsetup12-hmac-2.4.3-150400.3.3.1 removed
- libdevmapper1_03-2.03.22_1.02.196-150500.7.9.1 removed
- libip4tc2-1.8.7-1.1 removed
- libjson-c3-0.13-3.3.1 removed
- libkmod2-29-4.15.1 removed
- libp11-kit0-0.23.22-150500.8.3.1 removed
- libseccomp2-2.5.3-150400.2.4 removed
- netcfg-11.6-3.3.1 removed
- pam-config-1.1-3.3.1 removed
- pkg-config-0.29.2-1.436 removed
- suse-module-tools-15.5.4-150500.3.9.1 removed
- systemd-249.17-150400.8.40.1 removed
- systemd-default-settings-0.7-3.2.1 removed
- systemd-default-settings-branding-SLE-0.7-3.2.1 removed
- systemd-presets-branding-SMO-20220103-150500.1.1 removed
- systemd-presets-common-SUSE-15-150500.20.3.1 removed
- systemd-rpm-macros-14-150000.7.36.1 removed
- util-linux-systemd-2.37.4-150500.9.3.1 removed

From sle-container-updates at lists.suse.com  Sat Feb 10 08:04:01 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 10 Feb 2024 09:04:01 +0100 (CET)
Subject: SUSE-CU-2024:512-1: Recommended update of suse/sle-micro/5.1/toolbox
Message-ID: <20240210080401.01047FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:512-1
Container Tags        : suse/sle-micro/5.1/toolbox:12.1 , suse/sle-micro/5.1/toolbox:12.1-2.2.538 , suse/sle-micro/5.1/toolbox:latest
Container Release     : 2.2.538
Severity              : moderate
Type                  : recommended
References            : 1183663 1193173 1196293 1211547 1216049 1216388 1216390 1216522
                        1216827 1217287 1218201 1218282 
-----------------------------------------------------------------

The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:433-1
Released:    Thu Feb  8 17:03:18 2024
Summary:     Recommended update for source-highlight
Type:        recommended
Severity:    moderate
References:  

This update for source-highlight fixes the following issues:

Version update to 3.1.9:

* changed esc.style to work better with dark theme terminals
* updated C and C++ to more recent standards
* fixed zsh.lang
* added new Python keywords
* added Rust
* added ixpe
* added vim

- ships it to missing service packs like SUSE Linux Enterprise 15 SP3.


The following package changes have been done:

- libsource-highlight4-3.1.9-150000.3.7.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- ctags-5.8-150000.3.3.1 removed
- dbus-1-1.12.2-150100.8.17.1 removed
- gzip-1.10-150200.10.1 removed
- kbd-2.0.4-14.38 removed
- kbd-legacy-2.0.4-14.38 removed
- kmod-29-4.15.1 removed
- libapparmor1-2.13.6-150300.3.15.1 removed
- libargon2-1-0.0+git20171227.670229c-2.14 removed
- libcryptsetup12-2.3.7-150300.3.8.1 removed
- libcryptsetup12-hmac-2.3.7-150300.3.8.1 removed
- libdevmapper1_03-2.03.05_1.02.163-150200.8.52.1 removed
- libjson-c3-0.13-3.3.1 removed
- libkmod2-29-4.15.1 removed
- libpcre2-8-0-10.31-150000.3.15.1 removed
- libqrencode4-4.0.0-1.17 removed
- libseccomp2-2.5.3-150300.10.8.1 removed
- netcfg-11.6-3.3.1 removed
- pam-config-1.1-3.3.1 removed
- pkg-config-0.29.2-1.436 removed
- suse-module-tools-15.3.18-150300.3.25.1 removed
- system-group-kvm-20170617-17.3.1 removed
- systemd-246.16-150300.7.57.1 removed
- systemd-default-settings-0.7-3.2.1 removed
- systemd-default-settings-branding-SLE-0.7-3.2.1 removed
- systemd-presets-branding-SLE-15.1-150100.20.11.1 removed
- systemd-presets-common-SUSE-15-150100.8.20.1 removed
- udev-246.16-150300.7.57.1 removed
- util-linux-systemd-2.36.2-150300.4.38.1 removed

From sle-container-updates at lists.suse.com  Sat Feb 10 08:04:30 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 10 Feb 2024 09:04:30 +0100 (CET)
Subject: SUSE-CU-2024:513-1: Recommended update of suse/sle-micro/5.2/toolbox
Message-ID: <20240210080430.51D56FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:513-1
Container Tags        : suse/sle-micro/5.2/toolbox:12.1 , suse/sle-micro/5.2/toolbox:12.1-6.2.360 , suse/sle-micro/5.2/toolbox:latest
Container Release     : 6.2.360
Severity              : moderate
Type                  : recommended
References            : 1183663 1193173 1196293 1211547 1216049 1216388 1216390 1216522
                        1216827 1217287 1218201 1218282 
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:433-1
Released:    Thu Feb  8 17:03:18 2024
Summary:     Recommended update for source-highlight
Type:        recommended
Severity:    moderate
References:  

This update for source-highlight fixes the following issues:

Version update to 3.1.9:

* changed esc.style to work better with dark theme terminals
* updated C and C++ to more recent standards
* fixed zsh.lang
* added new Python keywords
* added Rust
* added ixpe
* added vim

- ships it to missing service packs like SUSE Linux Enterprise 15 SP3.


The following package changes have been done:

- libsource-highlight4-3.1.9-150000.3.7.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- ctags-5.8-150000.3.3.1 removed
- dbus-1-1.12.2-150100.8.17.1 removed
- gzip-1.10-150200.10.1 removed
- kbd-2.0.4-14.38 removed
- kbd-legacy-2.0.4-14.38 removed
- kmod-29-4.15.1 removed
- libapparmor1-2.13.6-150300.3.15.1 removed
- libargon2-1-0.0+git20171227.670229c-2.14 removed
- libcryptsetup12-2.3.7-150300.3.8.1 removed
- libcryptsetup12-hmac-2.3.7-150300.3.8.1 removed
- libdevmapper1_03-2.03.05_1.02.163-150200.8.52.1 removed
- libjson-c3-0.13-3.3.1 removed
- libkmod2-29-4.15.1 removed
- libpcre2-8-0-10.31-150000.3.15.1 removed
- libqrencode4-4.0.0-1.17 removed
- libseccomp2-2.5.3-150300.10.8.1 removed
- netcfg-11.6-3.3.1 removed
- pam-config-1.1-3.3.1 removed
- pkg-config-0.29.2-1.436 removed
- suse-module-tools-15.3.18-150300.3.25.1 removed
- system-group-kvm-20170617-17.3.1 removed
- systemd-246.16-150300.7.57.1 removed
- systemd-default-settings-0.7-3.2.1 removed
- systemd-default-settings-branding-SLE-0.7-3.2.1 removed
- systemd-presets-branding-SMO-20220103-150300.3.1 removed
- systemd-presets-common-SUSE-15-150100.8.20.1 removed
- udev-246.16-150300.7.57.1 removed
- util-linux-systemd-2.36.2-150300.4.38.1 removed

From sle-container-updates at lists.suse.com  Sun Feb 11 08:04:34 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 11 Feb 2024 09:04:34 +0100 (CET)
Subject: SUSE-CU-2024:515-1: Security update of suse/sle15
Message-ID: <20240211080434.7A032FBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:515-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.871
Container Release     : 6.2.871
Severity              : important
Type                  : security
References            : 1219123 1219189 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- suse-build-key-12.0-150000.8.40.1 updated

From sle-container-updates at lists.suse.com  Sun Feb 11 08:06:16 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 11 Feb 2024 09:06:16 +0100 (CET)
Subject: SUSE-CU-2024:516-1: Security update of suse/sle15
Message-ID: <20240211080616.7DC6BFBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:516-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.9.5.400
Container Release     : 9.5.400
Severity              : important
Type                  : security
References            : 1219123 1219189 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- suse-build-key-12.0-150000.8.40.1 updated

From sle-container-updates at lists.suse.com  Sun Feb 11 08:06:21 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 11 Feb 2024 09:06:21 +0100 (CET)
Subject: SUSE-CU-2024:517-1: Security update of suse/ltss/sle15.3/sle15
Message-ID: <20240211080621.2FD67FBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.3/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:517-1
Container Tags        : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.4.2 , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.4.2
Container Release     : 4.2
Severity              : important
Type                  : security
References            : 1219123 1219189 
-----------------------------------------------------------------

The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- suse-build-key-12.0-150000.8.40.1 updated

From sle-container-updates at lists.suse.com  Sun Feb 11 08:06:28 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 11 Feb 2024 09:06:28 +0100 (CET)
Subject: SUSE-CU-2024:518-1: Security update of suse/ltss/sle15.4/sle15
Message-ID: <20240211080628.336ACFBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.4/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:518-1
Container Tags        : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.3.2 , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.3.2
Container Release     : 3.2
Severity              : important
Type                  : security
References            : 1219123 1219189 
-----------------------------------------------------------------

The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- suse-build-key-12.0-150000.8.40.1 updated

From sle-container-updates at lists.suse.com  Sun Feb 11 08:12:58 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 11 Feb 2024 09:12:58 +0100 (CET)
Subject: SUSE-CU-2024:537-1: Security update of suse/sle15
Message-ID: <20240211081258.E7D4FFBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:537-1
Container Tags        : bci/bci-base:15.5 , bci/bci-base:15.5.36.11.3 , suse/sle15:15.5 , suse/sle15:15.5.36.11.3
Container Release     : 36.11.3
Severity              : important
Type                  : security
References            : 1219123 1219189 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- suse-build-key-12.0-150000.8.40.1 updated

From sle-container-updates at lists.suse.com  Mon Feb 12 16:15:17 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 12 Feb 2024 17:15:17 +0100 (CET)
Subject: SUSE-IU-2024:225-1: Security update of
 sles-15-sp5-chost-byos-v20240209-arm64
Message-ID: <20240212161517.B7D9DFBA3@maintenance.suse.de>

SUSE Image Update Advisory: sles-15-sp5-chost-byos-v20240209-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:225-1
Image Tags        : sles-15-sp5-chost-byos-v20240209-arm64:20240209
Image Release     : 
Severity          : important
Type              : security
References        : 1107342 1183663 1193173 1196293 1211188 1211190 1211547 1214668
                        1215241 1215434 1216049 1216388 1216390 1216522 1216827 1217000
                        1217237 1217287 1217460 1217952 1218126 1218186 1218201 1218209
                        1218282 1218475 1218561 1218571 1218571 1218739 1218765 1218799
                        1218894 1219123 1219189 1219238 CVE-2023-1667 CVE-2023-2283 CVE-2023-48795
                        CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2023-7207 CVE-2024-21626
                        CVE-2024-22365 
-----------------------------------------------------------------

The container sles-15-sp5-chost-byos-v20240209-arm64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:105-1
Released:    Mon Jan 15 15:41:05 2024
Summary:     Recommended update for grub2 and efibootmgr
Type:        recommended
Severity:    important
References:  1217237
This update for grub2 and efibootmgr fixes the following issues:

grub2:

- Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237)

efibootmgr:

- Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:161-1
Released:    Thu Jan 18 18:40:46 2024
Summary:     Recommended update for dpdk22
Type:        recommended
Severity:    moderate
References:  

This update of dpdk22 fixes the following issue:

- DPDK 22.11.1 is shipped to SLE Micro 5.5. (jsc#PED-7147)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:187-1
Released:    Tue Jan 23 13:38:00 2024
Summary:     Recommended update for python-chardet
Type:        recommended
Severity:    moderate
References:  1218765
This update for python-chardet fixes the following issues:

- Fix update-alternative in %postun (bsc#1218765)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:219-1
Released:    Wed Jan 24 19:43:28 2024
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1218799
This update for rsyslog fixes the following issues:

- suppress installation errors when systemd is not running (bsc#1218799)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:254-1
Released:    Fri Jan 26 17:19:30 2024
Summary:     Recommended update for containerd
Type:        recommended
Severity:    moderate
References:  1217952
This update for containerd fixes the following issues:

- Fix permissions of address file (bsc#1217952)
- Update to version 1.7.10

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:306-1
Released:    Thu Feb  1 17:58:09 2024
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        recommended
Severity:    moderate
References:  1218561,1218739
This update for python-instance-billing-flavor-check fixes the following issues:

- Support proxy setup on the client to access the update infrastructure API (bsc#1218561) 
- Add IPv6 support (bsc#1218739) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- containerd-ctr-1.7.10-150000.106.1 updated
- containerd-1.7.10-150000.106.1 updated
- cpio-2.13-150400.3.6.1 updated
- efibootmgr-17-150400.3.2.2 updated
- kernel-default-5.14.21-150500.55.44.1 updated
- libblkid1-2.37.4-150500.9.3.1 updated
- libfdisk1-2.37.4-150500.9.3.1 updated
- libfstrm0-0.6.1-150300.9.5.1 updated
- libmount1-2.37.4-150500.9.3.1 updated
- libsmartcols1-2.37.4-150500.9.3.1 updated
- libssh-config-0.9.8-150400.3.3.1 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libuuid1-2.37.4-150500.9.3.1 updated
- pam-1.3.0-150000.6.66.1 updated
- python-instance-billing-flavor-check-0.0.6-150000.1.9.1 updated
- python3-chardet-3.0.4-150000.5.3.1 updated
- rsyslog-module-relp-8.2306.0-150400.5.27.1 updated
- rsyslog-8.2306.0-150400.5.27.1 updated
- runc-1.1.11-150000.58.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- suse-build-key-12.0-150000.8.40.1 updated
- suse-module-tools-15.5.4-150500.3.9.1 updated
- suseconnect-ng-1.6.0~git0.31371c8-150500.3.12.1 updated
- systemd-sysvinit-249.17-150400.8.40.1 updated
- systemd-249.17-150400.8.40.1 updated
- udev-249.17-150400.8.40.1 updated
- util-linux-systemd-2.37.4-150500.9.3.1 updated
- util-linux-2.37.4-150500.9.3.1 updated
- xen-libs-4.17.3_04-150500.3.21.1 updated

From sle-container-updates at lists.suse.com  Tue Feb 13 08:01:05 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 13 Feb 2024 09:01:05 +0100 (CET)
Subject: SUSE-IU-2024:227-1: Security update of
 suse-sles-15-sp5-chost-byos-v20240209-x86_64-gen2
Message-ID: <20240213080105.094D1FBA3@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20240209-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:227-1
Image Tags        : suse-sles-15-sp5-chost-byos-v20240209-x86_64-gen2:20240209
Image Release     : 
Severity          : important
Type              : security
References        : 1107342 1183663 1193173 1196293 1198269 1201010 1211188 1211190
                        1211547 1214169 1214668 1215241 1215434 1215740 1215794 1216007
                        1216011 1216049 1216388 1216390 1216522 1216827 1217000 1217237
                        1217287 1217460 1217952 1218126 1218186 1218201 1218209 1218282
                        1218475 1218561 1218571 1218571 1218739 1218765 1218799 1218894
                        1219123 1219189 1219238 CVE-2023-1667 CVE-2023-1786 CVE-2023-2283
                        CVE-2023-48795 CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2023-7207
                        CVE-2024-21626 CVE-2024-22365 
-----------------------------------------------------------------

The container suse-sles-15-sp5-chost-byos-v20240209-x86_64-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:105-1
Released:    Mon Jan 15 15:41:05 2024
Summary:     Recommended update for grub2 and efibootmgr
Type:        recommended
Severity:    important
References:  1217237
This update for grub2 and efibootmgr fixes the following issues:

grub2:

- Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237)

efibootmgr:

- Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:128-1
Released:    Tue Jan 16 13:50:37 2024
Summary:     Security update for cloud-init
Type:        security
Severity:    moderate
References:  1198269,1201010,1214169,1215740,1215794,1216007,1216011,CVE-2023-1786
This update for cloud-init contains the following fixes:

- Move fdupes call back to %install.(bsc#1214169)

- Update to version 23.3. (bsc#1216011)
  * (bsc#1215794)
  * (bsc#1215740)
  * (bsc#1216007)
  + Bump pycloudlib to 1!5.1.0 for ec2 mantic daily image support (#4390)
  + Fix cc_keyboard in mantic (LP: #2030788)
  + ec2: initialize get_instance_userdata return value to bytes (#4387)
    [Noah Meyerhans]
  + cc_users_groups: Add doas/opendoas support (#4363) [dermotbradley]
  + Fix pip-managed ansible
  + status: treat SubState=running and MainPID=0 as service exited
  + azure/imds: increase read-timeout to 30s (#4372) [Chris Patterson]
  + collect-logs fix memory usage (SC-1590) (#4289)
    [Alec Warren] (LP: #1980150)
  + cc_mounts: Use fallocate to create swapfile on btrfs (#4369)
  + Undocument nocloud-net (#4318)
  + feat(akamai): add akamai to settings.py and apport.py (#4370)
  + read-version: fallback to get_version when git describe fails (#4366)
  + apt: fix cloud-init status --wait blocking on systemd v 253 (#4364)
  + integration tests: Pass username to pycloudlib (#4324)
  + Bump pycloudlib to 1!5.1.0 (#4353)
  + cloud.cfg.tmpl: reorganise, minimise/reduce duplication (#4272)
    [dermotbradley]
  + analyze: fix (unexpected) timestamp parsing (#4347) [Mina Gali??]
  + cc_growpart: fix tests to run on FreeBSD (#4351) [Mina Gali??]
  + subp: Fix spurious test failure on FreeBSD (#4355) [Mina Gali??]
  + cmd/clean: fix tests on non-Linux platforms (#4352) [Mina Gali??]
  + util: Fix get_proc_ppid() on non-Linux systems (#4348) [Mina Gali??]
  + cc_wireguard: make tests pass on FreeBSD (#4346) [Mina Gali??]
  + unittests: fix breakage in test_read_cfg_paths_fetches_cached_datasource
    (#4328) [Ani Sinha]
  + Fix test_tools.py collection (#4315)
  + cc_keyboard: add Alpine support (#4278) [dermotbradley]
  + Flake8 fixes (#4340) [Robert Schweikert]
  + cc_mounts: Fix swapfile not working on btrfs (#4319) [?????????] (LP: #1884127)
  + ds-identify/CloudStack: $DS_MAYBE if vm running on vmware/xen (#4281)
    [Wei Zhou]
  + ec2: Support double encoded userdata (#4275) [Noah Meyerhans]
  + cc_mounts: xfs is a Linux only FS (#4334) [Mina Gali??]
  + tests/net: fix TestGetInterfaces' mock coverage for get_master (#4336)
    [Chris Patterson]
  + change openEuler to openeuler and fix some bugs in openEuler (#4317)
    [sxt1001]
  + Replace flake8 with ruff (#4314)
  + NM renderer: set default IPv6 addr-gen-mode for all interfaces to eui64
    (#4291) [Ani Sinha]
  + cc_ssh_import_id: add Alpine support and add doas support (#4277)
    [dermotbradley]
  + sudoers not idempotent (SC-1589)  (#4296) [Alec Warren] (LP: #1998539)
  + Added support for Akamai Connected Cloud (formerly Linode) (#4167)
    [Will Smith]
  + Fix reference before assignment (#4292)
  + Overhaul module reference page (#4237) [Sally]
  + replaced spaces with commas for setting passenv (#4269) [Alec Warren]
  + DS VMware: modify a few log level (#4284) [PengpengSun]
  + tools/read-version refactors and unit tests (#4268)
  + Ensure get_features() grabs all features (#4285)
  + Don't always require passlib dependency (#4274)
  + tests: avoid leaks into host system checking of ovs-vsctl cmd (#4275)
  + Fix NoCloud kernel commandline key parsing (#4273)
  + testing: Clear all LRU caches after each test (#4249)
  + Remove the crypt dependency (#2139) [Gon??ri Le Bouder]
  + logging: keep current file mode of log file if its stricter than the
    new mode (#4250) [Ani Sinha]
  + Remove default membership in redundant groups (#4258)
    [Dave Jones] (LP: #1923363)
  + doc: improve datasource_creation.rst (#4262)
  + Remove duplicate Integration testing button (#4261) [Rishita Shaw]
  + tools/read-version: fix the tool so that it can handle version parsing
    errors (#4234) [Ani Sinha]
  + net/dhcp: add udhcpc support (#4190) [Jean-Fran??ois Roche]
  + DS VMware: add i386 arch dir to deployPkg plugin search path
    [PengpengSun]
  + LXD moved from linuxcontainers.org to Canonical [Simon Deziel]
  + cc_mounts.py: Add note about issue with creating mounts inside mounts
    (#4232) [dermotbradley]
  + lxd: install lxd from snap, not deb if absent in image
  + landscape: use landscape-config to write configuration
  + Add deprecation log during init of DataSourceDigitalOcean (#4194)
    [tyb-truth]
  + doc: fix typo on apt.primary.arches (#4238) [Dan Bungert]
  + Inspect systemd state for cloud-init status (#4230)
  + instance-data: add system-info and features to combined-cloud-config
    (#4224)
  + systemd: Block login until config stage completes (#2111) (LP: #2013403)
  + tests: proposed should invoke apt-get install -t=<release>-proposed
    (#4235)
  + cloud.cfg.tmpl: reinstate ca_certs entry (#4236) [dermotbradley]
  + Remove feature flag override ability (#4228)
  + tests: drop stray unrelated file presence test (#4227)
  + Update LXD URL (#4223) [Sally]
  + schema: add network v1 schema definition and validation functions
  + tests: daily PPA for devel series is version 99.daily update tests to
    match (#4225)
  + instance-data: write /run/cloud-init/combined-cloud-config.json
  + mount parse: Fix matching non-existent directories (#4222) [Mina Gali??]
  + Specify build-system for pep517 (#4218)
  + Fix network v2 metric rendering (#4220)
  + Migrate content out of FAQ page (SD-1187) (#4205) [Sally]
  + setup: fix generation of init templates (#4209) [Mina Gali??]
  + docs: Correct some bootcmd example wording
  + fix changelog
  + tests: reboot client to assert x-shellscript-per-boot is triggered
  + nocloud: parse_cmdline no longer detects nocloud-net datasource (#4204)
    (LP: 4203, #2025180)
  + Add docstring and typing to mergemanydict (#4200)
  + BSD: add dsidentify to early startup scripts (#4182) [Mina Gali??]
  + handler: report errors on skipped merged cloud-config.txt parts
    (LP: #1999952)
  + Add cloud-init summit writeups (#4179) [Sally]
  + tests: Update test_clean_log for oci (#4187)
  + gce: improve ephemeral fallback NIC selection (CPC-2578) (#4163)
  + tests: pin pytest 7.3.1 to avoid adverse testpaths behavior (#4184)
  + Ephemeral Networking for FreeBSD (#2165) [Mina Gali??]
  + Clarify directory syntax for nocloud local filesystem. (#4178)
  + Set default renderer as sysconfig for centos/rhel (#4165) [Ani Sinha]
  + Test static routes and netplan 0.106
  + FreeBSD fix parsing of mount and mount options (#2146) [Mina Gali??]
  + test: add tracking bug id (#4164)
  + tests: can't match MAC for LXD container veth due to netplan 0.106
    (#4162)
  + Add kaiwalyakoparkar as a contributor (#4156) [Kaiwalya Koparkar]
  + BSD: remove datasource_list from cloud.cfg template (#4159) [Mina Gali??]
  + launching salt-minion in masterless mode (#4110) [Denis Halturin]
  + tools: fix run-container builds for rockylinux/8 git hash mismatch
    (#4161)
  + fix doc lint: spellchecker tripped up (#4160) [Mina Gali??]
  + Support Ephemeral Networking for BSD (#2127)
  + Added / fixed support for static routes on OpenBSD and FreeBSD (#2157)
    [Kadir Mueller]
  + cc_rsyslog: Refactor for better multi-platform support (#4119)
    [Mina Gali??] (LP: #1798055)
  + tests: fix test_lp1835584 (#4154)
  + cloud.cfg mod names: docs and rename salt_minion and set_password (#4153)
  + vultr: remove check_route check (#2151) [Jonas Chevalier]
  + Update SECURITY.md (#4150) [Indrranil Pawar]
  + Update CONTRIBUTING.rst (#4149) [Indrranil Pawar]
  + Update .github-cla-signers (#4151) [Indrranil Pawar]
  + Standardise module names in cloud.cfg.tmpl to only use underscore
    (#4128) [dermotbradley]
  + Modify PR template so autoclose works
>From 23.2.2
  + Fix NoCloud kernel commandline key parsing (#4273) (Fixes: #4271)
    (LP: #2028562)
  + Fix reference before assignment (#4292) (Fixes: #4288) (LP: #2028784)
>From 23.2.1
  + nocloud: Fix parse_cmdline detection of nocloud-net datasource (#4204)
    (Fixes: 4203) (LP: #2025180)
>From 23.2
  + BSD: simplify finding MBR partitions by removing duplicate code
   [Mina Gali??]
  + tests: bump pycloudlib version for mantic builds
  + network-manager: Set higher autoconnect priority for nm keyfiles (#3671)
    [Ani Sinha]
  + alpine.py: change the locale file used (#4139) [dermotbradley]
  + cc_ntp: Sync up with current FreeBSD ntp.conf (#4122) [Mina Gali??]
  + config: drop refresh_rmc_and_interface as RHEL 7 no longer supported
    [Robert Schweikert]
  + docs: Add feedback button to docs
  + net/sysconfig: enable sysconfig renderer if network manager has ifcfg-rh
    plugin (#4132) [Ani Sinha]
  + For Alpine use os-release PRETTY_NAME (#4138) [dermotbradley]
  + network_manager: add a method for ipv6 static IP configuration (#4127)
    [Ani Sinha]
  + correct misnamed template file host.mariner.tmpl (#4124) [dermotbradley]
  + nm: generate ipv6 stateful dhcp config at par with sysconfig (#4115)
    [Ani Sinha]
  + Add templates for GitHub Issues
  + Add 'peers' and 'allow' directives in cc_ntp (#3124) [Jacob Salmela]
  + FreeBSD: Fix user account locking (#4114) [Mina Gali??] (GH: #1854594)
  + FreeBSD: add ResizeGrowFS class to cc_growpart (#2334) [Mina Gali??]
  + Update tests in Azure TestCanDevBeReformatted class (#2771)
    [Ksenija Stanojevic]
  + Replace Launchpad references with GitHub Issues
  + Fix KeyError in iproute pformat (#3287) [Dmitry Zykov]
  + schema: read_cfg_paths call init.fetch to lookup /v/l/c/instance
  + azure/errors: introduce reportable errors for imds (#3647)
    [Chris Patterson]
  + FreeBSD (and friends): better identify MBR slices (#2168)
    [Mina Gali??] (LP: #2016350)
  + azure/errors: add host reporting for dhcp errors (#2167)
    [Chris Patterson]
  + net: purge blacklist_drivers across net and azure (#2160)
    [Chris Patterson]
  + net: refactor hyper-v VF filtering and apply to get_interfaces() (#2153)
    [Chris Patterson]
  + tests: avoid leaks to underlying filesystem for /etc/cloud/clean.d
    (#2251)
  + net: refactor find_candidate_nics_on_linux() to use get_interfaces()
    (#2159) [Chris Patterson]
  + resolv_conf: Allow > 3 nameservers (#2152) [Major Hayden]
  + Remove mount NTFS error message (#2134) [Ksenija Stanojevic]
  + integration tests: fix image specification parsing (#2166)
  + ci: add hypothesis scheduled GH check (#2149)
  + Move supported distros list to docs (#2162)
  + Fix logger, use instance rather than module function (#2163)
  + README: Point to Github Actions build status (#2158)
  + Revert 'fix linux-specific code on bsd (#2143)' (#2161)
  + Do not generate dsa and ed25519 key types when crypto FIPS mode is
    enabled (#2142) [Ani Sinha] (LP: 2017761)
  + Add documentation label automatically (#2156)
  + sources/azure: report success to host and introduce kvp module (#2141)
    [Chris Patterson]
  + setup.py: use pkg-config for udev/rules path (#2137) [dankm]
  + openstack/static: honor the DNS servers associated with a network
    (#2138) [Gon??ri Le Bouder]
  + fix linux-specific code on bsd (#2143)
  + cli: schema validation of jinja template user-data (SC-1385) (#2132)
    (LP: #1881925)
  + gce: activate network discovery on every boot (#2128)
  + tests: update integration test to assert 640 across reboots (#2145)
  + Make user/vendor data sensitive and remove log permissions (#2144)
    (LP: #2013967)
  + Update kernel command line docs (SC-1457) (#2133)
  + docs: update network configuration path links (#2140) [d1r3ct0r]
  + sources/azure: report failures to host via kvp (#2136) [Chris Patterson]
  + net: Document use of `ip route append` to add routes (#2130)
  + dhcp: Add missing mocks (#2135)
  + azure/imds: retry fetching metadata up to 300 seconds (#2121)
    [Chris Patterson]
  + [1/2] DHCP: Refactor dhcp client code  (#2122)
  + azure/errors: treat traceback_base64 as string (#2131) [Chris Patterson]
  + azure/errors: introduce reportable errors (#2129) [Chris Patterson]
  + users: schema permit empty list to indicate create no users
  + azure: introduce identity module (#2116) [Chris Patterson]
  + Standardize disabling cloud-init on non-systemd (#2112)
  + Update .github-cla-signers (#2126) [Rob Tongue]
  + NoCloud: Use seedfrom protocol to determine mode (#2107)
  + rhel: Remove sysvinit files. (#2114)
  + tox.ini: set -vvvv --showlocals for pytest (#2104) [Chris Patterson]
  + Fix NoCloud kernel commandline semi-colon args
  + run-container: make the container/VM timeout configurable (#2118)
    [Paride Legovini]
  + suse: Remove sysvinit files. (#2115)
  + test: Backport assert_call_count for old requests (#2119)
  + Add 'licebmi' as contributor (#2113) [Mark Martinez]
  + Adapt DataSourceScaleway to upcoming IPv6 support (#2033)
    [Louis Bouchard]
  + rhel: make sure previous-hostname file ends with a new line (#2108)
    [Ani Sinha]
  + Adding contributors for DataSourceAkamai (#2110) [acourdavAkamai]
  + Cleanup ephemeral IP routes on exception (#2100) [sxt1001]
  + commit 09a64badfb3f51b1b391fa29be19962381a4bbeb [sxt1001] (LP: #2011291)
  + Standardize kernel commandline user interface (#2093)
  + config/cc_resizefs: fix do_resize arguments (#2106) [Chris Patterson]
  + Fix test_dhclient_exits_with_error (#2105)
  + net/dhcp: catch dhclient failures and raise NoDHCPLeaseError (#2083)
    [Chris Patterson]
  + sources/azure: move pps handling out of _poll_imds() (#2075)
    [Chris Patterson]
  + tests: bump pycloudlib version (#2102)
  + schema: do not manipulate draft4 metaschema for jsonschema 2.6.0 (#2098)
  + sources/azure/imds: don't count timeout errors as connection errors
    (#2074) [Chris Patterson]
  + Fix Python 3.12 unit test failures (#2099)
  + integration tests: Refactor instance checking (#1989)
  + ci: migrate remaining jobs from travis to gh (#2085)
  + missing ending quote in instancedata docs(#2094) [Hong L]
  + refactor: stop passing log instances to cc_* handlers (#2016) [d1r3ct0r]
  + tests/vmware: fix test_no_data_access_method failure (#2092)
    [Chris Patterson]
  + Don't change permissions of netrules target (#2076) (LP: #2011783)
  + tests/sources: patch util.get_cmdline() for datasource tests (#2091)
    [Chris Patterson]
  + macs: ignore duplicate MAC for devs with driver driver qmi_wwan (#2090)
    (LP: #2008888)
  + Fedora: Enable CA handling (#2086) [Franti??ek Zatloukal]
  + Send dhcp-client-identifier for InfiniBand ports (#2043) [Waleed Mousa]
  + cc_ansible: complete the examples and doc (#2082) [Yves]
  + bddeb: for dev package, derive debhelper-compat from host system
  + apport: only prompt for cloud_name when instance-data.json is absent
  + datasource: Optimize datasource detection, fix bugs (#2060)
  + Handle non existent ca-cert-config situation (#2073) [Shreenidhi Shedi]
  + sources/azure: add networking check for all source PPS (#2061)
    [Chris Patterson]
  + do not attempt dns resolution on ip addresses (#2040)
  + chore: fix style tip (#2071)
  + Fix metadata IP in instancedata.rst (#2063) [Brian Haley]
  + util: Pass deprecation schedule in deprecate_call() (#2064)
  + config: Update grub-dpkg docs (#2058)
  + docs: Cosmetic improvements and styling (#2057) [s-makin]
  + cc_grub_dpkg: Added UEFI support (#2029) [Alexander Birkner]
  + tests: Write to /var/spool/rsyslog to adhere to apparmor profile (#2059)
  + oracle-ds: prefer system_cfg over ds network config source (#1998)
    (LP: #1956788)
  + Remove dead code (#2038)
  + source: Force OpenStack when it is only option (#2045) (LP: #2008727)
  + cc_ubuntu_advantage: improve UA logs discovery
  + sources/azure: fix regressions in IMDS behavior (#2041) [Chris Patterson]
  + tests: fix test_schema (#2042)
  + dhcp: Cleanup unused kwarg (#2037)
  + sources/vmware/imc: fix-missing-catch-few-negtive-scenarios (#2027)
    [PengpengSun]
  + dhclient_hook: remove vestigal dhclient_hook command (#2015)
  + log: Add standardized deprecation tooling (SC-1312) (#2026)
  + Enable SUSE based distros for ca handling (#2036) [Robert Schweikert]
>From 23.1.2
  + Make user/vendor data sensitive and remove log permissions
    (LP: #2013967) (CVE-2023-1786)

