From sle-container-updates at lists.suse.com Tue Jun 3 07:07:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:07:54 +0200 (CEST)
Subject: SUSE-IU-2025:1478-1: Recommended update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250603070754.1835DFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1478-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.40 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 4.40
Severity : moderate
Type : recommended
References : 1239623
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 127
Released: Mon Jun 2 11:11:24 2025
Summary: Recommended update for elemental
Type: recommended
Severity: moderate
References: 1239623

This update for elemental fixes the following issues:

Update to v2.2.1:
  * Include an empty /etc/machine-id file (bsc#1239623)
  * Remove /etc/machine-id from base container

The following package changes have been done:

- elemental-updater-2.2.1-slfo.1.1_1.1 updated
- elemental-2.2.1-slfo.1.1_1.1 updated

From sle-container-updates at lists.suse.com Tue Jun 3 07:08:16 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:08:16 +0200 (CEST)
Subject: SUSE-IU-2025:1479-1: Recommended update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250603070816.30FA4FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1479-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.40 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 4.40
Severity : moderate
Type : recommended
References : 1239623
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 127
Released: Mon Jun 2 11:11:24 2025
Summary: Recommended update for elemental
Type: recommended
Severity: moderate
References: 1239623

This update for elemental fixes the following issues:

Update to v2.2.1:
  * Include an empty /etc/machine-id file (bsc#1239623)
  * Remove /etc/machine-id from base container

The following package changes have been done:

- elemental-updater-2.2.1-slfo.1.1_1.1 updated
- elemental-2.2.1-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.0-4.40 updated

From sle-container-updates at lists.suse.com Tue Jun 3 07:08:40 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:08:40 +0200 (CEST)
Subject: SUSE-IU-2025:1480-1: Recommended update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20250603070840.79168FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1480-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.0 , suse/sl-micro/6.1/rt-os-container:2.2.0-4.47 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 4.47
Severity : moderate
Type : recommended
References : 1239623
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 127
Released: Mon Jun 2 11:11:24 2025
Summary: Recommended update for elemental
Type: recommended
Severity: moderate
References: 1239623

This update for elemental fixes the following issues:

Update to v2.2.1:
  * Include an empty /etc/machine-id file (bsc#1239623)
  * Remove /etc/machine-id from base container

The following package changes have been done:

- elemental-updater-2.2.1-slfo.1.1_1.1 updated
- elemental-2.2.1-slfo.1.1_1.1 updated
- container:SL-Micro-container-2.2.0-5.9 updated

From sle-container-updates at lists.suse.com Tue Jun 3 07:10:46 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:10:46 +0200 (CEST)
Subject: SUSE-CU-2025:4177-1: Security update of suse/ltss/sle15.3/sle15
Message-ID: <20250603071046.51372FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.3/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4177-1
Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.88 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.88 , suse/ltss/sle15.3/sle15:latest
Container Release : 2.88
Severity : important
Type : security
References : 1234128 1243317 CVE-2025-4802
-----------------------------------------------------------------

The container suse/ltss/sle15.3/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1784-1
Released: Fri May 30 18:09:16 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1234128,1243317,CVE-2025-4802

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

Other issues fixed:

- Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128).

The following package changes have been done:

- glibc-2.31-150300.95.1 updated

From sle-container-updates at lists.suse.com Tue Jun 3 07:13:14 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:13:14 +0200 (CEST)
Subject: SUSE-CU-2025:4178-1: Recommended update of bci/openjdk-devel
Message-ID: <20250603071314.5CF9AF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4178-1
Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.15.0 , bci/openjdk-devel:17.0.15.0-8.8
Container Release : 8.8
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2025:1793-1
Released: Mon Jun 2 10:01:39 2025
Summary: Optional update for java modules
Type: optional
Severity: low
References:

This update for java modules and related fixes the following issue:

- Rebuild for consistency across products, no source changes:
  - Packages being rebuilt: apiguardian assertj-core byte-buddy dom4j hamcrest jaxen jdom jopt-simple junit junit5 objectweb-asm open-test-reporting saxpath xom fasterxml-oss-parent

The following package changes have been done:

- hamcrest-3.0-150200.12.22.1 updated
- objectweb-asm-9.7-150200.3.17.1 updated
- junit-4.13.2-150200.3.17.1 updated

