SUSE-IU-2024:282-1: Security update of suse-sles-15-sp4-chost-byos-v20240312-x86_64-gen2

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Thu Mar 14 08:01:08 UTC 2024


SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20240312-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2024:282-1
Image Tags        : suse-sles-15-sp4-chost-byos-v20240312-x86_64-gen2:20240312
Image Release     : 
Severity          : critical
Type              : security
References        : 1027519 1029961 1084909 1107342 1108281 1158830 1170415 1170446
                        1177529 1178760 1179610 1183045 1183663 1193173 1193285 1196293
                        1198269 1198533 1201010 1201384 1206798 1207987 1209122 1209834
                        1210141 1210447 1210638 1211162 1211188 1211190 1211226 1211547
                        1211886 1212091 1212160 1212584 1213229 1213500 1214076 1214169
                        1214169 1214286 1214668 1214747 1214788 1214823 1214976 1215124
                        1215229 1215237 1215241 1215275 1215292 1215294 1215323 1215420
                        1215434 1215458 1215496 1215692 1215696 1215698 1215710 1215740
                        1215794 1215885 1215885 1216007 1216011 1216016 1216049 1216057
                        1216058 1216105 1216259 1216388 1216390 1216412 1216522 1216559
                        1216584 1216693 1216702 1216752 1216759 1216776 1216827 1216844
                        1216853 1216861 1216909 1216959 1216965 1216976 1216987 1217000
                        1217036 1217036 1217068 1217086 1217124 1217140 1217195 1217200
                        1217205 1217217 1217217 1217237 1217250 1217277 1217287 1217292
                        1217332 1217366 1217460 1217513 1217515 1217592 1217593 1217598
                        1217599 1217602 1217609 1217670 1217687 1217692 1217695 1217696
                        1217731 1217775 1217780 1217790 1217801 1217873 1217895 1217933
                        1217938 1217946 1217947 1217950 1217952 1217961 1217969 1217980
                        1217981 1217982 1217987 1217988 1217989 1218014 1218056 1218126
                        1218139 1218184 1218186 1218201 1218209 1218215 1218234 1218253
                        1218258 1218282 1218291 1218335 1218357 1218364 1218447 1218475
                        1218515 1218559 1218561 1218569 1218571 1218571 1218649 1218659
                        1218689 1218713 1218730 1218739 1218752 1218757 1218762 1218763
                        1218765 1218768 1218782 1218799 1218804 1218831 1218832 1218836
                        1218851 1218862 1218865 1218894 1218894 1218916 1218926 1218927
                        1218929 1218930 1218952 1218968 1219026 1219053 1219120 1219123
                        1219123 1219128 1219189 1219189 1219238 1219243 1219265 1219267
                        1219268 1219349 1219412 1219425 1219429 1219434 1219438 1219442
                        1219490 1219576 1219608 1219751 1219823 1219826 1219851 1219852
                        1219853 1219854 1220117 1220385 1220389 CVE-2020-12912 CVE-2020-26555
                        CVE-2020-8694 CVE-2020-8695 CVE-2021-33631 CVE-2023-1667 CVE-2023-1786
                        CVE-2023-2006 CVE-2023-2283 CVE-2023-25775 CVE-2023-27043 CVE-2023-38472
                        CVE-2023-39197 CVE-2023-39198 CVE-2023-39804 CVE-2023-4244 CVE-2023-42465
                        CVE-2023-4408 CVE-2023-45863 CVE-2023-45871 CVE-2023-46838 CVE-2023-46839
                        CVE-2023-46862 CVE-2023-47233 CVE-2023-48795 CVE-2023-48795 CVE-2023-49083
                        CVE-2023-4921 CVE-2023-50387 CVE-2023-50495 CVE-2023-50868 CVE-2023-51042
                        CVE-2023-51043 CVE-2023-51385 CVE-2023-5158 CVE-2023-51779 CVE-2023-51780
                        CVE-2023-51782 CVE-2023-5517 CVE-2023-5679 CVE-2023-5717 CVE-2023-5981
                        CVE-2023-6004 CVE-2023-6039 CVE-2023-6040 CVE-2023-6121 CVE-2023-6176
                        CVE-2023-6356 CVE-2023-6516 CVE-2023-6531 CVE-2023-6535 CVE-2023-6536
                        CVE-2023-6546 CVE-2023-6606 CVE-2023-6610 CVE-2023-6622 CVE-2023-6915
                        CVE-2023-6918 CVE-2023-6931 CVE-2023-6932 CVE-2023-7207 CVE-2023-7207
                        CVE-2024-0340 CVE-2024-0553 CVE-2024-0565 CVE-2024-0567 CVE-2024-0641
                        CVE-2024-0727 CVE-2024-0775 CVE-2024-1085 CVE-2024-1086 CVE-2024-21626
                        CVE-2024-21626 CVE-2024-22365 CVE-2024-23651 CVE-2024-23652 CVE-2024-23653
                        CVE-2024-24860 CVE-2024-25062 
-----------------------------------------------------------------

The container suse-sles-15-sp4-chost-byos-v20240312-x86_64-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4810-1
Released:    Wed Dec 13 18:59:03 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1084909,1210447,1214286,1214976,1215124,1215292,1215420,1215458,1215710,1216058,1216105,1216259,1216584,1216693,1216759,1216844,1216861,1216909,1216959,1216965,1216976,1217036,1217068,1217086,1217124,1217140,1217195,1217200,1217205,1217332,1217366,1217515,1217598,1217599,1217609,1217687,1217731,1217780,CVE-2023-2006,CVE-2023-25775,CVE-2023-39197,CVE-2023-39198,CVE-2023-4244,CVE-2023-45863,CVE-2023-45871,CVE-2023-46862,CVE-2023-5158,CVE-2023-5717,CVE-2023-6039,CVE-2023-6176
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2023-6176: Fixed a denial of service in the cryptographic algorithm scatterwalk functionality (bsc#1217332).
- CVE-2023-2006: Fixed a race condition in the RxRPC network protocol (bsc#1210447).
- CVE-2023-39197: Fixed a out-of-bounds read in nf_conntrack_dccp_packet() (bsc#1216976).
- CVE-2023-4244: Fixed a use-after-free in the nf_tables component, which could be exploited to achieve local privilege escalation (bsc#1215420).
- CVE-2023-6039: Fixed a use-after-free in lan78xx_disconnect in drivers/net/usb/lan78xx.c (bsc#1217068).
- CVE-2023-45863: Fixed a out-of-bounds write in fill_kobj_path() (bsc#1216058).
- CVE-2023-5158: Fixed a denial of service in vringh_kiov_advance() in drivers/vhost/vringh.c in the host side of a virtio ring (bsc#1215710).
- CVE-2023-45871: Fixed an issue in the IGB driver, where the buffer size may not be adequate for frames larger than the MTU (bsc#1216259).
- CVE-2023-5717: Fixed a heap out-of-bounds write vulnerability in the Performance Events component (bsc#1216584).
- CVE-2023-39198: Fixed a race condition leading to use-after-free in qxl_mode_dumb_create() (bsc#1216965).
- CVE-2023-25775: Fixed improper access control in the Intel Ethernet Controller RDMA driver (bsc#1216959).
- CVE-2023-46862: Fixed a NULL pointer dereference in io_uring_show_fdinfo() (bsc#1216693).

The following non-security bugs were fixed:

- ACPI: FPDT: properly handle invalid FPDT subtables (git-fixes).
- ACPI: resource: Do IRQ override on TongFang GMxXGxx (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA (git-fixes).
- ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() (git-fixes).
- ALSA: hda/realtek - Add Dell ALC295 to pin fall back table (git-fixes).
- ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC (git-fixes).
- ALSA: hda/realtek: Add quirks for HP Laptops (git-fixes).
- ALSA: hda/realtek: Enable Mute LED on HP 255 G10 (git-fixes).
- ALSA: hda/realtek: Enable Mute LED on HP 255 G8 (git-fixes).
- ALSA: hda: Disable power-save on KONTRON SinglePC (bsc#1217140).
- ALSA: hda: Fix possible null-ptr-deref when assigning a stream (git-fixes).
- ALSA: hda: cs35l41: Fix unbalanced pm_runtime_get() (git-fixes).
- ALSA: hda: cs35l41: Undo runtime PM changes at driver exit time (git-fixes).
- ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection (git-fixes).
- ALSA: info: Fix potential deadlock at disconnection (git-fixes).
- ARM: 9321/1: memset: cast the constant byte to unsigned char (git-fixes).
- ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails (git-fixes).
- ASoC: ams-delta.c: use component after check (git-fixes).
- ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix (git-fixes).
- ASoC: cs35l41: Undo runtime PM changes at driver exit time (git-fixes).
- ASoC: cs35l41: Verify PM runtime resume errors in IRQ handler (git-fixes).
- ASoC: fsl: Fix PM disable depth imbalance in fsl_easrc_probe (git-fixes).
- ASoC: fsl: mpc5200_dma.c: Fix warning of Function parameter or member not described (git-fixes).
- ASoC: hdmi-codec: register hpd callback on component probe (git-fixes).
- ASoC: rt5650: fix the wrong result of key button (git-fixes).
- ASoC: simple-card: fixup asoc_simple_probe() error handling (git-fixes).
- ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings (git-fixes).
- Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE (git-fixes).
- Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables (git-fixes).
- Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559 (git-fixes).
- Bluetooth: btusb: Add date->evt_skb is NULL check (git-fixes).
- Drivers: hv: vmbus: Remove unused extern declaration vmbus_ontimer() (git-fixes).
- HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W (git-fixes).
- HID: hyperv: Replace one-element array with flexible-array member (git-fixes).
- HID: hyperv: avoid struct memcpy overrun warning (git-fixes).
- HID: hyperv: remove unused struct synthhid_msg (git-fixes).
- HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround (git-fixes).
- HID: logitech-hidpp: Do not restart IO, instead defer hid_connect() only (git-fixes).
- HID: logitech-hidpp: Move get_wireless_feature_index() check to hidpp_connect_event() (git-fixes).
- HID: logitech-hidpp: Remove HIDPP_QUIRK_NO_HIDINPUT quirk (git-fixes).
- HID: logitech-hidpp: Revert 'Do not restart communication if not necessary' (git-fixes).
- Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() (git-fixes).
- Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport (git-fixes).
- Input: xpad - add VID for Turtle Beach controllers (git-fixes).
- PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common() (git-fixes).
- PCI/sysfs: Protect driver's D3cold preference from user space (git-fixes).
- PCI: Disable ATS for specific Intel IPU E2000 devices (bsc#1215458).
- PCI: Extract ATS disabling to a helper function (bsc#1215458).
- PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device (git-fixes).
- PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk (git-fixes).
- PCI: Use FIELD_GET() to extract Link Width (git-fixes).
- PCI: exynos: Do not discard .remove() callback (git-fixes).
- PCI: keystone: Do not discard .probe() callback (git-fixes).
- PCI: keystone: Do not discard .remove() callback (git-fixes).
- PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields (git-fixes).
- PM / devfreq: rockchip-dfi: Make pmu regmap mandatory (git-fixes).
- PM: hibernate: Use __get_safe_page() rather than touching the list (git-fixes).
- USB: dwc2: write HCINT with INTMASK applied (bsc#1214286).
- USB: dwc3: qcom: fix ACPI platform device leak (git-fixes).
- USB: dwc3: qcom: fix resource leaks on probe deferral (git-fixes).
- USB: dwc3: qcom: fix software node leak on probe errors (git-fixes).
- USB: dwc3: qcom: fix wakeup after probe deferral (git-fixes).
- USB: serial: option: add Fibocom L7xx modules (git-fixes).
- USB: serial: option: add Luat Air72*U series products (git-fixes).
- USB: serial: option: do not claim interface 4 for ZTE MF290 (git-fixes).
- USB: serial: option: fix FM101R-GL defines (git-fixes).
- USB: usbip: fix stub_dev hub disconnect (git-fixes).
- arm/xen: fix xen_vcpu_info allocation alignment (git-fixes).
- arm64: Add Cortex-A520 CPU part definition (git-fixes)
- arm64: allow kprobes on EL0 handlers (git-fixes)
- arm64: armv8_deprecated move emulation functions (git-fixes)
- arm64: armv8_deprecated: fix unused-function error (git-fixes)
- arm64: armv8_deprecated: fold ops into insn_emulation (git-fixes)
- arm64: armv8_deprecated: move aarch32 helper earlier (git-fixes)
- arm64: armv8_deprecated: rework deprected instruction handling (git-fixes)
- arm64: consistently pass ESR_ELx to die() (git-fixes)
- arm64: die(): pass 'err' as long (git-fixes)
- arm64: factor insn read out of call_undef_hook() (git-fixes)
- arm64: factor out EL1 SSBS emulation hook (git-fixes)
- arm64: report EL1 UNDEFs better (git-fixes)
- arm64: rework BTI exception handling (git-fixes)
- arm64: rework EL0 MRS emulation (git-fixes)
- arm64: rework FPAC exception handling (git-fixes)
- arm64: split EL0/EL1 UNDEF handlers (git-fixes)
- ata: pata_isapnp: Add missing error check for devm_ioport_map() (git-fixes).
- atl1c: Work around the DMA RX overflow issue (git-fixes).
- atm: iphase: Do PCI error checks on own line (git-fixes).
- blk-mq: Do not clear driver tags own mapping (bsc#1217366).
- blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping() (bsc#1217366).
- bluetooth: Add device 0bda:887b to device tables (git-fixes).
- bluetooth: Add device 13d3:3571 to device tables (git-fixes).
- can: dev: can_put_echo_skb(): do not crash kernel if can_priv::echo_skb is accessed out of bounds (git-fixes).
- can: dev: can_restart(): do not crash kernel if carrier is OK (git-fixes).
- can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on() (git-fixes).
- can: isotp: add local echo tx processing for consecutive frames (git-fixes).
- can: isotp: fix race between isotp_sendsmg() and isotp_release() (git-fixes).
- can: isotp: fix tx state handling for echo tx processing (git-fixes).
- can: isotp: handle wait_event_interruptible() return values (git-fixes).
- can: isotp: isotp_bind(): return -EINVAL on incorrect CAN ID formatting (git-fixes).
- can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior (git-fixes).
- can: isotp: remove re-binding of bound socket (git-fixes).
- can: isotp: sanitize CAN ID checks in isotp_bind() (git-fixes).
- can: isotp: set max PDU size to 64 kByte (git-fixes).
- can: isotp: split tx timer into transmission and timeout (git-fixes).
- can: sja1000: Fix comment (git-fixes).
- clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name (git-fixes).
- clk: imx: Select MXC_CLK for CLK_IMX8QXP (git-fixes).
- clk: imx: imx8mq: correct error handling path (git-fixes).
- clk: imx: imx8qxp: Fix elcdif_pll clock (git-fixes).
- clk: keystone: pll: fix a couple NULL vs IS_ERR() checks (git-fixes).
- clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data (git-fixes).
- clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data (git-fixes).
- clk: npcm7xx: Fix incorrect kfree (git-fixes).
- clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies (git-fixes).
- clk: qcom: config IPQ_APSS_6018 should depend on QCOM_SMEM (git-fixes).
- clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src (git-fixes).
- clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks (git-fixes).
- clk: qcom: mmcc-msm8998: Do not check halt bit on some branch clks (git-fixes).
- clk: qcom: mmcc-msm8998: Fix the SMMU GDSC (git-fixes).
- clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped (git-fixes).
- clk: ti: Add ti_dt_clk_name() helper to use clock-output-names (git-fixes).
- clk: ti: Update component clocks to use ti_dt_clk_name() (git-fixes).
- clk: ti: Update pll and clockdomain clocks to use ti_dt_clk_name() (git-fixes).
- clk: ti: change ti_clk_register[_omap_hw]() API (git-fixes).
- clk: ti: fix double free in of_ti_divider_clk_setup() (git-fixes).
- crypto: caam/jr - fix Chacha20 + Poly1305 self test failure (git-fixes).
- crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure (git-fixes).
- crypto: hisilicon/hpre - Fix a erroneous check after snprintf() (git-fixes).
- dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() (git-fixes).
- dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe (git-fixes).
- dmaengine: stm32-mdma: correct desc prep when channel running (git-fixes).
- dmaengine: ti: edma: handle irq_of_parse_and_map() errors (git-fixes).
- docs: net: move the probe and open/close sections of driver.rst up (bsc#1215458).
- docs: net: reformat driver.rst from a list to sections (bsc#1215458).
- docs: net: use C syntax highlight in driver.rst (bsc#1215458).
- drm/amd/display: Avoid NULL dereference of timing generator (git-fixes).
- drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox (git-fixes).
- drm/amd/display: remove useless check in should_enable_fbc() (git-fixes).
- drm/amd/display: use full update for clip size increase of large plane source (git-fixes).
- drm/amd/pm: Handle non-terminated overdrive commands (git-fixes).
- drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga (git-fixes).
- drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 (git-fixes).
- drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL (git-fixes).
- drm/amdgpu: Fix potential null pointer derefernce (git-fixes).
- drm/amdgpu: do not use ATRM for external devices (git-fixes).
- drm/amdgpu: fix error handling in amdgpu_bo_list_get() (git-fixes).
- drm/amdgpu: fix software pci_unplug on some chips (git-fixes).
- drm/amdkfd: Fix a race condition of vram buffer unref in svm code (git-fixes).
- drm/amdkfd: Fix shift out-of-bounds issue (git-fixes).
- drm/amdkfd: fix some race conditions in vram buffer alloc/free of svm code (git-fixes).
- drm/bridge: Fix kernel-doc typo in desc of output_bus_cfg in drm_bridge_state (git-fixes).
- drm/bridge: lt8912b: Add missing drm_bridge_attach call (git-fixes).
- drm/bridge: lt8912b: Fix bridge_detach (git-fixes).
- drm/bridge: lt8912b: Fix crash on bridge detach (git-fixes).
- drm/bridge: lt8912b: Manually disable HPD only if it was enabled (git-fixes).
- drm/bridge: lt8912b: Register and attach our DSI device at probe (git-fixes).
- drm/bridge: lt8912b: Switch to devm MIPI-DSI helpers (git-fixes).
- drm/bridge: lt9611uxc: Register and attach our DSI device at probe (git-fixes).
- drm/bridge: lt9611uxc: Switch to devm MIPI-DSI helpers (git-fixes).
- drm/bridge: lt9611uxc: fix the race in the error path (git-fixes).
- drm/bridge: tc358768: Disable non-continuous clock mode (git-fixes).
- drm/bridge: tc358768: Fix bit updates (git-fixes).
- drm/bridge: tc358768: Fix use of uninitialized variable (git-fixes).
- drm/gud: Use size_add() in call to struct_size() (git-fixes).
- drm/i915/pmu: Check if pmu is closed before stopping event (git-fixes).
- drm/i915: Fix potential spectre vulnerability (git-fixes).
- drm/komeda: drop all currently held locks if deadlock happens (git-fixes).
- drm/mediatek: Fix iommu fault by swapping FBs after updating plane state (git-fixes).
- drm/mediatek: Fix iommu fault during crtc enabling (git-fixes).
- drm/mipi-dsi: Create devm device attachment (git-fixes).
- drm/mipi-dsi: Create devm device registration (git-fixes).
- drm/msm/dp: skip validity check for DP CTS EDID checksum (git-fixes).
- drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference (git-fixes).
- drm/panel: fix a possible null pointer dereference (git-fixes).
- drm/panel: simple: Fix Innolux G101ICE-L01 bus flags (git-fixes).
- drm/panel: simple: Fix Innolux G101ICE-L01 timings (git-fixes).
- drm/panel: st7703: Pick different reset sequence (git-fixes).
- drm/qxl: prevent memory leak (git-fixes).
- drm/radeon: possible buffer overflow (git-fixes).
- drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map() (git-fixes).
- drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() (git-fixes).
- drm/rockchip: vop: Fix call to crtc reset helper (git-fixes).
- drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full (git-fixes).
- drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs (git-fixes).
- drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE (git-fixes).
- drm/vc4: fix typo (git-fixes).
- drm: vmwgfx_surface.c: copy user-array safely (git-fixes).
- dt-bindings: usb: hcd: add missing phy name to example (git-fixes).
- dt-bindings: usb: qcom,dwc3: fix example wakeup interrupt types (git-fixes).
- fbdev: fsl-diu-fb: mark wr_reg_wa() static (git-fixes).
- fbdev: imsttfb: Fix error path of imsttfb_probe() (git-fixes).
- fbdev: imsttfb: Release framebuffer and dealloc cmap on error path (git-fixes).
- fbdev: imsttfb: fix a resource leak in probe (git-fixes).
- fbdev: imsttfb: fix double free in probe() (git-fixes).
- fbdev: omapfb: Drop unused remove function (git-fixes).
- firewire: core: fix possible memory leak in create_units() (git-fixes).
- firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels() (git-fixes).
- gpio: mockup: fix kerneldoc (git-fixes).
- gpio: mockup: remove unused field (git-fixes).
- hid: cp2112: Fix duplicate workqueue initialization (git-fixes).
- hv: simplify sysctl registration (git-fixes).
- hv_netvsc: Fix race of register_netdevice_notifier and VF register (git-fixes).
- hv_netvsc: Mark VF as slave before exposing it to user-mode (git-fixes).
- hv_netvsc: fix netvsc_send_completion to avoid multiple message length checks (git-fixes).
- hv_netvsc: fix race of netvsc and VF register_netdevice (git-fixes).
- hwmon: (coretemp) Fix potentially truncated sysfs attribute name (git-fixes).
- i2c: aspeed: Fix i2c bus hang in slave read (git-fixes).
- i2c: core: Run atomic i2c xfer when !preemptible (git-fixes).
- i2c: designware: Disable TX_EMPTY irq while waiting for block length byte (git-fixes).
- i2c: dev: copy userspace array safely (git-fixes).
- i2c: i801: fix potential race in i801_block_transaction_byte_by_byte (git-fixes).
- i2c: iproc: handle invalid slave state (git-fixes).
- i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node() (git-fixes).
- i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node() (git-fixes).
- i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() (git-fixes).
- i2c: stm32f7: Fix PEC handling in case of SMBUS transfers (git-fixes).
- i2c: sun6i-p2wi: Prevent potential division by zero (git-fixes).
- i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs (git-fixes).
- i3c: master: cdns: Fix reading status register (git-fixes).
- i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data (git-fixes).
- i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen (git-fixes).
- i3c: master: svc: fix check wrong status register in irq handler (git-fixes).
- i3c: master: svc: fix ibi may not return mandatory data byte (git-fixes).
- i3c: master: svc: fix race condition in ibi work thread (git-fixes).
- i3c: master: svc: fix wrong data return when IBI happen during start frame (git-fixes).
- i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler (git-fixes).
- i915/perf: Fix NULL deref bugs with drm_dbg() calls (git-fixes).
- idpf: add RX splitq napi poll support (bsc#1215458).
- idpf: add SRIOV support and other ndo_ops (bsc#1215458).
- idpf: add TX splitq napi poll support (bsc#1215458).
- idpf: add controlq init and reset checks (bsc#1215458).
- idpf: add core init and interrupt request (bsc#1215458).
- idpf: add create vport and netdev configuration (bsc#1215458).
- idpf: add ethtool callbacks (bsc#1215458).
- idpf: add module register and probe functionality (bsc#1215458).
- idpf: add ptypes and MAC filter support (bsc#1215458).
- idpf: add singleq start_xmit and napi poll (bsc#1215458).
- idpf: add splitq start_xmit (bsc#1215458).
- idpf: cancel mailbox work in error path (bsc#1215458).
- idpf: configure resources for RX queues (bsc#1215458).
- idpf: configure resources for TX queues (bsc#1215458).
- idpf: fix potential use-after-free in idpf_tso() (bsc#1215458).
- idpf: initialize interrupts and enable vport (bsc#1215458).