- Remove six dependency (bsc#1198269)
- Update to version 22.4 (bsc#1201010)

  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:161-1
Released:    Thu Jan 18 18:41:08 2024
Summary:     Recommended update for dpdk22
Type:        recommended
Severity:    moderate
References:  

This update of dpdk22 fixes the following issue:

- DPDK 22.11.1 is shipped to SLE Micro 5.5. (jsc#PED-7147)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:187-1
Released:    Tue Jan 23 13:38:00 2024
Summary:     Recommended update for python-chardet
Type:        recommended
Severity:    moderate
References:  1218765
This update for python-chardet fixes the following issues:

- Fix update-alternative in %postun (bsc#1218765)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:219-1
Released:    Wed Jan 24 19:43:28 2024
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1218799
This update for rsyslog fixes the following issues:

- suppress installation errors when systemd is not running (bsc#1218799)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:254-1
Released:    Fri Jan 26 17:19:30 2024
Summary:     Recommended update for containerd
Type:        recommended
Severity:    moderate
References:  1217952
This update for containerd fixes the following issues:

- Fix permissions of address file (bsc#1217952)
- Update to version 1.7.10

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:306-1
Released:    Thu Feb  1 17:58:09 2024
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        recommended
Severity:    moderate
References:  1218561,1218739
This update for python-instance-billing-flavor-check fixes the following issues:

- Support proxy setup on the client to access the update infrastructure API (bsc#1218561) 
- Add IPv6 support (bsc#1218739) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- cloud-init-config-suse-23.3-150100.8.71.1 updated
- cloud-init-23.3-150100.8.71.1 updated
- containerd-ctr-1.7.10-150000.106.1 updated
- containerd-1.7.10-150000.106.1 updated
- cpio-2.13-150400.3.6.1 updated
- efibootmgr-17-150400.3.2.2 updated
- kernel-default-5.14.21-150500.55.44.1 updated
- libblkid1-2.37.4-150500.9.3.1 updated
- libfdisk1-2.37.4-150500.9.3.1 updated
- libfstrm0-0.6.1-150300.9.5.1 updated
- libmount1-2.37.4-150500.9.3.1 updated
- libsmartcols1-2.37.4-150500.9.3.1 updated
- libssh-config-0.9.8-150400.3.3.1 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libuuid1-2.37.4-150500.9.3.1 updated
- pam-1.3.0-150000.6.66.1 updated
- python-instance-billing-flavor-check-0.0.6-150000.1.9.1 updated
- python3-chardet-3.0.4-150000.5.3.1 updated
- python3-passlib-1.7.4-1.10 added
- rsyslog-module-relp-8.2306.0-150400.5.27.1 updated
- rsyslog-8.2306.0-150400.5.27.1 updated
- runc-1.1.11-150000.58.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- suse-build-key-12.0-150000.8.40.1 updated
- suse-module-tools-15.5.4-150500.3.9.1 updated
- suseconnect-ng-1.6.0~git0.31371c8-150500.3.12.1 updated
- systemd-sysvinit-249.17-150400.8.40.1 updated
- systemd-249.17-150400.8.40.1 updated
- udev-249.17-150400.8.40.1 updated
- util-linux-systemd-2.37.4-150500.9.3.1 updated
- util-linux-2.37.4-150500.9.3.1 updated
- xen-libs-4.17.3_04-150500.3.21.1 updated

From sle-container-updates at lists.suse.com  Tue Feb 13 08:01:08 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 13 Feb 2024 09:01:08 +0100 (CET)
Subject: SUSE-IU-2024:228-1: Security update of
 suse-sles-15-sp5-chost-byos-v20240209-hvm-ssd-x86_64
Message-ID: <20240213080108.6DC35FBA3@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20240209-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:228-1
Image Tags        : suse-sles-15-sp5-chost-byos-v20240209-hvm-ssd-x86_64:20240209
Image Release     : 
Severity          : important
Type              : security
References        : 1107342 1183663 1193173 1196293 1198269 1201010 1211188 1211190
                        1211547 1214169 1214668 1215241 1215434 1215740 1215794 1216007
                        1216011 1216049 1216388 1216390 1216522 1216827 1217000 1217237
                        1217287 1217460 1217952 1218126 1218186 1218201 1218209 1218282
                        1218475 1218561 1218571 1218571 1218739 1218765 1218799 1218894
                        1219123 1219189 1219238 CVE-2023-1667 CVE-2023-1786 CVE-2023-2283
                        CVE-2023-48795 CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2023-7207
                        CVE-2024-21626 CVE-2024-22365 
-----------------------------------------------------------------

The container suse-sles-15-sp5-chost-byos-v20240209-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:105-1
Released:    Mon Jan 15 15:41:05 2024
Summary:     Recommended update for grub2 and efibootmgr
Type:        recommended
Severity:    important
References:  1217237
This update for grub2 and efibootmgr fixes the following issues:

grub2:

- Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237)

efibootmgr:

- Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:128-1
Released:    Tue Jan 16 13:50:37 2024
Summary:     Security update for cloud-init
Type:        security
Severity:    moderate
References:  1198269,1201010,1214169,1215740,1215794,1216007,1216011,CVE-2023-1786
This update for cloud-init contains the following fixes:

- Move fdupes call back to %install.(bsc#1214169)

- Update to version 23.3. (bsc#1216011)
  * (bsc#1215794)
  * (bsc#1215740)
  * (bsc#1216007)
  + Bump pycloudlib to 1!5.1.0 for ec2 mantic daily image support (#4390)
  + Fix cc_keyboard in mantic (LP: #2030788)
  + ec2: initialize get_instance_userdata return value to bytes (#4387)
    [Noah Meyerhans]
  + cc_users_groups: Add doas/opendoas support (#4363) [dermotbradley]
  + Fix pip-managed ansible
  + status: treat SubState=running and MainPID=0 as service exited
  + azure/imds: increase read-timeout to 30s (#4372) [Chris Patterson]
  + collect-logs fix memory usage (SC-1590) (#4289)
    [Alec Warren] (LP: #1980150)
  + cc_mounts: Use fallocate to create swapfile on btrfs (#4369)
  + Undocument nocloud-net (#4318)
  + feat(akamai): add akamai to settings.py and apport.py (#4370)
  + read-version: fallback to get_version when git describe fails (#4366)
  + apt: fix cloud-init status --wait blocking on systemd v 253 (#4364)
  + integration tests: Pass username to pycloudlib (#4324)
  + Bump pycloudlib to 1!5.1.0 (#4353)
  + cloud.cfg.tmpl: reorganise, minimise/reduce duplication (#4272)
    [dermotbradley]
  + analyze: fix (unexpected) timestamp parsing (#4347) [Mina Gali??]
  + cc_growpart: fix tests to run on FreeBSD (#4351) [Mina Gali??]
  + subp: Fix spurious test failure on FreeBSD (#4355) [Mina Gali??]
  + cmd/clean: fix tests on non-Linux platforms (#4352) [Mina Gali??]
  + util: Fix get_proc_ppid() on non-Linux systems (#4348) [Mina Gali??]
  + cc_wireguard: make tests pass on FreeBSD (#4346) [Mina Gali??]
  + unittests: fix breakage in test_read_cfg_paths_fetches_cached_datasource
    (#4328) [Ani Sinha]
  + Fix test_tools.py collection (#4315)
  + cc_keyboard: add Alpine support (#4278) [dermotbradley]
  + Flake8 fixes (#4340) [Robert Schweikert]
  + cc_mounts: Fix swapfile not working on btrfs (#4319) [?????????] (LP: #1884127)
  + ds-identify/CloudStack: $DS_MAYBE if vm running on vmware/xen (#4281)
    [Wei Zhou]
  + ec2: Support double encoded userdata (#4275) [Noah Meyerhans]
  + cc_mounts: xfs is a Linux only FS (#4334) [Mina Gali??]
  + tests/net: fix TestGetInterfaces' mock coverage for get_master (#4336)
    [Chris Patterson]
  + change openEuler to openeuler and fix some bugs in openEuler (#4317)
    [sxt1001]
  + Replace flake8 with ruff (#4314)
  + NM renderer: set default IPv6 addr-gen-mode for all interfaces to eui64
    (#4291) [Ani Sinha]
  + cc_ssh_import_id: add Alpine support and add doas support (#4277)
    [dermotbradley]
  + sudoers not idempotent (SC-1589)  (#4296) [Alec Warren] (LP: #1998539)
  + Added support for Akamai Connected Cloud (formerly Linode) (#4167)
    [Will Smith]
  + Fix reference before assignment (#4292)
  + Overhaul module reference page (#4237) [Sally]
  + replaced spaces with commas for setting passenv (#4269) [Alec Warren]
  + DS VMware: modify a few log level (#4284) [PengpengSun]
  + tools/read-version refactors and unit tests (#4268)
  + Ensure get_features() grabs all features (#4285)
  + Don't always require passlib dependency (#4274)
  + tests: avoid leaks into host system checking of ovs-vsctl cmd (#4275)
  + Fix NoCloud kernel commandline key parsing (#4273)
  + testing: Clear all LRU caches after each test (#4249)
  + Remove the crypt dependency (#2139) [Gon??ri Le Bouder]
  + logging: keep current file mode of log file if its stricter than the
    new mode (#4250) [Ani Sinha]
  + Remove default membership in redundant groups (#4258)
    [Dave Jones] (LP: #1923363)
  + doc: improve datasource_creation.rst (#4262)
  + Remove duplicate Integration testing button (#4261) [Rishita Shaw]
  + tools/read-version: fix the tool so that it can handle version parsing
    errors (#4234) [Ani Sinha]
  + net/dhcp: add udhcpc support (#4190) [Jean-Fran??ois Roche]
  + DS VMware: add i386 arch dir to deployPkg plugin search path
    [PengpengSun]
  + LXD moved from linuxcontainers.org to Canonical [Simon Deziel]
  + cc_mounts.py: Add note about issue with creating mounts inside mounts
    (#4232) [dermotbradley]
  + lxd: install lxd from snap, not deb if absent in image
  + landscape: use landscape-config to write configuration
  + Add deprecation log during init of DataSourceDigitalOcean (#4194)
    [tyb-truth]
  + doc: fix typo on apt.primary.arches (#4238) [Dan Bungert]
  + Inspect systemd state for cloud-init status (#4230)
  + instance-data: add system-info and features to combined-cloud-config
    (#4224)
  + systemd: Block login until config stage completes (#2111) (LP: #2013403)
  + tests: proposed should invoke apt-get install -t=<release>-proposed
    (#4235)
  + cloud.cfg.tmpl: reinstate ca_certs entry (#4236) [dermotbradley]
  + Remove feature flag override ability (#4228)
  + tests: drop stray unrelated file presence test (#4227)
  + Update LXD URL (#4223) [Sally]
  + schema: add network v1 schema definition and validation functions
  + tests: daily PPA for devel series is version 99.daily update tests to
    match (#4225)
  + instance-data: write /run/cloud-init/combined-cloud-config.json
  + mount parse: Fix matching non-existent directories (#4222) [Mina Gali??]
  + Specify build-system for pep517 (#4218)
  + Fix network v2 metric rendering (#4220)
  + Migrate content out of FAQ page (SD-1187) (#4205) [Sally]
  + setup: fix generation of init templates (#4209) [Mina Gali??]
  + docs: Correct some bootcmd example wording
  + fix changelog
  + tests: reboot client to assert x-shellscript-per-boot is triggered
  + nocloud: parse_cmdline no longer detects nocloud-net datasource (#4204)
    (LP: 4203, #2025180)
  + Add docstring and typing to mergemanydict (#4200)
  + BSD: add dsidentify to early startup scripts (#4182) [Mina Gali??]
  + handler: report errors on skipped merged cloud-config.txt parts
    (LP: #1999952)
  + Add cloud-init summit writeups (#4179) [Sally]
  + tests: Update test_clean_log for oci (#4187)
  + gce: improve ephemeral fallback NIC selection (CPC-2578) (#4163)
  + tests: pin pytest 7.3.1 to avoid adverse testpaths behavior (#4184)
  + Ephemeral Networking for FreeBSD (#2165) [Mina Gali??]
  + Clarify directory syntax for nocloud local filesystem. (#4178)
  + Set default renderer as sysconfig for centos/rhel (#4165) [Ani Sinha]
  + Test static routes and netplan 0.106
  + FreeBSD fix parsing of mount and mount options (#2146) [Mina Gali??]
  + test: add tracking bug id (#4164)
  + tests: can't match MAC for LXD container veth due to netplan 0.106
    (#4162)
  + Add kaiwalyakoparkar as a contributor (#4156) [Kaiwalya Koparkar]
  + BSD: remove datasource_list from cloud.cfg template (#4159) [Mina Gali??]
  + launching salt-minion in masterless mode (#4110) [Denis Halturin]
  + tools: fix run-container builds for rockylinux/8 git hash mismatch
    (#4161)
  + fix doc lint: spellchecker tripped up (#4160) [Mina Gali??]
  + Support Ephemeral Networking for BSD (#2127)
  + Added / fixed support for static routes on OpenBSD and FreeBSD (#2157)
    [Kadir Mueller]
  + cc_rsyslog: Refactor for better multi-platform support (#4119)
    [Mina Gali??] (LP: #1798055)
  + tests: fix test_lp1835584 (#4154)
  + cloud.cfg mod names: docs and rename salt_minion and set_password (#4153)
  + vultr: remove check_route check (#2151) [Jonas Chevalier]
  + Update SECURITY.md (#4150) [Indrranil Pawar]
  + Update CONTRIBUTING.rst (#4149) [Indrranil Pawar]
  + Update .github-cla-signers (#4151) [Indrranil Pawar]
  + Standardise module names in cloud.cfg.tmpl to only use underscore
    (#4128) [dermotbradley]
  + Modify PR template so autoclose works
>From 23.2.2
  + Fix NoCloud kernel commandline key parsing (#4273) (Fixes: #4271)
    (LP: #2028562)
  + Fix reference before assignment (#4292) (Fixes: #4288) (LP: #2028784)
>From 23.2.1
  + nocloud: Fix parse_cmdline detection of nocloud-net datasource (#4204)
    (Fixes: 4203) (LP: #2025180)
>From 23.2
  + BSD: simplify finding MBR partitions by removing duplicate code
   [Mina Gali??]
  + tests: bump pycloudlib version for mantic builds
  + network-manager: Set higher autoconnect priority for nm keyfiles (#3671)
    [Ani Sinha]
  + alpine.py: change the locale file used (#4139) [dermotbradley]
  + cc_ntp: Sync up with current FreeBSD ntp.conf (#4122) [Mina Gali??]
  + config: drop refresh_rmc_and_interface as RHEL 7 no longer supported
    [Robert Schweikert]
  + docs: Add feedback button to docs
  + net/sysconfig: enable sysconfig renderer if network manager has ifcfg-rh
    plugin (#4132) [Ani Sinha]
  + For Alpine use os-release PRETTY_NAME (#4138) [dermotbradley]
  + network_manager: add a method for ipv6 static IP configuration (#4127)
    [Ani Sinha]
  + correct misnamed template file host.mariner.tmpl (#4124) [dermotbradley]
  + nm: generate ipv6 stateful dhcp config at par with sysconfig (#4115)
    [Ani Sinha]
  + Add templates for GitHub Issues
  + Add 'peers' and 'allow' directives in cc_ntp (#3124) [Jacob Salmela]
  + FreeBSD: Fix user account locking (#4114) [Mina Gali??] (GH: #1854594)
  + FreeBSD: add ResizeGrowFS class to cc_growpart (#2334) [Mina Gali??]
  + Update tests in Azure TestCanDevBeReformatted class (#2771)
    [Ksenija Stanojevic]
  + Replace Launchpad references with GitHub Issues
  + Fix KeyError in iproute pformat (#3287) [Dmitry Zykov]
  + schema: read_cfg_paths call init.fetch to lookup /v/l/c/instance
  + azure/errors: introduce reportable errors for imds (#3647)
    [Chris Patterson]
  + FreeBSD (and friends): better identify MBR slices (#2168)
    [Mina Gali??] (LP: #2016350)
  + azure/errors: add host reporting for dhcp errors (#2167)
    [Chris Patterson]
  + net: purge blacklist_drivers across net and azure (#2160)
    [Chris Patterson]
  + net: refactor hyper-v VF filtering and apply to get_interfaces() (#2153)
    [Chris Patterson]
  + tests: avoid leaks to underlying filesystem for /etc/cloud/clean.d
    (#2251)
  + net: refactor find_candidate_nics_on_linux() to use get_interfaces()
    (#2159) [Chris Patterson]
  + resolv_conf: Allow > 3 nameservers (#2152) [Major Hayden]
  + Remove mount NTFS error message (#2134) [Ksenija Stanojevic]
  + integration tests: fix image specification parsing (#2166)
  + ci: add hypothesis scheduled GH check (#2149)
  + Move supported distros list to docs (#2162)
  + Fix logger, use instance rather than module function (#2163)
  + README: Point to Github Actions build status (#2158)
  + Revert 'fix linux-specific code on bsd (#2143)' (#2161)
  + Do not generate dsa and ed25519 key types when crypto FIPS mode is
    enabled (#2142) [Ani Sinha] (LP: 2017761)
  + Add documentation label automatically (#2156)
  + sources/azure: report success to host and introduce kvp module (#2141)
    [Chris Patterson]
  + setup.py: use pkg-config for udev/rules path (#2137) [dankm]
  + openstack/static: honor the DNS servers associated with a network
    (#2138) [Gon??ri Le Bouder]
  + fix linux-specific code on bsd (#2143)
  + cli: schema validation of jinja template user-data (SC-1385) (#2132)
    (LP: #1881925)
  + gce: activate network discovery on every boot (#2128)
  + tests: update integration test to assert 640 across reboots (#2145)
  + Make user/vendor data sensitive and remove log permissions (#2144)
    (LP: #2013967)
  + Update kernel command line docs (SC-1457) (#2133)
  + docs: update network configuration path links (#2140) [d1r3ct0r]
  + sources/azure: report failures to host via kvp (#2136) [Chris Patterson]
  + net: Document use of `ip route append` to add routes (#2130)
  + dhcp: Add missing mocks (#2135)
  + azure/imds: retry fetching metadata up to 300 seconds (#2121)
    [Chris Patterson]
  + [1/2] DHCP: Refactor dhcp client code  (#2122)
  + azure/errors: treat traceback_base64 as string (#2131) [Chris Patterson]
  + azure/errors: introduce reportable errors (#2129) [Chris Patterson]
  + users: schema permit empty list to indicate create no users
  + azure: introduce identity module (#2116) [Chris Patterson]
  + Standardize disabling cloud-init on non-systemd (#2112)
  + Update .github-cla-signers (#2126) [Rob Tongue]
  + NoCloud: Use seedfrom protocol to determine mode (#2107)
  + rhel: Remove sysvinit files. (#2114)
  + tox.ini: set -vvvv --showlocals for pytest (#2104) [Chris Patterson]
  + Fix NoCloud kernel commandline semi-colon args
  + run-container: make the container/VM timeout configurable (#2118)
    [Paride Legovini]
  + suse: Remove sysvinit files. (#2115)
  + test: Backport assert_call_count for old requests (#2119)
  + Add 'licebmi' as contributor (#2113) [Mark Martinez]
  + Adapt DataSourceScaleway to upcoming IPv6 support (#2033)
    [Louis Bouchard]
  + rhel: make sure previous-hostname file ends with a new line (#2108)
    [Ani Sinha]
  + Adding contributors for DataSourceAkamai (#2110) [acourdavAkamai]
  + Cleanup ephemeral IP routes on exception (#2100) [sxt1001]
  + commit 09a64badfb3f51b1b391fa29be19962381a4bbeb [sxt1001] (LP: #2011291)
  + Standardize kernel commandline user interface (#2093)
  + config/cc_resizefs: fix do_resize arguments (#2106) [Chris Patterson]
  + Fix test_dhclient_exits_with_error (#2105)
  + net/dhcp: catch dhclient failures and raise NoDHCPLeaseError (#2083)
    [Chris Patterson]
  + sources/azure: move pps handling out of _poll_imds() (#2075)
    [Chris Patterson]
  + tests: bump pycloudlib version (#2102)
  + schema: do not manipulate draft4 metaschema for jsonschema 2.6.0 (#2098)
  + sources/azure/imds: don't count timeout errors as connection errors
    (#2074) [Chris Patterson]
  + Fix Python 3.12 unit test failures (#2099)
  + integration tests: Refactor instance checking (#1989)
  + ci: migrate remaining jobs from travis to gh (#2085)
  + missing ending quote in instancedata docs(#2094) [Hong L]
  + refactor: stop passing log instances to cc_* handlers (#2016) [d1r3ct0r]
  + tests/vmware: fix test_no_data_access_method failure (#2092)
    [Chris Patterson]
  + Don't change permissions of netrules target (#2076) (LP: #2011783)
  + tests/sources: patch util.get_cmdline() for datasource tests (#2091)
    [Chris Patterson]
  + macs: ignore duplicate MAC for devs with driver driver qmi_wwan (#2090)
    (LP: #2008888)
  + Fedora: Enable CA handling (#2086) [Franti??ek Zatloukal]
  + Send dhcp-client-identifier for InfiniBand ports (#2043) [Waleed Mousa]
  + cc_ansible: complete the examples and doc (#2082) [Yves]
  + bddeb: for dev package, derive debhelper-compat from host system
  + apport: only prompt for cloud_name when instance-data.json is absent
  + datasource: Optimize datasource detection, fix bugs (#2060)
  + Handle non existent ca-cert-config situation (#2073) [Shreenidhi Shedi]
  + sources/azure: add networking check for all source PPS (#2061)
    [Chris Patterson]
  + do not attempt dns resolution on ip addresses (#2040)
  + chore: fix style tip (#2071)
  + Fix metadata IP in instancedata.rst (#2063) [Brian Haley]
  + util: Pass deprecation schedule in deprecate_call() (#2064)
  + config: Update grub-dpkg docs (#2058)
  + docs: Cosmetic improvements and styling (#2057) [s-makin]
  + cc_grub_dpkg: Added UEFI support (#2029) [Alexander Birkner]
  + tests: Write to /var/spool/rsyslog to adhere to apparmor profile (#2059)
  + oracle-ds: prefer system_cfg over ds network config source (#1998)
    (LP: #1956788)
  + Remove dead code (#2038)
  + source: Force OpenStack when it is only option (#2045) (LP: #2008727)
  + cc_ubuntu_advantage: improve UA logs discovery
  + sources/azure: fix regressions in IMDS behavior (#2041) [Chris Patterson]
  + tests: fix test_schema (#2042)
  + dhcp: Cleanup unused kwarg (#2037)
  + sources/vmware/imc: fix-missing-catch-few-negtive-scenarios (#2027)
    [PengpengSun]
  + dhclient_hook: remove vestigal dhclient_hook command (#2015)
  + log: Add standardized deprecation tooling (SC-1312) (#2026)
  + Enable SUSE based distros for ca handling (#2036) [Robert Schweikert]
>From 23.1.2
  + Make user/vendor data sensitive and remove log permissions
    (LP: #2013967) (CVE-2023-1786)

- Remove six dependency (bsc#1198269)
- Update to version 22.4 (bsc#1201010)

  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:161-1
Released:    Thu Jan 18 18:41:08 2024
Summary:     Recommended update for dpdk22
Type:        recommended
Severity:    moderate
References:  

This update of dpdk22 fixes the following issue:

- DPDK 22.11.1 is shipped to SLE Micro 5.5. (jsc#PED-7147)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:187-1
Released:    Tue Jan 23 13:38:00 2024
Summary:     Recommended update for python-chardet
Type:        recommended
Severity:    moderate
References:  1218765
This update for python-chardet fixes the following issues:

- Fix update-alternative in %postun (bsc#1218765)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:219-1
Released:    Wed Jan 24 19:43:28 2024
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1218799
This update for rsyslog fixes the following issues:

- suppress installation errors when systemd is not running (bsc#1218799)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:254-1
Released:    Fri Jan 26 17:19:30 2024
Summary:     Recommended update for containerd
Type:        recommended
Severity:    moderate
References:  1217952
This update for containerd fixes the following issues:

- Fix permissions of address file (bsc#1217952)
- Update to version 1.7.10

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Thu Feb  1 17:33:38 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:306-1
Released:    Thu Feb  1 17:58:09 2024
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        recommended
Severity:    moderate
References:  1218561,1218739
This update for python-instance-billing-flavor-check fixes the following issues:

- Support proxy setup on the client to access the update infrastructure API (bsc#1218561) 
- Add IPv6 support (bsc#1218739) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- cloud-init-config-suse-23.3-150100.8.71.1 updated
- cloud-init-23.3-150100.8.71.1 updated
- containerd-ctr-1.7.10-150000.106.1 updated
- containerd-1.7.10-150000.106.1 updated
- cpio-2.13-150400.3.6.1 updated
- efibootmgr-17-150400.3.2.2 updated
- kernel-default-5.14.21-150500.55.44.1 updated
- libblkid1-2.37.4-150500.9.3.1 updated
- libfdisk1-2.37.4-150500.9.3.1 updated
- libfstrm0-0.6.1-150300.9.5.1 updated
- libmount1-2.37.4-150500.9.3.1 updated
- libsmartcols1-2.37.4-150500.9.3.1 updated
- libssh-config-0.9.8-150400.3.3.1 updated
- libssh4-0.9.8-150400.3.3.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libuuid1-2.37.4-150500.9.3.1 updated
- pam-1.3.0-150000.6.66.1 updated
- python-instance-billing-flavor-check-0.0.6-150000.1.9.1 updated
- python3-chardet-3.0.4-150000.5.3.1 updated
- python3-passlib-1.7.4-1.10 added
- rsyslog-module-relp-8.2306.0-150400.5.27.1 updated
- rsyslog-8.2306.0-150400.5.27.1 updated
- runc-1.1.11-150000.58.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- suse-build-key-12.0-150000.8.40.1 updated
- suse-module-tools-15.5.4-150500.3.9.1 updated
- suseconnect-ng-1.6.0~git0.31371c8-150500.3.12.1 updated
- systemd-sysvinit-249.17-150400.8.40.1 updated
- systemd-249.17-150400.8.40.1 updated
- udev-249.17-150400.8.40.1 updated
- util-linux-systemd-2.37.4-150500.9.3.1 updated
- util-linux-2.37.4-150500.9.3.1 updated
- xen-libs-4.17.3_04-150500.3.21.1 updated
- xen-tools-domU-4.17.3_04-150500.3.21.1 updated