From sle-container-updates at lists.suse.com Tue Jun 3 07:14:02 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:14:02 +0200 (CEST)
Subject: SUSE-CU-2025:4179-1: Recommended update of bci/openjdk-devel
Message-ID: <20250603071402.EBF6AF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4179-1
Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-37.6 , bci/openjdk-devel:latest
Container Release : 37.6
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2025:1793-1
Released: Mon Jun 2 10:01:39 2025
Summary: Optional update for java modules
Type: optional
Severity: low
References:

This update for java modules and related fixes the following issue:

- Rebuild for consistency across products, no source changes:
  - Packages being rebuilt: apiguardian assertj-core byte-buddy dom4j hamcrest jaxen jdom jopt-simple junit junit5 objectweb-asm open-test-reporting saxpath xom fasterxml-oss-parent

The following package changes have been done:

- hamcrest-3.0-150200.12.22.1 updated
- objectweb-asm-9.7-150200.3.17.1 updated
- junit-4.13.2-150200.3.17.1 updated

From sle-container-updates at lists.suse.com Tue Jun 3 07:14:35 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:14:35 +0200 (CEST)
Subject: SUSE-CU-2025:4180-1: Recommended update of suse/rmt-server
Message-ID: <20250603071435.1B27BF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4180-1
Container Tags : suse/rmt-server:2 , suse/rmt-server:2.22 , suse/rmt-server:2.22-65.7 , suse/rmt-server:latest
Container Release : 65.7
Severity : important
Type : recommended
References : 1236600 1236816 1236836 1237373
-----------------------------------------------------------------

The container suse/rmt-server was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1796-1
Released: Mon Jun 2 13:29:47 2025
Summary: Recommended update for rmt-server
Type: recommended
Severity: important
References: 1236600,1236816,1236836,1237373

This update for rmt-server contains the following fixes:

- Version 2.22
  * rmt-server-pubcloud:
    * Add pubcloud_reg_code column to systems table
    * Add cache directories and their expiration times to the scrubber
    * Add cache checking to reduce queries to SCC when activating a product
    * Add cache checking to reduce queries to SCC when upgrading a product
    * Refactor and move verify_instance from ZypperAuth to InstanceVerification
    * Add system_token to regsharing to find the system (bsc#1236600)
    * Add system_token to system without one
    * Add data_export engine for DataWarehouse telemetry (jsc#PCT-476)
    * Fix 500 error
    * Fix routing error
    * Fix SUMA ARM64 (bsc#1236836)
    * Fix Migration from Micro 5.5 to Micro 6.X (bsc#1236816)
    * Add registry optional (bsc#1237373)
    * Update Puma webserver
  * rmt-cli:
    * Disable delta RPM mirroring by default
    * Add option during 'rmt-cli mirror' to re-validate repodata and packages only when repodata was updated
  * rmt-server: Add `activejob` and `resque` gems to vendored gemfile, to enable background job support in RMT and all engines.
The following package changes have been done:

- rmt-server-config-2.22-150500.3.31.1 updated
- rmt-server-2.22-150500.3.31.1 updated

From sle-container-updates at lists.suse.com Tue Jun 3 07:16:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 3 Jun 2025 09:16:32 +0200 (CEST)
Subject: SUSE-CU-2025:4181-1: Recommended update of suse/manager/4.3/proxy-salt-broker
Message-ID: <20250603071632.15B01F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4181-1
Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.41 , suse/manager/4.3/proxy-salt-broker:latest
Container Release : 9.53.41
Severity : moderate
Type : recommended
References : 1241624
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1800-1
Released: Mon Jun 2 20:53:40 2025
Summary: Recommended update for python-pyzmq
Type: recommended
Severity: moderate
References: 1241624

This update for python-pyzmq fixes the following issues:

- Prevent open files leak by closing sockets on timeout (bsc#1241624)

The following package changes have been done:

- python3-pyzmq-17.1.2-150000.3.8.1 updated

From sle-container-updates at lists.suse.com Wed Jun 4 07:05:57 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 4 Jun 2025 09:05:57 +0200 (CEST)
Subject: SUSE-IU-2025:1490-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250604070557.326C9FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1490-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.44 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 4.44
Severity : important
Type : security
References : 1238700 1239335 CVE-2025-22869 CVE-2025-22870
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 130
Released: Tue Jun 3 11:03:45 2025
Summary: Security update for elemental-toolkit
Type: security
Severity: important
References: 1238700,1239335,CVE-2025-22869,CVE-2025-22870