- idpf: set scheduling mode for completion queue (bsc#1215458).
- iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale (git-fixes).
- iio: adc: xilinx-xadc: Do not clobber preset voltage/temperature thresholds (git-fixes).
- iio: exynos-adc: request second interupt only when touchscreen mode is used (git-fixes).
- irqchip/stm32-exti: add missing DT IRQ flag translation (git-fixes).
- leds: pwm: Do not disable the PWM when the LED should be off (git-fixes).
- leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu' (git-fixes).
- leds: turris-omnia: Do not use SMBUS calls (git-fixes).
- lsm: fix default return value for inode_getsecctx (git-fixes).
- lsm: fix default return value for vm_enough_memory (git-fixes).
- media: bttv: fix use after free error due to btv->timeout timer (git-fixes).
- media: ccs: Correctly initialise try compose rectangle (git-fixes).
- media: ccs: Fix driver quirk struct documentation (git-fixes).
- media: cedrus: Fix clock/reset sequence (git-fixes).
- media: cobalt: Use FIELD_GET() to extract Link Width (git-fixes).
- media: gspca: cpia1: shift-out-of-bounds in set_flicker (git-fixes).
- media: i2c: max9286: Fix some redundant of_node_put() calls (git-fixes).
- media: imon: fix access to invalid resource for the second interface (git-fixes).
- media: lirc: drop trailing space from scancode transmit (git-fixes).
- media: qcom: camss: Fix VFE-17x vfe_disable_output() (git-fixes).
- media: qcom: camss: Fix missing vfe_lite clocks check (git-fixes).
- media: qcom: camss: Fix pm_domain_on sequence in probe (git-fixes).
- media: qcom: camss: Fix vfe_get() error jump (git-fixes).
- media: sharp: fix sharp encoding (git-fixes).
- media: siano: Drop unnecessary error check for debugfs_create_dir/file() (git-fixes).
- media: venus: hfi: add checks to handle capabilities from firmware (git-fixes).
- media: venus: hfi: add checks to perform sanity on queue pointers (git-fixes).
- media: venus: hfi: fix the check to handle session buffer requirement (git-fixes).
- media: venus: hfi_parser: Add check to keep the number of codecs within range (git-fixes).
- media: vidtv: mux: Add check and kfree for kstrdup (git-fixes).
- media: vidtv: psi: Add check for kstrdup (git-fixes).
- media: vivid: avoid integer overflow (git-fixes).
- mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs (git-fixes).
- mfd: core: Ensure disabled devices are skipped without aborting (git-fixes).
- mfd: dln2: Fix double put in dln2_probe (git-fixes).
- misc: fastrpc: Clean buffers on remote invocation failures (git-fixes).
- misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller (git-fixes).
- mm/hmm: fault non-owner device private entries (bsc#1216844, jsc#PED-7237, git-fixes).
- mmc: block: Be sure to wait while busy in CQE error recovery (git-fixes).
- mmc: block: Do not lose cache flush during CQE error recovery (git-fixes).
- mmc: block: Retry commands in CQE error recovery (git-fixes).
- mmc: cqhci: Fix task clearing in CQE error recovery (git-fixes).
- mmc: cqhci: Increase recovery halt timeout (git-fixes).
- mmc: cqhci: Warn of halt or task clear failure (git-fixes).
- mmc: meson-gx: Remove setting of CMD_CFG_ERROR (git-fixes).
- mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2 (git-fixes).
- mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER (git-fixes).
- mmc: sdhci_am654: fix start loop index for TAP value parsing (git-fixes).
- mmc: vub300: fix an error code (git-fixes).
- modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host (git-fixes).
- mt76: dma: use kzalloc instead of devm_kzalloc for txwi (git-fixes).
- mtd: cfi_cmdset_0001: Byte swap OTP info (git-fixes).
- mtd: rawnand: arasan: Include ECC syndrome along with in-band data while checking for ECC failure (git-fixes).
- net-memcg: Fix scope of sockmem pressure indicators (bsc#1216759).
- net: Avoid address overwrite in kernel_connect (bsc#1216861).
- net: add macro netif_subqueue_completed_wake (bsc#1215458).
- net: fix use-after-free in tw_timer_handler (bsc#1217195).
- net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() (git-fixes).
- net: mana: Fix return type of mana_start_xmit() (git-fixes).
- net: piggy back on the memory barrier in bql when waking queues (bsc#1215458).
- net: provide macros for commonly copied lockless queue stop/wake code (bsc#1215458).
- net: usb: ax88179_178a: fix failed operations during ax88179_reset (git-fixes).
- net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg (git-fixes).
- nvme: update firmware version after commit (bsc#1215292).
- pcmcia: cs: fix possible hung task and memory leak pccardd() (git-fixes).
- pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() (git-fixes).
- pcmcia: ds: fix refcount leak in pcmcia_device_add() (git-fixes).
- pinctrl: avoid reload of p state in list iteration (git-fixes).
- platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e (git-fixes).
- platform/x86: wmi: Fix opening of char device (git-fixes).
- platform/x86: wmi: Fix probe failure when failing to register WMI devices (git-fixes).
- platform/x86: wmi: remove unnecessary initializations (git-fixes).
- powerpc: Do not clobber f0/vs0 during fp|altivec register save (bsc#1217780).
- pwm: Fix double shift bug (git-fixes).
- pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume (git-fixes).
- pwm: sti: Reduce number of allocations and drop usage of chip_data (git-fixes).
- r8152: Cancel hw_phy_work if we have an error in probe (git-fixes).
- r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en() (git-fixes).
- r8152: Check for unplug in rtl_phy_patch_request() (git-fixes).
- r8152: Increase USB control msg timeout to 5000ms as per spec (git-fixes).
- r8152: Release firmware if we have an error in probe (git-fixes).
- r8152: Run the unload routine if we have errors during probe (git-fixes).
- regmap: Ensure range selector registers are updated after cache sync (git-fixes).
- regmap: debugfs: Fix a erroneous check after snprintf() (git-fixes).
- regmap: prevent noinc writes from clobbering cache (git-fixes).
- s390/ap: fix AP bus crash on early config change callback invocation (git-fixes bsc#1217687).
- s390/cio: unregister device when the only path is gone (git-fixes bsc#1217609).
- s390/cmma: fix detection of DAT pages (LTC#203997 bsc#1217086).
- s390/cmma: fix handling of swapper_pg_dir and invalid_pg_dir (LTC#203997 bsc#1217086).
- s390/cmma: fix initial kernel address space page table walk (LTC#203997 bsc#1217086).
- s390/crashdump: fix TOD programmable field size (git-fixes bsc#1217205).
- s390/dasd: fix hanging device after request requeue (git-fixes LTC#203629 bsc#1215124).
- s390/dasd: protect device queue against concurrent access (git-fixes bsc#1217515).
- s390/dasd: use correct number of retries for ERP requests (git-fixes bsc#1217598).
- s390/ipl: add missing secure/has_secure file to ipl type 'unknown' (bsc#1214976 git-fixes).
- s390/mm: add missing arch_set_page_dat() call to gmap allocations (LTC#203997 bsc#1217086).
- s390/mm: add missing arch_set_page_dat() call to vmem_crst_alloc() (LTC#203997 bsc#1217086).
- s390/pkey: fix/harmonize internal keyblob headers (git-fixes bsc#1217200).
- s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling (git-fixes bsc#1217599).
- sbsa_gwdt: Calculate timeout with 64-bit math (git-fixes).
- scsi: lpfc: Copyright updates for 14.2.0.16 patches (bsc#1217731).
- scsi: lpfc: Correct maximum PCI function value for RAS fw logging (bsc#1217731).
- scsi: lpfc: Eliminate unnecessary relocking in lpfc_check_nlp_post_devloss() (bsc#1217731).
- scsi: lpfc: Enhance driver logging for selected discovery events (bsc#1217731).
- scsi: lpfc: Fix list_entry null check warning in lpfc_cmpl_els_plogi() (bsc#1217731).
- scsi: lpfc: Fix possible file string name overflow when updating firmware (bsc#1217731).
- scsi: lpfc: Introduce LOG_NODE_VERBOSE messaging flag (bsc#1217124).
- scsi: lpfc: Refactor and clean up mailbox command memory free (bsc#1217731).
- scsi: lpfc: Reject received PRLIs with only initiator fcn role for NPIV ports (bsc#1217124).
- scsi: lpfc: Remove unnecessary zero return code assignment in lpfc_sli4_hba_setup (bsc#1217124).
- scsi: lpfc: Return early in lpfc_poll_eratt() when the driver is unloading (bsc#1217731).
- scsi: lpfc: Treat IOERR_SLI_DOWN I/O completion status the same as pci offline (bsc#1217124).
- scsi: lpfc: Update lpfc version to 14.2.0.15 (bsc#1217124).
- scsi: lpfc: Update lpfc version to 14.2.0.16 (bsc#1217731).
- scsi: lpfc: Validate ELS LS_ACC completion payload (bsc#1217124).
- scsi: qla2xxx: Fix double free of dsd_list during driver load (git-fixes).
- scsi: qla2xxx: Use FIELD_GET() to extract PCIe capability fields (git-fixes).
- selftests/efivarfs: create-read: fix a resource leak (git-fixes).
- selftests/pidfd: Fix ksft print formats (git-fixes).
- selftests/resctrl: Ensure the benchmark commands fits to its array (git-fixes).
- selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests (git-fixes).
- selftests/resctrl: Remove duplicate feature check from CMT test (git-fixes).
- seq_buf: fix a misleading comment (git-fixes).
- serial: exar: Revert 'serial: exar: Add support for Sealevel 7xxxC serial cards' (git-fixes).
- serial: meson: Use platform_get_irq() to get the interrupt (git-fixes).
- soc: qcom: llcc: Handle a second device without data corruption (git-fixes).
- spi: nxp-fspi: use the correct ioremap function (git-fixes).
- spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies (git-fixes).
- spi: tegra: Fix missing IRQ check in tegra_slink_probe() (git-fixes).
- staging: media: ipu3: remove ftrace-like logging (git-fixes).
- string.h: add array-wrappers for (v)memdup_user() (git-fixes).
- supported.conf: marked idpf supported
- thermal: core: prevent potential string overflow (git-fixes).
- treewide: Spelling fix in comment (git-fixes).
- tty/sysrq: replace smp_processor_id() with get_cpu() (git-fixes).
- tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks (git-fixes).
- tty: 8250: Add support for Brainboxes UP cards (git-fixes).
- tty: 8250: Add support for Intashield IS-100 (git-fixes).
- tty: 8250: Add support for Intashield IX cards (git-fixes).
- tty: 8250: Add support for additional Brainboxes PX cards (git-fixes).
- tty: 8250: Add support for additional Brainboxes UC cards (git-fixes).
- tty: 8250: Fix port count of PX-257 (git-fixes).
- tty: 8250: Fix up PX-803/PX-857 (git-fixes).
- tty: 8250: Remove UC-257 and UC-431 (git-fixes).
- tty: Fix uninit-value access in ppp_sync_receive() (git-fixes).
- tty: n_gsm: fix race condition in status line change on dead connections (git-fixes).
- tty: serial: meson: fix hard LOCKUP on crtscts mode (git-fixes).
- tty: tty_jobctrl: fix pid memleak in disassociate_ctty() (git-fixes).
- tty: vcc: Add check for kstrdup() in vcc_probe() (git-fixes).
- usb: cdnsp: Fix deadlock issue during using NCM gadget (git-fixes).
- usb: chipidea: Fix DMA overwrite for Tegra (git-fixes).
- usb: chipidea: Simplify Tegra DMA alignment code (git-fixes).
- usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency (git-fixes).
- usb: dwc3: Fix default mode initialization (git-fixes).
- usb: dwc3: set the dma max_seg_size (git-fixes).
- usb: gadget: f_ncm: Always set current gadget in ncm_bind() (git-fixes).
- usb: raw-gadget: properly handle interrupted requests (git-fixes).
- usb: storage: set 1.50 as the lower bcdDevice for older 'Super Top' compatibility (git-fixes).
- usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm() (git-fixes).
- usb: typec: tcpm: Skip hard reset when in error recovery (git-fixes).
- virtchnl: add virtchnl version 2 ops (bsc#1215458).
- wifi: ath10k: Do not touch the CE interrupt registers after power up (git-fixes).
- wifi: ath10k: fix clang-specific fortify warning (git-fixes).
- wifi: ath11k: debugfs: fix to work with multiple PCI devices (git-fixes).
- wifi: ath11k: fix dfs radar event locking (git-fixes).
- wifi: ath11k: fix htt pktlog locking (git-fixes).
- wifi: ath11k: fix temperature event locking (git-fixes).
- wifi: ath9k: fix clang-specific fortify warnings (git-fixes).
- wifi: iwlwifi: Use FW rate for non-data frames (git-fixes).
- wifi: iwlwifi: call napi_synchronize() before freeing rx/tx queues (git-fixes).
- wifi: iwlwifi: empty overflow queue during flush (git-fixes).
- wifi: iwlwifi: honor the enable_ini value (git-fixes).
- wifi: iwlwifi: pcie: synchronize IRQs before NAPI (git-fixes).
- wifi: mac80211: do not return unset power in ieee80211_get_tx_power() (git-fixes).
- wifi: mac80211: fix # of MSDU in A-MSDU calculation (git-fixes).
- wifi: mt76: mt7603: rework/fix rx pse hang check (git-fixes).
- wifi: rtlwifi: fix EDCA limit set by BT coexistence (git-fixes).
- wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-fixes).
- x86/alternative: Add a __alt_reloc_selftest() prototype (git-fixes).
- x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs (git-fixes).
- x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 (git-fixes).
- x86/hyperv: Add HV_EXPOSE_INVARIANT_TSC define (git-fixes).
- x86/hyperv: Improve code for referencing hyperv_pcpu_input_arg (git-fixes).
- x86/hyperv: Make hv_get_nmi_reason public (git-fixes).
- x86/hyperv: fix a warning in mshyperv.h (git-fixes).
- x86/sev: Do not try to parse for the CC blob on non-AMD hardware (git-fixes).
- x86/sev: Fix calculation of end address based on number of pages (git-fixes).
- x86/sev: Use the GHCB protocol when available for SNP CPUID requests (git-fixes).
- x86: Move gds_ucode_mitigated() declaration to header (git-fixes).
- xfs: add attr state machine tracepoints (git-fixes).
- xfs: can't use kmem_zalloc() for attribute buffers (bsc#1216909).
- xfs: constify btree function parameters that are not modified (git-fixes).
- xfs: convert AGF log flags to unsigned (git-fixes).
- xfs: convert AGI log flags to unsigned (git-fixes).
- xfs: convert attr type flags to unsigned (git-fixes).
- xfs: convert bmap extent type flags to unsigned (git-fixes).
- xfs: convert bmapi flags to unsigned (git-fixes).
- xfs: convert btree buffer log flags to unsigned (git-fixes).
- xfs: convert buffer flags to unsigned (git-fixes).
- xfs: convert buffer log item flags to unsigned (git-fixes).
- xfs: convert da btree operations flags to unsigned (git-fixes).
- xfs: convert dquot flags to unsigned (git-fixes).
- xfs: convert inode lock flags to unsigned (git-fixes).
- xfs: convert log item tracepoint flags to unsigned (git-fixes).
- xfs: convert log ticket and iclog flags to unsigned (git-fixes).
- xfs: convert quota options flags to unsigned (git-fixes).
- xfs: convert scrub type flags to unsigned (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'blkno', 'block', or 'bno' (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'count' (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'len' (git-fixes).
- xfs: disambiguate units for ftrace fields tagged 'offset' (git-fixes).
- xfs: make the key parameters to all btree key comparison functions const (git-fixes).
- xfs: make the key parameters to all btree query range functions const (git-fixes).
- xfs: make the keys and records passed to btree inorder functions const (git-fixes).
- xfs: make the pointer passed to btree set_root functions const (git-fixes).
- xfs: make the start pointer passed to btree alloc_block functions const (git-fixes).
- xfs: make the start pointer passed to btree update_lastrec functions const (git-fixes).
- xfs: mark the record passed into btree init_key functions as const (git-fixes).
- xfs: mark the record passed into xchk_btree functions as const (git-fixes).
- xfs: remove xfs_btree_cur_t typedef (git-fixes).
- xfs: rename i_disk_size fields in ftrace output (git-fixes).
- xfs: resolve fork names in trace output (git-fixes).
- xfs: standardize AG block number formatting in ftrace output (git-fixes).
- xfs: standardize AG number formatting in ftrace output (git-fixes).
- xfs: standardize daddr formatting in ftrace output (git-fixes).
- xfs: standardize inode generation formatting in ftrace output (git-fixes).
- xfs: standardize inode number formatting in ftrace output (git-fixes).
- xfs: standardize remaining xfs_buf length tracepoints (git-fixes).
- xfs: standardize rmap owner number formatting in ftrace output (git-fixes).
- xhci: Enable RPM on controllers that support low-power states (git-fixes).
- xhci: Loosen RPM as default policy to cover for AMD xHC 1.1 (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4843-1
Released:    Thu Dec 14 12:22:44 2023
Summary:     Security update for python3-cryptography
Type:        security
Severity:    moderate
References:  1217592,CVE-2023-49083
This update for python3-cryptography fixes the following issues:

- CVE-2023-49083: Fixed a NULL pointer dereference when loading certificates from a PKCS#7 bundle (bsc#1217592).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4880-1
Released:    Fri Dec 15 10:43:44 2023
Summary:     Recommended update for xen
Type:        recommended
Severity:    moderate
References:  1027519
This update for xen fixes the following issues:

- Upstream bug fixes (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495
This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4901-1
Released:    Tue Dec 19 11:25:47 2023
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1216853,CVE-2023-38472
This update for avahi fixes the following issues:

- CVE-2023-38472: Fixed reachable assertion in avahi_rdata_parse (bsc#1216853).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4902-1
Released:    Tue Dec 19 13:09:42 2023
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1214788,1217950,CVE-2023-48795
This update for openssh fixes the following issues:

- CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950).

the following non-security bug was fixed:

- Fix the 'no route to host' error when connecting via ProxyJump

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4916-1
Released:    Wed Dec 20 08:49:04 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1215229
This update for lvm2 fixes the following issues:

- Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4936-1
Released:    Wed Dec 20 17:18:21 2023
Summary:     Security update for docker, rootlesskit
Type:        security
Severity:    important
References:  1170415,1170446,1178760,1210141,1213229,1213500,1215323,1217513,CVE-2020-12912,CVE-2020-8694,CVE-2020-8695
This update for docker, rootlesskit fixes the following issues:

docker:

- Update to Docker 24.0.7-ce. See upstream changelong online at
  https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
  * Deny containers access to /sys/devices/virtual/powercap by default.
    - CVE-2020-8694 bsc#1170415
    - CVE-2020-8695 bsc#1170446
    - CVE-2020-12912 bsc#1178760

- Update to Docker 24.0.6-ce. See upstream changelong online at

  	https://docs.docker.com/engine/release-notes/24.0/#2406 . bsc#1215323

- Add a docker.socket unit file, but with socket activation effectively
  disabled to ensure that Docker will always run even if you start the socket
  individually. Users should probably just ignore this unit file. bsc#1210141

- Update to Docker 24.0.5-ce. See upstream changelong online at

	https://docs.docker.com/engine/release-notes/24.0/#2405 . bsc#1213229

This update ships docker-rootless support in the docker-rootless-extra package. (jsc#PED-6180)

rootlesskit:

- new package, for docker rootless support. (jsc#PED-6180)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4962-1
Released:    Fri Dec 22 13:45:06 2023
Summary:     Recommended update for curl
Type:        recommended
Severity:    important
References:  1216987
This update for curl fixes the following issues:

- libssh: Implement SFTP packet size limit (bsc#1216987)

This update also ships curl to the INSTALLER channel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4983-1
Released:    Thu Dec 28 14:21:40 2023
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1217277,CVE-2023-5981
This update for gnutls fixes the following issues:

- CVE-2023-5981: Fixed timing side-channel inside RSA-PSK key exchange (bsc#1217277).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:8-1
Released:    Tue Jan  2 13:18:50 2024
Summary:     Recommended update for samba
Type:        recommended
Severity:    moderate
References:  1214076
This update for samba fixes the following issues:

- Add 'net offlinejoin composeodj' command (bsc#1214076)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:11-1
Released:    Tue Jan  2 13:24:52 2024
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1029961,1158830,1206798,1209122
This update for procps fixes the following issues:

- Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369)

- For support up to 2048 CPU as well (bsc#1185417)
- Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122)
- Get the first CPU summary correct (bsc#1121753)
- Enable pidof for SLE-15 as this is provided by sysvinit-tools
- Use a check on syscall __NR_pidfd_open to decide if
  the pwait tool and its manual page will be build
- Do not truncate output of w with option -n
- Prefer logind over utmp (jsc#PED-3144)
- Don't install translated man pages for non-installed binaries
  (uptime, kill).
- Fix directory for Ukrainian man pages translations.
- Move localized man pages to lang package.

- Update to procps-ng-3.3.17

  * library: Incremented to 8:3:0
    (no removals or additions, internal changes only)
  * all: properly handle utf8 cmdline translations
  * kill: Pass int to signalled process
  * pgrep: Pass int to signalled process
  * pgrep: Check sanity of SG_ARG_MAX
  * pgrep: Add older than selection
  * pidof: Quiet mode
  * pidof: show worker threads
  * ps.1: Mention stime alias
  * ps: check also match on truncated 16 char comm names
  * ps: Add exe output option
  * ps: A lot more sorting available
  * pwait: New command waits for a process
  * sysctl: Match systemd directory order
  * sysctl: Document directory order
  * top: ensure config file backward compatibility
  * top: add command line 'e' for symmetry with 'E'
  * top: add '4' toggle for two abreast cpu display
  * top: add '!' toggle for combining multiple cpus
  * top: fix potential SEGV involving -p switch
  * vmstat: Wide mode gives wider proc columns
  * watch: Add environment variable for interval
  * watch: Add no linewrap option
  * watch: Support more colors
  * free,uptime,slabtop: complain about extra ops

- Package translations in procps-lang.

- Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited.

- Enable pidof by default

- Update to procps-ng-3.3.16

  * library: Increment to 8:2:0

    No removals or functions
    Internal changes only, so revision is incremented.
    Previous version should have been 8:1:0 not 8:0:1

  * docs: Use correct symbols for -h option in free.1
  * docs: ps.1 now warns about command name length
  * docs: install translated man pages
  * pgrep: Match on runstate
  * snice: Fix matching on pid
  * top: can now exploit 256-color terminals
  * top: preserves 'other filters' in configuration file
  * top: can now collapse/expand forest view children
  * top: parent %CPU time includes collapsed children
  * top: improve xterm support for vim navigation keys
  * top: avoid segmentation fault at program termination
  * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:50-1
Released:    Mon Jan  8 03:20:25 2024
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        recommended
Severity:    moderate
References:  1217695,1217696
This update for python-instance-billing-flavor-check fixes the following issues:

-  Run the command as sudo only (bsc#1217696, bsc#1217695)
-  Handle exception for Python 3.4 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:62-1
Released:    Mon Jan  8 11:44:47 2024
Summary:     Recommended update for libxcrypt
Type:        recommended
Severity:    moderate
References:  1215496
This update for libxcrypt fixes the following issues:

- fix variable name for datamember [bsc#1215496]
- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:68-1
Released:    Tue Jan  9 15:26:08 2024
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1217292
This update for rsyslog fixes the following issues:

- Restart daemon after modules packages have been updated (bsc#1217292)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan  9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804
This update for tar fixes the following issues:

- CVE-2023-39804: Fixed  extension attributes in PAX archives incorrect hanling (bsc#1217969).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:88-1
Released:    Thu Jan 11 10:08:20 2024
Summary:     Recommended update for libsolv, zypper, libzypp
Type:        recommended
Severity:    moderate
References:  1212160,1215294,1216412,1217593,1217873,1218291
This update for libsolv, zypper, libzypp fixes the following issues:

- Expand RepoVars in URLs downloading a .repo file (bsc#1212160)
- Fix search/info commands ignoring --ignore-unknown (bsc#1217593)
- CheckAccessDeleted: fix 'running in container' filter (bsc#1218291)
- Open rpmdb just once during execution of %posttrans scripts (bsc#1216412)
- Make sure reboot-needed is remembered until next boot (bsc#1217873)
- Stop using boost version 1 timer library (bsc#1215294)
- Updated to version 0.7.27  
- Add zstd support for the installcheck tool
- Add putinowndirpool cache to make file list handling in repo_write much faster
- Do not use deprecated headerUnload with newer rpm versions
- Support complex deps in SOLVABLE_PREREQ_IGNOREINST
- Fix minimization not prefering installed packages in some cases
- Reduce memory usage in repo_updateinfoxml
- Fix lock-step interfering with architecture selection
- Fix choice rule handing for package downgrades
- Fix complex dependencies with an 'else' part sometimes leading to unsolved dependencies

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:105-1
Released:    Mon Jan 15 15:41:05 2024
Summary:     Recommended update for grub2 and efibootmgr
Type:        recommended
Severity:    important
References:  1217237
This update for grub2 and efibootmgr fixes the following issues:

grub2:

- Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237)

efibootmgr:

- Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:125-1
Released:    Tue Jan 16 13:46:56 2024
Summary:     Recommended update for suseconnect-ng
Type:        recommended
Severity:    moderate
References:  1218364
This update for suseconnect-ng fixes the following issues:

- Update to version 1.5.0
- Configure docker credentials for registry authentication
- Feature: Support usage from Agama + Cockpit for ALP Micro system registration (bsc#1218364)
- Add --json output option

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:128-1
Released:    Tue Jan 16 13:50:37 2024
Summary:     Security update for cloud-init
Type:        security
Severity:    moderate
References:  1198269,1201010,1214169,1215740,1215794,1216007,1216011,CVE-2023-1786
This update for cloud-init contains the following fixes:

- Move fdupes call back to %install.(bsc#1214169)