From sle-container-updates at lists.suse.com  Wed Feb 14 08:01:57 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 14 Feb 2024 09:01:57 +0100 (CET)
Subject: SUSE-CU-2024:551-1: Security update of suse/ltss/sle15.3/sle15
Message-ID: <20240214080157.D1E92FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.3/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:551-1
Container Tags        : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.4.5 , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.4.5
Container Release     : 4.5
Severity              : moderate
Type                  : security
References            : 1219576 CVE-2024-25062 
-----------------------------------------------------------------

The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:461-1
Released:    Tue Feb 13 15:30:06 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libxml2-2-2.9.7-150000.3.66.1 updated

From sle-container-updates at lists.suse.com  Wed Feb 14 08:03:39 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 14 Feb 2024 09:03:39 +0100 (CET)
Subject: SUSE-CU-2024:558-1: Recommended update of suse/manager/4.3/proxy-httpd
Message-ID: <20240214080339.996C4FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:558-1
Container Tags        : suse/manager/4.3/proxy-httpd:4.3.10 , suse/manager/4.3/proxy-httpd:4.3.10.9.43.27 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.10 , suse/manager/4.3/proxy-httpd:susemanager-4.3.10.9.43.27
Container Release     : 9.43.27
Severity              : moderate
Type                  : recommended
References            : 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:458-1
Released:    Tue Feb 13 14:34:14 2024
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  
This update for hwdata fixes the following issues:

- Update to version 0.378
- Update pci, usb and vendor ids


The following package changes have been done:

- hwdata-0.378-150000.3.65.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 15 08:05:20 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 15 Feb 2024 09:05:20 +0100 (CET)
Subject: SUSE-CU-2024:562-1: Security update of suse/sle15
Message-ID: <20240215080520.39CA1FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:562-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.874
Container Release     : 6.2.874
Severity              : moderate
Type                  : security
References            : 1219576 CVE-2024-25062 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:461-1
Released:    Tue Feb 13 15:30:06 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libxml2-2-2.9.7-150000.3.66.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 15 08:06:36 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 15 Feb 2024 09:06:36 +0100 (CET)
Subject: SUSE-CU-2024:563-1: Security update of suse/sle15
Message-ID: <20240215080636.BDD29FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:563-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.9.5.403
Container Release     : 9.5.403
Severity              : moderate
Type                  : security
References            : 1219576 CVE-2024-25062 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:461-1
Released:    Tue Feb 13 15:30:06 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libxml2-2-2.9.7-150000.3.66.1 updated

From sle-container-updates at lists.suse.com  Mon Feb 19 09:18:58 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Feb 2024 10:18:58 +0100 (CET)
Subject: SUSE-CU-2024:571-1: Recommended update of suse/sle-micro/5.5/toolbox
Message-ID: <20240219091858.7DD50FBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:571-1
Container Tags        : suse/sle-micro/5.5/toolbox:12.1 , suse/sle-micro/5.5/toolbox:12.1-2.2.157 , suse/sle-micro/5.5/toolbox:latest
Container Release     : 2.2.157
Severity              : important
Type                  : recommended
References            : 1215698 1218782 1218831 1219442 
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:480-1
Released:    Thu Feb 15 12:35:51 2024
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    important
References:  1215698,1218782,1218831,1219442
This update for libsolv, libzypp fixes the following issues:

- build for multiple python versions [jsc#PED-6218]
- applydeltaprm: Create target directory if it does not exist (bsc#1219442)
- Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698)
- CheckAccessDeleted: fix running_in_container detection (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831) 


The following package changes have been done:

- libsolv-tools-0.7.28-150400.3.16.2 updated
- libzypp-17.31.31-150400.3.52.2 updated
- container:sles15-image-15.0.0-36.11.4 updated

From sle-container-updates at lists.suse.com  Mon Feb 19 09:21:06 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Feb 2024 10:21:06 +0100 (CET)
Subject: SUSE-CU-2024:572-1: Recommended update of suse/sle15
Message-ID: <20240219092106.D237AFBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:572-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.875
Container Release     : 6.2.875
Severity              : important
Type                  : recommended
References            : 1215698 1218782 1218831 1219442 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:521-1
Released:    Fri Feb 16 10:17:53 2024
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    important
References:  1215698,1218782,1218831,1219442
This update for libsolv, libzypp fixes the following issues:
    
- build for multiple python versions [jsc#PED-6218]
- applydeltaprm: Create target directory if it does not exist (bsc#1219442)
- Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698)
- CheckAccessDeleted: fix running_in_container detection (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831)   


The following package changes have been done:

- libsolv-tools-0.7.28-150100.4.16.1 updated
- libzypp-17.31.31-150100.3.128.2 updated

From sle-container-updates at lists.suse.com  Mon Feb 19 09:21:15 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Feb 2024 10:21:15 +0100 (CET)
Subject: SUSE-CU-2024:573-1: Recommended update of suse/ltss/sle15.4/sle15
Message-ID: <20240219092115.403B5FBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.4/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:573-1
Container Tags        : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.3.3 , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.3.3
Container Release     : 3.3
Severity              : important
Type                  : recommended
References            : 1215698 1218782 1218831 1219442 
-----------------------------------------------------------------

The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:480-1
Released:    Thu Feb 15 12:35:51 2024
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    important
References:  1215698,1218782,1218831,1219442
This update for libsolv, libzypp fixes the following issues:

- build for multiple python versions [jsc#PED-6218]
- applydeltaprm: Create target directory if it does not exist (bsc#1219442)
- Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698)
- CheckAccessDeleted: fix running_in_container detection (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831) 


The following package changes have been done:

- libsolv-tools-0.7.28-150400.3.16.2 updated
- libzypp-17.31.31-150400.3.52.2 updated

From sle-container-updates at lists.suse.com  Mon Feb 19 09:24:18 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Feb 2024 10:24:18 +0100 (CET)
Subject: SUSE-CU-2024:584-1: Recommended update of bci/golang
Message-ID: <20240219092418.86041FBA3@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:584-1
Container Tags        : bci/golang:1.22 , bci/golang:1.22-1.2.6 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.2.6
Container Release     : 2.6
Severity              : moderate
Type                  : recommended
References            : 1218424 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:443-1
Released:    Fri Feb  9 16:34:12 2024
Summary:     Recommended update for go1.22
Type:        recommended
Severity:    moderate
References:  1218424
This update for go1.22 fixes the following issues:

This is go1.22 (released 2024-02-06), a major release of Go. (bsc#1218424 go1.22 release tracking)

go1.22.x minor releases will be provided through February 2024.

See https://github.com/golang/go/wiki/Go-Release-Cycle

go1.22 arrives six months after go1.21. Most of its changes are
in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before.

* Language change: go1.22 makes two changes to for loops.
  Previously, the variables declared by a for loop were created
  once and updated by each iteration. In go1.22, each iteration
  of the loop creates new variables, to avoid accidental sharing
  bugs. The transition support tooling described in the proposal
  continues to work in the same way it did in Go 1.21.
* Language change: For loops may now range over integers
* Language change: go1.22 includes a preview of a language change
  we are considering for a future version of Go:
  range-over-function iterators. Building with
  GOEXPERIMENT=rangefunc enables this feature.
* go command: Commands in workspaces can now use a vendor
  directory containing the dependencies of the workspace. The
  directory is created by go work vendor, and used by build
  commands when the -mod flag is set to vendor, which is the
  default when a workspace vendor directory is present.  Note
  that the vendor directory's contents for a workspace are
  different from those of a single module: if the directory at
  the root of a workspace also contains one of the modules in the
  workspace, its vendor directory can contain the dependencies of
  either the workspace or of the module, but not both.
* go get is no longer supported outside of a module in the legacy
  GOPATH mode (that is, with GO111MODULE=off). Other build
  commands, such as go build and go test, will continue to work
  indefinitely for legacy GOPATH programs.
* go mod init no longer attempts to import module requirements
  from configuration files for other vendoring tools (such as
  Gopkg.lock).
* go test -cover now prints coverage summaries for covered
  packages that do not have their own test files. Prior to Go
  1.22 a go test -cover run for such a package would report: ?
  mymod/mypack [no test files] and now with go1.22, functions in
  the package are treated as uncovered: mymod/mypack coverage:
  0.0% of statements Note that if a package contains no
  executable code at all, we can't report a meaningful coverage
  percentage; for such packages the go tool will continue to
  report that there are no test files.
* trace: The trace tool's web UI has been gently refreshed as
  part of the work to support the new tracer, resolving several
  issues and improving the readability of various sub-pages. The
  web UI now supports exploring traces in a thread-oriented
  view. The trace viewer also now displays the full duration of
  all system calls.  These improvements only apply for viewing
  traces produced by programs built with go1.22 or newer. A
  future release will bring some of these improvements to traces
  produced by older version of Go.
* vet: References to loop variables The behavior of the vet tool
  has changed to match the new semantics (see above) of loop
  variables in go1.22. When analyzing a file that requires go1.22
  or newer (due to its go.mod file or a per-file build
  constraint), vetcode> no longer reports references to loop
  variables from within a function literal that might outlive the
  iteration of the loop. In Go 1.22, loop variables are created
  anew for each iteration, so such references are no longer at
  risk of using a variable after it has been updated by the loop.
* vet: New warnings for missing values after append The vet tool
  now reports calls to append that pass no values to be appended
  to the slice, such as slice = append(slice). Such a statement
  has no effect, and experience has shown that is nearly always a
  mistake.
* vet: New warnings for deferring time.Since The vet tool now
  reports a non-deferred call to time.Since(t) within a defer
  statement. This is equivalent to calling time.Now().Sub(t)
  before the defer statement, not when the deferred function is
  called. In nearly all cases, the correct code requires
  deferring the time.Since call.
* vet: New warnings for mismatched key-value pairs in log/slog
  calls The vet tool now reports invalid arguments in calls to
  functions and methods in the structured logging package,
  log/slog, that accept alternating key/value pairs. It reports
  calls where an argument in a key position is neither a string
  nor a slog.Attr, and where a final key is missing its value.
* runtime: The runtime now keeps type-based garbage collection
  metadata nearer to each heap object, improving the CPU
  performance (latency or throughput) of Go programs by
  1-3%. This change also reduces the memory overhead of the
  majority Go programs by approximately 1% by deduplicating
  redundant metadata. Some programs may see a smaller improvement
  because this change adjusts the size class boundaries of the
  memory allocator, so some objects may be moved up a size class.
  A consequence of this change is that some objects' addresses
  that were previously always aligned to a 16 byte (or higher)
  boundary will now only be aligned to an 8 byte boundary. Some
  programs that use assembly instructions that require memory
  addresses to be more than 8-byte aligned and rely on the memory
  allocator's previous alignment behavior may break, but we
  expect such programs to be rare. Such programs may be built
  with GOEXPERIMENT=noallocheaders to revert to the old metadata
  layout and restore the previous alignment behavior, but package
  owners should update their assembly code to avoid the alignment
  assumption, as this workaround will be removed in a future
  release.
* runtime: On the windows/amd64 port, programs linking or loading
  Go libraries built with -buildmode=c-archive or
  -buildmode=c-shared can now use the SetUnhandledExceptionFilter
  Win32 function to catch exceptions not handled by the Go
  runtime. Note that this was already supported on the
  windows/386 port.
* compiler: Profile-guided Optimization (PGO) builds can now
  devirtualize a higher proportion of calls than previously
  possible. Most programs from a representative set of Go
  programs now see between 2 and 14% improvement from enabling
  PGO.
* compiler: The compiler now interleaves devirtualization and
  inlining, so interface method calls are better optimized.
* compiler: go1.22 also includes a preview of an enhanced
  implementation of the compiler's inlining phase that uses
  heuristics to boost inlinability at call sites deemed
  'important' (for example, in loops) and discourage inlining at
  call sites deemed 'unimportant' (for example, on panic
  paths). Building with GOEXPERIMENT=newinliner enables the new
  call-site heuristics; see issue #61502 for more info and to
  provide feedback.
* linker: The linker's -s and -w flags are now behave more
  consistently across all platforms. The -w flag suppresses DWARF
  debug information generation. The -s flag suppresses symbol
  table generation. The -s flag also implies the -w flag, which
  can be negated with -w=0. That is, -s -w=0 will generate a
  binary with DWARF debug information generation but without the
  symbol table.
* linker: On ELF platforms, the -B linker flag now accepts a
  special form: with -B gobuildid, the linker will generate a GNU
  build ID (the ELF NT_GNU_BUILD_ID note) derived from the Go
  build ID.
* linker: On Windows, when building with -linkmode=internal, the
  linker now preserves SEH information from C object files by
  copying the .pdata and .xdata sections into the final
  binary. This helps with debugging and profiling binaries using
  native tools, such as WinDbg. Note that until now, C functions'
  SEH exception handlers were not being honored, so this change
  may cause some programs to behave differently.
  -linkmode=external is not affected by this change, as external
  linkers already preserve SEH information.
* bootstrap: As mentioned in the Go 1.20 release notes, go1.22
  now requires the final point release of Go 1.20 or later for
  bootstrap. We expect that Go 1.24 will require the final point
  release of go1.22 or later for bootstrap.
* core library: New math/rand/v2 package: go1.22 includes the
  first ???v2??? package in the standard library, math/rand/v2. The
  changes compared to math/rand are detailed in proposal
  go#61716. The most important changes are:

  - The Read method, deprecated in math/rand, was not carried
    forward for math/rand/v2. (It remains available in
    math/rand.) The vast majority of calls to Read should use
    crypto/rand???s Read instead. Otherwise a custom Read can be
    constructed using the Uint64 method.
  - The global generator accessed by top-level functions is
    unconditionally randomly seeded. Because the API guarantees
    no fixed sequence of results, optimizations like per-thread
    random generator states are now possible.
  - The Source interface now has a single Uint64 method; there is
    no Source64 interface.
  - Many methods now use faster algorithms that were not possible
    to adopt in math/rand because they changed the output
    streams.
  - The Intn, Int31, Int31n, Int63, and Int64n top-level
    functions and methods from math/rand are spelled more
    idiomatically in math/rand/v2: IntN, Int32, Int32N, Int64,
    and Int64N. There are also new top-level functions and
    methods Uint32, Uint32N, Uint64, Uint64N, Uint, and UintN.
  - The new generic function N is like Int64N or Uint64N but
    works for any integer type. For example a random duration
    from 0 up to 5 minutes is rand.N(5*time.Minute).
  - The Mitchell & Reeds LFSR generator provided by math/rand???s
    Source has been replaced by two more modern pseudo-random
    generator sources: ChaCha8 PCG. ChaCha8 is a new,
    cryptographically strong random number generator roughly
    similar to PCG in efficiency. ChaCha8 is the algorithm used
    for the top-level functions in math/rand/v2. As of go1.22,
    math/rand's top-level functions (when not explicitly seeded)
    and the Go runtime also use ChaCha8 for randomness.
  - We plan to include an API migration tool in a future release,
    likely Go 1.23.

* core library: New go/version package: The new go/version
  package implements functions for validating and comparing Go
  version strings.
* core library: Enhanced routing patterns: HTTP routing in the
  standard library is now more expressive. The patterns used by
  net/http.ServeMux have been enhanced to accept methods and
  wildcards. This change breaks backwards compatibility in small
  ways, some obvious???patterns with '{' and '}' behave
  differently??? and some less so???treatment of escaped paths has
  been improved. The change is controlled by a GODEBUG field
  named httpmuxgo121. Set httpmuxgo121=1 to restore the old
  behavior.
* Minor changes to the library As always, there are various minor
  changes and updates to the library, made with the Go 1 promise
  of compatibility in mind. There are also various performance
  improvements, not enumerated here.
* archive/tar: The new method Writer.AddFS adds all of the files
  from an fs.FS to the archive.
* archive/zip: The new method Writer.AddFS adds all of the files
  from an fs.FS to the archive.
* bufio: When a SplitFunc returns ErrFinalToken with a nil token,
  Scanner will now stop immediately. Previously, it would report
  a final empty token before stopping, which was usually not
  desired. Callers that do want to report a final empty token can
  do so by returning []byte{} rather than nil.
* cmp: The new function Or returns the first in a sequence of
  values that is not the zero value.
* crypto/tls: ConnectionState.ExportKeyingMaterial will now
  return an error unless TLS 1.3 is in use, or the
  extended_master_secret extension is supported by both the
  server and client. crypto/tls has supported this extension
  since Go 1.20. This can be disabled with the tlsunsafeekm=1
  GODEBUG setting.
* crypto/tls: By default, the minimum version offered by
  crypto/tls servers is now TLS 1.2 if not specified with
  config.MinimumVersion, matching the behavior of crypto/tls
  clients. This change can be reverted with the tls10server=1
  GODEBUG setting.
* crypto/tls: By default, cipher suites without ECDHE support are
  no longer offered by either clients or servers during pre-TLS
  1.3 handshakes. This change can be reverted with the
  tlsrsakex=1 GODEBUG setting.
* crypto/x509: The new CertPool.AddCertWithConstraint method can
  be used to add customized constraints to root certificates to
  be applied during chain building.
* crypto/x509: On Android, root certificates will now be loaded
  from /data/misc/keychain/certs-added as well as
  /system/etc/security/cacerts.
* crypto/x509: A new type, OID, supports ASN.1 Object Identifiers
  with individual components larger than 31 bits. A new field
  which uses this type, Policies, is added to the Certificate
  struct, and is now populated during parsing. Any OIDs which
  cannot be represented using a asn1.ObjectIdentifier will appear
  in Policies, but not in the old PolicyIdentifiers field. When
  calling CreateCertificate, the Policies field is ignored, and
  policies are taken from the PolicyIdentifiers field. Using the
  x509usepolicies=1 GODEBUG setting inverts this, populating
  certificate policies from the Policies field, and ignoring the
  PolicyIdentifiers field. We may change the default value of
  x509usepolicies in Go 1.23, making Policies the default field
  for marshaling.
* database/sql: The new Null[T] type provide a way to scan
  nullable columns for any column types.
* debug/elf: Constant R_MIPS_PC32 is defined for use with MIPS64
  systems. Additional R_LARCH_* constants are defined for use
  with LoongArch systems.
* encoding: The new methods AppendEncode and AppendDecode added
  to each of the Encoding types in the packages encoding/base32,
  encoding/base64, and encoding/hex simplify encoding and
  decoding from and to byte slices by taking care of byte slice
  buffer management.
* encoding: The methods base32.Encoding.WithPadding and
  base64.Encoding.WithPadding now panic if the padding argument
  is a negative value other than NoPadding.
* encoding/json: Marshaling and encoding functionality now
  escapes '\b' and '\f' characters as \b and \f instead of \u0008
  and \u000c.
* go/ast: The following declarations related to syntactic
  identifier resolution are now deprecated: Ident.Obj, Object,
  Scope, File.Scope, File.Unresolved, Importer, Package,
  NewPackage. In general, identifiers cannot be accurately
  resolved without type information. Consider, for example, the
  identifier K in T{K: ''}: it could be the name of a local
  variable if T is a map type, or the name of a field if T is a
  struct type. New programs should use the go/types package to
  resolve identifiers; see Object, Info.Uses, and Info.Defs for
  details.
* go/ast: The new ast.Unparen function removes any enclosing
  parentheses from an expression.
* go/types: The new Alias type represents type
  aliases. Previously, type aliases were not represented
  explicitly, so a reference to a type alias was equivalent to
  spelling out the aliased type, and the name of the alias was
  lost. The new representation retains the intermediate
  Alias. This enables improved error reporting (the name of a
  type alias can be reported), and allows for better handling of
  cyclic type declarations involving type aliases. In a future
  release, Alias types will also carry type parameter
  information. The new function Unalias returns the actual type
  denoted by an Alias type (or any other Type for that matter).
* go/types: Because Alias types may break existing type switches
  that do not know to check for them, this functionality is
  controlled by a GODEBUG field named gotypesalias. With
  gotypesalias=0, everything behaves as before, and Alias types
  are never created. With gotypesalias=1, Alias types are created
  and clients must expect them. The default is gotypesalias=0. In
  a future release, the default will be changed to
  gotypesalias=1. Clients of go/types are urged to adjust their
  code as soon as possible to work with gotypesalias=1 to
  eliminate problems early.
* go/types: The Info struct now exports the FileVersions map
  which provides per-file Go version information.
* go/types: The new helper method PkgNameOf returns the local
  package name for the given import declaration.
* go/types: The implementation of SizesFor has been adjusted to
  compute the same type sizes as the compiler when the compiler
  argument for SizesFor is 'gc'. The default Sizes implementation
  used by the type checker is now types.SizesFor('gc', 'amd64').
* go/types: The start position (Pos) of the lexical environment
  block (Scope) that represents a function body has changed: it
  used to start at the opening curly brace of the function body,
  but now starts at the function's func token.
* html/template: Javascript template literals may now contain Go
  template actions, and parsing a template containing one will no
  longer return ErrJSTemplate. Similarly the GODEBUG setting
  jstmpllitinterp no longer has any effect.
* io: The new SectionReader.Outer method returns the ReaderAt,
  offset, and size passed to NewSectionReader.
* log/slog: The new SetLogLoggerLevel function controls the level
  for the bridge between the `slog` and `log` packages. It sets
  the minimum level for calls to the top-level `slog` logging
  functions, and it sets the level for calls to `log.Logger` that
  go through `slog`.
* math/big: The new method Rat.FloatPrec computes the number of
  fractional decimal digits required to represent a rational
  number accurately as a floating-point number, and whether
  accurate decimal representation is possible in the first place.
* net: When io.Copy copies from a TCPConn to a UnixConn, it will
  now use Linux's splice(2) system call if possible, using the
  new method TCPConn.WriteTo.
* net: The Go DNS Resolver, used when building with
  '-tags=netgo', now searches for a matching name in the Windows
  hosts file, located at %SystemRoot%\System32\drivers\etc\hosts,
  before making a DNS query.
* net/http: The new functions ServeFileFS, FileServerFS, and
  NewFileTransportFS are versions of the existing ServeFile,
  FileServer, and NewFileTransport, operating on an fs.FS.
* net/http: The HTTP server and client now reject requests and
  responses containing an invalid empty Content-Length
  header. The previous behavior may be restored by setting
  GODEBUG field httplaxcontentlength=1.
* net/http: The new method Request.PathValue returns path
  wildcard values from a request and the new method
  Request.SetPathValue sets path wildcard values on a request.
* net/http/cgi: When executing a CGI process, the PATH_INFO
  variable is now always set to the empty string or a value
  starting with a / character, as required by RFC 3875. It was
  previously possible for some combinations of Handler.Root and
  request URL to violate this requirement.
* net/netip: The new AddrPort.Compare method compares two
  AddrPorts.
* os: On Windows, the Stat function now follows all reparse
  points that link to another named entity in the system. It was
  previously only following IO_REPARSE_TAG_SYMLINK and
  IO_REPARSE_TAG_MOUNT_POINT reparse points.
* os: On Windows, passing O_SYNC to OpenFile now causes write
  operations to go directly to disk, equivalent to O_SYNC on Unix
  platforms.
* os: On Windows, the ReadDir, File.ReadDir, File.Readdir, and
  File.Readdirnames functions now read directory entries in
  batches to reduce the number of system calls, improving
  performance up to 30%.
* os: When io.Copy copies from a File to a net.UnixConn, it will
  now use Linux's sendfile(2) system call if possible, using the
  new method File.WriteTo.
* os/exec: On Windows, LookPath now ignores empty entries
  in %PATH%, and returns ErrNotFound (instead of ErrNotExist)
  if no executable file extension is found to resolve an
  otherwise-unambiguous name.
* os/exec: On Windows, Command and Cmd.Start no longer call
  LookPath if the path to the executable is already absolute and
  has an executable file extension. In addition, Cmd.Start no
  longer writes the resolved extension back to the Path field, so
  it is now safe to call the String method concurrently with a
  call to Start.
* reflect: The Value.IsZero method will now return true for a
  floating-point or complex negative zero, and will return true
  for a struct value if a blank field (a field named _) somehow
  has a non-zero value. These changes make IsZero consistent with
  comparing a value to zero using the language == operator.
* reflect: The PtrTo function is deprecated, in favor of
  PointerTo.
* reflect: The new function TypeFor returns the Type that
  represents the type argument T. Previously, to get the
  reflect.Type value for a type, one had to use
  reflect.TypeOf((*T)(nil)).Elem(). This may now be written as
  reflect.TypeFor[T]().
* runtime/metrics: Four new histogram metrics
  /sched/pauses/stopping/gc:seconds,
  /sched/pauses/stopping/other:seconds,
  /sched/pauses/total/gc:seconds, and
  /sched/pauses/total/other:seconds provide additional details
  about stop-the-world pauses. The 'stopping' metrics report the
  time taken from deciding to stop the world until all goroutines
  are stopped. The 'total' metrics report the time taken from
  deciding to stop the world until it is started again.
* runtime/metrics: The /gc/pauses:seconds metric is deprecated,
  as it is equivalent to the new /sched/pauses/total/gc:seconds
  metric.
* runtime/metrics: /sync/mutex/wait/total:seconds now includes
  contention on runtime-internal locks in addition to sync.Mutex
  and sync.RWMutex.
* runtime/pprof: Mutex profiles now scale contention by the
  number of goroutines blocked on the mutex. This provides a more
  accurate representation of the degree to which a mutex is a
  bottleneck in a Go program. For instance, if 100 goroutines are
  blocked on a mutex for 10 milliseconds, a mutex profile will
  now record 1 second of delay instead of 10 milliseconds of
  delay.
* runtime/pprof: Mutex profiles also now include contention on
  runtime-internal locks in addition to sync.Mutex and
  sync.RWMutex. Contention on runtime-internal locks is always
  reported at runtime._LostContendedRuntimeLock. A future release
  will add complete stack traces in these cases.
* runtime/pprof: CPU profiles on Darwin platforms now contain the
  process's memory map, enabling the disassembly view in the
  pprof tool.
* runtime/trace: The execution tracer has been completely
  overhauled in this release, resolving several long-standing
  issues and paving the way for new use-cases for execution
  traces.
* runtime/trace: Execution traces now use the operating system's
  clock on most platforms (Windows excluded) so it is possible to
  correlate them with traces produced by lower-level
  components. Execution traces no longer depend on the
  reliability of the platform's clock to produce a correct
  trace. Execution traces are now partitioned regularly
  on-the-fly and as a result may be processed in a streamable
  way. Execution traces now contain complete durations for all
  system calls. Execution traces now contain information about
  the operating system threads that goroutines executed on. The
  latency impact of starting and stopping execution traces has
  been dramatically reduced. Execution traces may now begin or
  end during the garbage collection mark phase.
* runtime/trace: To allow Go developers to take advantage of
  these improvements, an experimental trace reading package is
  available at golang.org/x/exp/trace. Note that this package
  only works on traces produced by programs built with go1.22 at
  the moment. Please try out the package and provide feedback on
  the corresponding proposal issue.
* runtime/trace: If you experience any issues with the new
  execution tracer implementation, you may switch back to the old
  implementation by building your Go program with
  GOEXPERIMENT=noexectracer2. If you do, please file an issue,
  otherwise this option will be removed in a future release.
* slices: The new function Concat concatenates multiple slices.
* slices: Functions that shrink the size of a slice (Delete,
  DeleteFunc, Compact, CompactFunc, and Replace) now zero the
  elements between the new length and the old length.
* slices: Insert now always panics if the argument i is out of
  range. Previously it did not panic in this situation if there
  were no elements to be inserted.
* syscall: The syscall package has been frozen since Go 1.4 and
  was marked as deprecated in Go 1.11, causing many editors to
  warn about any use of the package. However, some non-deprecated
  functionality requires use of the syscall package, such as the
  os/exec.Cmd.SysProcAttr field. To avoid unnecessary complaints
  on such code, the syscall package is no longer marked as
  deprecated. The package remains frozen to most new
  functionality, and new code remains encouraged to use
  golang.org/x/sys/unix or golang.org/x/sys/windows where
  possible.
* syscall: On Linux, the new SysProcAttr.PidFD field allows
  obtaining a PID FD when starting a child process via
  StartProcess or os/exec.
* syscall: On Windows, passing O_SYNC to Open now causes write
  operations to go directly to disk, equivalent to O_SYNC on Unix
  platforms.
* testing/slogtest: The new Run function uses sub-tests to run
  test cases, providing finer-grained control.
* Ports: Darwin: On macOS on 64-bit x86 architecture (the
  darwin/amd64 port), the Go toolchain now generates
  position-independent executables (PIE) by default. Non-PIE
  binaries can be generated by specifying the -buildmode=exe
  build flag. On 64-bit ARM-based macOS (the darwin/arm64 port),
  the Go toolchain already generates PIE by default. go1.22 is
  the last release that will run on macOS 10.15 Catalina. Go 1.23
  will require macOS 11 Big Sur or later.
* Ports: Arm: The GOARM environment variable now allows you to
  select whether to use software or hardware floating
  point. Previously, valid GOARM values were 5, 6, or 7. Now
  those same values can be optionally followed by ,softfloat or
  ,hardfloat to select the floating-point implementation. This
  new option defaults to softfloat for version 5 and hardfloat
  for versions 6 and 7.
* Ports: Loong64: The loong64 port now supports passing function
  arguments and results using registers. The linux/loong64 port
  now supports the address sanitizer, memory sanitizer, new-style
  linker relocations, and the plugin build mode.
* OpenBSD go1.22 adds an experimental port to OpenBSD on
  big-endian 64-bit PowerPC (openbsd/ppc64).