This update for elemental-toolkit fixes the following issues:

- Updated to v2.2.3:
  * Adapted .golangci.yml format to a new version
  * Simplified podman calls in CI setup
  * Switched GHA runners to Ubuntu 24.04
  * Updated year in headers
  * Vendored go.mod libraries
  * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
  * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335)

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.11.34 updated
- elemental-toolkit-2.2.3-slfo.1.1_1.1 updated
- container:suse-toolbox-image-1.0.0-4.37 updated

From sle-container-updates at lists.suse.com Wed Jun 4 07:06:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 4 Jun 2025 09:06:34 +0200 (CEST)
Subject: SUSE-IU-2025:1491-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250604070634.4DD93FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1491-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.44 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 4.44
Severity : important
Type : security
References : 1238700 1239335 CVE-2025-22869 CVE-2025-22870
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 130
Released: Tue Jun 3 11:03:45 2025
Summary: Security update for elemental-toolkit
Type: security
Severity: important
References: 1238700,1239335,CVE-2025-22869,CVE-2025-22870

This update for elemental-toolkit fixes the following issues:

- Updated to v2.2.3:
  * Adapted .golangci.yml format to a new version
  * Simplified podman calls in CI setup
  * Switched GHA runners to Ubuntu 24.04
  * Updated year in headers
  * Vendored go.mod libraries
  * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
  * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335)

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.11.34 updated
- elemental-toolkit-2.2.3-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.0-4.44 updated

From sle-container-updates at lists.suse.com Wed Jun 4 07:07:11 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 4 Jun 2025 09:07:11 +0200 (CEST)
Subject: SUSE-IU-2025:1492-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20250604070711.04973FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1492-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.0 , suse/sl-micro/6.1/rt-os-container:2.2.0-4.50 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 4.50
Severity : important
Type : security
References : 1238700 1239335 CVE-2025-22869 CVE-2025-22870
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 130
Released: Tue Jun 3 11:03:45 2025
Summary: Security update for elemental-toolkit
Type: security
Severity: important
References: 1238700,1239335,CVE-2025-22869,CVE-2025-22870

This update for elemental-toolkit fixes the following issues:

- Updated to v2.2.3:
  * Adapted .golangci.yml format to a new version
  * Simplified podman calls in CI setup
  * Switched GHA runners to Ubuntu 24.04
  * Updated year in headers
  * Vendored go.mod libraries
  * CVE-2025-22870: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238700)
  * CVE-2025-22869: golang.org/x/crypto/ssh: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239335)

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.11.34 updated
- elemental-toolkit-2.2.3-slfo.1.1_1.1 updated
- container:SL-Micro-container-2.2.0-5.11 updated

From sle-container-updates at lists.suse.com Wed Jun 4 07:13:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 4 Jun 2025 09:13:54 +0200 (CEST)
Subject: SUSE-CU-2025:4188-1: Recommended update of bci/rust
Message-ID: <20250604071354.BA024F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4188-1
Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.2.1 , bci/rust:oldstable , bci/rust:oldstable-2.2.1
Container Release : 2.1
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------

The container bci/rust was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1350-1
Released: Sun Apr 20 19:58:33 2025
Summary: Recommended update for rust, rust1.86
Type: recommended
Severity: moderate
References:

This update for rust, rust1.86 fixes the following issues:

Changes in rust1.86:

Version 1.86.0 (2025-04-03)
==========================

Language
--------

- Stabilize upcasting trait objects to supertraits.
- Allow safe functions to be marked with the `#[target_feature]` attribute.
- The `missing_abi` lint now warns-by-default.
- Rust now lints about double negations, to catch cases that might have intended to be a prefix decrement operator (`--x`) as written in other languages. This was previously a clippy lint, `clippy::double_neg`, and is now available directly in Rust as `double_negations`.
- More pointers are now detected as definitely not-null based on their alignment in const eval.
- Empty `repr()` attribute applied to invalid items are now correctly rejected.
- Inner attributes `#![test]` and `#![rustfmt::skip]` are no longer accepted in more places than intended.