- Update to version 23.3. (bsc#1216011)
  * (bsc#1215794)
  * (bsc#1215740)
  * (bsc#1216007)
  + Bump pycloudlib to 1!5.1.0 for ec2 mantic daily image support (#4390)
  + Fix cc_keyboard in mantic (LP: #2030788)
  + ec2: initialize get_instance_userdata return value to bytes (#4387)
    [Noah Meyerhans]
  + cc_users_groups: Add doas/opendoas support (#4363) [dermotbradley]
  + Fix pip-managed ansible
  + status: treat SubState=running and MainPID=0 as service exited
  + azure/imds: increase read-timeout to 30s (#4372) [Chris Patterson]
  + collect-logs fix memory usage (SC-1590) (#4289)
    [Alec Warren] (LP: #1980150)
  + cc_mounts: Use fallocate to create swapfile on btrfs (#4369)
  + Undocument nocloud-net (#4318)
  + feat(akamai): add akamai to settings.py and apport.py (#4370)
  + read-version: fallback to get_version when git describe fails (#4366)
  + apt: fix cloud-init status --wait blocking on systemd v 253 (#4364)
  + integration tests: Pass username to pycloudlib (#4324)
  + Bump pycloudlib to 1!5.1.0 (#4353)
  + cloud.cfg.tmpl: reorganise, minimise/reduce duplication (#4272)
    [dermotbradley]
  + analyze: fix (unexpected) timestamp parsing (#4347) [Mina Galić]
  + cc_growpart: fix tests to run on FreeBSD (#4351) [Mina Galić]
  + subp: Fix spurious test failure on FreeBSD (#4355) [Mina Galić]
  + cmd/clean: fix tests on non-Linux platforms (#4352) [Mina Galić]
  + util: Fix get_proc_ppid() on non-Linux systems (#4348) [Mina Galić]
  + cc_wireguard: make tests pass on FreeBSD (#4346) [Mina Galić]
  + unittests: fix breakage in test_read_cfg_paths_fetches_cached_datasource
    (#4328) [Ani Sinha]
  + Fix test_tools.py collection (#4315)
  + cc_keyboard: add Alpine support (#4278) [dermotbradley]
  + Flake8 fixes (#4340) [Robert Schweikert]
  + cc_mounts: Fix swapfile not working on btrfs (#4319) [王煎饼] (LP: #1884127)
  + ds-identify/CloudStack: $DS_MAYBE if vm running on vmware/xen (#4281)
    [Wei Zhou]
  + ec2: Support double encoded userdata (#4275) [Noah Meyerhans]
  + cc_mounts: xfs is a Linux only FS (#4334) [Mina Galić]
  + tests/net: fix TestGetInterfaces' mock coverage for get_master (#4336)
    [Chris Patterson]
  + change openEuler to openeuler and fix some bugs in openEuler (#4317)
    [sxt1001]
  + Replace flake8 with ruff (#4314)
  + NM renderer: set default IPv6 addr-gen-mode for all interfaces to eui64
    (#4291) [Ani Sinha]
  + cc_ssh_import_id: add Alpine support and add doas support (#4277)
    [dermotbradley]
  + sudoers not idempotent (SC-1589)  (#4296) [Alec Warren] (LP: #1998539)
  + Added support for Akamai Connected Cloud (formerly Linode) (#4167)
    [Will Smith]
  + Fix reference before assignment (#4292)
  + Overhaul module reference page (#4237) [Sally]
  + replaced spaces with commas for setting passenv (#4269) [Alec Warren]
  + DS VMware: modify a few log level (#4284) [PengpengSun]
  + tools/read-version refactors and unit tests (#4268)
  + Ensure get_features() grabs all features (#4285)
  + Don't always require passlib dependency (#4274)
  + tests: avoid leaks into host system checking of ovs-vsctl cmd (#4275)
  + Fix NoCloud kernel commandline key parsing (#4273)
  + testing: Clear all LRU caches after each test (#4249)
  + Remove the crypt dependency (#2139) [Gonéri Le Bouder]
  + logging: keep current file mode of log file if its stricter than the
    new mode (#4250) [Ani Sinha]
  + Remove default membership in redundant groups (#4258)
    [Dave Jones] (LP: #1923363)
  + doc: improve datasource_creation.rst (#4262)
  + Remove duplicate Integration testing button (#4261) [Rishita Shaw]
  + tools/read-version: fix the tool so that it can handle version parsing
    errors (#4234) [Ani Sinha]
  + net/dhcp: add udhcpc support (#4190) [Jean-François Roche]
  + DS VMware: add i386 arch dir to deployPkg plugin search path
    [PengpengSun]
  + LXD moved from linuxcontainers.org to Canonical [Simon Deziel]
  + cc_mounts.py: Add note about issue with creating mounts inside mounts
    (#4232) [dermotbradley]
  + lxd: install lxd from snap, not deb if absent in image
  + landscape: use landscape-config to write configuration
  + Add deprecation log during init of DataSourceDigitalOcean (#4194)
    [tyb-truth]
  + doc: fix typo on apt.primary.arches (#4238) [Dan Bungert]
  + Inspect systemd state for cloud-init status (#4230)
  + instance-data: add system-info and features to combined-cloud-config
    (#4224)
  + systemd: Block login until config stage completes (#2111) (LP: #2013403)
  + tests: proposed should invoke apt-get install -t=<release>-proposed
    (#4235)
  + cloud.cfg.tmpl: reinstate ca_certs entry (#4236) [dermotbradley]
  + Remove feature flag override ability (#4228)
  + tests: drop stray unrelated file presence test (#4227)
  + Update LXD URL (#4223) [Sally]
  + schema: add network v1 schema definition and validation functions
  + tests: daily PPA for devel series is version 99.daily update tests to
    match (#4225)
  + instance-data: write /run/cloud-init/combined-cloud-config.json
  + mount parse: Fix matching non-existent directories (#4222) [Mina Galić]
  + Specify build-system for pep517 (#4218)
  + Fix network v2 metric rendering (#4220)
  + Migrate content out of FAQ page (SD-1187) (#4205) [Sally]
  + setup: fix generation of init templates (#4209) [Mina Galić]
  + docs: Correct some bootcmd example wording
  + fix changelog
  + tests: reboot client to assert x-shellscript-per-boot is triggered
  + nocloud: parse_cmdline no longer detects nocloud-net datasource (#4204)
    (LP: 4203, #2025180)
  + Add docstring and typing to mergemanydict (#4200)
  + BSD: add dsidentify to early startup scripts (#4182) [Mina Galić]
  + handler: report errors on skipped merged cloud-config.txt parts
    (LP: #1999952)
  + Add cloud-init summit writeups (#4179) [Sally]
  + tests: Update test_clean_log for oci (#4187)
  + gce: improve ephemeral fallback NIC selection (CPC-2578) (#4163)
  + tests: pin pytest 7.3.1 to avoid adverse testpaths behavior (#4184)
  + Ephemeral Networking for FreeBSD (#2165) [Mina Galić]
  + Clarify directory syntax for nocloud local filesystem. (#4178)
  + Set default renderer as sysconfig for centos/rhel (#4165) [Ani Sinha]
  + Test static routes and netplan 0.106
  + FreeBSD fix parsing of mount and mount options (#2146) [Mina Galić]
  + test: add tracking bug id (#4164)
  + tests: can't match MAC for LXD container veth due to netplan 0.106
    (#4162)
  + Add kaiwalyakoparkar as a contributor (#4156) [Kaiwalya Koparkar]
  + BSD: remove datasource_list from cloud.cfg template (#4159) [Mina Galić]
  + launching salt-minion in masterless mode (#4110) [Denis Halturin]
  + tools: fix run-container builds for rockylinux/8 git hash mismatch
    (#4161)
  + fix doc lint: spellchecker tripped up (#4160) [Mina Galić]
  + Support Ephemeral Networking for BSD (#2127)
  + Added / fixed support for static routes on OpenBSD and FreeBSD (#2157)
    [Kadir Mueller]
  + cc_rsyslog: Refactor for better multi-platform support (#4119)
    [Mina Galić] (LP: #1798055)
  + tests: fix test_lp1835584 (#4154)
  + cloud.cfg mod names: docs and rename salt_minion and set_password (#4153)
  + vultr: remove check_route check (#2151) [Jonas Chevalier]
  + Update SECURITY.md (#4150) [Indrranil Pawar]
  + Update CONTRIBUTING.rst (#4149) [Indrranil Pawar]
  + Update .github-cla-signers (#4151) [Indrranil Pawar]
  + Standardise module names in cloud.cfg.tmpl to only use underscore
    (#4128) [dermotbradley]
  + Modify PR template so autoclose works
>From 23.2.2
  + Fix NoCloud kernel commandline key parsing (#4273) (Fixes: #4271)
    (LP: #2028562)
  + Fix reference before assignment (#4292) (Fixes: #4288) (LP: #2028784)
>From 23.2.1
  + nocloud: Fix parse_cmdline detection of nocloud-net datasource (#4204)
    (Fixes: 4203) (LP: #2025180)
>From 23.2
  + BSD: simplify finding MBR partitions by removing duplicate code
   [Mina Galić]
  + tests: bump pycloudlib version for mantic builds
  + network-manager: Set higher autoconnect priority for nm keyfiles (#3671)
    [Ani Sinha]
  + alpine.py: change the locale file used (#4139) [dermotbradley]
  + cc_ntp: Sync up with current FreeBSD ntp.conf (#4122) [Mina Galić]
  + config: drop refresh_rmc_and_interface as RHEL 7 no longer supported
    [Robert Schweikert]
  + docs: Add feedback button to docs
  + net/sysconfig: enable sysconfig renderer if network manager has ifcfg-rh
    plugin (#4132) [Ani Sinha]
  + For Alpine use os-release PRETTY_NAME (#4138) [dermotbradley]
  + network_manager: add a method for ipv6 static IP configuration (#4127)
    [Ani Sinha]
  + correct misnamed template file host.mariner.tmpl (#4124) [dermotbradley]
  + nm: generate ipv6 stateful dhcp config at par with sysconfig (#4115)
    [Ani Sinha]
  + Add templates for GitHub Issues
  + Add 'peers' and 'allow' directives in cc_ntp (#3124) [Jacob Salmela]
  + FreeBSD: Fix user account locking (#4114) [Mina Galić] (GH: #1854594)
  + FreeBSD: add ResizeGrowFS class to cc_growpart (#2334) [Mina Galić]
  + Update tests in Azure TestCanDevBeReformatted class (#2771)
    [Ksenija Stanojevic]
  + Replace Launchpad references with GitHub Issues
  + Fix KeyError in iproute pformat (#3287) [Dmitry Zykov]
  + schema: read_cfg_paths call init.fetch to lookup /v/l/c/instance
  + azure/errors: introduce reportable errors for imds (#3647)
    [Chris Patterson]
  + FreeBSD (and friends): better identify MBR slices (#2168)
    [Mina Galić] (LP: #2016350)
  + azure/errors: add host reporting for dhcp errors (#2167)
    [Chris Patterson]
  + net: purge blacklist_drivers across net and azure (#2160)
    [Chris Patterson]
  + net: refactor hyper-v VF filtering and apply to get_interfaces() (#2153)
    [Chris Patterson]
  + tests: avoid leaks to underlying filesystem for /etc/cloud/clean.d
    (#2251)
  + net: refactor find_candidate_nics_on_linux() to use get_interfaces()
    (#2159) [Chris Patterson]
  + resolv_conf: Allow > 3 nameservers (#2152) [Major Hayden]
  + Remove mount NTFS error message (#2134) [Ksenija Stanojevic]
  + integration tests: fix image specification parsing (#2166)
  + ci: add hypothesis scheduled GH check (#2149)
  + Move supported distros list to docs (#2162)
  + Fix logger, use instance rather than module function (#2163)
  + README: Point to Github Actions build status (#2158)
  + Revert 'fix linux-specific code on bsd (#2143)' (#2161)
  + Do not generate dsa and ed25519 key types when crypto FIPS mode is
    enabled (#2142) [Ani Sinha] (LP: 2017761)
  + Add documentation label automatically (#2156)
  + sources/azure: report success to host and introduce kvp module (#2141)
    [Chris Patterson]
  + setup.py: use pkg-config for udev/rules path (#2137) [dankm]
  + openstack/static: honor the DNS servers associated with a network
    (#2138) [Gonéri Le Bouder]
  + fix linux-specific code on bsd (#2143)
  + cli: schema validation of jinja template user-data (SC-1385) (#2132)
    (LP: #1881925)
  + gce: activate network discovery on every boot (#2128)
  + tests: update integration test to assert 640 across reboots (#2145)
  + Make user/vendor data sensitive and remove log permissions (#2144)
    (LP: #2013967)
  + Update kernel command line docs (SC-1457) (#2133)
  + docs: update network configuration path links (#2140) [d1r3ct0r]
  + sources/azure: report failures to host via kvp (#2136) [Chris Patterson]
  + net: Document use of `ip route append` to add routes (#2130)
  + dhcp: Add missing mocks (#2135)
  + azure/imds: retry fetching metadata up to 300 seconds (#2121)
    [Chris Patterson]
  + [1/2] DHCP: Refactor dhcp client code  (#2122)
  + azure/errors: treat traceback_base64 as string (#2131) [Chris Patterson]
  + azure/errors: introduce reportable errors (#2129) [Chris Patterson]
  + users: schema permit empty list to indicate create no users
  + azure: introduce identity module (#2116) [Chris Patterson]
  + Standardize disabling cloud-init on non-systemd (#2112)
  + Update .github-cla-signers (#2126) [Rob Tongue]
  + NoCloud: Use seedfrom protocol to determine mode (#2107)
  + rhel: Remove sysvinit files. (#2114)
  + tox.ini: set -vvvv --showlocals for pytest (#2104) [Chris Patterson]
  + Fix NoCloud kernel commandline semi-colon args
  + run-container: make the container/VM timeout configurable (#2118)
    [Paride Legovini]
  + suse: Remove sysvinit files. (#2115)
  + test: Backport assert_call_count for old requests (#2119)
  + Add 'licebmi' as contributor (#2113) [Mark Martinez]
  + Adapt DataSourceScaleway to upcoming IPv6 support (#2033)
    [Louis Bouchard]
  + rhel: make sure previous-hostname file ends with a new line (#2108)
    [Ani Sinha]
  + Adding contributors for DataSourceAkamai (#2110) [acourdavAkamai]
  + Cleanup ephemeral IP routes on exception (#2100) [sxt1001]
  + commit 09a64badfb3f51b1b391fa29be19962381a4bbeb [sxt1001] (LP: #2011291)
  + Standardize kernel commandline user interface (#2093)
  + config/cc_resizefs: fix do_resize arguments (#2106) [Chris Patterson]
  + Fix test_dhclient_exits_with_error (#2105)
  + net/dhcp: catch dhclient failures and raise NoDHCPLeaseError (#2083)
    [Chris Patterson]
  + sources/azure: move pps handling out of _poll_imds() (#2075)
    [Chris Patterson]
  + tests: bump pycloudlib version (#2102)
  + schema: do not manipulate draft4 metaschema for jsonschema 2.6.0 (#2098)
  + sources/azure/imds: don't count timeout errors as connection errors
    (#2074) [Chris Patterson]
  + Fix Python 3.12 unit test failures (#2099)
  + integration tests: Refactor instance checking (#1989)
  + ci: migrate remaining jobs from travis to gh (#2085)
  + missing ending quote in instancedata docs(#2094) [Hong L]
  + refactor: stop passing log instances to cc_* handlers (#2016) [d1r3ct0r]
  + tests/vmware: fix test_no_data_access_method failure (#2092)
    [Chris Patterson]
  + Don't change permissions of netrules target (#2076) (LP: #2011783)
  + tests/sources: patch util.get_cmdline() for datasource tests (#2091)
    [Chris Patterson]
  + macs: ignore duplicate MAC for devs with driver driver qmi_wwan (#2090)
    (LP: #2008888)
  + Fedora: Enable CA handling (#2086) [František Zatloukal]
  + Send dhcp-client-identifier for InfiniBand ports (#2043) [Waleed Mousa]
  + cc_ansible: complete the examples and doc (#2082) [Yves]
  + bddeb: for dev package, derive debhelper-compat from host system
  + apport: only prompt for cloud_name when instance-data.json is absent
  + datasource: Optimize datasource detection, fix bugs (#2060)
  + Handle non existent ca-cert-config situation (#2073) [Shreenidhi Shedi]
  + sources/azure: add networking check for all source PPS (#2061)
    [Chris Patterson]
  + do not attempt dns resolution on ip addresses (#2040)
  + chore: fix style tip (#2071)
  + Fix metadata IP in instancedata.rst (#2063) [Brian Haley]
  + util: Pass deprecation schedule in deprecate_call() (#2064)
  + config: Update grub-dpkg docs (#2058)
  + docs: Cosmetic improvements and styling (#2057) [s-makin]
  + cc_grub_dpkg: Added UEFI support (#2029) [Alexander Birkner]
  + tests: Write to /var/spool/rsyslog to adhere to apparmor profile (#2059)
  + oracle-ds: prefer system_cfg over ds network config source (#1998)
    (LP: #1956788)
  + Remove dead code (#2038)
  + source: Force OpenStack when it is only option (#2045) (LP: #2008727)
  + cc_ubuntu_advantage: improve UA logs discovery
  + sources/azure: fix regressions in IMDS behavior (#2041) [Chris Patterson]
  + tests: fix test_schema (#2042)
  + dhcp: Cleanup unused kwarg (#2037)
  + sources/vmware/imc: fix-missing-catch-few-negtive-scenarios (#2027)
    [PengpengSun]
  + dhclient_hook: remove vestigal dhclient_hook command (#2015)
  + log: Add standardized deprecation tooling (SC-1312) (#2026)
  + Enable SUSE based distros for ca handling (#2036) [Robert Schweikert]
>From 23.1.2
  + Make user/vendor data sensitive and remove log permissions
    (LP: #2013967) (CVE-2023-1786)