The following package changes have been done:

- go1.22-doc-1.22.0-150000.1.6.1 added
- go1.22-1.22.0-150000.1.6.1 added
- go1.22-race-1.22.0-150000.1.6.1 added
- container:sles15-image-15.0.0-36.11.4 updated
- go1.21-1.21.6-150000.1.21.1 removed
- go1.21-doc-1.21.6-150000.1.21.1 removed
- go1.21-race-1.21.6-150000.1.21.1 removed

From sle-container-updates at lists.suse.com  Mon Feb 19 09:31:13 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Feb 2024 10:31:13 +0100 (CET)
Subject: SUSE-CU-2024:608-1: Recommended update of suse/sle15
Message-ID: <20240219093113.0BEE9FBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:608-1
Container Tags        : bci/bci-base:15.5 , bci/bci-base:15.5.36.11.4 , suse/sle15:15.5 , suse/sle15:15.5.36.11.4
Container Release     : 36.11.4
Severity              : important
Type                  : recommended
References            : 1215698 1218782 1218831 1219442 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:480-1
Released:    Thu Feb 15 12:35:51 2024
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    important
References:  1215698,1218782,1218831,1219442
This update for libsolv, libzypp fixes the following issues:

- build for multiple python versions [jsc#PED-6218]
- applydeltaprm: Create target directory if it does not exist (bsc#1219442)
- Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698)
- CheckAccessDeleted: fix running_in_container detection (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831) 


The following package changes have been done:

- libsolv-tools-0.7.28-150400.3.16.2 updated
- libzypp-17.31.31-150400.3.52.2 updated

From sle-container-updates at lists.suse.com  Mon Feb 19 09:31:30 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 19 Feb 2024 10:31:30 +0100 (CET)
Subject: SUSE-CU-2024:609-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20240219093130.E5628FBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:609-1
Container Tags        : suse/manager/4.3/proxy-httpd:4.3.10 , suse/manager/4.3/proxy-httpd:4.3.10.9.46.2 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.11 , suse/manager/4.3/proxy-httpd:susemanager-4.3.11.9.46.2
Container Release     : 9.46.2
Severity              : important
Type                  : security
References            : 1170848 1170848 1210911 1210911 1211254 1211254 1211560 1211560
                        1211912 1211912 1213079 1213079 1213507 1213507 1213738 1213738
                        1213981 1213981 1214077 1214077 1214791 1214791 1215166 1215166
                        1215514 1215514 1215769 1215769 1215810 1215810 1215813 1215813
                        1215982 1215982 1216114 1216114 1216394 1216394 1216437 1216437
                        1216550 1216550 1216609 1216657 1216657 1216753 1216753 1216781
                        1216781 1216988 1216988 1217069 1217069 1217209 1217209 1217588
                        1217588 1217784 1217784 1217869 1217869 1218019 1218019 1218074
                        1218074 1218075 1218075 1218089 1218089 1218094 1218094 1218146
                        1218146 1218490 1218490 1218615 1218615 1218669 1218669 1218837
                        1218849 1218849 1219151 1219449 1219577 1219577 1219850 1219850
                        CVE-2023-31582 CVE-2023-32189 CVE-2023-32189 CVE-2024-22231 CVE-2024-22232
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:485-1
Released:    Thu Feb 15 14:35:10 2024
Summary:     Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Type:        security
Severity:    important
References:  1170848,1210911,1211254,1211560,1211912,1213079,1213507,1213738,1213981,1214077,1214791,1215166,1215514,1215769,1215810,1215813,1215982,1216114,1216394,1216437,1216550,1216609,1216657,1216753,1216781,1216988,1217069,1217209,1217588,1217784,1217869,1218019,1218074,1218075,1218089,1218094,1218146,1218490,1218615,1218669,1218837,1218849,1219151,1219449,1219577,1219850,CVE-2023-31582,CVE-2023-32189
Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

This is a codestream only update

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:513-1
Released:    Thu Feb 15 14:43:18 2024
Summary:     Security update for SUSE Manager 4.3.11 Release Notes
Type:        security
Severity:    important
References:  1170848,1210911,1211254,1211560,1211912,1213079,1213507,1213738,1213981,1214077,1214791,1215166,1215514,1215769,1215810,1215813,1215982,1216114,1216394,1216437,1216550,1216657,1216753,1216781,1216988,1217069,1217209,1217588,1217784,1217869,1218019,1218074,1218075,1218089,1218094,1218146,1218490,1218615,1218669,1218849,1219577,1219850,CVE-2023-32189,CVE-2024-22231,CVE-2024-22232
Security update for SUSE Manager 4.3.11 Release Notes:

- This is a codestream only update


The following package changes have been done:

- release-notes-susemanager-proxy-4.3.11-150400.3.79.1 updated
- spacewalk-backend-4.3.27-150400.3.38.2 updated
- python3-spacewalk-client-tools-4.3.18-150400.3.24.7 updated
- spacewalk-client-tools-4.3.18-150400.3.24.7 updated

From sle-container-updates at lists.suse.com  Wed Feb 21 09:06:00 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 21 Feb 2024 10:06:00 +0100 (CET)
Subject: SUSE-CU-2024:626-1: Security update of suse/sles12sp5
Message-ID: <20240221090600.415AEFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:626-1
Container Tags        : suse/sles12sp5:6.5.566 , suse/sles12sp5:latest
Container Release     : 6.5.566
Severity              : important
Type                  : security
References            : 1158095 1168699 1174713 1189608 1211188 1211190 1218126 1218186
                        1218209 1219576 CVE-2019-14889 CVE-2020-16135 CVE-2020-1730 CVE-2021-3634
                        CVE-2023-1667 CVE-2023-2283 CVE-2023-48795 CVE-2023-6004 CVE-2023-6918
                        CVE-2024-25062 
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:539-1
Released:    Tue Feb 20 16:03:49 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,1168699,1174713,1189608,1211188,1211190,1218126,1218186,1218209,CVE-2019-14889,CVE-2020-16135,CVE-2020-1730,CVE-2021-3634,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Update to version 0.9.8 (jsc#PED-7719):

* Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
* Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
* Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
* Allow @ in usernames when parsing from URI composes

Update to version 0.9.7

* Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
  guessing (bsc#1211188)
* Fix CVE-2023-2283: a possible authorization bypass in
  pki_verify_data_signature under low-memory conditions (bsc#1211190)
* Fix several memory leaks in GSSAPI handling code

Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)

* https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6

Update to version 0.9.5 (bsc#1174713, CVE-2020-16135):

* CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
* Improve handling of library initialization (T222)
* Fix parsing of subsecond times in SFTP (T219)
* Make the documentation reproducible
* Remove deprecated API usage in OpenSSL
* Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
* Define version in one place (T226)
* Prevent invalid free when using different C runtimes than OpenSSL (T229)
* Compatibility improvements to testsuite 

Update to version 0.9.4:

* https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
* Fix possible Denial of Service attack when using AES-CTR-ciphers
  CVE-2020-1730 (bsc#1168699)

Update to version 0.9.3:

* Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095)
* SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
* SSH-01-006 General: Various unchecked Null-derefs cause DOS
* SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
* SSH-01-010 SSH: Deprecated hash function in fingerprinting
* SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
* SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
* SSH-01-001 State Machine: Initial machine states should be set explicitly
* SSH-01-002 Kex: Differently bound macros used to iterate same array
* SSH-01-005 Code-Quality: Integer sign confusion during assignments
* SSH-01-008 SCP: Protocol Injection via unescaped File Names
* SSH-01-009 SSH: Update documentation which RFCs are implemented
* SSH-01-012 PKI: Information leak via uninitialized stack buffer

Update to version 0.9.2:

* Fixed libssh-config.cmake
* Fixed issues with rsa algorithm negotiation (T191)
* Fixed detection of OpenSSL ed25519 support (T197)

Update to version 0.9.1:

* Added support for Ed25519 via OpenSSL
* Added support for X25519 via OpenSSL
* Added support for localuser in Match keyword
* Fixed Match keyword to be case sensitive
* Fixed compilation with LibreSSL
* Fixed error report of channel open (T75)
* Fixed sftp documentation (T137)
* Fixed known_hosts parsing (T156)
* Fixed build issue with MinGW (T157)
* Fixed build with gcc 9 (T164)
* Fixed deprecation issues (T165)
* Fixed known_hosts directory creation (T166)

Update to verion 0.9.0:

* Added support for AES-GCM
* Added improved rekeying support
* Added performance improvements
* Disabled blowfish support by default
* Fixed several ssh config parsing issues
* Added support for DH Group Exchange KEX
* Added support for Encrypt-then-MAC mode
* Added support for parsing server side configuration file
* Added support for ECDSA/Ed25519 certificates
* Added FIPS 140-2 compatibility
* Improved known_hosts parsing
* Improved documentation
* Improved OpenSSL API usage for KEX, DH, and signatures

- Add libssh client and server config files

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:556-1
Released:    Tue Feb 20 17:22:41 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libssh-config-0.9.8-3.12.2 added
- libssh4-0.9.8-3.12.2 updated
- libxml2-2-2.9.4-46.71.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:01:49 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:01:49 +0100 (CET)
Subject: SUSE-CU-2024:658-1: Security update of suse/sle-micro/5.3/toolbox
Message-ID: <20240222080149.3841EFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:658-1
Container Tags        : suse/sle-micro/5.3/toolbox:12.1 , suse/sle-micro/5.3/toolbox:12.1-5.2.307 , suse/sle-micro/5.3/toolbox:latest
Container Release     : 5.2.307
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:02:20 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:02:20 +0100 (CET)
Subject: SUSE-CU-2024:659-1: Security update of suse/sle-micro/5.4/toolbox
Message-ID: <20240222080220.BD11FFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:659-1
Container Tags        : suse/sle-micro/5.4/toolbox:12.1 , suse/sle-micro/5.4/toolbox:12.1-4.2.205 , suse/sle-micro/5.4/toolbox:latest
Container Release     : 4.2.205
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:02:40 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:02:40 +0100 (CET)
Subject: SUSE-CU-2024:660-1: Security update of suse/sle-micro/5.5/toolbox
Message-ID: <20240222080240.7E2BDFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:660-1
Container Tags        : suse/sle-micro/5.5/toolbox:12.1 , suse/sle-micro/5.5/toolbox:12.1-2.2.160 , suse/sle-micro/5.5/toolbox:latest
Container Release     : 2.2.160
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:03:16 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:03:16 +0100 (CET)
Subject: SUSE-CU-2024:661-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20240222080316.C5182FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:661-1
Container Tags        : suse/manager/4.3/proxy-httpd:4.3.10 , suse/manager/4.3/proxy-httpd:4.3.10.9.46.5 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.11 , suse/manager/4.3/proxy-httpd:susemanager-4.3.11.9.46.5
Container Release     : 9.46.5
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- python3-base-3.6.15-150300.10.54.1 updated
- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:03:26 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:03:26 +0100 (CET)
Subject: SUSE-CU-2024:662-1: Security update of
 suse/manager/4.3/proxy-salt-broker
Message-ID: <20240222080326.F3FB0FBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:662-1
Container Tags        : suse/manager/4.3/proxy-salt-broker:4.3.10 , suse/manager/4.3/proxy-salt-broker:4.3.10.9.36.5 , suse/manager/4.3/proxy-salt-broker:latest , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.11 , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.11.9.36.5
Container Release     : 9.36.5
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- python3-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:03:36 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:03:36 +0100 (CET)
Subject: SUSE-CU-2024:663-1: Security update of suse/manager/4.3/proxy-ssh
Message-ID: <20240222080336.B6ABFFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:663-1
Container Tags        : suse/manager/4.3/proxy-ssh:4.3.10 , suse/manager/4.3/proxy-ssh:4.3.10.9.36.4 , suse/manager/4.3/proxy-ssh:latest , suse/manager/4.3/proxy-ssh:susemanager-4.3.11 , suse/manager/4.3/proxy-ssh:susemanager-4.3.11.9.36.4
Container Release     : 9.36.4
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-ssh was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- python3-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:03:47 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:03:47 +0100 (CET)
Subject: SUSE-CU-2024:664-1: Security update of suse/manager/4.3/proxy-tftpd
Message-ID: <20240222080347.9F6EAFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:664-1
Container Tags        : suse/manager/4.3/proxy-tftpd:4.3.10 , suse/manager/4.3/proxy-tftpd:4.3.10.9.36.4 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.11 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.11.9.36.4
Container Release     : 9.36.4
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-tftpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- python3-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:04:19 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:04:19 +0100 (CET)
Subject: SUSE-CU-2024:665-1: Security update of suse/sle-micro/5.1/toolbox
Message-ID: <20240222080419.2F70EFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:665-1
Container Tags        : suse/sle-micro/5.1/toolbox:12.1 , suse/sle-micro/5.1/toolbox:12.1-2.2.545 , suse/sle-micro/5.1/toolbox:latest
Container Release     : 2.2.545
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 08:06:00 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 09:06:00 +0100 (CET)
Subject: SUSE-CU-2024:667-1: Security update of suse/sle-micro/5.2/toolbox
Message-ID: <20240222080600.6559CFBA3@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:667-1
Container Tags        : suse/sle-micro/5.2/toolbox:12.1 , suse/sle-micro/5.2/toolbox:12.1-6.2.367 , suse/sle-micro/5.2/toolbox:latest
Container Release     : 6.2.367
Severity              : moderate
Type                  : security
References            : 1210638 CVE-2023-27043 
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 12:18:58 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 13:18:58 +0100 (CET)
Subject: SUSE-CU-2024:668-1: Security update of bci/dotnet-runtime
Message-ID: <20240222121858.CC7CEFBA3@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:668-1
Container Tags        : bci/dotnet-runtime:7.0 , bci/dotnet-runtime:7.0-25.3 , bci/dotnet-runtime:7.0.16 , bci/dotnet-runtime:7.0.16-25.3
Container Release     : 25.3
Severity              : moderate
Type                  : security
References            : 1219243 1219576 CVE-2024-0727 CVE-2024-25062 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- container:sles15-image-15.0.0-36.11.5 updated

From sle-container-updates at lists.suse.com  Thu Feb 22 12:19:29 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 22 Feb 2024 13:19:29 +0100 (CET)
Subject: SUSE-CU-2024:669-1: Security update of bci/python
Message-ID: <20240222121929.BD20AFBA3@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:669-1
Container Tags        : bci/python:3 , bci/python:3-18.10 , bci/python:3.6 , bci/python:3.6-18.10
Container Release     : 18.10
Severity              : moderate
Type                  : security
References            : 1210638 1219243 1219576 CVE-2023-27043 CVE-2024-0727 CVE-2024-25062
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- python3-3.6.15-150300.10.54.1 updated
- python3-devel-3.6.15-150300.10.54.1 updated
- container:sles15-image-15.0.0-36.11.5 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:21:01 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:21:01 +0100 (CET)
Subject: SUSE-CU-2024:672-1: Security update of suse/nginx
Message-ID: <20240223162101.89F4AF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:672-1
Container Tags        : suse/nginx:1.21 , suse/nginx:1.21-10.10 , suse/nginx:latest
Container Release     : 10.10
Severity              : moderate
Type                  : security
References            : 1219213 CVE-2023-52356 
-----------------------------------------------------------------

The container suse/nginx was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:594-1
Released:    Thu Feb 22 15:57:58 2024
Summary:     Security update for tiff
Type:        security
Severity:    moderate
References:  1219213,CVE-2023-52356
This update for tiff fixes the following issues:

- CVE-2023-52356: Fixed segfault in TIFFReadRGBATileExt() (bsc#1219213).


The following package changes have been done:

- libtiff5-4.0.9-150000.45.38.1 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:21:34 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:21:34 +0100 (CET)
Subject: SUSE-CU-2024:673-1: Security update of bci/openjdk-devel
Message-ID: <20240223162134.85D1AF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:673-1
Container Tags        : bci/openjdk-devel:11 , bci/openjdk-devel:11-14.19
Container Release     : 14.19
Severity              : important
Type                  : security
References            : 1215973 1216198 1219243 1219576 CVE-2023-37460 CVE-2023-5388
                        CVE-2024-0727 CVE-2024-25062 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:560-1
Released:    Wed Feb 21 05:34:18 2024
Summary:     Recommended update for Java
Type:        recommended
Severity:    moderate
References:  1215973,CVE-2023-37460
This update for Java fixes the following issues:

plexus-archiver was updated from version 4.2.1 to 4.8.0:

- Changes of 4.8.0:

  * Security issues fixed:

    + CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)

  * New features and improvements:

    + Added tzst alias for tar.zst archiver/unarchived

  * Bugs fixed:

    + Detect permissions for addFile

  * Maintenance:

    + Removed public modifier from JUnit 5 tests
    + Use https in scm/url
    + Removed junit-jupiter-engine from project dependencies
    + Removed parent and reports menu from site
    + Cleanup after 'veryLargeJar' test
    + Override project.url

- Changes of 4.7.1:

  * Bugs fixed:

    + Don't apply umask on unknown perms (Win)

- Changes of 4.7.0:

  * New features and improvements:

    + add umask support and use 022 in RB mode
    + Use NIO Files for creating temporary files
    + Deprecate the JAR Index feature (JDK-8302819)
    + Added Archiver aliases for tar.*

  * Maintenance:

    + Use JUnit TempDir to manage temporary files in tests
    + Override uId and gId for Tar in test
    + Bump maven-resources-plugin from 2.7 to 3.3.1

- Changes of 4.6.3:

  * New features and improvements:

    + Fixed path traversal vulnerability
      The vulnerability affects only directories whose name begins
      with the same prefix as the destination directory. For example
      malicious archive may extract file in /opt/directory instead
      of /opt/dir.

- Changes of 4.6.2:

  * Bugs fixed:

    + Fixed regression in handling symbolic links

- Changes of 4.6.1:

  * Bugs fixed:

    + Normalize file separators before warning about equal archive entries

- Changes of 4.6.0:

  * New features and improvements:

    + keep file/directory permissions in Reproducible Builds mode

- Changes of 4.5.0:

  * New features and improvements:

    + Added zstd (un)archiver support

  * Bugs fixed:

    + Fixed UnArchiver#isOverwrite not working as expected

- Changes of 4.4.0:

  * New features and improvements:

    + Drop legacy plexus API and use only JSR330 components

- Changes of 4.3.0:

  * New features and improvements:

    + Require Java 8
    + Refactor to use FileTime API
    + Rename setTime method to setZipEntryTime
    + Convert InputStreamSupplier to lambdas

  * Bugs fixed:

    + Reproducible Builds not working when using modular jar

- Changes of 4.2.7:

  * New features and improvements:

    + Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file

- Changes of 4.2.6:

  * New features and improvements:

    + FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
    + Code cleanup

- Changes of 4.2.5:

  * New features and improvements:
    + Speed improvements

  * Bugs fixed:

    + Fixed use of a mismatching Unicode path extra field in zip unarchiving

- Changes of 4.2.4:

  * Bugs fixed:

    + Fixed unjustified warning about casing for directory entries

- Changes of 4.2.2:

  * Bugs fixed:

    + DirectoryArchiver fails for symlinks if a parent directory doesn't exist

objectweb-asm was updated to version 9.6:

- Changes of version 9.6:

  * New Opcodes.V22 constant for Java 22

  * Bugs fixed:

    + Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
    + Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
    + Analyzer can fail to catch thrown exceptions
    + `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
    + Fixed bug in `CheckFrameAnalyzer` with static methods

- Changes of version 9.5:

  * New Opcodes.V21 constant for Java 21
  * New readBytecodeInstructionOffset hook in ClassReader
  * Added more detailed exception messages
  * Javadoc improvements and fixes

  * Bugs fixed:

    + Silent removal of zero-valued entries from the line-number table

- Changes of version 9.4:

  * Changes:

    + New Opcodes.V20 constant for Java 20
    + Added more checks in CheckClassAdapter
    + Javadoc improvements and fixes
    + `module-info` classes can be built without Gradle and Bnd
    + Parent POM updated to `org.ow2:ow2:1.5.1`

  * Bugs fixed:

    +`CheckClassAdapter` is no longer transparent for MAXLOCALS
    + Added public `getDelegate` method to all visitor classes
    + Analyzer does not compute optimal maxLocals for static methods
    + Fixed `SignatureWriter` when a generic type has a depth over 30
    + Skip remap inner class name if not changed in Remapper

maven-archiver was updated from version 3.5.0 to 3.6.1:

- Changes of 3.6.1:

  * New Features:

    + Deprecated the JAR Index feature (JDK-8302819)

  * Task:

    + Refreshed download page
    + Prefer JDK features over plexus-utils, plexus-io

- Changes of 3.6.0:

  * Task:

    + Require Java 8
    + Drop m-shared-utils from deps

maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:

- Changes of 3.6.0:

  * Bugs fixed:

    + finalName as readonly parameter makes common usecases very complicated
    + Symbolic links get copied with absolute path
    + Warning if using Maven 3.9.1
    + Minimal default Manifest configuration of jar archiver should be respected

  * New Features:

    + Support Zstandard compression format

  * Improvements:

    + In RB mode, apply 022 umask to ignore environment group write umask
    + Added system requirements history

  * Task:
    + Dropped deprecated repository element
    + Support running build on Java 20
    + Refresh download page
    + Cleanup declared dependencies
    + Avoid using deprecated methods of `plexus-archiver`

- Changes of 3.5.0:

  * Bugs fixed:

    + File permissions removed during assembly:single since 3.2.0

- Changes of 3.4.2:

  * Bugs fixed:

    + Fixed Excludes filtering

  * Task:

    + Fixed examples to refer to https instead of http

- Changes of 3.4.1:

  * Bugs fixed:

    + Fixed error build with shared assemblies

- Changes of 3.4.0:

  * Bugs fixed:

    + dependencySet includes filter with classifier breaks include of artifacts without classifier

  * Task:

    + Speed improvements
    + Update plugin (requires Maven 3.2.5+)
    + Assembly plugin resolves too much, even plugins used to build dependencies
    + Deprecated the repository element in assembly descriptor
    + Upgraded to Java 8, drop unused dependencies

maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:

- Changes of 3.3.2:

  * Bugs fixed:

    + PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate

- Changes of 3.3.1:

  * Bugs fixed:

    + Pattern w/ 4 elements may be GATV or GATC

- Changes of 3.3.0:

  * Bugs fixed:

    + null passed to DependencyFilter in EclipseAetherFilterTransformerTest
    + PatternIncludesArtifactFilter#include(Artifact)
    + Common Artifact Filters pattern parsing with classifier is broken

  * Task:

    + Sanitized dependencies
    + Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies

- Changes of 3.2.0:

  * Improvements:

    + Big speed improvements for patterns that do not contain any wildcard

- Changes of 3.1.1:

  * Bugs fixed:

    + Updated JIRA URL for maven-common-artifact-filters

  * Improvements:

    + Made build Reproducible

- Changes of 3.1.0:

  * Bugs fixed:

    + Several filters do not preserve order of artifacts filtered

maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:

Changes of 3.11.0:

  * New features and improvements:

    + Added a useModulePath switch to the testCompile mojo
    + Allow dependency exclusions for 'annotationProcessorPaths'
    + Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
    + Upgrade plexus-compiler to improve compiling message
    + compileSourceRoots parameter should be writable
    + Change showWarnings to true by default
    + Warn about warn-config conflicting values
    + Update default source/target from 1.7 to 1.8
    + Display recompilation causes
    + Added some parameter to pattern from stale source calculation
    + Added dedicated option for implicit javac flag

  * Bugs fixed:

    + Fixed incorrect detection of dependency change
    + Test with Maven 3.9.0 and fix the failing IT
    + Resolved all annotation processor dependencies together
    + Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
    + Fixed missing dirs in createMissingPackageInfoClasses
    + Set Xcludes in config passed to actual compiler

maven-dependency-analyzer was updated from version 1.10 to 1.13.2:

- Changes of 1.13.2:

  * Changes and bugs fixed:

    + Made mvn dependency:analyze work with OpenJDK 11
    + Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
    + Upgraded asm to 8.0.1
    + Use try with resources to avoid leaks
    + dependency:analyze recommends test scope for test-only artifacts that have non-test scope
    + remove reference to deprecated public mutable field
    + Updated JIRA URL
    + dependency:analyze should recommend narrower scope where possible
    + Remove dependency on jmock
    + Inline deprecated field
    + Added more JavaDoc
    + Handle different classes from same artifact used by model and test code
    + Included class names in used undeclared dependencies
    + Check maximum allowed Maven version
    + Get rid of maven-plugin-testing-tools for IT test
    + Require Maven 3.2.5+
    + Analyze project classes only once
    + Fixed array parsing
    + CONSTANT_METHOD_TYPE should not add to classes
    + Inner classes are in same compilation unit as container class
    + Upgraded Parent to 36
    + Cleanup IT tests
    + Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
    + Fixed bug with 'non-test scoped test only dependencies found'
    + Bump asm from 9.4 to 9.5
    + Refresh download page
    + Upgrade Parent to 39
    + Build on JDK 19, 20
    + Prefer JDK classes to Plexus utils
    + Replaced System.out by logger
    + Fixed java.lang.RuntimeException: Unknown constant pool type
    + Switched to JUnit 5
    + Dependency improvements

maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:

- Changes in 3.6.0:

  * Bugs fixed:

    + Obsolete example of -Dverbose on web page
    + Unsupported verbose option still appears in docs
    + dependency:go-offline does not use repositories from parent pom in reactor build
    + Fixed possible NPE
    + `dependency:analyze-only` goal fails on OpenJDK 14
    + FileWriter and FileReader should be replaced
    + Dependency Plugin go-offline doesn't respect artifact classifier
    + analyze-only failed: Unsupported class file major version 60 (Java 16)
    + analyze-only failed: Unsupported class file major version 61 (Java 17)
    + copy-dependencies fails when using excludeScope=test
    + mvn dependency:analyze detected wrong transitive dependency
    + dependency plugin does not work with JDK 16
    + skip dependency analyze in ear packaging
    + Non-test dependency reported as Non-test scoped test only dependency
    + 'Dependency not found' with 3.2.0 and Java-17 while analyzing
    + Tree plugin does not terminate with 3.2.0
    + Minor improvement - continue
    + analyze-only failed: PermittedSubclasses requires ASM9
    + Broken Link to 'Introduction to Dependency Mechanism Page'
    + Sealed classes not supported
    + Dependency tree in verbose mode for war is empty
    + Javadoc was not updated to reflect that :tree's verbose option is now ok
    + error dependency:list (caused by postgresql dependency)
    + :list-classes does not skip if skip is set
    + :list-classes does not use GAV parameters

  * New Features:

    + Reintroduce the verbose option for dependency:tree
    + List classes in a given artifact
    + dependency:analyze should recommend narrower scope where possible
    + Added analyze parameter 'ignoreUnusedRuntime'
    + Allow ignoring non-test-scoped dependencies
    + Added a <stripType> option to unpack goals
    + Allow auto-ignore of all non-test scoped dependencies used only in test scope

  * Improvements:

    + Unused method o.a.m.p.d.t.TreeMojo.containsVersion
    + Minor improvements
    + GitHub Action build improvement
    + dependency:analyze should list the classes that cause a used undeclared dependency
    + Improve documentation of analyze - Non-test scoped
    + Turn warnings into errors instead of failOnWarning
    + maven-dependency-plugin should leverage plexus-build-api to support IDEs
    + TestListClassesMojo logs too much
    + Use outputDirectory from AbstractMavenReport
    + Removed not used dependencies / Replace parts
    + list-repositories - improvements
    + warns about depending on plexus-container-default
    + Replace AnalyzeReportView with a new AnalyzeReportRenderer

  * Task:

    + Removed no longer required exclusions
    + Java 1.8 as minimum
    + Explicitly start and end tables with Doxia Sinks in report renderers
    + Replace Maven shared StringUtils with Commons Lang3
    + Removed unused and ignored parameter - useJvmChmod
    + Removed custom plexus configuration
    + Code refactor - UnpackUtil
    + Refresh download page

maven-dependency-tree was updated from version 3.0.1 to 3.2.1:

- Changes in 3.2.1:

  * Bugs fixed:

    + DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
    + Transitive provided dependencies are not removed from collected dependency graph

  * New Features:

    + DependencyCollectorBuilder more configurable

  * Improvements:

    + DependencyGraphBuilder does not provide verbose tree
    + DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
    + Maven31DependencyGraphBuilder should not download dependencies other than the pom
    + Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
    + Upgraded parent to 31
    + Added functionality to collect raw dependencies in Maven 3+
    + Annotate DependencyNodes with dependency management metadata
    + Require Java 8
    + Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
    + Added Exclusions to DependencyNode
    + Made build Reproducible
    + Migrate plexus component to JSR-330
    + Drop maven 3.0 compatibility

  * Dependency upgrade:

    + Upgrade shared-component to version 33
    + Upgrade Parent to 36
    + Bump maven-shared-components from 36 to 37

- Removed unnecessary dependency on xmvn tools and parent pom

maven-enforcer was updated to version 3.4.1:

- Update to version 3.4.1:

  * Bugs fixed:

    + In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository
    + Require Release Dependencies ignorant about aggregator build
    + banDuplicatePomDependencyVersions does not check managementDependencies
    + Beanshell rule is not thread-safe
    + RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
    + NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
    + Broken links on Maven Enforcer Plugin site
    + RequirePluginVersions not recognizing versions-from-properties
    + [REGRESSION] RequirePluginVersions fails when versions are inherited
    + requireFilesExist rule should be case sensitive
    + Broken Links on Project Home Page
    + TestRequireOS uses hamcrest via transitive dependency
    + plexus-container-default in enforcer-api is very outdated
    + classifier not included in output of failes RequireUpperBoundDeps test
    + Exclusions are not considered when looking at parent for requireReleaseDeps
    + requireUpperBoundDeps does not fail when packaging is 'war'
    + DependencyConvergence in 3.0.0 fails on provided scoped dependencies
    + NPE on requireReleaseDeps with non-matching includes
    + RequireUpperBoundDeps now follow scope provided transitive dependencies
    + Use currently build artifacts in IT tests
    + requireReleaseDeps does not support optional dependencies or runtime scope
    + Enforcer 3.0.0 breaks with Maven 3.8.4
    + Version 3.1.0 is not enforcing bannedDependencies rules
    + DependencyConvergence treats provided dependencies are runtime dependencies
    + Plugin shouldn't use NullPointerException for non-exceptional code flow
    + NPE in RequirePluginVersions
    + ReactorModuleConvergence not cached in reactor
    + RequireUpperBoundDeps fails on provided dependencies since 3.2.1
    + Problematic dependency resolution by new 'banDynamicVersions' rule
    + banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one
    + Filtering dependency tree by scope
    + Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
    + DependencyConvergence in 3.1.0 fails when using version ranges
    + Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
    + Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
    + ENFORCER: plugin-info and mojo pages not found