Compiler
--------

- Debug-assert that raw pointers are non-null on access.
- Change `-O` to mean `-C opt-level=3` instead of `-C opt-level=2` to match Cargo's defaults.
- Fix emission of `overflowing_literals` under certain macro environments.

Platform Support
----------------

- Replace `i686-unknown-redox` target with `i586-unknown-redox`.
- Increase baseline CPU of `i686-unknown-hurd-gnu` to Pentium 4.
- New tier 3 targets:
  - `{aarch64-unknown,x86_64-pc}-nto-qnx710_iosock` For supporting Neutrino QNX 7.1 with `io-socket` network stack.
  - `{aarch64-unknown,x86_64-pc}-nto-qnx800` For supporting Neutrino QNX 8.0 (`no_std`-only).
  - `{x86_64,i686}-win7-windows-gnu` Intended for backwards compatibility with Windows 7.
    `{x86_64,i686}-win7-windows-msvc` are the Windows MSVC counterparts that already exist as Tier 3 targets.
  - `amdgcn-amd-amdhsa`
  - `x86_64-pc-cygwin`
  - `{mips,mipsel}-mti-none-elf` Initial bare-metal support.
  - `m68k-unknown-none-elf`
  - `armv7a-nuttx-{eabi,eabihf}`, `aarch64-unknown-nuttx`, and `thumbv7a-nuttx-{eabi,eabihf}`

Refer to Rust's platform support page for more information on Rust's tiered platform support.

Libraries
---------

- The type of `FromBytesWithNulError` in `CStr::from_bytes_with_nul(bytes: &[u8]) -> Result<&Self, FromBytesWithNulError>` was changed from an opaque struct to an enum, allowing users to examine why the conversion failed.
- Remove `RustcDecodable` and `RustcEncodable`.
- Deprecate libtest's `--logfile` option.
- On recent versions of Windows, `std::fs::remove_file` will now remove read-only files.

Stabilized APIs
---------------

- `{float}::next_down` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.next_down
- `{float}::next_up` https://doc.rust-lang.org/stable/std/primitive.f64.html#method.next_up
- `<[_]>::get_disjoint_mut` https://doc.rust-lang.org/stable/std/primitive.slice.html#method.get_disjoint_mut
- `<[_]>::get_disjoint_unchecked_mut` https://doc.rust-lang.org/stable/std/primitive.slice.html#method.get_disjoint_unchecked_mut
- `slice::GetDisjointMutError` https://doc.rust-lang.org/stable/std/slice/enum.GetDisjointMutError.html
- `HashMap::get_disjoint_mut` https://doc.rust-lang.org/std/collections/hash_map/struct.HashMap.html#method.get_disjoint_mut
- `HashMap::get_disjoint_unchecked_mut` https://doc.rust-lang.org/std/collections/hash_map/struct.HashMap.html#method.get_disjoint_unchecked_mut
- `NonZero::count_ones` https://doc.rust-lang.org/stable/std/num/struct.NonZero.html#method.count_ones
- `Vec::pop_if` https://doc.rust-lang.org/std/vec/struct.Vec.html#method.pop_if
- `sync::Once::wait` https://doc.rust-lang.org/stable/std/sync/struct.Once.html#method.wait
- `sync::Once::wait_force` https://doc.rust-lang.org/stable/std/sync/struct.Once.html#method.wait_force
- `sync::OnceLock::wait` https://doc.rust-lang.org/stable/std/sync/struct.OnceLock.html#method.wait

These APIs are now stable in const contexts:

- `hint::black_box` https://doc.rust-lang.org/stable/std/hint/fn.black_box.html
- `io::Cursor::get_mut` https://doc.rust-lang.org/stable/std/io/struct.Cursor.html#method.get_mut
- `io::Cursor::set_position` https://doc.rust-lang.org/stable/std/io/struct.Cursor.html#method.set_position
- `str::is_char_boundary` https://doc.rust-lang.org/stable/std/primitive.str.html#method.is_char_boundary
- `str::split_at` https://doc.rust-lang.org/stable/std/primitive.str.html#method.split_at
- `str::split_at_checked` https://doc.rust-lang.org/stable/std/primitive.str.html#method.split_at_checked
- `str::split_at_mut` https://doc.rust-lang.org/stable/std/primitive.str.html#method.split_at_mut
- `str::split_at_mut_checked` https://doc.rust-lang.org/stable/std/primitive.str.html#method.split_at_mut_checked

Cargo
-----

- When merging, replace rather than combine configuration keys that refer to a program path and its arguments.
- Error if both `--package` and `--workspace` are passed but the requested package is missing. This was previously silently ignored, which was considered a bug since missing packages should be reported.
- Deprecate the token argument in `cargo login` to avoid shell history leaks.
- Simplify the implementation of `SourceID` comparisons. This may potentially change behavior if the canonicalized URL compares differently in alternative registries.