- Remove six dependency (bsc#1198269)
- Update to version 22.4 (bsc#1201010)

  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365
This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login
  due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918
This update for libssh fixes the following issues:

Security fixes:

  - CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
  - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
  - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
  - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm  guessing (bsc#1211188)
  - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:

- Update to version 0.9.8
  - Allow @ in usernames when parsing from URI composes

- Update to version 0.9.7
  - Fix several memory leaks in GSSAPI handling code

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:156-1
Released:    Thu Jan 18 17:01:26 2024
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1179610,1183045,1193285,1211162,1211226,1212584,1214747,1214823,1215237,1215696,1215885,1216057,1216559,1216776,1217036,1217217,1217250,1217602,1217692,1217790,1217801,1217933,1217938,1217946,1217947,1217980,1217981,1217982,1218056,1218139,1218184,1218234,1218253,1218258,1218335,1218357,1218447,1218515,1218559,1218569,1218659,CVE-2020-26555,CVE-2023-51779,CVE-2023-6121,CVE-2023-6531,CVE-2023-6546,CVE-2023-6606,CVE-2023-6610,CVE-2023-6622,CVE-2023-6931,CVE-2023-6932
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.


The following security bugs were fixed:

- CVE-2023-6531: Fixed a use-after-free flaw due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic()on the socket that the SKB is queued on (bsc#1218447).
- CVE-2023-6610: Fixed an out of bounds read in the SMB client when printing debug information (bsc#1217946).
- CVE-2023-51779: Fixed a use-after-free because of a bt_sock_ioctl race condition in bt_sock_recvmsg (bsc#1218559).
- CVE-2020-26555: Fixed an issue during BR/EDR PIN code pairing in the Bluetooth subsystem that would allow replay attacks (bsc#1179610 bsc#1215237).
- CVE-2023-6606: Fixed an out of bounds read in the SMB client when receiving a malformed length from a server (bsc#1217947).
- CVE-2023-6546: Fixed a race condition in the GSM 0710 tty multiplexor via the GSMIOC_SETCONF ioctl that could lead to local privilege escalation (bsc#1218335).
- CVE-2023-6931: Fixed an out of bounds write in the Performance Events subsystem when adding a new event (bsc#1218258).
- CVE-2023-6932: Fixed a use-after-free issue when receiving an IGMP query packet due to reference count mismanagement (bsc#1218253).
- CVE-2023-6622: Fixed a null pointer dereference vulnerability in nft_dynset_init() that could allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service (bsc#1217938).
- CVE-2023-6121: Fixed an information leak via dmesg when receiving a crafted packet in the NVMe-oF/TCP subsystem (bsc#1217250).

The following non-security bugs were fixed:

- Reviewed and added more information to README.SUSE (jsc#PED-5021).
- Enabled multibuild for kernel packages (JSC-SLE#5501, boo#1211226, bsc#1218184).
- Drop drm/bridge lt9611uxc patches that have been reverted on stable trees
- KVM: s390/mm: Properly reset no-dat (bsc#1218056).
- KVM: s390: vsie: fix wrong VIR 37 when MSO is used (bsc#1217933).
- KVM: x86: Mask LVTPC when handling a PMI (jsc#PED-7322).
- NFS: Fix O_DIRECT locking issues (bsc#1211162).
- NFS: Fix a few more clear_bit() instances that need release semantics (bsc#1211162).
- NFS: Fix a potential data corruption (bsc#1211162).
- NFS: Fix a use after free in nfs_direct_join_group() (bsc#1211162).
- NFS: Fix error handling for O_DIRECT write scheduling (bsc#1211162).
- NFS: More O_DIRECT accounting fixes for error paths (bsc#1211162).
- NFS: More fixes for nfs_direct_write_reschedule_io() (bsc#1211162).
- NFS: Use the correct commit info in nfs_join_page_group() (bsc#1211162).
- NLM: Defend against file_lock changes after vfs_test_lock() (bsc#1217692).
- Updated SPI patches for NVIDIA Grace enablement (bsc#1212584 jsc#PED-3459)
- block: fix revalidate performance regression (bsc#1216057).
- bpf: Adjust insufficient default bpf_jit_limit (bsc#1218234).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size() (bsc#1217980).
- ceph: fix type promotion bug on 32bit systems (bsc#1217982).
- clocksource: Add a Kconfig option for WATCHDOG_MAX_SKEW (bsc#1215885 bsc#1217217).
- clocksource: Enable TSC watchdog checking of HPET and PMTMR only when requested (bsc#1215885 bsc#1217217).
- clocksource: Handle negative skews in 'skew is too large' messages (bsc#1215885 bsc#1217217).
- clocksource: Improve 'skew is too large' messages (bsc#1215885 bsc#1217217).
- clocksource: Improve read-back-delay message (bsc#1215885 bsc#1217217).
- clocksource: Loosen clocksource watchdog constraints (bsc#1215885 bsc#1217217).
- clocksource: Print clocksource name when clocksource is tested unstable (bsc#1215885 bsc#1217217).
- clocksource: Verify HPET and PMTMR when TSC unverified (bsc#1215885 bsc#1217217).
- dm_blk_ioctl: implement path failover for SG_IO (bsc#1183045, bsc#1216776).
- fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() (bsc#1218659).
- libceph: use kernel_connect() (bsc#1217981).
- mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors (bsc#1218515).
- net/smc: Fix pos miscalculation in statistics (bsc#1218139).
- net/tg3: fix race condition in tg3_reset_task() (bsc#1217801).
- nfs: only issue commit in DIO codepath if we have uncommitted data (bsc#1211162).
- remove unnecessary WARN_ON_ONCE() (bsc#1214823 bsc#1218569).
- s390/vx: fix save/restore of fpu kernel context (bsc#1218357).
- scsi: lpfc: use unsigned type for num_sge (bsc#1214747).
- swiotlb: fix a braino in the alignment check fix (bsc#1216559).
- swiotlb: fix slot alignment checks (bsc#1216559).
- tracing: Disable preemption when using the filter buffer (bsc#1217036).
- tracing: Fix a possible race when disabling buffered events (bsc#1217036).
- tracing: Fix a warning when allocating buffered events fails (bsc#1217036).
- tracing: Fix incomplete locking when disabling buffered events (bsc#1217036).
- tracing: Fix warning in trace_buffered_event_disable() (bsc#1217036).
- tracing: Use __this_cpu_read() in trace_event_buffer_lock_reserver() (bsc#1217036).
- uapi: propagate __struct_group() attributes to the container union (jsc#SLE-18978).
- vsprintf/kallsyms: Prevent invalid data when printing symbol (bsc#1217602).
- x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285).
- x86/platform/uv: Use alternate source for socket to node data (bsc#1215696 bsc#1217790).
- x86/tsc: Add option to force frequency recalibration with HW timer (bsc#1215885 bsc#1217217).
- x86/tsc: Be consistent about use_tsc_delay() (bsc#1215885 bsc#1217217).
- x86/tsc: Extend watchdog check exemption to 4-Sockets platform (bsc#1215885 bsc#1217217).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:187-1
Released:    Tue Jan 23 13:38:00 2024
Summary:     Recommended update for python-chardet
Type:        recommended
Severity:    moderate
References:  1218765
This update for python-chardet fixes the following issues:

- Fix update-alternative in %postun (bsc#1218765)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:188-1
Released:    Tue Jan 23 13:53:14 2024
Summary:     Recommended update for suseconnect-ng
Type:        recommended
Severity:    critical
References:  1217961,1218649
This update for suseconnect-ng contains the following fix:

- Update to version 1.6.0:
  * Disable EULA display for addons. (bsc#1218649 and bsc#1217961)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:214-1
Released:    Wed Jan 24 16:01:31 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1214668,1215241,1217460
This update for systemd fixes the following issues:

- resolved: actually check authenticated flag of SOA transaction
- core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
- core: Add trace logging to mount_add_device_dependencies()
- core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
- core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
- core: wrap some long comment
- utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: Fix error in case isatty() fails
- homed: Handle EINTR gracefully when waiting for device node
- resolved: Handle EINTR returned from fd_wait_for_event() better
- sd-netlink: Handle EINTR from poll() gracefully, as success
- varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
- stdio-bridge: Don't be bothered with EINTR
- sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
- core: Replace slice dependencies as they get added (bsc#1214668)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:219-1
Released:    Wed Jan 24 19:43:28 2024
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1218799
This update for rsyslog fixes the following issues:

- suppress installation errors when systemd is not running (bsc#1218799)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:233-1
Released:    Thu Jan 25 11:58:47 2024
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1217775
This update for suse-module-tools fixes the following issues:

- Update to version 15.4.19
- Add symlink /boot/.vmlinuz.hmac (bsc#1217775)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:238-1
Released:    Fri Jan 26 10:56:41 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,CVE-2023-7207
This update for cpio fixes the following issues:

- CVE-2023-7207: Fixed a path traversal issue that could lead to an
  arbitrary file write during archive extraction (bsc#1218571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:243-1
Released:    Fri Jan 26 13:00:47 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1207987
This update for util-linux fixes the following issues:

- Fix performance degradation (bsc#1207987)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:254-1
Released:    Fri Jan 26 17:19:30 2024
Summary:     Recommended update for containerd
Type:        recommended
Severity:    moderate
References:  1217952
This update for containerd fixes the following issues:

- Fix permissions of address file (bsc#1217952)
- Update to version 1.7.10

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:268-1
Released:    Tue Jan 30 14:19:42 2024
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1218851,CVE-2023-46839
This update for xen fixes the following issues:

- CVE-2023-46839: Fixed phantom functions assigned to incorrect contexts (XSA-449) (bsc#1218851)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:295-1
Released:    Thu Feb  1 08:23:17 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

Update to runc v1.1.11:

- CVE-2024-21626: Fixed container breakout. (bsc#1218894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:306-1
Released:    Thu Feb  1 17:58:09 2024
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        recommended
Severity:    moderate
References:  1218561,1218739
This update for python-instance-billing-flavor-check fixes the following issues:

- Support proxy setup on the client to access the update infrastructure API (bsc#1218561) 
- Add IPv6 support (bsc#1218739) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released:    Fri Feb  2 15:13:26 2024
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1107342,1215434
This update for aaa_base fixes the following issues:

- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:427-1
Released:    Thu Feb  8 12:56:57 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1183663,1193173,1196293,1211547,1216049,1216388,1216390,1216522,1216827,1217287,1218201,1218282
This update for supportutils fixes the following issues:

- Update to version 3.1.28
- Correctly detects Xen Dom0 (bsc#1218201)
- Fixed smart disk error (bsc#1218282)
- Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
- Added missing klp information to kernel-livepatch.txt (bsc#1216390)
- Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
- Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
- Optimize lsof usage (bsc#1183663)
- Collects chrony or ntp as needed (bsc#1196293)
- Fixed podman display issue (bsc#1217287)
- Added nvme-stas configuration to nvme.txt (bsc#1216049)
- Added timed command to fs-files.txt (bsc#1216827)
- Collects zypp history file issue#166 (bsc#1216522)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:444-1
Released:    Fri Feb  9 16:39:32 2024
Summary:     Security update for suse-build-key
Type:        security
Severity:    important
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

This update runs a import-suse-build-key script.