  * New Features:

    + requireUpperBounds deps should have includes
    + Introduce RequireTextFileChecksum with line separator normalization
    + allow no rules
    + show rules processed
    + DependencyConvergence should support including/excluding certain dependencies
    + Support declaring external banned dependencies in an external file/URL
    + Maven enforcer rule which checks that all dependencies have an explicit scope set
    + Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
    + Rule for no version ranges, version placeholders or SNAPSHOT versions
    + Allow one of many files in RequireFiles rules to pass
    + Skip specific rules
    + New Enforcer API
    + New Enforcer API - RuleConfigProvider
    + Move Built-In Rules to new API

  * Improvements:

    + wildcard ignore in requireReleaseDeps
    + Improve documentation about writing own Enforcer Rule
    + RequireActiveProfile should respect inherited activated profiles
    + Upgrade maven-dependency-tree to 3.x
    + Improve dependency resolving in multiple modules project
    + requireUpperBoundDeps: add [<scope>] and colors to the output
    + Example for writing a custom rule should be upgraded
    + Along with JavaVersion, allow enforcement of the JavaVendor
    + Included Java vendor in display-info output
    + requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
    + Consistently format artifacts same as dependency:tree
    + Made build Reproducible
    + Added support for excludes/includes in requireJavaVendor rule
    + Introduce Maven Enforcer Extension
    + Extends RequirePluginVersions with banMavenDefaults
    + Shared GitHub Actions
    + Log at ERROR level when <fail> is set
    + Reuse getDependenciesToCheck results across rules
    + Violation messages can be really hard to find in a multi module project
    + Clarify class loading for custom Enforcer rules
    + Using junit jupiter bom instead of single artifacts.
    + Get rid of maven-dependency-tree dependency
    + Allow 8 as JDK version for requireJavaVersion
    + Improve error message for rule 'requireJavaVersion'
    + Include Java Home in Message for Java Rule Failures
    + Manage all Maven Core dependencies as provided
    + Mange rules configuration by plugin
    + Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
    + Change success message from executed to passed
    + EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
    + Properly declare dependencies

  * Test:

    + Regression test for dependency convergence problem fixed in 3.0.0

  * Task:

    + Removed reference to travis or switch to travis.com
    + Fixed maven assembly links
    + Require Java 8
    + Verify working with Maven 4
    + Code cleanup
    + Refresh download page
    + Deprecate display-info mojo
    + Refresh site descriptors
    + Superfluous blanks in BanDuplicatePomDependencyVersions
    + Rename ResolveUtil to ResolverUtil

 maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:

 - Changes of version 3.9.0:

  * Bugs fixed:

    + Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
    + Generated table by PluginXdocGenerator does not contain default attributes

  * Improvements:

    + Omit empty line in generated help goal output if plugin description is empty
    + Use Plexus I18N rather than fiddling with

  * Task:

    + Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin

  * Dependency upgrade:

    + Upgrade plugins and components (in ITs)

- Changes of version 3.8.2:

  * Improvements:

    + Used Resolver API, get rid of localRepository

  * Dependency upgrade:

    + Bump httpcore from 4.4.15 to 4.4.16
    + Bump httpclient from 4.5.13 to 4.5.14
    + Bump antVersion from 1.10.12 to 1.10.13
    + Bump slf4jVersion from 1.7.5 to 1.7.36
    + Bump plexus-java from 1.1.1 to 1.1.2
    + Bump plexus-archiver from 4.6.1 to 4.6.3
    + Bump jsoup from 1.15.3 to 1.15.4
    + Bump asmVersion from 9.4 to 9.5
    + Bump assertj-core from 3.23.1 to 3.24.2

- Changes of version 3.8.1:

  * Bugs fixed:

    + Javadoc reference containing a link label with spaces are not detected
    + JavadocLinkGenerator.createLink: Support nested binary class names
    + ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
    + 'Executes as an aggregator plugin' documentation: s/plugin/goal/
    + Maven scope warning should be logged at WARN level
    + Fixed Temporary File Information Disclosure Vulnerability

  * New features:

    + Support mojos using the new maven v4 api

  * Improvements:

    + Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
    + Execute annotation only supports standard lifecycle phases due to use of enum
    + Clarify deprecation of all extractors but the maven-plugin-tools-annotations

  * Dependency upgrade:

    + Update to Maven Parent POM 39
    + Bump junit-bom from 5.9.1 to 5.9.2
    + Bump plexus-archiver from 4.5.0 to 4.6.1

- Changes of version 3.7.1:
  * Bugs fixed:

    + Maven scope warning should be logged at WARN level

- Changes of version 3.7.0:

  * Bugs fixed:

    + The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
    + Report-Mojo doesn't respect input encoding
    + Generating site reports for plugin results in
      NoSuchMethodError
    + JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release'
    + Parameters documentation inheriting @ since from Mojo can be confusing
    + Don't emit warning for missing javadoc URL of primitives
    + Don't emit warning for missing javadoc URI if no javadoc sources are configured
    + Parameter description should be taken from annotated item

  * New Features:

    + Added link to javadoc in configuration description page for user defined types of Mojos.
    + Allow only @ Deprecated annotation without @ deprecated javadoc tag
    + add system requirements history section
    + report: allow to generate usage section in plugin-info.html with true
    + Allow @ Parameter on setters methods
    + Extract plugin report into its own plugin
    + report: Expose generics information of Collection and Map types

  * Improvement:

    + plugin-info.html should contain a better Usage section
    + Do not overwrite generate files with no content change
    + Upgrade to JUnit 5 and @ Inject annotations
    + Support for java 20 - ASM 9.4
    + Don't print empty Memory, Disk Space in System Requirements
    + simplification in helpmojo build
    + Get rid of plexus-compiler-manager from tests
    + Use Maven core artifacts in provided scope
    + report and descriptor goal need to evaluate Javadoc comments differently
    + Allow to reference aggregator javadoc from plugin report

  * Task:

    + Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
    + Update level to Java 8
    + Deprecate scripting support for mojos
    + Deprecate requirements parameter in report Mojo
    + Removed duplicate code from PluginReport
    + Prepare for Doxia (Sitetools) 2.0.0
    + Fixed documentation for maven-plugin-report-plugin
    + Removed deprecated items from new maven-plugin-report-plugin
    + Improve site build
    + Improve dependency management
    + Plugin generator generation fails when the parent class comes from a different project

  * Dependency upgrade:

    + Upgrade Maven Reporting API/Impl to 3.1.0
    + Upgrade Parent to 36
    + Upgrade project dependencies after JDK 1.8
    + Bump maven-parent from 36 to 37
    + Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
    + Upgrade plexus-utils to 3.5.0

- Changes of version 3.6.4:

  * Restored compatibility with Maven 3 ecosystem
  * Upgraded dependencies

- Changes of version 3.6.3:

  * Added prerequisites to plugin pom
  * Exclude dependency in provided scope from plugin descriptor
  * Get rid of String.format use
  * Fixed this logging as well
  * Simplify documentation
  * Exclude maven-archiver and maven-jxr from warning

- Changes of version 3.6.2:

  * Deprecated unused requiresReports flag
  * Check that Maven dependencies are provided scope
  * Update ITs
  * Use shared gh action
  * Deprecate unsupported Mojo descriptor items
  * Weed out ITs
  * Upgrade to maven 3.x and avoid using deprecated API
  * Drop legacy dependencies
  * Use shared gh action - v1
  * Fixed wording in javadoc

- Changes of version 3.6.1:

  * What's Changed:
  * Added missing @OverRide and make methods static
  * Upgraded to JUnit 4.12
  * Upgraded parent POM and other dependencies
  * Updated plugins
  * Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
  * removed Maven 2 info
  * Removed unneeded dependency
  * Tighten the dependency tree
  * Ignore .checkstyle
  * Strict dependencies for maven-plugin-tools-annotations
  * Improved @execute(goal...) docs
  * Improve @execute(lifecycle...) docs

plexus-compiler was updated from version 2.11.1 to 2.14.2:

- Changes of 2.14.2:

  * Removed:

    + Drop J2ObjC compiler

  * New features and improvements:

    + Update AspectJ Compiler to 1.9.21 to support Java 21
    + Require JDK 17 for build
    + Improve locking on JavacCompiler
    + Include 'parameter' and 'preview' describe log
    + Switch to SISU annotations and plugin, fixes #217
    + Support jdk 21
    + Require Maven 3.5.4+
    + Require Java 11 for plexus-compiler-eclipse an
      javac-errorprone and aspectj compilers
    + Added support to run its with Java 20

  * Bugs fixed:

    + Fixed javac memory leak
    + Validate zip file names before extracting (Zip Slip)
    + Restore AbstractCompiler#getLogger() method
    + Return empty list for not existing source root location
    + Improve javac error output parsing

- Changes of 2.13.0:

  * New features and improvements:

    + Fully ignore any possible jdk bug
    + MCOMPILER-402: Added implicitOption to CompilerConfiguration
    + Added a custom compile argument
      replaceProcessorPathWithProcessorModulePath to force the
      plugin replace processorPath with processormodulepath
    + describe compiler configuration on run
    + simplify 'Compiling' info message: display relative path

  * Bugs fixed:

    + Respect CompilerConfiguration.sourceFiles in
      EclipseJavaCompiler
    + Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+

  * Dependency updates:

    + Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
    + Bump error_prone_core from 2.11.0 to 2.13.1
    + Bump github/codeql-action from 1 to 2
    + Bump ecj from 3.28.0 to 3.29.0
    + Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
    + Bump ecj from 3.29.0 to 3.30.0
    + Bump maven-invoker-plugin from 3.2.2 to 3.3.0
    + Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
    + Bump error_prone_core from 2.13.1 to 2.14.0
    + Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
    + Bump ecj from 3.31.0 to 3.32.0
    + Bump junit-bom from 5.9.0 to 5.9.1
    + Bump ecj from 3.30.0 to 3.31.0
    + Bump groovy from 3.0.12 to 3.0.13
    + Bump groovy-json from 3.0.12 to 3.0.13
    + Bump groovy-xml from 3.0.12 to 3.0.13
    + Bump animal-sniffer-maven-plugin from 1.21 to 1.22
    + Bump error_prone_core from 2.14.0 to 2.15.0
    + Bump junit-bom from 5.8.2 to 5.9.0
    + Bump groovy-xml from 3.0.11 to 3.0.12
    + Bump groovy-json from 3.0.11 to 3.0.12
    + Bump groovy from 3.0.11 to 3.0.12

  * Maintenance:

    + Require Maven 3.2.5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- libfreebl3-3.90.2-150400.3.39.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated
- objectweb-asm-9.6-150200.3.11.3 updated
- container:bci-openjdk-11-15.5.11-15.10 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:21:58 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:21:58 +0100 (CET)
Subject: SUSE-CU-2024:674-1: Security update of bci/openjdk
Message-ID: <20240223162158.EAB77F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:674-1
Container Tags        : bci/openjdk:11 , bci/openjdk:11-15.10
Container Release     : 15.10
Severity              : important
Type                  : security
References            : 1216198 CVE-2023-5388 
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)


The following package changes have been done:

- libfreebl3-3.90.2-150400.3.39.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:22:27 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:22:27 +0100 (CET)
Subject: SUSE-CU-2024:675-1: Security update of bci/openjdk-devel
Message-ID: <20240223162227.7B09CF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:675-1
Container Tags        : bci/openjdk-devel:17 , bci/openjdk-devel:17-16.21 , bci/openjdk-devel:latest
Container Release     : 16.21
Severity              : important
Type                  : security
References            : 1215973 1216198 1219243 1219576 CVE-2023-37460 CVE-2023-5388
                        CVE-2024-0727 CVE-2024-25062 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:560-1
Released:    Wed Feb 21 05:34:18 2024
Summary:     Recommended update for Java
Type:        recommended
Severity:    moderate
References:  1215973,CVE-2023-37460
This update for Java fixes the following issues:

plexus-archiver was updated from version 4.2.1 to 4.8.0:

- Changes of 4.8.0:

  * Security issues fixed:

    + CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)

  * New features and improvements:

    + Added tzst alias for tar.zst archiver/unarchived

  * Bugs fixed:

    + Detect permissions for addFile

  * Maintenance:

    + Removed public modifier from JUnit 5 tests
    + Use https in scm/url
    + Removed junit-jupiter-engine from project dependencies
    + Removed parent and reports menu from site
    + Cleanup after 'veryLargeJar' test
    + Override project.url

- Changes of 4.7.1:

  * Bugs fixed:

    + Don't apply umask on unknown perms (Win)

- Changes of 4.7.0:

  * New features and improvements:

    + add umask support and use 022 in RB mode
    + Use NIO Files for creating temporary files
    + Deprecate the JAR Index feature (JDK-8302819)
    + Added Archiver aliases for tar.*

  * Maintenance:

    + Use JUnit TempDir to manage temporary files in tests
    + Override uId and gId for Tar in test
    + Bump maven-resources-plugin from 2.7 to 3.3.1

- Changes of 4.6.3:

  * New features and improvements:

    + Fixed path traversal vulnerability
      The vulnerability affects only directories whose name begins
      with the same prefix as the destination directory. For example
      malicious archive may extract file in /opt/directory instead
      of /opt/dir.

- Changes of 4.6.2:

  * Bugs fixed:

    + Fixed regression in handling symbolic links

- Changes of 4.6.1:

  * Bugs fixed:

    + Normalize file separators before warning about equal archive entries

- Changes of 4.6.0:

  * New features and improvements:

    + keep file/directory permissions in Reproducible Builds mode

- Changes of 4.5.0:

  * New features and improvements:

    + Added zstd (un)archiver support

  * Bugs fixed:

    + Fixed UnArchiver#isOverwrite not working as expected

- Changes of 4.4.0:

  * New features and improvements:

    + Drop legacy plexus API and use only JSR330 components

- Changes of 4.3.0:

  * New features and improvements:

    + Require Java 8
    + Refactor to use FileTime API
    + Rename setTime method to setZipEntryTime
    + Convert InputStreamSupplier to lambdas

  * Bugs fixed:

    + Reproducible Builds not working when using modular jar

- Changes of 4.2.7:

  * New features and improvements:

    + Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file

- Changes of 4.2.6:

  * New features and improvements:

    + FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
    + Code cleanup

- Changes of 4.2.5:

  * New features and improvements:
    + Speed improvements

  * Bugs fixed:

    + Fixed use of a mismatching Unicode path extra field in zip unarchiving

- Changes of 4.2.4:

  * Bugs fixed:

    + Fixed unjustified warning about casing for directory entries

- Changes of 4.2.2:

  * Bugs fixed:

    + DirectoryArchiver fails for symlinks if a parent directory doesn't exist

objectweb-asm was updated to version 9.6:

- Changes of version 9.6:

  * New Opcodes.V22 constant for Java 22

  * Bugs fixed:

    + Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
    + Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
    + Analyzer can fail to catch thrown exceptions
    + `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
    + Fixed bug in `CheckFrameAnalyzer` with static methods

- Changes of version 9.5:

  * New Opcodes.V21 constant for Java 21
  * New readBytecodeInstructionOffset hook in ClassReader
  * Added more detailed exception messages
  * Javadoc improvements and fixes

  * Bugs fixed:

    + Silent removal of zero-valued entries from the line-number table

- Changes of version 9.4:

  * Changes:

    + New Opcodes.V20 constant for Java 20
    + Added more checks in CheckClassAdapter
    + Javadoc improvements and fixes
    + `module-info` classes can be built without Gradle and Bnd
    + Parent POM updated to `org.ow2:ow2:1.5.1`

  * Bugs fixed:

    +`CheckClassAdapter` is no longer transparent for MAXLOCALS
    + Added public `getDelegate` method to all visitor classes
    + Analyzer does not compute optimal maxLocals for static methods
    + Fixed `SignatureWriter` when a generic type has a depth over 30
    + Skip remap inner class name if not changed in Remapper

maven-archiver was updated from version 3.5.0 to 3.6.1:

- Changes of 3.6.1:

  * New Features:

    + Deprecated the JAR Index feature (JDK-8302819)

  * Task:

    + Refreshed download page
    + Prefer JDK features over plexus-utils, plexus-io

- Changes of 3.6.0:

  * Task:

    + Require Java 8
    + Drop m-shared-utils from deps

maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:

- Changes of 3.6.0:

  * Bugs fixed:

    + finalName as readonly parameter makes common usecases very complicated
    + Symbolic links get copied with absolute path
    + Warning if using Maven 3.9.1
    + Minimal default Manifest configuration of jar archiver should be respected

  * New Features:

    + Support Zstandard compression format

  * Improvements:

    + In RB mode, apply 022 umask to ignore environment group write umask
    + Added system requirements history

  * Task:
    + Dropped deprecated repository element
    + Support running build on Java 20
    + Refresh download page
    + Cleanup declared dependencies
    + Avoid using deprecated methods of `plexus-archiver`

- Changes of 3.5.0:

  * Bugs fixed:

    + File permissions removed during assembly:single since 3.2.0

- Changes of 3.4.2:

  * Bugs fixed:

    + Fixed Excludes filtering

  * Task:

    + Fixed examples to refer to https instead of http

- Changes of 3.4.1:

  * Bugs fixed:

    + Fixed error build with shared assemblies

- Changes of 3.4.0:

  * Bugs fixed:

    + dependencySet includes filter with classifier breaks include of artifacts without classifier

  * Task:

    + Speed improvements
    + Update plugin (requires Maven 3.2.5+)
    + Assembly plugin resolves too much, even plugins used to build dependencies
    + Deprecated the repository element in assembly descriptor
    + Upgraded to Java 8, drop unused dependencies

maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:

- Changes of 3.3.2:

  * Bugs fixed:

    + PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate

- Changes of 3.3.1:

  * Bugs fixed:

    + Pattern w/ 4 elements may be GATV or GATC

- Changes of 3.3.0:

  * Bugs fixed:

    + null passed to DependencyFilter in EclipseAetherFilterTransformerTest
    + PatternIncludesArtifactFilter#include(Artifact)
    + Common Artifact Filters pattern parsing with classifier is broken

  * Task:

    + Sanitized dependencies
    + Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies

- Changes of 3.2.0:

  * Improvements:

    + Big speed improvements for patterns that do not contain any wildcard

- Changes of 3.1.1:

  * Bugs fixed:

    + Updated JIRA URL for maven-common-artifact-filters

  * Improvements:

    + Made build Reproducible

- Changes of 3.1.0:

  * Bugs fixed:

    + Several filters do not preserve order of artifacts filtered

maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:

Changes of 3.11.0:

  * New features and improvements:

    + Added a useModulePath switch to the testCompile mojo
    + Allow dependency exclusions for 'annotationProcessorPaths'
    + Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
    + Upgrade plexus-compiler to improve compiling message
    + compileSourceRoots parameter should be writable
    + Change showWarnings to true by default
    + Warn about warn-config conflicting values
    + Update default source/target from 1.7 to 1.8
    + Display recompilation causes
    + Added some parameter to pattern from stale source calculation
    + Added dedicated option for implicit javac flag

  * Bugs fixed:

    + Fixed incorrect detection of dependency change
    + Test with Maven 3.9.0 and fix the failing IT
    + Resolved all annotation processor dependencies together
    + Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
    + Fixed missing dirs in createMissingPackageInfoClasses
    + Set Xcludes in config passed to actual compiler

maven-dependency-analyzer was updated from version 1.10 to 1.13.2:

- Changes of 1.13.2:

  * Changes and bugs fixed:

    + Made mvn dependency:analyze work with OpenJDK 11
    + Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
    + Upgraded asm to 8.0.1
    + Use try with resources to avoid leaks
    + dependency:analyze recommends test scope for test-only artifacts that have non-test scope
    + remove reference to deprecated public mutable field
    + Updated JIRA URL
    + dependency:analyze should recommend narrower scope where possible
    + Remove dependency on jmock
    + Inline deprecated field
    + Added more JavaDoc
    + Handle different classes from same artifact used by model and test code
    + Included class names in used undeclared dependencies
    + Check maximum allowed Maven version
    + Get rid of maven-plugin-testing-tools for IT test
    + Require Maven 3.2.5+
    + Analyze project classes only once
    + Fixed array parsing
    + CONSTANT_METHOD_TYPE should not add to classes
    + Inner classes are in same compilation unit as container class
    + Upgraded Parent to 36
    + Cleanup IT tests
    + Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
    + Fixed bug with 'non-test scoped test only dependencies found'
    + Bump asm from 9.4 to 9.5
    + Refresh download page
    + Upgrade Parent to 39
    + Build on JDK 19, 20
    + Prefer JDK classes to Plexus utils
    + Replaced System.out by logger
    + Fixed java.lang.RuntimeException: Unknown constant pool type
    + Switched to JUnit 5
    + Dependency improvements

maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:

- Changes in 3.6.0:

  * Bugs fixed:

    + Obsolete example of -Dverbose on web page
    + Unsupported verbose option still appears in docs
    + dependency:go-offline does not use repositories from parent pom in reactor build
    + Fixed possible NPE
    + `dependency:analyze-only` goal fails on OpenJDK 14
    + FileWriter and FileReader should be replaced
    + Dependency Plugin go-offline doesn't respect artifact classifier
    + analyze-only failed: Unsupported class file major version 60 (Java 16)
    + analyze-only failed: Unsupported class file major version 61 (Java 17)
    + copy-dependencies fails when using excludeScope=test
    + mvn dependency:analyze detected wrong transitive dependency
    + dependency plugin does not work with JDK 16
    + skip dependency analyze in ear packaging
    + Non-test dependency reported as Non-test scoped test only dependency
    + 'Dependency not found' with 3.2.0 and Java-17 while analyzing
    + Tree plugin does not terminate with 3.2.0
    + Minor improvement - continue
    + analyze-only failed: PermittedSubclasses requires ASM9
    + Broken Link to 'Introduction to Dependency Mechanism Page'
    + Sealed classes not supported
    + Dependency tree in verbose mode for war is empty
    + Javadoc was not updated to reflect that :tree's verbose option is now ok
    + error dependency:list (caused by postgresql dependency)
    + :list-classes does not skip if skip is set
    + :list-classes does not use GAV parameters

  * New Features:

    + Reintroduce the verbose option for dependency:tree
    + List classes in a given artifact
    + dependency:analyze should recommend narrower scope where possible
    + Added analyze parameter 'ignoreUnusedRuntime'
    + Allow ignoring non-test-scoped dependencies
    + Added a <stripType> option to unpack goals
    + Allow auto-ignore of all non-test scoped dependencies used only in test scope

  * Improvements:

    + Unused method o.a.m.p.d.t.TreeMojo.containsVersion
    + Minor improvements
    + GitHub Action build improvement
    + dependency:analyze should list the classes that cause a used undeclared dependency
    + Improve documentation of analyze - Non-test scoped
    + Turn warnings into errors instead of failOnWarning
    + maven-dependency-plugin should leverage plexus-build-api to support IDEs
    + TestListClassesMojo logs too much
    + Use outputDirectory from AbstractMavenReport
    + Removed not used dependencies / Replace parts
    + list-repositories - improvements
    + warns about depending on plexus-container-default
    + Replace AnalyzeReportView with a new AnalyzeReportRenderer

  * Task:

    + Removed no longer required exclusions
    + Java 1.8 as minimum
    + Explicitly start and end tables with Doxia Sinks in report renderers
    + Replace Maven shared StringUtils with Commons Lang3
    + Removed unused and ignored parameter - useJvmChmod
    + Removed custom plexus configuration
    + Code refactor - UnpackUtil
    + Refresh download page

maven-dependency-tree was updated from version 3.0.1 to 3.2.1:

- Changes in 3.2.1:

  * Bugs fixed:

    + DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
    + Transitive provided dependencies are not removed from collected dependency graph

  * New Features:

    + DependencyCollectorBuilder more configurable

  * Improvements:

    + DependencyGraphBuilder does not provide verbose tree
    + DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
    + Maven31DependencyGraphBuilder should not download dependencies other than the pom
    + Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
    + Upgraded parent to 31
    + Added functionality to collect raw dependencies in Maven 3+
    + Annotate DependencyNodes with dependency management metadata
    + Require Java 8
    + Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
    + Added Exclusions to DependencyNode
    + Made build Reproducible
    + Migrate plexus component to JSR-330
    + Drop maven 3.0 compatibility

  * Dependency upgrade:

    + Upgrade shared-component to version 33
    + Upgrade Parent to 36
    + Bump maven-shared-components from 36 to 37

- Removed unnecessary dependency on xmvn tools and parent pom

maven-enforcer was updated to version 3.4.1:

- Update to version 3.4.1:

  * Bugs fixed:

    + In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository
    + Require Release Dependencies ignorant about aggregator build
    + banDuplicatePomDependencyVersions does not check managementDependencies
    + Beanshell rule is not thread-safe
    + RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
    + NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
    + Broken links on Maven Enforcer Plugin site
    + RequirePluginVersions not recognizing versions-from-properties
    + [REGRESSION] RequirePluginVersions fails when versions are inherited
    + requireFilesExist rule should be case sensitive
    + Broken Links on Project Home Page
    + TestRequireOS uses hamcrest via transitive dependency
    + plexus-container-default in enforcer-api is very outdated
    + classifier not included in output of failes RequireUpperBoundDeps test
    + Exclusions are not considered when looking at parent for requireReleaseDeps
    + requireUpperBoundDeps does not fail when packaging is 'war'
    + DependencyConvergence in 3.0.0 fails on provided scoped dependencies
    + NPE on requireReleaseDeps with non-matching includes
    + RequireUpperBoundDeps now follow scope provided transitive dependencies
    + Use currently build artifacts in IT tests
    + requireReleaseDeps does not support optional dependencies or runtime scope
    + Enforcer 3.0.0 breaks with Maven 3.8.4
    + Version 3.1.0 is not enforcing bannedDependencies rules
    + DependencyConvergence treats provided dependencies are runtime dependencies
    + Plugin shouldn't use NullPointerException for non-exceptional code flow
    + NPE in RequirePluginVersions
    + ReactorModuleConvergence not cached in reactor
    + RequireUpperBoundDeps fails on provided dependencies since 3.2.1
    + Problematic dependency resolution by new 'banDynamicVersions' rule
    + banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one
    + Filtering dependency tree by scope
    + Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
    + DependencyConvergence in 3.1.0 fails when using version ranges
    + Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
    + Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
    + ENFORCER: plugin-info and mojo pages not found

  * New Features:

    + requireUpperBounds deps should have includes
    + Introduce RequireTextFileChecksum with line separator normalization
    + allow no rules
    + show rules processed
    + DependencyConvergence should support including/excluding certain dependencies
    + Support declaring external banned dependencies in an external file/URL
    + Maven enforcer rule which checks that all dependencies have an explicit scope set
    + Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
    + Rule for no version ranges, version placeholders or SNAPSHOT versions
    + Allow one of many files in RequireFiles rules to pass
    + Skip specific rules
    + New Enforcer API
    + New Enforcer API - RuleConfigProvider
    + Move Built-In Rules to new API

  * Improvements:

    + wildcard ignore in requireReleaseDeps
    + Improve documentation about writing own Enforcer Rule
    + RequireActiveProfile should respect inherited activated profiles
    + Upgrade maven-dependency-tree to 3.x
    + Improve dependency resolving in multiple modules project
    + requireUpperBoundDeps: add [<scope>] and colors to the output
    + Example for writing a custom rule should be upgraded
    + Along with JavaVersion, allow enforcement of the JavaVendor
    + Included Java vendor in display-info output
    + requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
    + Consistently format artifacts same as dependency:tree
    + Made build Reproducible
    + Added support for excludes/includes in requireJavaVendor rule
    + Introduce Maven Enforcer Extension
    + Extends RequirePluginVersions with banMavenDefaults
    + Shared GitHub Actions
    + Log at ERROR level when <fail> is set
    + Reuse getDependenciesToCheck results across rules
    + Violation messages can be really hard to find in a multi module project
    + Clarify class loading for custom Enforcer rules
    + Using junit jupiter bom instead of single artifacts.
    + Get rid of maven-dependency-tree dependency
    + Allow 8 as JDK version for requireJavaVersion
    + Improve error message for rule 'requireJavaVersion'
    + Include Java Home in Message for Java Rule Failures
    + Manage all Maven Core dependencies as provided
    + Mange rules configuration by plugin
    + Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
    + Change success message from executed to passed
    + EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
    + Properly declare dependencies

  * Test:

    + Regression test for dependency convergence problem fixed in 3.0.0

  * Task:

    + Removed reference to travis or switch to travis.com
    + Fixed maven assembly links
    + Require Java 8
    + Verify working with Maven 4
    + Code cleanup
    + Refresh download page
    + Deprecate display-info mojo
    + Refresh site descriptors
    + Superfluous blanks in BanDuplicatePomDependencyVersions
    + Rename ResolveUtil to ResolverUtil

 maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:

 - Changes of version 3.9.0:

  * Bugs fixed:

    + Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
    + Generated table by PluginXdocGenerator does not contain default attributes

  * Improvements:

    + Omit empty line in generated help goal output if plugin description is empty
    + Use Plexus I18N rather than fiddling with

  * Task:

    + Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin

  * Dependency upgrade:

    + Upgrade plugins and components (in ITs)

- Changes of version 3.8.2:

  * Improvements:

    + Used Resolver API, get rid of localRepository

  * Dependency upgrade:

    + Bump httpcore from 4.4.15 to 4.4.16
    + Bump httpclient from 4.5.13 to 4.5.14
    + Bump antVersion from 1.10.12 to 1.10.13
    + Bump slf4jVersion from 1.7.5 to 1.7.36
    + Bump plexus-java from 1.1.1 to 1.1.2
    + Bump plexus-archiver from 4.6.1 to 4.6.3
    + Bump jsoup from 1.15.3 to 1.15.4
    + Bump asmVersion from 9.4 to 9.5
    + Bump assertj-core from 3.23.1 to 3.24.2

- Changes of version 3.8.1:

  * Bugs fixed:

    + Javadoc reference containing a link label with spaces are not detected
    + JavadocLinkGenerator.createLink: Support nested binary class names
    + ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
    + 'Executes as an aggregator plugin' documentation: s/plugin/goal/
    + Maven scope warning should be logged at WARN level
    + Fixed Temporary File Information Disclosure Vulnerability

  * New features:

    + Support mojos using the new maven v4 api

  * Improvements:

    + Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
    + Execute annotation only supports standard lifecycle phases due to use of enum
    + Clarify deprecation of all extractors but the maven-plugin-tools-annotations

  * Dependency upgrade:

    + Update to Maven Parent POM 39
    + Bump junit-bom from 5.9.1 to 5.9.2
    + Bump plexus-archiver from 4.5.0 to 4.6.1

- Changes of version 3.7.1:
  * Bugs fixed:

    + Maven scope warning should be logged at WARN level

- Changes of version 3.7.0:

  * Bugs fixed:

    + The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
    + Report-Mojo doesn't respect input encoding
    + Generating site reports for plugin results in
      NoSuchMethodError
    + JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release'
    + Parameters documentation inheriting @ since from Mojo can be confusing
    + Don't emit warning for missing javadoc URL of primitives
    + Don't emit warning for missing javadoc URI if no javadoc sources are configured
    + Parameter description should be taken from annotated item

  * New Features:

    + Added link to javadoc in configuration description page for user defined types of Mojos.
    + Allow only @ Deprecated annotation without @ deprecated javadoc tag
    + add system requirements history section
    + report: allow to generate usage section in plugin-info.html with true
    + Allow @ Parameter on setters methods
    + Extract plugin report into its own plugin
    + report: Expose generics information of Collection and Map types

  * Improvement:

    + plugin-info.html should contain a better Usage section
    + Do not overwrite generate files with no content change
    + Upgrade to JUnit 5 and @ Inject annotations
    + Support for java 20 - ASM 9.4
    + Don't print empty Memory, Disk Space in System Requirements
    + simplification in helpmojo build
    + Get rid of plexus-compiler-manager from tests
    + Use Maven core artifacts in provided scope
    + report and descriptor goal need to evaluate Javadoc comments differently
    + Allow to reference aggregator javadoc from plugin report

  * Task:

    + Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
    + Update level to Java 8
    + Deprecate scripting support for mojos
    + Deprecate requirements parameter in report Mojo
    + Removed duplicate code from PluginReport
    + Prepare for Doxia (Sitetools) 2.0.0
    + Fixed documentation for maven-plugin-report-plugin
    + Removed deprecated items from new maven-plugin-report-plugin
    + Improve site build
    + Improve dependency management
    + Plugin generator generation fails when the parent class comes from a different project

  * Dependency upgrade:

    + Upgrade Maven Reporting API/Impl to 3.1.0
    + Upgrade Parent to 36
    + Upgrade project dependencies after JDK 1.8
    + Bump maven-parent from 36 to 37
    + Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
    + Upgrade plexus-utils to 3.5.0

- Changes of version 3.6.4:

  * Restored compatibility with Maven 3 ecosystem
  * Upgraded dependencies

- Changes of version 3.6.3:

  * Added prerequisites to plugin pom
  * Exclude dependency in provided scope from plugin descriptor
  * Get rid of String.format use
  * Fixed this logging as well
  * Simplify documentation
  * Exclude maven-archiver and maven-jxr from warning

- Changes of version 3.6.2:

  * Deprecated unused requiresReports flag
  * Check that Maven dependencies are provided scope
  * Update ITs
  * Use shared gh action
  * Deprecate unsupported Mojo descriptor items
  * Weed out ITs
  * Upgrade to maven 3.x and avoid using deprecated API
  * Drop legacy dependencies
  * Use shared gh action - v1
  * Fixed wording in javadoc

- Changes of version 3.6.1:

  * What's Changed:
  * Added missing @OverRide and make methods static
  * Upgraded to JUnit 4.12
  * Upgraded parent POM and other dependencies
  * Updated plugins
  * Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
  * removed Maven 2 info
  * Removed unneeded dependency
  * Tighten the dependency tree
  * Ignore .checkstyle
  * Strict dependencies for maven-plugin-tools-annotations
  * Improved @execute(goal...) docs
  * Improve @execute(lifecycle...) docs

plexus-compiler was updated from version 2.11.1 to 2.14.2:

- Changes of 2.14.2:

  * Removed:

    + Drop J2ObjC compiler

  * New features and improvements:

    + Update AspectJ Compiler to 1.9.21 to support Java 21
    + Require JDK 17 for build
    + Improve locking on JavacCompiler
    + Include 'parameter' and 'preview' describe log
    + Switch to SISU annotations and plugin, fixes #217
    + Support jdk 21
    + Require Maven 3.5.4+
    + Require Java 11 for plexus-compiler-eclipse an
      javac-errorprone and aspectj compilers
    + Added support to run its with Java 20

  * Bugs fixed:

    + Fixed javac memory leak
    + Validate zip file names before extracting (Zip Slip)
    + Restore AbstractCompiler#getLogger() method
    + Return empty list for not existing source root location
    + Improve javac error output parsing

- Changes of 2.13.0:

  * New features and improvements:

    + Fully ignore any possible jdk bug
    + MCOMPILER-402: Added implicitOption to CompilerConfiguration
    + Added a custom compile argument
      replaceProcessorPathWithProcessorModulePath to force the
      plugin replace processorPath with processormodulepath
    + describe compiler configuration on run
    + simplify 'Compiling' info message: display relative path

  * Bugs fixed:

    + Respect CompilerConfiguration.sourceFiles in
      EclipseJavaCompiler
    + Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+

  * Dependency updates:

    + Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
    + Bump error_prone_core from 2.11.0 to 2.13.1
    + Bump github/codeql-action from 1 to 2
    + Bump ecj from 3.28.0 to 3.29.0
    + Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
    + Bump ecj from 3.29.0 to 3.30.0
    + Bump maven-invoker-plugin from 3.2.2 to 3.3.0
    + Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
    + Bump error_prone_core from 2.13.1 to 2.14.0
    + Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
    + Bump ecj from 3.31.0 to 3.32.0
    + Bump junit-bom from 5.9.0 to 5.9.1
    + Bump ecj from 3.30.0 to 3.31.0
    + Bump groovy from 3.0.12 to 3.0.13
    + Bump groovy-json from 3.0.12 to 3.0.13
    + Bump groovy-xml from 3.0.12 to 3.0.13
    + Bump animal-sniffer-maven-plugin from 1.21 to 1.22
    + Bump error_prone_core from 2.14.0 to 2.15.0
    + Bump junit-bom from 5.8.2 to 5.9.0
    + Bump groovy-xml from 3.0.11 to 3.0.12
    + Bump groovy-json from 3.0.11 to 3.0.12
    + Bump groovy from 3.0.11 to 3.0.12

  * Maintenance:

    + Require Maven 3.2.5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- libfreebl3-3.90.2-150400.3.39.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated
- objectweb-asm-9.6-150200.3.11.3 updated
- container:bci-openjdk-17-15.5.17-16.10 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:22:57 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:22:57 +0100 (CET)
Subject: SUSE-CU-2024:676-1: Security update of suse/pcp
Message-ID: <20240223162257.774B3F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:676-1
Container Tags        : suse/pcp:5 , suse/pcp:5-22.14 , suse/pcp:5.2 , suse/pcp:5.2-22.14 , suse/pcp:5.2.5 , suse/pcp:5.2.5-22.14 , suse/pcp:latest
Container Release     : 22.14
Severity              : important
Type                  : security
References            : 1216198 CVE-2023-5388 
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)


The following package changes have been done:

- libfreebl3-3.90.2-150400.3.39.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:23:20 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:23:20 +0100 (CET)
Subject: SUSE-CU-2024:677-1: Security update of bci/php-apache
Message-ID: <20240223162320.BF23FF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:677-1
Container Tags        : bci/php-apache:8 , bci/php-apache:8-12.10
Container Release     : 12.10
Severity              : important
Type                  : security
References            : 1219757 CVE-2024-24821 
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:592-1
Released:    Thu Feb 22 15:08:03 2024
Summary:     Security update for php-composer2
Type:        security
Severity:    important
References:  1219757,CVE-2024-24821
This update for php-composer2 fixes the following issues:

- CVE-2024-24821: Fixed potential arbitrary code execution when Composer is invoked within a directory with tampered files (bsc#1219757).


The following package changes have been done:

- php-composer2-2.2.3-150400.3.9.1 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:23:44 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:23:44 +0100 (CET)
Subject: SUSE-CU-2024:678-1: Security update of bci/php
Message-ID: <20240223162344.B7038F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:678-1
Container Tags        : bci/php:8 , bci/php:8-12.10
Container Release     : 12.10
Severity              : important
Type                  : security
References            : 1219757 CVE-2024-24821 
-----------------------------------------------------------------

The container bci/php was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:592-1
Released:    Thu Feb 22 15:08:03 2024
Summary:     Security update for php-composer2
Type:        security
Severity:    important
References:  1219757,CVE-2024-24821
This update for php-composer2 fixes the following issues:

- CVE-2024-24821: Fixed potential arbitrary code execution when Composer is invoked within a directory with tampered files (bsc#1219757).


The following package changes have been done:

- php-composer2-2.2.3-150400.3.9.1 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:23:50 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:23:50 +0100 (CET)
Subject: SUSE-CU-2024:679-1: Security update of
 bci/bci-sle15-kernel-module-devel
Message-ID: <20240223162350.526C9F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:679-1
Container Tags        : bci/bci-sle15-kernel-module-devel:15.5 , bci/bci-sle15-kernel-module-devel:15.5.6.11 , bci/bci-sle15-kernel-module-devel:latest
Container Release     : 6.11
Severity              : important
Type                  : security
References            : 1210638 1216198 1219243 1219576 CVE-2023-27043 CVE-2023-5388
                        CVE-2024-0727 CVE-2024-25062 
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- libfreebl3-3.90.2-150400.3.39.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated
- mozilla-nss-tools-3.90.2-150400.3.39.1 updated
- container:sles15-image-15.0.0-36.11.5 updated

From sle-container-updates at lists.suse.com  Fri Feb 23 16:24:56 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 23 Feb 2024 17:24:56 +0100 (CET)
Subject: SUSE-CU-2024:683-1: Security update of suse/manager/4.3/proxy-ssh
Message-ID: <20240223162456.E2AB2F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:683-1
Container Tags        : suse/manager/4.3/proxy-ssh:4.3.11 , suse/manager/4.3/proxy-ssh:4.3.11.9.39.1 , suse/manager/4.3/proxy-ssh:latest
Container Release     : 9.39.1
Severity              : important
Type                  : security
References            : 1218215 CVE-2023-51385 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-ssh was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:596-1
Released:    Thu Feb 22 20:05:29 2024
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1218215,CVE-2023-51385
This update for openssh fixes the following issues:

- CVE-2023-51385: Limit the use of shell metacharacters in host- and
  user names to avoid command injection. (bsc#1218215)


The following package changes have been done:

- openssh-common-8.4p1-150300.3.30.1 updated
- openssh-fips-8.4p1-150300.3.30.1 updated
- openssh-server-8.4p1-150300.3.30.1 updated
- openssh-clients-8.4p1-150300.3.30.1 updated
- openssh-8.4p1-150300.3.30.1 updated

From sle-container-updates at lists.suse.com  Sat Feb 24 08:02:00 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 24 Feb 2024 09:02:00 +0100 (CET)
Subject: SUSE-CU-2024:686-1: Security update of bci/openjdk
Message-ID: <20240224080200.B546FF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:686-1
Container Tags        : bci/openjdk:17 , bci/openjdk:17-16.10 , bci/openjdk:latest
Container Release     : 16.10
Severity              : important
Type                  : security
References            : 1216198 CVE-2023-5388 
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)


The following package changes have been done:

- libfreebl3-3.90.2-150400.3.39.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated

From sle-container-updates at lists.suse.com  Sat Feb 24 08:02:03 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 24 Feb 2024 09:02:03 +0100 (CET)
Subject: SUSE-CU-2024:687-1: Security update of suse/rmt-mariadb-client
Message-ID: <20240224080203.A5F72F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-mariadb-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:687-1
Container Tags        : suse/mariadb-client:10.6 , suse/mariadb-client:10.6-15.8 , suse/mariadb-client:latest , suse/rmt-mariadb-client:10.6 , suse/rmt-mariadb-client:10.6-15.8 , suse/rmt-mariadb-client:latest
Container Release     : 15.8
Severity              : moderate
Type                  : security
References            : 1219243 1219576 CVE-2024-0727 CVE-2024-25062 
-----------------------------------------------------------------

The container suse/rmt-mariadb-client was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated

From sle-container-updates at lists.suse.com  Sat Feb 24 08:02:07 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 24 Feb 2024 09:02:07 +0100 (CET)
Subject: SUSE-CU-2024:688-1: Security update of suse/rmt-mariadb
Message-ID: <20240224080207.0FF5FF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:688-1
Container Tags        : suse/mariadb:10.6 , suse/mariadb:10.6-18.9 , suse/mariadb:latest , suse/rmt-mariadb:10.6 , suse/rmt-mariadb:10.6-18.9 , suse/rmt-mariadb:latest
Container Release     : 18.9
Severity              : moderate
Type                  : security
References            : 1210638 1219243 1219576 CVE-2023-27043 CVE-2024-0727 CVE-2024-25062
-----------------------------------------------------------------

The container suse/rmt-mariadb was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- container:sles15-image-15.0.0-36.11.5 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:04:32 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:04:32 +0100 (CET)
Subject: SUSE-CU-2024:691-1: Recommended update of suse/sle15
Message-ID: <20240227080432.2987DF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:691-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.9.5.408
Container Release     : 9.5.408
Severity              : moderate
Type                  : recommended
References            : 1211886 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- netcfg-11.6-150000.3.6.1 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:04:37 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:04:37 +0100 (CET)
Subject: SUSE-CU-2024:692-1: Recommended update of suse/ltss/sle15.3/sle15
Message-ID: <20240227080437.26CDEF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.3/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:692-1
Container Tags        : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.4.10 , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.4.10
Container Release     : 4.10
Severity              : moderate
Type                  : recommended
References            : 1211886 
-----------------------------------------------------------------

The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- netcfg-11.6-150000.3.6.1 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:04:43 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:04:43 +0100 (CET)
Subject: SUSE-CU-2024:693-1: Security update of suse/ltss/sle15.4/sle15
Message-ID: <20240227080443.302E3F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.4/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:693-1
Container Tags        : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.3.4 , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.3.4
Container Release     : 3.4
Severity              : important
Type                  : security
References            : 1211886 1216752 1219576 CVE-2024-25062 
-----------------------------------------------------------------

The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:613-1
Released:    Mon Feb 26 11:21:43 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- libxml2-2-2.9.14-150400.5.28.1 updated
- netcfg-11.6-150000.3.6.1 updated
- rpm-ndb-4.14.3-150400.59.7.1 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:05:04 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:05:04 +0100 (CET)
Subject: SUSE-CU-2024:694-1: Recommended update of bci/dotnet-aspnet
Message-ID: <20240227080504.7B817F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:694-1
Container Tags        : bci/dotnet-aspnet:7.0 , bci/dotnet-aspnet:7.0-24.5 , bci/dotnet-aspnet:7.0.16 , bci/dotnet-aspnet:7.0.16-24.5
Container Release     : 24.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:05:07 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:05:07 +0100 (CET)
Subject: SUSE-CU-2024:695-1: Recommended update of bci/dotnet-aspnet
Message-ID: <20240227080507.6A38DF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:695-1
Container Tags        : bci/dotnet-aspnet:8.0 , bci/dotnet-aspnet:8.0-6.5 , bci/dotnet-aspnet:8.0.2 , bci/dotnet-aspnet:8.0.2-6.5 , bci/dotnet-aspnet:latest
Container Release     : 6.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:05:33 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:05:33 +0100 (CET)
Subject: SUSE-CU-2024:696-1: Recommended update of bci/dotnet-sdk
Message-ID: <20240227080533.47F9AF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:696-1
Container Tags        : bci/dotnet-sdk:6.0 , bci/dotnet-sdk:6.0-23.5 , bci/dotnet-sdk:6.0.27 , bci/dotnet-sdk:6.0.27-23.5
Container Release     : 23.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:05:56 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:05:56 +0100 (CET)
Subject: SUSE-CU-2024:697-1: Recommended update of bci/dotnet-sdk
Message-ID: <20240227080556.33B42F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:697-1
Container Tags        : bci/dotnet-sdk:7.0 , bci/dotnet-sdk:7.0-25.5 , bci/dotnet-sdk:7.0.16 , bci/dotnet-sdk:7.0.16-25.5
Container Release     : 25.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:05:59 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:05:59 +0100 (CET)
Subject: SUSE-CU-2024:698-1: Recommended update of bci/dotnet-sdk
Message-ID: <20240227080559.F3B6EF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:698-1
Container Tags        : bci/dotnet-sdk:8.0 , bci/dotnet-sdk:8.0-6.5 , bci/dotnet-sdk:8.0.2 , bci/dotnet-sdk:8.0.2-6.5 , bci/dotnet-sdk:latest
Container Release     : 6.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:06:19 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:06:19 +0100 (CET)
Subject: SUSE-CU-2024:699-1: Recommended update of bci/dotnet-runtime
Message-ID: <20240227080619.198F9F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:699-1
Container Tags        : bci/dotnet-runtime:6.0 , bci/dotnet-runtime:6.0-23.5 , bci/dotnet-runtime:6.0.27 , bci/dotnet-runtime:6.0.27-23.5
Container Release     : 23.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:06:28 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:06:28 +0100 (CET)
Subject: SUSE-CU-2024:700-1: Security update of bci/golang
Message-ID: <20240227080628.E022EF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:700-1
Container Tags        : bci/golang:1.21-openssl , bci/golang:1.21-openssl-12.9 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-12.9
Container Release     : 12.9
Severity              : moderate
Type                  : security
References            : 1219243 1219576 CVE-2024-0727 CVE-2024-25062 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- libopenssl-1_1-devel-1.1.1l-150500.17.25.1 updated
- container:sles15-image-15.0.0-36.11.5 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:06:29 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:06:29 +0100 (CET)
Subject: SUSE-CU-2024:701-1: Recommended update of bci/golang
Message-ID: <20240227080629.5F210F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:701-1
Container Tags        : bci/golang:1.21-openssl , bci/golang:1.21-openssl-12.11 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-12.11
Container Release     : 12.11
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:06:36 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:06:36 +0100 (CET)
Subject: SUSE-CU-2024:702-1: Recommended update of bci/bci-minimal
Message-ID: <20240227080636.C0C5BF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-minimal
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:702-1
Container Tags        : bci/bci-minimal:15.5 , bci/bci-minimal:15.5.17.3 , bci/bci-minimal:latest
Container Release     : 17.3
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/bci-minimal was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:06:54 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:06:54 +0100 (CET)
Subject: SUSE-CU-2024:703-1: Recommended update of bci/nodejs
Message-ID: <20240227080654.6725AF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:703-1
Container Tags        : bci/node:18 , bci/node:18-16.11 , bci/nodejs:18 , bci/nodejs:18-16.11
Container Release     : 16.11
Severity              : important
Type                  : recommended
References            : 1211886 1216752 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- netcfg-11.6-150000.3.6.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:07:15 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:07:15 +0100 (CET)
Subject: SUSE-CU-2024:704-1: Recommended update of bci/openjdk-devel
Message-ID: <20240227080715.97BF3F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:704-1
Container Tags        : bci/openjdk-devel:17 , bci/openjdk-devel:17-16.27 , bci/openjdk-devel:latest
Container Release     : 16.27
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:bci-openjdk-17-15.5.17-16.12 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:07:33 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:07:33 +0100 (CET)
Subject: SUSE-CU-2024:705-1: Recommended update of bci/openjdk
Message-ID: <20240227080733.57349F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:705-1
Container Tags        : bci/openjdk:17 , bci/openjdk:17-16.12 , bci/openjdk:latest
Container Release     : 16.12
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:07:56 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:07:56 +0100 (CET)
Subject: SUSE-CU-2024:706-1: Recommended update of suse/pcp
Message-ID: <20240227080756.1F899F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:706-1
Container Tags        : suse/pcp:5 , suse/pcp:5-22.20 , suse/pcp:5.2 , suse/pcp:5.2-22.20 , suse/pcp:5.2.5 , suse/pcp:5.2.5-22.20 , suse/pcp:latest
Container Release     : 22.20
Severity              : important
Type                  : recommended
References            : 1211886 1216752 
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- netcfg-11.6-150000.3.6.1 updated
- container:bci-bci-init-15.5-15.5-14.11 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:08:13 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:08:13 +0100 (CET)
Subject: SUSE-CU-2024:707-1: Security update of bci/php-fpm
Message-ID: <20240227080813.4B62BF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:707-1
Container Tags        : bci/php-fpm:8 , bci/php-fpm:8-12.9
Container Release     : 12.9
Severity              : important
Type                  : security
References            : 1219757 CVE-2024-24821 
-----------------------------------------------------------------

The container bci/php-fpm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:592-1
Released:    Thu Feb 22 15:08:03 2024
Summary:     Security update for php-composer2
Type:        security
Severity:    important
References:  1219757,CVE-2024-24821
This update for php-composer2 fixes the following issues:

- CVE-2024-24821: Fixed potential arbitrary code execution when Composer is invoked within a directory with tampered files (bsc#1219757).


The following package changes have been done:

- php-composer2-2.2.3-150400.3.9.1 updated
- container:sles15-image-15.0.0-36.11.5 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:08:31 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:08:31 +0100 (CET)
Subject: SUSE-CU-2024:708-1: Recommended update of bci/php
Message-ID: <20240227080831.60AB1F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:708-1
Container Tags        : bci/php:8 , bci/php:8-12.12
Container Release     : 12.12
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/php was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:08:49 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:08:49 +0100 (CET)
Subject: SUSE-CU-2024:709-1: Recommended update of suse/postgres
Message-ID: <20240227080849.2E271F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:709-1
Container Tags        : suse/postgres:15 , suse/postgres:15-17.11 , suse/postgres:15.6 , suse/postgres:15.6-17.11
Container Release     : 17.11
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:08:55 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:08:55 +0100 (CET)
Subject: SUSE-CU-2024:710-1: Recommended update of suse/postgres
Message-ID: <20240227080855.0C8D0F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:710-1
Container Tags        : suse/postgres:16 , suse/postgres:16-6.11 , suse/postgres:16.2 , suse/postgres:16.2-6.11 , suse/postgres:latest
Container Release     : 6.11
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:09:13 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:09:13 +0100 (CET)
Subject: SUSE-CU-2024:711-1: Recommended update of bci/python
Message-ID: <20240227080913.0A95FF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:711-1
Container Tags        : bci/python:3 , bci/python:3-18.12 , bci/python:3.6 , bci/python:3.6-18.12
Container Release     : 18.12
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:52:24 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:52:24 +0100 (CET)
Subject: SUSE-CU-2024:712-1: Security update of suse/389-ds
Message-ID: <20240227085224.DCC25F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:712-1
Container Tags        : suse/389-ds:2.2 , suse/389-ds:2.2-20.14 , suse/389-ds:latest
Container Release     : 20.14
Severity              : important
Type                  : security
References            : 1210638 1216198 1216752 CVE-2023-27043 CVE-2023-5388 
-----------------------------------------------------------------

The container suse/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released:    Thu Feb 22 20:07:11 2024
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

Update to NSS 3.90.2:

- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- libfreebl3-3.90.2-150400.3.39.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- python3-3.6.15-150300.10.54.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated
- mozilla-nss-tools-3.90.2-150400.3.39.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:52:46 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:52:46 +0100 (CET)
Subject: SUSE-CU-2024:713-1: Recommended update of bci/dotnet-aspnet
Message-ID: <20240227085246.2A405F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:713-1
Container Tags        : bci/dotnet-aspnet:6.0 , bci/dotnet-aspnet:6.0-24.5 , bci/dotnet-aspnet:6.0.27 , bci/dotnet-aspnet:6.0.27-24.5
Container Release     : 24.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:53:08 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:53:08 +0100 (CET)
Subject: SUSE-CU-2024:714-1: Recommended update of bci/dotnet-runtime
Message-ID: <20240227085308.43E94F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:714-1
Container Tags        : bci/dotnet-runtime:7.0 , bci/dotnet-runtime:7.0-25.5 , bci/dotnet-runtime:7.0.16 , bci/dotnet-runtime:7.0.16-25.5
Container Release     : 25.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:53:29 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:53:29 +0100 (CET)
Subject: SUSE-CU-2024:715-1: Recommended update of bci/bci-init
Message-ID: <20240227085329.7EEC9F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:715-1
Container Tags        : bci/bci-init:15.5 , bci/bci-init:15.5.14.11 , bci/bci-init:latest
Container Release     : 14.11
Severity              : important
Type                  : recommended
References            : 1211886 1216752 
-----------------------------------------------------------------

The container bci/bci-init was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- netcfg-11.6-150000.3.6.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:53:46 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:53:46 +0100 (CET)
Subject: SUSE-CU-2024:716-1: Recommended update of suse/nginx
Message-ID: <20240227085346.8E59AF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:716-1
Container Tags        : suse/nginx:1.21 , suse/nginx:1.21-10.12 , suse/nginx:latest
Container Release     : 10.12
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container suse/nginx was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:54:13 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:54:13 +0100 (CET)
Subject: SUSE-CU-2024:717-1: Recommended update of bci/openjdk-devel
Message-ID: <20240227085413.6EACFF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:717-1
Container Tags        : bci/openjdk-devel:11 , bci/openjdk-devel:11-14.25
Container Release     : 14.25
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:bci-openjdk-11-15.5.11-15.12 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:54:34 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:54:34 +0100 (CET)
Subject: SUSE-CU-2024:718-1: Recommended update of bci/openjdk
Message-ID: <20240227085434.2017AF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:718-1
Container Tags        : bci/openjdk:11 , bci/openjdk:11-15.12
Container Release     : 15.12
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:54:57 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:54:57 +0100 (CET)
Subject: SUSE-CU-2024:719-1: Recommended update of bci/php-apache
Message-ID: <20240227085457.6FA56F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:719-1
Container Tags        : bci/php-apache:8 , bci/php-apache:8-12.12
Container Release     : 12.12
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:55:16 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:55:16 +0100 (CET)
Subject: SUSE-CU-2024:711-1: Recommended update of bci/python
Message-ID: <20240227085516.0CA38F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:711-1
Container Tags        : bci/python:3 , bci/python:3-18.12 , bci/python:3.6 , bci/python:3.6-18.12
Container Release     : 18.12
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:55:20 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:55:20 +0100 (CET)
Subject: SUSE-CU-2024:720-1: Recommended update of suse/rmt-mariadb-client
Message-ID: <20240227085520.D7A4EF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-mariadb-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:720-1
Container Tags        : suse/mariadb-client:10.6 , suse/mariadb-client:10.6-15.10 , suse/mariadb-client:latest , suse/rmt-mariadb-client:10.6 , suse/rmt-mariadb-client:10.6-15.10 , suse/rmt-mariadb-client:latest
Container Release     : 15.10
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container suse/rmt-mariadb-client was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:55:25 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:55:25 +0100 (CET)
Subject: SUSE-CU-2024:721-1: Recommended update of suse/rmt-mariadb
Message-ID: <20240227085525.87D73F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:721-1
Container Tags        : suse/mariadb:10.6 , suse/mariadb:10.6-18.11 , suse/mariadb:latest , suse/rmt-mariadb:10.6 , suse/rmt-mariadb:10.6-18.11 , suse/rmt-mariadb:latest
Container Release     : 18.11
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container suse/rmt-mariadb was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:55:35 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:55:35 +0100 (CET)
Subject: SUSE-CU-2024:722-1: Recommended update of suse/rmt-server
Message-ID: <20240227085535.D4447F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:722-1
Container Tags        : suse/rmt-server:2.14 , suse/rmt-server:2.14-15.10 , suse/rmt-server:latest
Container Release     : 15.10
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container suse/rmt-server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:55:54 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:55:54 +0100 (CET)
Subject: SUSE-CU-2024:723-1: Recommended update of bci/ruby
Message-ID: <20240227085554.7FBF4F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:723-1
Container Tags        : bci/ruby:2 , bci/ruby:2-16.10 , bci/ruby:2.5 , bci/ruby:2.5-16.10 , bci/ruby:latest
Container Release     : 16.10
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:56:15 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:56:15 +0100 (CET)
Subject: SUSE-CU-2024:724-1: Recommended update of bci/rust
Message-ID: <20240227085615.4C39EF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:724-1
Container Tags        : bci/rust:1.75 , bci/rust:1.75-1.4.10 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.4.10
Container Release     : 4.10
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:56:20 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:56:20 +0100 (CET)
Subject: SUSE-CU-2024:725-1: Recommended update of
 bci/bci-sle15-kernel-module-devel
Message-ID: <20240227085620.6F4DEF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:725-1
Container Tags        : bci/bci-sle15-kernel-module-devel:15.5 , bci/bci-sle15-kernel-module-devel:15.5.6.13 , bci/bci-sle15-kernel-module-devel:latest
Container Release     : 6.13
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- rpm-build-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 08:56:38 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 09:56:38 +0100 (CET)
Subject: SUSE-CU-2024:726-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20240227085638.179C9F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:726-1
Container Tags        : suse/manager/4.3/proxy-httpd:4.3.11 , suse/manager/4.3/proxy-httpd:4.3.11.9.49.2 , suse/manager/4.3/proxy-httpd:latest
Container Release     : 9.49.2
Severity              : important
Type                  : security
References            : 1216752 1219576 CVE-2024-25062 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:613-1
Released:    Mon Feb 26 11:21:43 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- python3-rpm-4.14.3-150400.59.7.1 updated
- python3-libxml2-2.9.14-150400.5.28.1 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 11:54:47 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 12:54:47 +0100 (CET)
Subject: SUSE-CU-2024:728-1: Recommended update of bci/nodejs
Message-ID: <20240227115447.9AA06FBA5@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:728-1
Container Tags        : bci/node:20 , bci/node:20-6.11 , bci/node:latest , bci/nodejs:20 , bci/nodejs:20-6.11 , bci/nodejs:latest
Container Release     : 6.11
Severity              : important
Type                  : recommended
References            : 1211886 1216752 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- netcfg-11.6-150000.3.6.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 11:55:07 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 12:55:07 +0100 (CET)
Subject: SUSE-CU-2024:729-1: Recommended update of bci/rust
Message-ID: <20240227115507.90172FBA5@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:729-1
Container Tags        : bci/rust:1.74 , bci/rust:1.74-2.4.10 , bci/rust:oldstable , bci/rust:oldstable-2.4.10
Container Release     : 4.10
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Tue Feb 27 11:55:23 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 27 Feb 2024 12:55:23 +0100 (CET)
Subject: SUSE-CU-2024:730-1: Security update of suse/sle15
Message-ID: <20240227115523.3FE27FBA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:730-1
Container Tags        : bci/bci-base:15.5 , bci/bci-base:15.5.36.11.6 , suse/sle15:15.5 , suse/sle15:15.5.36.11.6
Container Release     : 36.11.6
Severity              : important
Type                  : security
References            : 1211886 1216752 1219243 1219576 CVE-2024-0727 CVE-2024-25062
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)


The following package changes have been done:

- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libxml2-2-2.10.3-150500.5.14.1 updated
- netcfg-11.6-150000.3.6.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- rpm-ndb-4.14.3-150400.59.7.1 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:01:33 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:01:33 +0100 (CET)
Subject: SUSE-CU-2024:731-1: Security update of suse/sle-micro/5.5/toolbox
Message-ID: <20240228080133.2F47BF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:731-1
Container Tags        : suse/sle-micro/5.5/toolbox:12.1 , suse/sle-micro/5.5/toolbox:12.1-2.2.163 , suse/sle-micro/5.5/toolbox:latest
Container Release     : 2.2.163
Severity              : moderate
Type                  : security
References            : 1219243 1219576 CVE-2024-0727 CVE-2024-25062 
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).