Rustdoc
-----

- Add a sans-serif font setting.

Compatibility Notes
-------------------

- The `wasm_c_abi` future compatibility warning is now a hard error. Users of `wasm-bindgen` should upgrade to at least version 0.2.89, otherwise compilation will fail.
- Remove long-deprecated no-op attributes `#![no_start]` and `#![crate_id]`.
- The future incompatibility lint `cenum_impl_drop_cast` has been made into a hard error. This means it is now an error to cast a field-less enum to an integer if the enum implements `Drop`.
- SSE2 is now required for 'i686' 32-bit x86 hard-float targets; disabling it causes a warning that will become a hard error eventually. To compile for pre-SSE2 32-bit x86, use a 'i586' target instead.

Internal Changes
----------------

These changes do not affect any public interfaces of Rust, but they represent significant improvements to the performance or internals of rustc and related tools.

- Build the rustc on AArch64 Linux with ThinLTO + PGO. The ARM 64-bit compiler (AArch64) on Linux is now optimized with ThinLTO and PGO, similar to the optimizations we have already performed for the x86-64 compiler on Linux. This should make it up to 30% faster.

The following package changes have been done:

- rust1.86-1.86.0-150300.7.5.1 added
- cargo1.86-1.86.0-150300.7.5.1 added
- cargo1.85-1.85.1-150300.7.6.1 removed
- rust1.85-1.85.1-150300.7.6.1 removed

From sle-container-updates at lists.suse.com Wed Jun 4 07:14:39 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 4 Jun 2025 09:14:39 +0200 (CEST)
Subject: SUSE-CU-2025:4189-1: Recommended update of bci/rust
Message-ID: <20250604071439.2D88FF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4189-1
Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.2.1 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.2.1
Container Release : 2.1
Severity : moderate
Type : recommended
References :
-----------------------------------------------------------------

The container bci/rust was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1789-1
Released: Sun Jun 1 22:50:21 2025
Summary: Recommended update for rust, rust1.87
Type: recommended
Severity: moderate
References:

This update for rust, rust1.87 fixes the following issues:

Version 1.87.0 (2025-05-15)
==========================

Language
--------

- Stabilize asm_goto feature
- Allow parsing open beginning ranges (..EXPR) after unary operators !, -, and *.
- Don't require method impls for methods with Self: Sized bounds in impls for unsized types
- Stabilize feature(precise_capturing_in_traits) allowing use<...> bounds on return position impl Trait in traits

Compiler
--------

- x86: make SSE2 required for i686 targets and use it to pass SIMD types

Libraries
---------

- Stabilize the anonymous pipe API
- Add support for unbounded left/right shift operations
- Print pointer metadata in Debug impl of raw pointers
- Vec::with_capacity guarantees it allocates with the amount requested, even if Vec::capacity returns a different number.
- Most std::arch intrinsics which don't take pointer arguments can now be called from safe code if the caller has the appropriate target features already enabled
- Undeprecate env::home_dir
- Denote ControlFlow as #[must_use]
- Macros such as assert_eq! and vec! now support const {...} expressions