The previous libzypp-post-script based installation is replaced
with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777).
  - suse-build-key-import.service
  - suse-build-key-import.timer

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.
After successful import the timer is disabled.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

Bugfix added since last update:

- run rpm commands in import script only when libzypp is not 
  active. bsc#1219189 bsc#1219123

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:458-1
Released:    Tue Feb 13 14:34:14 2024
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  
This update for hwdata fixes the following issues:

- Update to version 0.378
- Update pci, usb and vendor ids

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:459-1
Released:    Tue Feb 13 15:28:56 2024
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1218894,CVE-2024-21626
This update for runc fixes the following issues:

- Update to runc v1.1.12 (bsc#1218894)                                                         
                                                                                               
The following CVE was already fixed with the previous release.                                 
                                                                                               
- CVE-2024-21626: Fixed container breakout.                                                                                                                                                    

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:480-1
Released:    Thu Feb 15 12:35:51 2024
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    important
References:  1215698,1218782,1218831,1219442
This update for libsolv, libzypp fixes the following issues:

- build for multiple python versions [jsc#PED-6218]
- applydeltaprm: Create target directory if it does not exist (bsc#1219442)
- Fix problems with EINTR in ExternalDataSource::getline (bsc#1215698)
- CheckAccessDeleted: fix running_in_container detection (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:515-1
Released:    Thu Feb 15 15:45:38 2024
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1108281,1177529,1209834,1212091,1215275,1215885,1216016,1216702,1217217,1217670,1217895,1217987,1217988,1217989,1218689,1218713,1218730,1218752,1218757,1218768,1218804,1218832,1218836,1218916,1218929,1218930,1218968,1219053,1219120,1219128,1219349,1219412,1219429,1219434,1219490,1219608,CVE-2021-33631,CVE-2023-46838,CVE-2023-47233,CVE-2023-4921,CVE-2023-51042,CVE-2023-51043,CVE-2023-51780,CVE-2023-51782,CVE-2023-6040,CVE-2023-6356,CVE-2023-6535,CVE-2023-6536,CVE-2023-6915,CVE-2024-0340,CVE-2024-0565,CVE-2024-0641,CVE-2024-0775,CVE-2024-1085,CVE-2024-1086,CVE-2024-24860
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.


The following security bugs were fixed:

- CVE-2024-1085: Fixed nf_tables use-after-free vulnerability in the nft_setelem_catchall_deactivate() function (bsc#1219429).
- CVE-2024-1086: Fixed a use-after-free vulnerability inside the nf_tables component that could have been exploited to achieve local privilege escalation (bsc#1219434).
- CVE-2023-51042: Fixed use-after-free in amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c (bsc#1219128).
- CVE-2023-51780: Fixed a use-after-free in do_vcc_ioctl in net/atm/ioctl.c, because of a vcc_recvmsg race condition (bsc#1218730).
- CVE-2023-46838: Fixed an issue with Xen netback processing of zero-length transmit fragment (bsc#1218836).
- CVE-2021-33631: Fixed an integer overflow in ext4_write_inline_data_end() (bsc#1219412).
- CVE-2023-6535: Fixed a NULL pointer dereference in nvmet_tcp_execute_request (bsc#1217988).
- CVE-2023-6536: Fixed a NULL pointer dereference in __nvmet_req_complete (bsc#1217989).
- CVE-2023-6356: Fixed a NULL pointer dereference in nvmet_tcp_build_pdu_iovec (bsc#1217987).
- CVE-2023-47233: Fixed a use-after-free in the device unplugging (disconnect the USB by hotplug) code inside the brcm80211 component (bsc#1216702).
- CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network scheduler which could be exploited to achieve local privilege escalation (bsc#1215275).
- CVE-2023-51043: Fixed use-after-free during a race condition between a nonblocking atomic commit and a driver unload in drivers/gpu/drm/drm_atomic.c (bsc#1219120).
- CVE-2024-0775: Fixed use-after-free in __ext4_remount in fs/ext4/super.c that could allow a local user to cause an information leak problem while freeing the old quota file names before a potential failure (bsc#1219053).
- CVE-2023-6040: Fixed an out-of-bounds access vulnerability while creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function (bsc#1218752).
- CVE-2024-0641: Fixed a denial of service vulnerability in tipc_crypto_key_revoke in net/tipc/crypto.c (bsc#1218916).
- CVE-2024-0565: Fixed an out-of-bounds memory read flaw in receive_encrypted_standard in fs/smb/client/smb2ops.c (bsc#1218832).
- CVE-2023-6915: Fixed a NULL pointer dereference problem in ida_free in lib/idr.c (bsc#1218804).
- CVE-2023-51782: Fixed use-after-free in rose_ioctl in net/rose/af_rose.c because of a rose_accept race condition (bsc#1218757).
- CVE-2024-0340: Fixed information disclosure in vhost/vhost.c:vhost_new_msg() (bsc#1218689).
- CVE-2024-24860: Fixed a denial of service caused by a race condition in {min,max}_key_size_set() (bsc#1219608).

The following non-security bugs were fixed:

- Store the old kernel changelog entries in kernel-docs package (bsc#1218713).
- bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent (git-fixes).
- bcache: Remove unnecessary NULL point check in node allocations (git-fixes).
- bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() (git-fixes).
- bcache: avoid NULL checking to c->root in run_cache_set() (git-fixes).
- bcache: avoid oversize memory allocation by small stripe_size (git-fixes).
- bcache: check return value from btree_node_alloc_replacement() (git-fixes).
- bcache: fixup btree_cache_wait list damage (git-fixes).
- bcache: fixup init dirty data errors (git-fixes).
- bcache: fixup lock c->root error (git-fixes).
- bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race (git-fixes).
- bcache: prevent potential division by zero error (git-fixes).
- bcache: remove redundant assignment to variable cur_idx (git-fixes).
- bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() (git-fixes).
- bcache: revert replacing IS_ERR_OR_NULL with IS_ERR (git-fixes).
- block: Fix kabi header include (bsc#1218929).
- block: free the extended dev_t minor later (bsc#1218930).
- clocksource: Skip watchdog check for large watchdog intervals (bsc#1217217).
- clocksource: disable watchdog checks on TSC when TSC is watchdog (bsc#1215885).
- dm cache policy smq: ensure IO does not prevent cleaner policy progress (git-fixes).
- dm cache: add cond_resched() to various workqueue loops (git-fixes).
- dm clone: call kmem_cache_destroy() in dm_clone_init() error path (git-fixes).
- dm crypt: add cond_resched() to dmcrypt_write() (git-fixes).
- dm crypt: avoid accessing uninitialized tasklet (git-fixes).
- dm flakey: do not corrupt the zero page (git-fixes).
- dm flakey: fix a crash with invalid table line (git-fixes).
- dm flakey: fix logic when corrupting a bio (git-fixes).
- dm init: add dm-mod.waitfor to wait for asynchronously probed block devices (git-fixes).
- dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path (git-fixes).
- dm integrity: reduce vmalloc space footprint on 32-bit architectures (git-fixes).
- dm raid: clean up four equivalent goto tags in raid_ctr() (git-fixes).
- dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths (git-fixes).
- dm stats: check for and propagate alloc_percpu failure (git-fixes).
- dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client (git-fixes).
- dm thin metadata: check fail_io before using data_sm (git-fixes).
- dm thin: add cond_resched() to various workqueue loops (git-fixes).
- dm thin: fix deadlock when swapping to thin device (bsc#1177529).
- dm verity: do not perform FEC for failed readahead IO (git-fixes).
- dm verity: fix error handling for check_at_most_once on FEC (git-fixes).
- dm verity: skip redundant verity_handle_err() on I/O errors (git-fixes).
- dm zoned: free dmz->ddev array in dmz_put_zoned_devices (git-fixes).
- dm-delay: fix a race between delay_presuspend and delay_bio (git-fixes).
- dm-integrity: do not modify bio's immutable bio_vec in integrity_metadata() (git-fixes).
- dm-verity: align struct dm_verity_fec_io properly (git-fixes).
- dm: add cond_resched() to dm_wq_work() (git-fixes).
- dm: do not lock fs when the map is NULL during suspend or resume (git-fixes).
- dm: do not lock fs when the map is NULL in process of resume (git-fixes).
- dm: remove flush_scheduled_work() during local_exit() (git-fixes).
- dm: send just one event on resize, not two (git-fixes).
- doc/README.KSYMS: Add to repo.
- hv_netvsc: rndis_filter needs to select NLS (git-fixes).
- intel_idle: add Emerald Rapids Xeon support (bsc#1216016).
- kabi, vmstat: skip periodic vmstat update for isolated CPUs (bsc#1217895).
- loop: suppress uevents while reconfiguring the device (git-fixes).
- nbd: Fix debugfs_create_dir error checking (git-fixes).
- nbd: fix incomplete validation of ioctl arg (git-fixes).
- nbd: use the correct block_device in nbd_bdev_reset (git-fixes).
- nfsd: fix RELEASE_LOCKOWNER (bsc#1218968).
- nfsd4: add refcount for nfsd4_blocked_lock (bsc#1218968 bsc#1219349).
- null_blk: Always check queue mode setting from configfs (git-fixes).
- powerpc/pseries/iommu: enable_ddw incorrectly returns direct mapping for SR-IOV device (bsc#1212091 ltc#199106 git-fixes).
- rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails (git-fixes).
- rbd: decouple header read-in from updating rbd_dev->header (git-fixes).
- rbd: decouple parent info read-in from updating rbd_dev (git-fixes).
- rbd: get snapshot context after exclusive lock is ensured to be held (git-fixes).
- rbd: harden get_lock_owner_info() a bit (git-fixes).
- rbd: make get_lock_owner_info() return a single locker or NULL (git-fixes).
- rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting (git-fixes).
- rbd: move rbd_dev_refresh() definition (git-fixes).
- rbd: prevent busy loop when requesting exclusive lock (git-fixes).
- rbd: retrieve and check lock owner twice before blocklisting (git-fixes).
- rbd: take header_rwsem in rbd_dev_refresh() only when updating (git-fixes).
- sched/isolation: add cpu_is_isolated() API (bsc#1217895).
- scsi: ibmvfc: Implement channel queue depth and event buffer accounting (bsc#1209834 ltc#202097).
- scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool (bsc#1209834 ltc#202097).
- trace,smp: Add tracepoints around remotelly called functions (bsc#1217895).
- vmstat: skip periodic vmstat update for isolated CPUs (bsc#1217895).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:534-1
Released:    Tue Feb 20 08:48:52 2024
Summary:     Recommended update for supportutils-plugin-suse-public-cloud
Type:        recommended
Severity:    moderate
References:  1218762,1218763
This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
- Remove duplicate data collection for the plugin itself
- Collect archive metering data when available
- Query billing flavor status

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:565-1
Released:    Wed Feb 21 07:18:46 2024
Summary:     Recommended update for suseconnect-ng
Type:        recommended
Severity:    important
References:  1219425
This update for suseconnect-ng fixes the following issues:

- Allow SUSEConnect on read write transactional systems (bsc#1219425)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:581-1
Released:    Wed Feb 21 14:08:16 2024
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1210638,CVE-2023-27043
This update for python3 fixes the following issues:

- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:586-1
Released:    Thu Feb 22 09:54:21 2024
Summary:     Security update for docker
Type:        security
Severity:    important
References:  1219267,1219268,1219438,CVE-2024-23651,CVE-2024-23652,CVE-2024-23653
This update for docker fixes the following issues:

Vendor latest buildkit v0.11 including bugfixes for the following:

* CVE-2024-23653: BuildKit API doesn't validate entitlement on container creation (bsc#1219438).
* CVE-2024-23652: Fixed arbitrary deletion of files (bsc#1219268).
* CVE-2024-23651: Fixed race condition in mount (bsc#1219267).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:590-1
Released:    Thu Feb 22 14:38:47 2024
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1219823,1219826,1219851,1219852,1219853,1219854,CVE-2023-4408,CVE-2023-50387,CVE-2023-50868,CVE-2023-5517,CVE-2023-5679,CVE-2023-6516
This update for bind fixes the following issues:

Update to release 9.16.48:

Feature Changes:
* The IP addresses for B.ROOT-SERVERS.NET have been updated to
  170.247.170.2 and 2801:1b8:10::b.

Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
  could cause excessive CPU load, leading to a denial-of-service
  condition. This has been fixed. (CVE-2023-50387) [bsc#1219823]
* Preparing an NSEC3 closest encloser proof could cause excessive
  CPU load, leading to a denial-of-service condition. This has
  been fixed. (CVE-2023-50868) [bsc#1219826]
* Parsing DNS messages with many different names could cause
  excessive CPU load. This has been fixed. (CVE-2023-4408) [bsc#1219851]
* Specific queries could cause named to crash with an assertion
  failure when nxdomain-redirect was enabled. This has been
  fixed. (CVE-2023-5517) [bsc#1219852]
* A bad interaction between DNS64 and serve-stale could cause
  named to crash with an assertion failure, when both of these
  features were enabled. This has been fixed. (CVE-2023-5679)
  [bsc#1219853]
* Query patterns that continuously triggered cache database
  maintenance could cause an excessive amount of memory to be
  allocated, exceeding max-cache-size and potentially leading to
  all available memory on the host running named being exhausted.
  This has been fixed. (CVE-2023-6516) [bsc#1219854]

Removed Features:
* Support for using AES as the DNS COOKIE algorithm
  (cookie-algorithm aes;) has been deprecated and will be removed
  in a future release. Please use the current default,
  SipHash-2-4, instead.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:596-1
Released:    Thu Feb 22 20:05:29 2024
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1218215,CVE-2023-51385
This update for openssh fixes the following issues:

- CVE-2023-51385: Limit the use of shell metacharacters in host- and
  user names to avoid command injection. (bsc#1218215)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:613-1
Released:    Mon Feb 26 11:21:43 2024
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:

- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:614-1
Released:    Mon Feb 26 11:31:18 2024
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1216752
This update for rpm fixes the following issues:

- backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:615-1
Released:    Mon Feb 26 11:32:32 2024
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1211886
This update for netcfg fixes the following issues:

- Add krb-prop entry (bsc#1211886)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:638-1
Released:    Tue Feb 27 10:36:11 2024
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1218862,1218865,CVE-2024-0553,CVE-2024-0567
This update for gnutls fixes the following issues:

- CVE-2024-0567: Fixed an incorrect rejection of certificate chains
  with distributed trust (bsc#1218862).
- CVE-2024-0553: Fixed a timing attack against the RSA-PSK key
  exchange, which could lead to the leakage of sensitive data
  (bsc#1218865).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:725-1
Released:    Thu Feb 29 11:03:34 2024
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1219123,1219189
This update for suse-build-key fixes the following issues:

- Switch container key to be default RSA 4096bit. (jsc#PED-2777)
- run import script also in %posttrans section, but only when
  libzypp is not active. bsc#1219189 bsc#1219123
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:766-1
Released:    Tue Mar  5 13:50:28 2024
Summary:     Recommended update for libssh
Type:        recommended
Severity:    important
References:  1220385
This update for libssh fixes the following issues:

- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:792-1
Released:    Thu Mar  7 09:55:23 2024
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  
This update for timezone fixes the following issues:

- Update to version 2024a
- Kazakhstan unifies on UTC+5
- Palestine springs forward a week later than previously predicted in 2024 and 2025
- Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00
- From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00
- In 1911 Miquelon adopted standard time on June 15, not May 15
- The FROM and TO columns of Rule lines can no longer be 'minimum'
- localtime no longer mishandle some timestamps
- strftime %s now uses tm_gmtoff if available
- Ittoqqortoormiit, Greenland changes time zones on 2024-03-31
- Vostok, Antarctica changed time zones on 2023-12-18
- Casey, Antarctica changed time zones five times since 2020
- Code and data fixes for Palestine timestamps starting in 2072
- A new data file zonenow.tab for timestamps starting now
- Much of Greenland changed its standard time from -03 to -02 on 2023-03-25
- localtime.c no longer mishandles TZif files that contain a single transition into a DST regime
- tzselect no longer creates temporary files
- tzselect no longer mishandles the following:
  * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION.
  * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/
  * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments
  * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension
  * zic no longer mishandles data for Palestine after the year 2075

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:795-1
Released:    Thu Mar  7 10:33:50 2024
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1219026,1220389,CVE-2023-42465
This update for sudo fixes the following issues:

- CVE-2023-42465: Try to make sudo less vulnerable to ROWHAMMER attacks (bsc#1219026).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:802-1
Released:    Thu Mar  7 11:07:48 2024
Summary:     Recommended update for wicked
Type:        recommended
Severity:    moderate
References:  1215692,1218926,1218927,1219265,1219751
This update for wicked fixes the following issues:

- ifreload: VLAN changes require device deletion (bsc#1218927) 
- ifcheck: fix config changed check (bsc#1218926)
- client: fix exit code for no-carrier status (bsc#1219265)
- dhcp6: omit the SO_REUSEPORT option (bsc#1215692)
- duid: fix comment for v6time
- rtnl: fix peer address parsing for non ptp-interfaces
- system-updater: Parse updater format from XML configuration to ensure install calls can run
- team: add new options like link_watch_policy (jsc#PED-7183)
- Fix memory leaks in dbus variant destroy and fsm free
- xpath: allow underscore in node identifier
- vxlan: don't format unknown rtnl attrs (bsc#1219751)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:833-1
Released:    Mon Mar 11 10:31:14 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:

- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released:    Mon Mar 11 14:15:37 2024
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:

- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:838-1
Released:    Tue Mar 12 06:46:28 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1220117
This update for util-linux fixes the following issues:

- Processes not cleaned up after failed SSH session are using up 100% CPU (bsc#1220117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:849-1
Released:    Tue Mar 12 15:38:34 2024
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    important
References:  1198533,1214169,1218952
This update for cloud-init contains the following fixes:

- Skip tests with empty config.

- Support reboot on package update/upgrade via the cloud-init
 config. (bsc#1198533, bsc#1218952,  jsc#SMO-326)

- Switch build dependency to the generic distribution-release package.

- Move fdupes call back to %install. (bsc#1214169)
  

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- bind-utils-9.16.48-150400.5.40.1 updated
- cloud-init-config-suse-23.3-150100.8.74.7 updated
- cloud-init-23.3-150100.8.74.7 updated
- containerd-ctr-1.7.10-150000.106.1 updated
- containerd-1.7.10-150000.106.1 updated
- cpio-2.13-150400.3.6.1 updated
- curl-8.0.1-150400.5.41.1 updated
- dhcp-client-4.3.6.P1-150000.6.19.1 updated
- dhcp-4.3.6.P1-150000.6.19.1 updated
- docker-24.0.7_ce-150000.193.1 updated
- efibootmgr-17-150400.3.2.2 updated
- grub2-i386-pc-2.06-150400.11.43.2 updated
- grub2-x86_64-efi-2.06-150400.11.43.2 updated
- grub2-2.06-150400.11.43.2 updated
- hwdata-0.378-150000.3.65.1 updated
- kernel-default-5.14.21-150400.24.108.1 updated
- libavahi-client3-0.8-150400.7.13.1 updated
- libavahi-common3-0.8-150400.7.13.1 updated
- libblkid1-2.37.2-150400.8.26.1 updated
- libcrypt1-4.4.15-150300.4.7.1 updated
- libcurl4-8.0.1-150400.5.41.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.191.1 updated
- libfdisk1-2.37.2-150400.8.26.1 updated
- libfstrm0-0.6.1-150300.9.5.1 updated
- libgnutls30-3.7.3-150400.4.41.3 updated
- libmaxminddb0-1.4.3-150000.1.8.1 updated
- libmetalink3-0.1.3-150000.3.2.1 updated
- libmount1-2.37.2-150400.8.26.1 updated
- libncurses6-6.1-150000.5.20.1 updated
- libopenssl1_1-1.1.1l-150400.7.63.1 updated
- libprocps8-3.3.17-150000.7.37.1 added
- libpython3_6m1_0-3.6.15-150300.10.54.1 updated
- libsmartcols1-2.37.2-150400.8.26.1 updated
- libsolv-tools-0.7.28-150400.3.16.2 updated
- libssh-config-0.9.8-150400.3.6.1 updated
- libssh4-0.9.8-150400.3.6.1 updated
- libsystemd0-249.17-150400.8.40.1 updated
- libudev1-249.17-150400.8.40.1 updated
- libuuid1-2.37.2-150400.8.26.1 updated
- libxml2-2-2.9.14-150400.5.28.1 updated
- libzypp-17.31.31-150400.3.52.2 updated
- ncurses-utils-6.1-150000.5.20.1 updated
- netcfg-11.6-150000.3.6.1 updated
- openssh-clients-8.4p1-150300.3.30.1 updated
- openssh-common-8.4p1-150300.3.30.1 updated
- openssh-server-8.4p1-150300.3.30.1 updated
- openssh-8.4p1-150300.3.30.1 updated
- openssl-1_1-1.1.1l-150400.7.63.1 updated
- pam-1.3.0-150000.6.66.1 updated
- procps-3.3.17-150000.7.37.1 updated
- python-instance-billing-flavor-check-0.0.6-150000.1.9.1 updated
- python3-PyJWT-2.4.0-150200.3.8.1 updated
- python3-attrs-19.3.0-150200.3.6.1 updated
- python3-base-3.6.15-150300.10.54.1 updated
- python3-bind-9.16.48-150400.5.40.1 updated
- python3-blinker-1.4-150000.3.6.1 updated
- python3-chardet-3.0.4-150000.5.3.1 updated
- python3-cryptography-3.3.2-150400.23.1 updated
- python3-cssselect-1.0.3-150000.3.5.1 updated
- python3-importlib-metadata-1.5.0-150100.3.5.1 updated
- python3-jsonpatch-1.23-150100.3.5.1 updated
- python3-jsonpointer-1.14-150000.3.2.1 updated
- python3-jsonschema-3.2.0-150200.9.5.1 updated
- python3-lxml-4.7.1-150200.3.12.1 updated
- python3-more-itertools-8.10.0-150400.7.1 updated
- python3-netifaces-0.10.6-150000.3.2.1 updated
- python3-oauthlib-2.0.6-150000.3.6.1 updated
- python3-passlib-1.7.4-150300.3.2.1 added
- python3-pyrsistent-0.14.4-150100.3.4.1 updated
- python3-pyserial-3.4-150000.3.4.1 updated
- python3-zipp-0.6.0-150100.3.5.1 updated
- python3-3.6.15-150300.10.54.1 updated
- rpm-ndb-4.14.3-150400.59.7.1 updated
- rsyslog-module-relp-8.2306.0-150400.5.27.1 updated
- rsyslog-8.2306.0-150400.5.27.1 updated
- runc-1.1.12-150000.61.2 updated
- samba-client-libs-4.15.13+git.710.7032820fcd-150400.3.34.2 updated
- sudo-1.9.9-150400.4.33.1 updated
- supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1 updated
- supportutils-3.1.28-150300.7.35.24.1 updated
- suse-build-key-12.0-150000.8.43.1 updated
- suse-module-tools-15.4.19-150400.3.17.1 updated
- suseconnect-ng-1.7.0~git0.5338270-150400.3.25.1 updated
- systemd-sysvinit-249.17-150400.8.40.1 updated
- systemd-249.17-150400.8.40.1 updated
- tar-1.34-150000.3.34.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- terminfo-6.1-150000.5.20.1 updated
- timezone-2024a-150000.75.28.1 updated
- udev-249.17-150400.8.40.1 updated
- util-linux-systemd-2.37.2-150400.8.26.1 updated
- util-linux-2.37.2-150400.8.26.1 updated
- wget-1.20.3-150000.3.17.1 updated
- wicked-service-0.6.74-150400.3.13.1 updated
- wicked-0.6.74-150400.3.13.1 updated
- xen-libs-4.16.5_12-150400.4.46.1 updated
- zypper-1.14.68-150400.3.40.2 updated
- libprocps7-3.3.15-150000.7.34.1 removed


More information about the sle-container-updates mailing list