The following package changes have been done:

- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libxml2-2-2.10.3-150500.5.14.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:02:02 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:02:02 +0100 (CET)
Subject: SUSE-CU-2024:732-1: Recommended update of bci/dotnet-runtime
Message-ID: <20240228080202.DE197F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:732-1
Container Tags        : bci/dotnet-runtime:8.0 , bci/dotnet-runtime:8.0-6.5 , bci/dotnet-runtime:8.0.2 , bci/dotnet-runtime:8.0.2-6.5 , bci/dotnet-runtime:latest
Container Release     : 6.5
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:02:09 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:02:09 +0100 (CET)
Subject: SUSE-CU-2024:733-1: Security update of suse/git
Message-ID: <20240228080209.7DD2FF7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:733-1
Container Tags        : suse/git:2.35 , suse/git:2.35-9.1 , suse/git:latest
Container Release     : 9.1
Severity              : important
Type                  : security
References            : 1214668 1214788 1215241 1215313 1217460 1217950 1218215 CVE-2023-48795
                        CVE-2023-51385 
-----------------------------------------------------------------

The container suse/git was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released:    Fri Oct 20 19:27:58 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1215313
This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4902-1
Released:    Tue Dec 19 13:09:42 2023
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1214788,1217950,CVE-2023-48795
This update for openssh fixes the following issues:

- CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950).

the following non-security bug was fixed:

- Fix the 'no route to host' error when connecting via ProxyJump

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:596-1
Released:    Thu Feb 22 20:05:29 2024
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1218215,CVE-2023-51385
This update for openssh fixes the following issues:

- CVE-2023-51385: Limit the use of shell metacharacters in host- and
  user names to avoid command injection. (bsc#1218215)


The following package changes have been done:

- libcbor0-0.5.0-150100.4.6.1 added
- libedit0-3.1.snap20150325-2.12 added
- libfido2-1-1.13.0-150400.5.6.1 added
- libhidapi-hidraw0-0.10.1-150300.3.2.1 added
- libudev1-249.17-150400.8.40.1 added
- openssh-clients-8.4p1-150300.3.30.1 added
- openssh-common-8.4p1-150300.3.30.1 added

From sle-container-updates at lists.suse.com  Wed Feb 28 08:02:23 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:02:23 +0100 (CET)
Subject: SUSE-CU-2024:734-1: Security update of bci/golang
Message-ID: <20240228080223.3DDD3F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:734-1
Container Tags        : bci/golang:1.21 , bci/golang:1.21-2.2.11 , bci/golang:oldstable , bci/golang:oldstable-2.2.11
Container Release     : 2.11
Severity              : important
Type                  : security
References            : 1212475 1212475 1212475 1212475 1212475 1212475 1212475 1212667
                        1212669 1215084 1215085 1215086 1215087 1215090 1215985 1216109
                        1216752 1216943 1216943 1216944 1217833 1217834 1219243 1219576
                        CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322
                        CVE-2023-39323 CVE-2023-39325 CVE-2023-39326 CVE-2023-44487 CVE-2023-45283
                        CVE-2023-45284 CVE-2023-45284 CVE-2023-45285 CVE-2024-0727 CVE-2024-25062
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3323-1
Released:    Tue Aug 15 20:29:53 2023
Summary:     Recommended update for go1.21
Type:        recommended
Severity:    moderate
References:  1212475,1212667,1212669
This update for go1.21 fixes the following issues:


go1.21 (released 2023-08-08) is a major release of Go.

go1.21.x minor releases will be provided through August 2024.
https://github.com/golang/go/wiki/Go-Release-Cycle

go1.21 arrives six months after go1.20. Most of its changes are
in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before.

* Go 1.21 introduces a small change to the numbering of
  releases. In the past, we used Go 1.N to refer to both the
  overall Go language version and release family as well as the
  first release in that family. Starting in Go 1.21, the first
  release is now Go 1.N.0. Today we are releasing both the Go
  1.21 language and its initial implementation, the Go 1.21.0
  release. These notes refer to 'Go 1.21'; tools like go version
  will report 'go1.21.0' (until you upgrade to Go 1.21.1). See
  'Go versions' in the 'Go Toolchains' documentation for details
  about the new version numbering.
* Language change: Go 1.21 adds three new built-ins to the
  language.
* Language change: The new functions min and max compute the
  smallest (or largest, for max) value of a fixed number of given
  arguments. See the language spec for details.
* Language change: The new function clear deletes all elements
  from a map or zeroes all elements of a slice. See the language
  spec for details.
* Package initialization order is now specified more
  precisely. This may change the behavior of some programs that
  rely on a specific initialization ordering that was not
  expressed by explicit imports. The behavior of such programs
  was not well defined by the spec in past releases. The new rule
  provides an unambiguous definition.
* Multiple improvements that increase the power and precision of
  type inference have been made.
* A (possibly partially instantiated generic) function may now be
  called with arguments that are themselves (possibly partially
  instantiated) generic functions.
* Type inference now also considers methods when a value is
  assigned to an interface: type arguments for type parameters
  used in method signatures may be inferred from the
  corresponding parameter types of matching methods.
* Similarly, since a type argument must implement all the methods
  of its corresponding constraint, the methods of the type
  argument and constraint are matched which may lead to the
  inference of additional type arguments.
* If multiple untyped constant arguments of different kinds (such
  as an untyped int and an untyped floating-point constant) are
  passed to parameters with the same (not otherwise specified)
  type parameter type, instead of an error, now type inference
  determines the type using the same approach as an operator with
  untyped constant operands. This change brings the types
  inferred from untyped constant arguments in line with the types
  of constant expressions.
* Type inference is now precise when matching corresponding types
  in assignments
* The description of type inference in the language spec has been
  clarified.
* Go 1.21 includes a preview of a language change we are
  considering for a future version of Go: making for loop
  variables per-iteration instead of per-loop, to avoid
  accidental sharing bugs. For details about how to try that
  language change, see the LoopvarExperiment wiki page.
* Go 1.21 now defines that if a goroutine is panicking and
  recover was called directly by a deferred function, the return
  value of recover is guaranteed not to be nil. To ensure this,
  calling panic with a nil interface value (or an untyped nil)
  causes a run-time panic of type *runtime.PanicNilError.
  To support programs written for older versions of Go, nil
  panics can be re-enabled by setting GODEBUG=panicnil=1. This
  setting is enabled automatically when compiling a program whose
  main package is in a module with that declares go 1.20 or
  earlier.
* Go 1.21 adds improved support for backwards compatibility and
  forwards compatibility in the Go toolchain.
* To improve backwards compatibility, Go 1.21 formalizes Go's use
  of the GODEBUG environment variable to control the default
  behavior for changes that are non-breaking according to the
  compatibility policy but nonetheless may cause existing
  programs to break. (For example, programs that depend on buggy
  behavior may break when a bug is fixed, but bug fixes are not
  considered breaking changes.) When Go must make this kind of
  behavior change, it now chooses between the old and new
  behavior based on the go line in the workspace's go.work file
  or else the main module's go.mod file. Upgrading to a new Go
  toolchain but leaving the go line set to its original (older)
  Go version preserves the behavior of the older toolchain. With
  this compatibility support, the latest Go toolchain should
  always be the best, most secure, implementation of an older
  version of Go. See 'Go, Backwards Compatibility, and GODEBUG'
  for details.
* To improve forwards compatibility, Go 1.21 now reads the go
  line in a go.work or go.mod file as a strict minimum
  requirement: go 1.21.0 means that the workspace or module
  cannot be used with Go 1.20 or with Go 1.21rc1. This allows
  projects that depend on fixes made in later versions of Go to
  ensure that they are not used with earlier versions. It also
  gives better error reporting for projects that make use of new
  Go features: when the problem is that a newer Go version is
  needed, that problem is reported clearly, instead of attempting
  to build the code and instead printing errors about unresolved
  imports or syntax errors.
* To make these new stricter version requirements easier to
  manage, the go command can now invoke not just the toolchain
  bundled in its own release but also other Go toolchain versions
  found in the PATH or downloaded on demand. If a go.mod or
  go.work go line declares a minimum requirement on a newer
  version of Go, the go command will find and run that version
  automatically. The new toolchain directive sets a suggested
  minimum toolchain to use, which may be newer than the strict go
  minimum. See 'Go Toolchains' for details.
* go command: The -pgo build flag now defaults to -pgo=auto, and
  the restriction of specifying a single main package on the
  command line is now removed. If a file named default.pgo is
  present in the main package's directory, the go command will
  use it to enable profile-guided optimization for building the
  corresponding program.
* go command: The -C dir flag must now be the first flag on the
  command-line when used.
* go command: The new go test option -fullpath prints full path
  names in test log messages, rather than just base names.
* go command: The go test -c flag now supports writing test
  binaries for multiple packages, each to pkg.test where pkg is
  the package name. It is an error if more than one test package
  being compiled has a given package name.]
* go command: The go test -o flag now accepts a directory
  argument, in which case test binaries are written to that
  directory instead of the current directory.
* cgo: In files that import 'C', the Go toolchain now correctly
  reports errors for attempts to declare Go methods on C types.
* runtime: When printing very deep stacks, the runtime now prints
  the first 50 (innermost) frames followed by the bottom 50
  (outermost) frames, rather than just printing the first 100
  frames. This makes it easier to see how deeply recursive stacks
  started, and is especially valuable for debugging stack
  overflows.
* runtime: On Linux platforms that support transparent huge
  pages, the Go runtime now manages which parts of the heap may
  be backed by huge pages more explicitly. This leads to better
  utilization of memory: small heaps should see less memory used
  (up to 50% in pathological cases) while large heaps should see
  fewer broken huge pages for dense parts of the heap, improving
  CPU usage and latency by up to 1%.
* runtime: As a result of runtime-internal garbage collection
  tuning, applications may see up to a 40% reduction in
  application tail latency and a small decrease in memory
  use. Some applications may also observe a small loss in
  throughput. The memory use decrease should be proportional to
  the loss in throughput, such that the previous release's
  throughput/memory tradeoff may be recovered (with little change
  to latency) by increasing GOGC and/or GOMEMLIMIT slightly.
* runtime: Calls from C to Go on threads created in C require
  some setup to prepare for Go execution. On Unix platforms, this
  setup is now preserved across multiple calls from the same
  thread. This significantly reduces the overhead of subsequent C
  to Go calls from ~1-3 microseconds per call to ~100-200
  nanoseconds per call.
* compiler: Profile-guide optimization (PGO), added as a preview
  in Go 1.20, is now ready for general use. PGO enables
  additional optimizations on code identified as hot by profiles
  of production workloads. As mentioned in the Go command
  section, PGO is enabled by default for binaries that contain a
  default.pgo profile in the main package directory. Performance
  improvements vary depending on application behavior, with most
  programs from a representative set of Go programs seeing
  between 2 and 7% improvement from enabling PGO. See the PGO
  user guide for detailed documentation.
* compiler: PGO builds can now devirtualize some interface method
  calls, adding a concrete call to the most common callee. This
  enables further optimization, such as inlining the callee.
* compiler: Go 1.21 improves build speed by up to 6%, largely
  thanks to building the compiler itself with PGO.
* assembler: On amd64, frameless nosplit assembly functions are
  no longer automatically marked as NOFRAME. Instead, the NOFRAME
  attribute must be explicitly specified if desired, which is
  already the behavior on other architectures supporting frame
  pointers. With this, the runtime now maintains the frame
  pointers for stack transitions.
* assembler: The verifier that checks for incorrect uses of R15
  when dynamic linking on amd64 has been improved.
* linker: On windows/amd64, the linker (with help from the
  compiler) now emits SEH unwinding data by default, which
  improves the integration of Go applications with Windows
  debuggers and other tools.
* linker: In Go 1.21 the linker (with help from the compiler) is
  now capable of deleting dead (unreferenced) global map
  variables, if the number of entries in the variable initializer
  is sufficiently large, and if the initializer expressions are
  side-effect free.
* core library: The new log/slog package provides structured
  logging with levels. Structured logging emits key-value pairs
  to enable fast, accurate processing of large amounts of log
  data. The package supports integration with popular log
  analysis tools and services.
* core library: The new testing/slogtest package can help to
  validate slog.Handler implementations.
* core library: The new slices package provides many common
  operations on slices, using generic functions that work with
  slices of any element type.
* core library: The new maps package provides several common
  operations on maps, using generic functions that work with maps
  of any key or element type.
* core library: The new cmp package defines the type constraint
  Ordered and two new generic functions Less and Compare that are
  useful with ordered types.
* Minor changes to the library: As always, there are various
  minor changes and updates to the library, made with the Go 1
  promise of compatibility in mind. There are also various
  performance improvements, not enumerated here.
* archive/tar: The implementation of the io/fs.FileInfo interface
  returned by Header.FileInfo now implements a String method that
  calls io/fs.FormatFileInfo.
* archive/zip: The implementation of the io/fs.FileInfo interface
  returned by FileHeader.FileInfo now implements a String method
  that calls io/fs.FormatFileInfo.
* archive/zip: The implementation of the io/fs.DirEntry interface
  returned by the io/fs.ReadDirFile.ReadDir method of the
  io/fs.File returned by Reader.Open now implements a String
  method that calls io/fs.FormatDirEntry.
* bytes: The Buffer type has two new methods: Available and
  AvailableBuffer. These may be used along with the Write method
  to append directly to the Buffer.
* context: The new WithoutCancel function returns a copy of a
  context that is not canceled when the original context is
  canceled.
* context: The new WithDeadlineCause and WithTimeoutCause
  functions provide a way to set a context cancellation cause
  when a deadline or timer expires. The cause may be retrieved
  with the Cause function.
* context: The new AfterFunc function registers a function to run
  after a context has been cancelled.
* context: An optimization means that the results of calling
  Background and TODO and converting them to a shared type can be
  considered equal. In previous releases they were always
  different. Comparing Context values for equality has never been
  well-defined, so this is not considered to be an incompatible
  change.
* crypto/ecdsa: PublicKey.Equal and PrivateKey.Equal now execute
  in constant time.
* crypto/elliptic: All of the Curve methods have been deprecated,
  along with GenerateKey, Marshal, and Unmarshal. For ECDH
  operations, the new crypto/ecdh package should be used
  instead. For lower-level operations, use third-party modules
  such as filippo.io/nistec.
* crypto/rand: The crypto/rand package now uses the getrandom
  system call on NetBSD 10.0 and later.
* crypto/rsa: The performance of private RSA operations
  (decryption and signing) is now better than Go 1.19 for
  GOARCH=amd64 and GOARCH=arm64. It had regressed in Go 1.20.
* crypto/rsa: Due to the addition of private fields to
  PrecomputedValues, PrivateKey.Precompute must be called for
  optimal performance even if deserializing (for example from
  JSON) a previously-precomputed private key.
* crypto/rsa: PublicKey.Equal and PrivateKey.Equal now execute in
  constant time.
* crypto/rsa: The GenerateMultiPrimeKey function and the
  PrecomputedValues.CRTValues field have been
  deprecated. PrecomputedValues.CRTValues will still be populated
  when PrivateKey.Precompute is called, but the values will not
  be used during decryption operations.
* crypto/sha256: SHA-224 and SHA-256 operations now use native
  instructions when available when GOARCH=amd64, providing a
  performance improvement on the order of 3-4x.
* crypto/tls: Servers now skip verifying client certificates
  (including not running Config.VerifyPeerCertificate) for
  resumed connections, besides checking the expiration time. This
  makes session tickets larger when client certificates are in
  use. Clients were already skipping verification on resumption,
  but now check the expiration time even if
  Config.InsecureSkipVerify is set.
* crypto/tls: Applications can now control the content of session
  tickets.
* crypto/tls: The new SessionState type describes a resumable
  session.
* crypto/tls: The SessionState.Bytes method and ParseSessionState
  function serialize and deserialize a SessionState.
* crypto/tls: The Config.WrapSession and Config.UnwrapSession
  hooks convert a SessionState to and from a ticket on the server
  side.
* crypto/tls: The Config.EncryptTicket and Config.DecryptTicket
  methods provide a default implementation of WrapSession and
  UnwrapSession.
* crypto/tls: The ClientSessionState.ResumptionState method and
  NewResumptionState function may be used by a ClientSessionCache
  implementation to store and resume sessions on the client side.
* crypto/tls: To reduce the potential for session tickets to be
  used as a tracking mechanism across connections, the server now
  issues new tickets on every resumption (if they are supported
  and not disabled) and tickets don't bear an identifier for the
  key that encrypted them anymore. If passing a large number of
  keys to Conn.SetSessionTicketKeys, this might lead to a
  noticeable performance cost.
* crypto/tls: Both clients and servers now implement the Extended
  Master Secret extension (RFC 7627). The deprecation of
  ConnectionState.TLSUnique has been reverted, and is now set for
  resumed connections that support Extended Master Secret.
* crypto/tls: The new QUICConn type provides support for QUIC
  implementations, including 0-RTT support. Note that this is not
  itself a QUIC implementation, and 0-RTT is still not supported
  in TLS.
* crypto/tls: The new VersionName function returns the name for a
  TLS version number.
* crypto/tls: The TLS alert codes sent from the server for client
  authentication failures have been improved. Previously, these
  failures always resulted in a 'bad certificate' alert. Now,
  certain failures will result in more appropriate alert codes,
  as defined by RFC 5246 and RFC 8446:
* crypto/tls: For TLS 1.3 connections, if the server is
  configured to require client authentication using
  RequireAnyClientCert or RequireAndVerifyClientCert, and the
  client does not provide any certificate, the server will now
  return the 'certificate required' alert.
* crypto/tls: If the client provides a certificate that is not
  signed by the set of trusted certificate authorities configured
  on the server, the server will return the 'unknown certificate
  authority' alert.
* crypto/tls: If the client provides a certificate that is either
  expired or not yet valid, the server will return the 'expired
  certificate' alert.
* crypto/tls: In all other scenarios related to client
  authentication failures, the server still returns 'bad
  certificate'.
* crypto/x509: RevocationList.RevokedCertificates has been
  deprecated and replaced with the new RevokedCertificateEntries
  field, which is a slice of RevocationListEntry.
  RevocationListEntry contains all of the fields in
  pkix.RevokedCertificate, as well as the revocation reason code.
* crypto/x509: Name constraints are now correctly enforced on
  non-leaf certificates, and not on the certificates where they
  are expressed.
* debug/elf: The new File.DynValue method may be used to retrieve
  the numeric values listed with a given dynamic tag.
* debug/elf: The constant flags permitted in a DT_FLAGS_1 dynamic
  tag are now defined with type DynFlag1. These tags have names
  starting with DF_1.
* debug/elf: The package now defines the constant COMPRESS_ZSTD.
* debug/elf: The package now defines the constant
  R_PPC64_REL24_P9NOTOC.
* debug/pe: Attempts to read from a section containing
  uninitialized data using Section.Data or the reader returned by
  Section.Open now return an error.
* embed: The io/fs.File returned by FS.Open now has a ReadAt
  method that implements io.ReaderAt.
* embed: Calling FS.Open.Stat will return a type that now
  implements a String method that calls io/fs.FormatFileInfo.
* errors: The new ErrUnsupported error provides a standardized
  way to indicate that a requested operation may not be performed
  because it is unsupported. For example, a call to os.Link when
  using a file system that does not support hard links.
* flag: The new BoolFunc function and FlagSet.BoolFunc method
  define a flag that does not require an argument and calls a
  function when the flag is used. This is similar to Func but for
  a boolean flag.
* flag: A flag definition (via Bool, BoolVar, Int, IntVar, etc.)
  will panic if Set has already been called on a flag with the
  same name. This change is intended to detect cases where
  changes in initialization order cause flag operations to occur
  in a different order than expected. In many cases the fix to
  this problem is to introduce a explicit package dependence to
  correctly order the definition before any Set operations.
* go/ast: The new IsGenerated predicate reports whether a file
  syntax tree contains the special comment that conventionally
  indicates that the file was generated by a tool.
* go/ast: The new File.GoVersion field records the minimum Go
  version required by any //go:build or // +build directives.
* go/build: The package now parses build directives (comments
  that start with //go:) in file headers (before the package
  declaration). These directives are available in the new Package
  fields Directives, TestDirectives, and XTestDirectives.
* go/build/constraint: The new GoVersion function returns the
  minimum Go version implied by a build expression.
* go/token: The new File.Lines method returns the file's
  line-number table in the same form as accepted by
  File.SetLines.
* go/types: The new Package.GoVersion method returns the Go
  language version used to check the package.
* hash/maphash: The hash/maphash package now has a pure Go
  implementation, selectable with the purego build tag.
* html/template: The new error ErrJSTemplate is returned when an
  action appears in a JavaScript template literal. Previously an
  unexported error was returned.
* io/fs: The new FormatFileInfo function returns a formatted
  version of a FileInfo. The new FormatDirEntry function returns
  a formatted version of a DirEntry. The implementation of
  DirEntry returned by ReadDir now implements a String method
  that calls FormatDirEntry, and the same is true for the
  DirEntry value passed to WalkDirFunc.
* math/big: The new Int.Float64 method returns the nearest
  floating-point value to a multi-precision integer, along with
  an indication of any rounding that occurred.
* net: On Linux, the net package can now use Multipath TCP when
  the kernel supports it. It is not used by default. To use
  Multipath TCP when available on a client, call the
  Dialer.SetMultipathTCP method before calling the Dialer.Dial or
  Dialer.DialContext methods. To use Multipath TCP when available
  on a server, call the ListenConfig.SetMultipathTCP method
  before calling the ListenConfig.Listen method. Specify the
  network as 'tcp' or 'tcp4' or 'tcp6' as usual. If Multipath TCP
  is not supported by the kernel or the remote host, the
  connection will silently fall back to TCP. To test whether a
  particular connection is using Multipath TCP, use the
  TCPConn.MultipathTCP method.
* net: In a future Go release we may enable Multipath TCP by
  default on systems that support it.
* net/http: The new ResponseController.EnableFullDuplex method
  allows server handlers to concurrently read from an HTTP/1
  request body while writing the response. Normally, the HTTP/1
  server automatically consumes any remaining request body before
  starting to write the response, to avoid deadlocking clients
  which attempt to write a complete request before reading the
  response. The EnableFullDuplex method disables this behavior.
* net/http: The new ErrSchemeMismatch error is returned by Client
  and Transport when the server responds to an HTTPS request with
  an HTTP response.
* net/http: The net/http package now supports
  errors.ErrUnsupported, in that the expression
  errors.Is(http.ErrNotSupported, errors.ErrUnsupported) will
  return true.
* os: Programs may now pass an empty time.Time value to the
  Chtimes function to leave either the access time or the
  modification time unchanged.
* os: On Windows the File.Chdir method now changes the current
  directory to the file, rather than always returning an error.
* os: On Unix systems, if a non-blocking descriptor is passed to
  NewFile, calling the File.Fd method will now return a
  non-blocking descriptor. Previously the descriptor was
  converted to blocking mode.
* os: On Windows calling Truncate on a non-existent file used to
  create an empty file. It now returns an error indicating that
  the file does not exist.
* os: On Windows calling TempDir now uses GetTempPath2W when
  available, instead of GetTempPathW. The new behavior is a
  security hardening measure that prevents temporary files
  created by processes running as SYSTEM to be accessed by
  non-SYSTEM processes.
* os: On Windows the os package now supports working with files
  whose names, stored as UTF-16, can't be represented as valid
  UTF-8.
* os: On Windows Lstat now resolves symbolic links for paths
  ending with a path separator, consistent with its behavior on
  POSIX platforms.
* os: The implementation of the io/fs.DirEntry interface returned
  by the ReadDir function and the File.ReadDir method now
  implements a String method that calls io/fs.FormatDirEntry.
* os: The implementation of the io/fs.FS interface returned by
  the DirFS function now implements the io/fs.ReadFileFS and the
  io/fs.ReadDirFS interfaces.
* path/filepath: The implementation of the io/fs.DirEntry
  interface passed to the function argument of WalkDir now
  implements a String method that calls io/fs.FormatDirEntry.
* reflect: In Go 1.21, ValueOf no longer forces its argument to
  be allocated on the heap, allowing a Value's content to be
  allocated on the stack. Most operations on a Value also allow
  the underlying value to be stack allocated.
* reflect: The new Value method Value.Clear clears the contents
  of a map or zeros the contents of a slice. This corresponds to
  the new clear built-in added to the language.
* reflect: The SliceHeader and StringHeader types are now
  deprecated. In new code prefer unsafe.Slice, unsafe.SliceData,
  unsafe.String, or unsafe.StringData.
* regexp: Regexp now defines MarshalText and UnmarshalText
  methods. These implement encoding.TextMarshaler and
  encoding.TextUnmarshaler and will be used by packages such as
  encoding/json.
* runtime: Textual stack traces produced by Go programs, such as
  those produced when crashing, calling runtime.Stack, or
  collecting a goroutine profile with debug=2, now include the
  IDs of the goroutines that created each goroutine in the stack
  trace.
* runtime: Crashing Go applications can now opt-in to Windows
  Error Reporting (WER) by setting the environment variable
  GOTRACEBACK=wer or calling debug.SetTraceback('wer') before the
  crash. Other than enabling WER, the runtime will behave as with
  GOTRACEBACK=crash. On non-Windows systems, GOTRACEBACK=wer is
  ignored.
* runtime: GODEBUG=cgocheck=2, a thorough checker of cgo pointer
  passing rules, is no longer available as a debug
  option. Instead, it is available as an experiment using
  GOEXPERIMENT=cgocheck2. In particular this means that this mode
  has to be selected at build time instead of startup time.
* runtime: GODEBUG=cgocheck=1 is still available (and is still
  the default).
* runtime: A new type Pinner has been added to the runtime
  package. Pinners may be used to 'pin' Go memory such that it
  may be used more freely by non-Go code. For instance, passing
  Go values that reference pinned Go memory to C code is now
  allowed. Previously, passing any such nested reference was
  disallowed by the cgo pointer passing rules. See the docs for
  more details.
* runtime/metrics: A few previously-internal GC metrics, such as
  live heap size, are now available. GOGC and GOMEMLIMIT are also
  now available as metrics.
* runtime/trace: Collecting traces on amd64 and arm64 now incurs
  a substantially smaller CPU cost: up to a 10x improvement over
  the previous release.
* runtime/trace: Traces now contain explicit stop-the-world
  events for every reason the Go runtime might stop-the-world,
  not just garbage collection.
* sync: The new OnceFunc, OnceValue, and OnceValues functions
  capture a common use of Once to lazily initialize a value on
  first use.
* syscall: On Windows the Fchdir function now changes the current
  directory to its argument, rather than always returning an
  error.
* syscall: On FreeBSD SysProcAttr has a new field Jail that may
  be used to put the newly created process in a jailed
  environment.
* syscall: On Windows the syscall package now supports working
  with files whose names, stored as UTF-16, can't be represented
  as valid UTF-8. The UTF16ToString and UTF16FromString functions
  now convert between UTF-16 data and WTF-8 strings. This is
  backward compatible as WTF-8 is a superset of the UTF-8 format
  that was used in earlier releases.
* syscall: Several error values match the new
  errors.ErrUnsupported, such that errors.Is(err,
  errors.ErrUnsupported) returns true.
  ENOSYS
  ENOTSUP
  EOPNOTSUPP
  EPLAN9 (Plan 9 only)
  ERROR_CALL_NOT_IMPLEMENTED (Windows only)
  ERROR_NOT_SUPPORTED (Windows only)
  EWINDOWS (Windows only)
* testing: The new -test.fullpath option will print full path
  names in test log messages, rather than just base names.
* testing: The new Testing function reports whether the program
  is a test created by go test.
* testing/fstest: Calling Open.Stat will return a type that now
  implements a String method that calls io/fs.FormatFileInfo.
* unicode: The unicode package and associated support throughout
  the system has been upgraded to Unicode 15.0.0.
* Darwin port: As announced in the Go 1.20 release notes, Go 1.21
  requires macOS 10.15 Catalina or later; support for previous
  versions has been discontinued.
* Windows port: As announced in the Go 1.20 release notes, Go
  1.21 requires at least Windows 10 or Windows Server 2016;
  support for previous versions has been discontinued.
* WebAssembly port: The new go:wasmimport directive can now be
  used in Go programs to import functions from the WebAssembly
  host.
* WebAssembly port: The Go scheduler now interacts much more
  efficiently with the JavaScript event loop, especially in
  applications that block frequently on asynchronous events.
* WebAssembly System Interface port: Go 1.21 adds an experimental
  port to the WebAssembly System Interface (WASI), Preview 1
  (GOOS=wasip1, GOARCH=wasm).
* WebAssembly System Interface port: As a result of the addition
  of the new GOOS value 'wasip1', Go files named *_wasip1.go will
  now be ignored by Go tools except when that GOOS value is being
  used. If you have existing filenames matching that pattern, you
  will need to rename them.
* ppc64/ppc64le port: On Linux, GOPPC64=power10 now generates
  PC-relative instructions, prefixed instructions, and other new
  Power10 instructions. On AIX, GOPPC64=power10 generates Power10
  instructions, but does not generate PC-relative instructions.
* ppc64/ppc64le port: When building position-independent binaries
  for GOPPC64=power10 GOOS=linux GOARCH=ppc64le, users can expect
  reduced binary sizes in most cases, in some cases
  3.5%. Position-independent binaries are built for ppc64le with
  the following -buildmode values: c-archive, c-shared, shared,
  pie, plugin.
* loong64 port: The linux/loong64 port now supports
  -buildmode=c-archive, -buildmode=c-shared and -buildmode=pie.

* go1.21+ change default GOTOOLCHAIN=auto to local to prevent go
  tool commands from downloading upstream go1.x toolchain binaries

* go1.21+ introduce new default behavior that can download
  additional versions of go1.x toolchain binaries built by
  upstream. See https://go.dev/doc/toolchain for details. The go
  tool would attempt toolchain downloads as needed to satisfy a
  minimum go version specified in go.mod of the program
  containing main() or any of its dependencies.
* Users can override the default GOTOOLCHAIN setting with
  go env -w, stored in in ~/.config/go/env.

- Add missing go.env to package. go.env sets defaults including:
  GOPROXY GOSUMDB GOTOOLCHAIN

* Starting in go1.21+ a missing go.env defaults to GOPROXY=''
  resulting in errors e.g. with online cmds e.g. go mod download:
  'GOPROXY list is not the empty string, but contains no entries'
  It is not clear why GOPROXY='' is not evaluated as 'the empty
  string'.


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3701-1
Released:    Wed Sep 20 11:19:10 2023
Summary:     Security update for go1.21
Type:        security
Severity:    important
References:  1212475,1215084,1215085,1215086,1215087,1215090,CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322
This update for go1.21 fixes the following issues:

Update to go1.21.1 (bsc#1212475).

- CVE-2023-39318: Fixed improper handling of HTML-like comments within script contexts in html/template (bsc#1215084).
- CVE-2023-39319: Fixed improper handling of special tags within script contexts in html/template (bsc#1215085).
- CVE-2023-39320: Fixed arbitrary execution in go.mod toolchain directive (bsc#1215086).
- CVE-2023-39321, CVE-2023-39322: Fixed a panic when processing post-handshake message on QUIC connections in crypto/tls (bsc#1215087).

The following non-security bug was fixed:

- Add missing directory pprof html asset directory to package (bsc#1215090).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4017-1
Released:    Mon Oct  9 19:23:23 2023
Summary:     Security update for go1.21
Type:        security
Severity:    important
References:  1212475,1215985,CVE-2023-39323
This update for go1.21 fixes the following issues:

- Updated to version 1.21.2 (bsc#1212475):

  - CVE-2023-39323: Fixed an arbitrary execution issue during build
    time due to path directive bypass (bsc#1215985).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4069-1
Released:    Fri Oct 13 10:09:29 2023
Summary:     Security update for go1.21
Type:        security
Severity:    important
References:  1212475,1216109,CVE-2023-39325,CVE-2023-44487
This update for go1.21 fixes the following issues:

- Update to go1.21.3 (bsc#1212475)
- CVE-2023-39325: Fixed a flaw that can lead to a DoS due to a rapid stream resets causing excessive work. This is also known as CVE-2023-44487. (bsc#1216109)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4471-1
Released:    Thu Nov 16 19:00:52 2023
Summary:     Security update for go1.21
Type:        security
Severity:    moderate
References:  1212475,1216943,1216944,CVE-2023-45283,CVE-2023-45284
This update for go1.21 fixes the following issues:

go1.21.4 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker, the
runtime, the compiler, and the go/types, net/http, and
runtime/cgo packages.

* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* spec: update unification rules
* cmd/compile: internal compiler error: expected struct value to have type struct
* cmd/link: split text sections for arm 32-bit
* runtime: MADV_COLLAPSE causes production performance issues on Linux
* go/types, x/tools/go/ssa: panic: type param without replacement encountered
* cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
* net/http: http2 page fails on firefox/safari if pushing resources

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4709-1
Released:    Mon Dec 11 10:45:08 2023
Summary:     Security update for go1.21
Type:        security
Severity:    important
References:  1212475,1216943,1217833,1217834,CVE-2023-39326,CVE-2023-45284,CVE-2023-45285
This update for go1.21 fixes the following issues:

Update to go1.21.5:

- CVE-2023-45285: cmd/go: git VCS qualifier in module path uses git:// scheme (bsc#1217834).
- CVE-2023-45284: path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4 (bsc#1216943).
- CVE-2023-39326: net/http: limit chunked data overhead (bsc#1217833).
- cmd/go: go mod download needs to support toolchain upgrades
- cmd/compile: invalid pointer found on stack when compiled with -race
- os: NTFS deduped file changed from regular to irregular
- net: TCPConn.ReadFrom hangs when io.Reader is TCPConn or UnixConn, Linux kernel < 5.1
- cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents
- syscall: TestOpenFileLimit unintentionally runs on non-Unix platforms
- runtime: self-deadlock on mheap_.lock
- crypto/rand: Legacy RtlGenRandom use on Windows

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:139-1
Released:    Thu Jan 18 11:33:54 2024
Summary:     Recommended update for go1.21
Type:        recommended
Severity:    moderate
References:  1212475
This update for go1.21 fixes the following issues:

go1.21.6 (released 2024-01-09) includes fixes to the compiler,
the runtime, and the crypto/tls, maps, and runtime/pprof
packages. (bsc#1212475)

* x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
* runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
* cmd/compile: linux/s390x: inlining bug in s390x
* maps: maps.Clone reference semantics when cloning a map with large value types
* runtime: excessive memory use between 1.21.0 -> 1.21.1
* cmd/compile: max/min builtin broken when used with string(byte) conversions
* runtime/pprof: incorrect function names for generics functions
* crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3
* runtime: race condition raised with parallel tests, panic(nil) and -race

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released:    Tue Feb 20 17:05:52 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released:    Tue Feb 20 17:22:17 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- rpm-ndb-4.14.3-150400.59.7.1 updated
- go1.21-doc-1.21.6-150000.1.21.1 added
- go1.21-1.21.6-150000.1.21.1 added
- go1.21-race-1.21.6-150000.1.21.1 added
- container:sles15-image-15.0.0-36.11.6 updated
- go1.20-1.20.13-150000.1.38.1 removed
- go1.20-doc-1.20.13-150000.1.38.1 removed
- go1.20-race-1.20.13-150000.1.38.1 removed

From sle-container-updates at lists.suse.com  Wed Feb 28 08:02:35 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:02:35 +0100 (CET)
Subject: SUSE-CU-2024:735-1: Recommended update of bci/golang
Message-ID: <20240228080235.87F29F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:735-1
Container Tags        : bci/golang:1.20-openssl , bci/golang:1.20-openssl-12.11 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-12.11
Container Release     : 12.11
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:02:55 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:02:55 +0100 (CET)
Subject: SUSE-CU-2024:736-1: Security update of bci/php-apache
Message-ID: <20240228080255.4A746F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:736-1
Container Tags        : bci/php-apache:8 , bci/php-apache:8-12.13
Container Release     : 12.13
Severity              : moderate
Type                  : security
References            : 1218862 1218865 CVE-2024-0553 CVE-2024-0567 
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:638-1
Released:    Tue Feb 27 10:36:11 2024
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1218862,1218865,CVE-2024-0553,CVE-2024-0567
This update for gnutls fixes the following issues:

- CVE-2024-0567: Fixed an incorrect rejection of certificate chains
  with distributed trust (bsc#1218862).
- CVE-2024-0553: Fixed a timing attack against the RSA-PSK key
  exchange, which could lead to the leakage of sensitive data
  (bsc#1218865).


The following package changes have been done:

- libgnutls30-3.7.3-150400.4.41.3 updated
- libgnutls30-hmac-3.7.3-150400.4.41.3 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:03:13 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:03:13 +0100 (CET)
Subject: SUSE-CU-2024:737-1: Security update of bci/php
Message-ID: <20240228080313.57824F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:737-1
Container Tags        : bci/php:8 , bci/php:8-12.13
Container Release     : 12.13
Severity              : moderate
Type                  : security
References            : 1218862 1218865 CVE-2024-0553 CVE-2024-0567 
-----------------------------------------------------------------

The container bci/php was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:638-1
Released:    Tue Feb 27 10:36:11 2024
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1218862,1218865,CVE-2024-0553,CVE-2024-0567
This update for gnutls fixes the following issues:

- CVE-2024-0567: Fixed an incorrect rejection of certificate chains
  with distributed trust (bsc#1218862).
- CVE-2024-0553: Fixed a timing attack against the RSA-PSK key
  exchange, which could lead to the leakage of sensitive data
  (bsc#1218865).


The following package changes have been done:

- libgnutls30-3.7.3-150400.4.41.3 updated
- libgnutls30-hmac-3.7.3-150400.4.41.3 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:03:33 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:03:33 +0100 (CET)
Subject: SUSE-CU-2024:738-1: Recommended update of suse/postgres
Message-ID: <20240228080333.5A478F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:738-1
Container Tags        : suse/postgres:15 , suse/postgres:15-17.12 , suse/postgres:15.6 , suse/postgres:15.6-17.12
Container Release     : 17.12
Severity              : moderate
Type                  : recommended
References            : 1219340 
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:635-1
Released:    Tue Feb 27 10:03:23 2024
Summary:     Recommended update for postgresql
Type:        recommended
Severity:    moderate
References:  1219340
This update for postgresql fixes the following issues:

- Require fillup package to properly create the config file (bsc#1219340)


The following package changes have been done:

- postgresql-16-150500.10.6.1 updated
- postgresql-server-16-150500.10.6.1 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:03:52 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:03:52 +0100 (CET)
Subject: SUSE-CU-2024:739-1: Recommended update of bci/python
Message-ID: <20240228080352.D6652F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:739-1
Container Tags        : bci/python:3 , bci/python:3-17.11 , bci/python:3.11 , bci/python:3.11-17.11 , bci/python:latest
Container Release     : 17.11
Severity              : important
Type                  : recommended
References            : 1216752 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Wed Feb 28 08:04:12 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:04:12 +0100 (CET)
Subject: SUSE-CU-2024:740-1: Recommended update of bci/rust
Message-ID: <20240228080412.6EC96F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:740-1
Container Tags        : bci/rust:1.75 , bci/rust:1.75-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1
Container Release     : 2.1
Severity              : moderate
Type                  : recommended
References            : 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:80-1
Released:    Wed Jan 10 16:04:05 2024
Summary:     Recommended update for rust, rust1.75
Type:        recommended
Severity:    moderate
References:  
This update for rust, rust1.75 fixes the following issues:

This update ships rust 1.75.

Version 1.75.0 (2023-12-28)
==========================

Language
--------

- Stabilize `async fn` and return-position `impl Trait` in traits.
- Allow function pointer signatures containing `&mut T` in `const` contexts.
- Match `usize`/`isize` exhaustively with half-open ranges.
- Guarantee that `char` has the same size and alignment as `u32`.
- Document that the null pointer has the 0 address.
- Allow partially moved values in `match`.
- Add notes about non-compliant FP behavior on 32bit x86 targets.
- Stabilize ratified RISC-V target features.

Compiler
--------

- Rework negative coherence to properly consider impls that only partly overlap.
- Bump `COINDUCTIVE_OVERLAP_IN_COHERENCE` to deny, and warn in dependencies.
- Consider alias bounds when computing liveness in NLL.
- Add the V (vector) extension to the `riscv64-linux-android` target spec.
- Automatically enable cross-crate inlining for small functions

Libraries
---------

- Override `Waker::clone_from` to avoid cloning `Waker`s unnecessarily.
- Implement `BufRead` for `VecDeque<u8>`.
- Implement `FusedIterator` for `DecodeUtf16` when the inner iterator does.
- Implement `Not, Bit{And,Or}{,Assign}` for IP addresses.
- Implement `Default` for `ExitCode`.
- Guarantee representation of None in NPO
- Document when atomic loads are guaranteed read-only.
- Broaden the consequences of recursive TLS initialization.
- Windows: Support sub-millisecond sleep.
- Fix generic bound of `str::SplitInclusive`'s `DoubleEndedIterator` impl
- Fix exit status / wait status on non-Unix `cfg(unix)` platforms.

Stabilized APIs
---------------

- `Atomic*::from_ptr`
- `FileTimes`
- `FileTimesExt`
- `File::set_modified`
- `File::set_times`
- `IpAddr::to_canonical`
- `Ipv6Addr::to_canonical`
- `Option::as_slice`
- `Option::as_mut_slice`
- `pointer::byte_add`
- `pointer::byte_offset`
- `pointer::byte_offset_from`
- `pointer::byte_sub`
- `pointer::wrapping_byte_add`
- `pointer::wrapping_byte_offset`
- `pointer::wrapping_byte_sub`

These APIs are now stable in const contexts:

- `Ipv6Addr::to_ipv4_mapped`
- `MaybeUninit::assume_init_read`
- `MaybeUninit::zeroed`
- `mem::discriminant`
- `mem::zeroed`

Cargo
-----

- Add new packages to `[workspace.members
- Allow version-less `Cargo.toml` manifests.
- Make browser links out of HTML file paths.

Rustdoc
-------

- Accept less invalid Rust in rustdoc.
- Document lack of object safety on affected traits.
- Hide `#[repr(transparent)
- Show enum discriminant if it is a C-like variant.

Compatibility Notes
-------------------

- Make misalignment a hard error in `const` contexts.
- Fix detecting references to packed unsized fields.
- Remove support for compiler plugins.


The following package changes have been done:

- rust1.75-1.75.0-150500.11.3.1 added
- cargo1.75-1.75.0-150500.11.3.1 added
- cargo1.74-1.74.0-150400.9.3.1 removed
- rust1.74-1.74.0-150400.9.3.1 removed

From sle-container-updates at lists.suse.com  Wed Feb 28 08:04:31 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 28 Feb 2024 09:04:31 +0100 (CET)
Subject: SUSE-CU-2024:741-1: Recommended update of bci/rust
Message-ID: <20240228080431.429BAF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:741-1
Container Tags        : bci/rust:1.76 , bci/rust:1.76-1.2.1 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.1
Container Release     : 2.1
Severity              : moderate
Type                  : recommended
References            : 
-----------------------------------------------------------------

The container bci/rust was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:582-1
Released:    Wed Feb 21 21:04:00 2024
Summary:     Recommended update for rust
Type:        recommended
Severity:    moderate
References:  
This update for rust fixes the following issues:

- Update to version 1.76.0 - for details see the rust1.76 package

Version 1.76.0 (2024-02-08)
==========================

Language
--------

- Document Rust ABI compatibility between various types
- Also: guarantee that char and u32 are ABI-compatible
- Warn against ambiguous wide pointer comparisons
- Add lint `ambiguous_wide_pointer_comparisons` that supersedes `clippy::vtable_address_comparisons`

Compiler
--------

- Lint pinned `#[must_use]` pointers (in particular, `Box<T>` where `T` is `#[must_use]`) in `unused_must_use`.
- Soundness fix: fix computing the offset of an unsized field in a packed struct
- Soundness fix: fix dynamic size/align computation logic for packed types with dyn Trait tail
- Add `$message_type` field to distinguish json diagnostic outputs
- Enable Rust to use the EHCont security feature of Windows
- Add tier 3 {x86_64,i686}-win7-windows-msvc targets
- Add tier 3 aarch64-apple-watchos target
- Add tier 3 arm64e-apple-ios & arm64e-apple-darwin targets

Refer to Rust's [platform support page for more information on Rust's tiered platform support.

Libraries
---------

- Add a column number to `dbg!()`
- Add `std::hash::{DefaultHasher, RandomState}` exports
- Fix rounding issue with exponents in fmt
- Add T: ?Sized to `RwLockReadGuard` and `RwLockWriteGuard`'s Debug impls.
- Windows: Allow `File::create` to work on hidden files

Stabilized APIs
---------------

- `Arc::unwrap_or_clone` (https://doc.rust-lang.org/stable/std/sync/struct.Arc.html#method.unwrap_or_clone)
- `Rc::unwrap_or_clone` (https://doc.rust-lang.org/stable/std/rc/struct.Rc.html#method.unwrap_or_clone)
- `Result::inspect` (https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.inspect)
- `Result::inspect_err` (https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.inspect_err)
- `Option::inspect` (https://doc.rust-lang.org/stable/std/option/enum.Option.html#method.inspect)
- `type_name_of_val` (https://doc.rust-lang.org/stable/std/any/fn.type_name_of_val.html)
- `std::hash::{DefaultHasher, RandomState}` (https://doc.rust-lang.org/stable/std/hash/index.html#structs)
  These were previously available only through `std::collections::hash_map`.
- `ptr::{from_ref, from_mut}` (https://doc.rust-lang.org/stable/std/ptr/fn.from_ref.html)
- `ptr::addr_eq` (https://doc.rust-lang.org/stable/std/ptr/fn.addr_eq.html)

Cargo
-----

See Cargo release notes at https://github.com/rust-lang/cargo/blob/master/CHANGELOG.md#cargo-176-2024-02-08 .

Rustdoc
-------

- Don't merge cfg and doc(cfg) attributes for re-exports
- rustdoc: allow resizing the sidebar / hiding the top bar
- rustdoc-search: add support for traits and associated types
- rustdoc: Add highlighting for comments in items declaration


The following package changes have been done:

- rust1.76-1.76.0-150500.11.3.1 added
- cargo1.76-1.76.0-150500.11.3.1 added
- cargo1.75-1.75.0-150500.11.3.1 removed
- rust1.75-1.75.0-150500.11.3.1 removed

From sle-container-updates at lists.suse.com  Thu Feb 29 08:04:02 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:04:02 +0100 (CET)
Subject: SUSE-CU-2024:746-1: Recommended update of bci/golang
Message-ID: <20240229080402.3676DF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:746-1
Container Tags        : bci/golang:1.21 , bci/golang:1.21-2.2.12 , bci/golang:oldstable , bci/golang:oldstable-2.2.12
Container Release     : 2.12
Severity              : moderate
Type                  : recommended
References            : 1214934 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:641-1
Released:    Wed Feb 28 09:13:19 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1214934
This update for gcc7 fixes the following issues:

- Add support for -fmin-function-alignment.  [bsc#1214934]
- Use %{_target_cpu} to determine host and build.


The following package changes have been done:

- libasan4-7.5.0+r278197-150000.4.41.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.41.1 updated
- libubsan0-7.5.0+r278197-150000.4.41.1 updated
- cpp7-7.5.0+r278197-150000.4.41.1 updated
- gcc7-7.5.0+r278197-150000.4.41.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 29 08:04:12 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:04:12 +0100 (CET)
Subject: SUSE-CU-2024:747-1: Recommended update of bci/golang
Message-ID: <20240229080412.F0F6DF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:747-1
Container Tags        : bci/golang:1.20-openssl , bci/golang:1.20-openssl-12.12 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-12.12
Container Release     : 12.12
Severity              : moderate
Type                  : recommended
References            : 1214934 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:641-1
Released:    Wed Feb 28 09:13:19 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1214934
This update for gcc7 fixes the following issues:

- Add support for -fmin-function-alignment.  [bsc#1214934]
- Use %{_target_cpu} to determine host and build.


The following package changes have been done:

- libasan4-7.5.0+r278197-150000.4.41.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.41.1 updated
- libubsan0-7.5.0+r278197-150000.4.41.1 updated
- cpp7-7.5.0+r278197-150000.4.41.1 updated
- gcc7-7.5.0+r278197-150000.4.41.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 29 08:04:23 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:04:23 +0100 (CET)
Subject: SUSE-CU-2024:748-1: Recommended update of bci/golang
Message-ID: <20240229080423.CF50FF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:748-1
Container Tags        : bci/golang:1.21-openssl , bci/golang:1.21-openssl-12.12 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-12.12
Container Release     : 12.12
Severity              : moderate
Type                  : recommended
References            : 1214934 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:641-1
Released:    Wed Feb 28 09:13:19 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1214934
This update for gcc7 fixes the following issues:

- Add support for -fmin-function-alignment.  [bsc#1214934]
- Use %{_target_cpu} to determine host and build.


The following package changes have been done:

- libasan4-7.5.0+r278197-150000.4.41.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.41.1 updated
- libubsan0-7.5.0+r278197-150000.4.41.1 updated
- cpp7-7.5.0+r278197-150000.4.41.1 updated
- gcc7-7.5.0+r278197-150000.4.41.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 29 08:04:30 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:04:30 +0100 (CET)
Subject: SUSE-CU-2024:749-1: Security update of bci/nodejs
Message-ID: <20240229080430.F0931F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:749-1
Container Tags        : bci/node:20 , bci/node:20-6.12 , bci/node:latest , bci/nodejs:20 , bci/nodejs:20-6.12 , bci/nodejs:latest
Container Release     : 6.12
Severity              : important
Type                  : security
References            : 1219152 1219724 1219992 1219993 1219994 1219995 1219997 1219998
                        1219999 1220014 1220017 CVE-2023-46809 CVE-2024-21890 CVE-2024-21891
                        CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 CVE-2024-22025
                        CVE-2024-24758 CVE-2024-24806 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:643-1
Released:    Wed Feb 28 09:43:41 2024
Summary:     Security update for nodejs20
Type:        security
Severity:    important
References:  1219152,1219724,1219992,1219993,1219994,1219995,1219997,1219998,1219999,1220014,1220017,CVE-2023-46809,CVE-2024-21890,CVE-2024-21891,CVE-2024-21892,CVE-2024-21896,CVE-2024-22017,CVE-2024-22019,CVE-2024-22025,CVE-2024-24758,CVE-2024-24806
This update for nodejs20 fixes the following issues:

Update to 20.11.1: (security updates)

* CVE-2024-21892: Code injection and privilege escalation through Linux capabilities (bsc#1219992).
* CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (bsc#1219993).
* CVE-2024-21896: Path traversal by monkey-patching Buffer internals (bsc#1219994).j
* CVE-2024-22017: setuid() does not drop all privileges due to io_uring (bsc#1219995).
* CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (bsc#1219997).
* CVE-2024-21891: Multiple permission model bypasses due to improper path traversal sequence sanitization (bsc#1219998).
* CVE-2024-21890: Improper handling of wildcards in --allow-fs-read and --allow-fs-write (bsc#1219999).
* CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli decoding (bsc#1220014).
* CVE-2024-24758: undici version 5.28.3 (bsc#1220017).
* CVE-2024-24806: libuv version 1.48.0 (bsc#1219724).

Update to 20.11.0:

* esm: add import.meta.dirname and import.meta.filename
* fs: add c++ fast path for writeFileSync utf8
* module: remove useCustomLoadersIfPresent flag
* module: bootstrap module loaders in shadow realm
* src: add --disable-warning option
* src: create per isolate proxy env template
* src: make process binding data weak
* stream: use Array for Readable buffer
* stream: optimize creation
* test_runner: adds built in lcov reporter
* test_runner: add Date to the supported mock APIs
* test_runner, cli: add --test-timeout flag

Update to 20.10.0:

* --experimental-default-type flag to flip module defaults
* The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected.
* Added flush option in file system functions for fs.writeFile functions
* Added experimental WebSocket client
* vm: fix V8 compilation cache support for vm.Script. This fixes performance regression since v16.x when support for importModuleDynamically was added to vm.Script


The following package changes have been done:

- nodejs20-20.11.1-150500.11.6.1 updated
- npm20-20.11.1-150500.11.6.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 29 08:05:32 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:05:32 +0100 (CET)
Subject: SUSE-CU-2024:752-1: Security update of bci/php-fpm
Message-ID: <20240229080532.C32D2F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:752-1
Container Tags        : bci/php-fpm:8 , bci/php-fpm:8-12.13
Container Release     : 12.13
Severity              : important
Type                  : security
References            : 1216752 1218862 1218865 CVE-2024-0553 CVE-2024-0567 
-----------------------------------------------------------------

The container bci/php-fpm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:638-1
Released:    Tue Feb 27 10:36:11 2024
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1218862,1218865,CVE-2024-0553,CVE-2024-0567
This update for gnutls fixes the following issues:

- CVE-2024-0567: Fixed an incorrect rejection of certificate chains
  with distributed trust (bsc#1218862).
- CVE-2024-0553: Fixed a timing attack against the RSA-PSK key
  exchange, which could lead to the leakage of sensitive data
  (bsc#1218865).


The following package changes have been done:

- rpm-ndb-4.14.3-150400.59.7.1 updated
- libgnutls30-3.7.3-150400.4.41.3 updated
- libgnutls30-hmac-3.7.3-150400.4.41.3 updated
- container:sles15-image-15.0.0-36.11.6 updated

From sle-container-updates at lists.suse.com  Thu Feb 29 08:05:38 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:05:38 +0100 (CET)
Subject: SUSE-CU-2024:753-1: Recommended update of suse/postgres
Message-ID: <20240229080538.990E7F7A4@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:753-1
Container Tags        : suse/postgres:16 , suse/postgres:16-6.13 , suse/postgres:16.2 , suse/postgres:16.2-6.13 , suse/postgres:latest
Container Release     : 6.13
Severity              : moderate
Type                  : recommended
References            : 1219340 
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:635-1
Released:    Tue Feb 27 10:03:23 2024
Summary:     Recommended update for postgresql
Type:        recommended
Severity:    moderate
References:  1219340
This update for postgresql fixes the following issues:

- Require fillup package to properly create the config file (bsc#1219340)


The following package changes have been done:

- postgresql-16-150500.10.6.1 updated
- postgresql-server-16-150500.10.6.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 29 08:05:56 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:05:56 +0100 (CET)
Subject: SUSE-CU-2024:754-1: Recommended update of bci/ruby
Message-ID: <20240229080556.4CC1DF7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:754-1
Container Tags        : bci/ruby:2 , bci/ruby:2-16.11 , bci/ruby:2.5 , bci/ruby:2.5-16.11 , bci/ruby:latest
Container Release     : 16.11
Severity              : moderate
Type                  : recommended
References            : 1214934 
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:641-1
Released:    Wed Feb 28 09:13:19 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1214934
This update for gcc7 fixes the following issues:

- Add support for -fmin-function-alignment.  [bsc#1214934]
- Use %{_target_cpu} to determine host and build.


The following package changes have been done:

- libasan4-7.5.0+r278197-150000.4.41.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.41.1 updated
- libubsan0-7.5.0+r278197-150000.4.41.1 updated
- cpp7-7.5.0+r278197-150000.4.41.1 updated
- libstdc++6-devel-gcc7-7.5.0+r278197-150000.4.41.1 updated
- gcc7-7.5.0+r278197-150000.4.41.1 updated
- gcc7-c++-7.5.0+r278197-150000.4.41.1 updated

From sle-container-updates at lists.suse.com  Thu Feb 29 08:06:01 2024
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 29 Feb 2024 09:06:01 +0100 (CET)
Subject: SUSE-CU-2024:755-1: Recommended update of
 bci/bci-sle15-kernel-module-devel
Message-ID: <20240229080601.1D4F1F7A4@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:755-1
Container Tags        : bci/bci-sle15-kernel-module-devel:15.5 , bci/bci-sle15-kernel-module-devel:15.5.6.14 , bci/bci-sle15-kernel-module-devel:latest
Container Release     : 6.14
Severity              : moderate
Type                  : recommended
References            : 1214934 
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:641-1
Released:    Wed Feb 28 09:13:19 2024
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1214934
This update for gcc7 fixes the following issues:

- Add support for -fmin-function-alignment.  [bsc#1214934]
- Use %{_target_cpu} to determine host and build.


The following package changes have been done:

- libasan4-7.5.0+r278197-150000.4.41.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.41.1 updated
- libubsan0-7.5.0+r278197-150000.4.41.1 updated
- cpp7-7.5.0+r278197-150000.4.41.1 updated
- gcc7-7.5.0+r278197-150000.4.41.1 updated