Stabilized APIs

- Vec::extract_if https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.extract_if
- vec::ExtractIf https://doc.rust-lang.org/stable/std/vec/struct.ExtractIf.html
- LinkedList::extract_if https://doc.rust-lang.org/stable/std/collections/struct.LinkedList.html#method.extract_if
- linked_list::ExtractIf https://doc.rust-lang.org/stable/std/collections/linked_list/struct.ExtractIf.html
- <[T]>::split_off https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off
- <[T]>::split_off_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_mut
- <[T]>::split_off_first https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_first
- <[T]>::split_off_first_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_first_mut
- <[T]>::split_off_last https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_last
- <[T]>::split_off_last_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.split_off_last_mut
- String::extend_from_within https://doc.rust-lang.org/stable/alloc/string/struct.String.html#method.extend_from_within
- os_str::Display https://doc.rust-lang.org/stable/std/ffi/os_str/struct.Display.html
- OsString::display https://doc.rust-lang.org/stable/std/ffi/struct.OsString.html#method.display
- OsStr::display https://doc.rust-lang.org/stable/std/ffi/struct.OsStr.html#method.display
- io::pipe https://doc.rust-lang.org/stable/std/io/fn.pipe.html
- io::PipeReader https://doc.rust-lang.org/stable/std/io/struct.PipeReader.html
- io::PipeWriter https://doc.rust-lang.org/stable/std/io/struct.PipeWriter.html
- impl From<PipeReader> for OwnedHandle https://doc.rust-lang.org/stable/std/os/windows/io/struct.OwnedHandle.html#impl-From%3CPipeReader%3E-for-OwnedHandle
- impl From<PipeWriter> for OwnedHandle https://doc.rust-lang.org/stable/std/os/windows/io/struct.OwnedHandle.html#impl-From%3CPipeWriter%3E-for-OwnedHandle
- impl From<PipeReader> for Stdio https://doc.rust-lang.org/stable/std/process/struct.Stdio.html
- impl From<PipeWriter> for Stdio https://doc.rust-lang.org/stable/std/process/struct.Stdio.html#impl-From%3CPipeWriter%3E-for-Stdio
- impl From<PipeReader> for OwnedFd https://doc.rust-lang.org/stable/std/os/fd/struct.OwnedFd.html#impl-From%3CPipeReader%3E-for-OwnedFd
- impl From<PipeWriter> for OwnedFd https://doc.rust-lang.org/stable/std/os/fd/struct.OwnedFd.html#impl-From%3CPipeWriter%3E-for-OwnedFd
- Box<MaybeUninit<T>>::write https://doc.rust-lang.org/stable/std/boxed/struct.Box.html#method.write
- impl TryFrom<Vec<u8>> for String https://doc.rust-lang.org/stable/std/string/struct.String.html#impl-TryFrom%3CVec%3Cu8%3E%3E-for-String
- <*const T>::offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset_from_unsigned
- <*const T>::byte_offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.byte_offset_from_unsigned
- <*mut T>::offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.offset_from_unsigned-1
- <*mut T>::byte_offset_from_unsigned https://doc.rust-lang.org/stable/std/primitive.pointer.html#method.byte_offset_from_unsigned-1
- NonNull::offset_from_unsigned https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.offset_from_unsigned
- NonNull::byte_offset_from_unsigned https://doc.rust-lang.org/stable/std/ptr/struct.NonNull.html#method.byte_offset_from_unsigned
- <uN>::cast_signed https://doc.rust-lang.org/stable/std/primitive.usize.html#method.cast_signed
- NonZero::<uN>::cast_signed https://doc.rust-lang.org/stable/std/num/struct.NonZero.html#method.cast_signed-5
- <iN>::cast_unsigned https://doc.rust-lang.org/stable/std/primitive.isize.html#method.cast_unsigned
- NonZero::<iN>::cast_unsigned https://doc.rust-lang.org/stable/std/num/struct.NonZero.html#method.cast_unsigned-5
- ::is_multiple_of https://doc.rust-lang.org/stable/std/primitive.usize.html#method.is_multiple_of - ::unbounded_shl https://doc.rust-lang.org/stable/std/primitive.usize.html#method.unbounded_shl - ::unbounded_shr https://doc.rust-lang.org/stable/std/primitive.usize.html#method.unbounded_shr - ::unbounded_shl https://doc.rust-lang.org/stable/std/primitive.isize.html#method.unbounded_shl - ::unbounded_shr https://doc.rust-lang.org/stable/std/primitive.isize.html#method.unbounded_shr - ::midpoint https://doc.rust-lang.org/stable/std/primitive.isize.html#method.midpoint - ::from_utf8 https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8 - ::from_utf8_mut https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8_mut - ::from_utf8_unchecked https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8_unchecked - ::from_utf8_unchecked_mut https://doc.rust-lang.org/stable/std/primitive.str.html#method.from_utf8_unchecked_mut These previously stable APIs are now stable in const contexts: - core::str::from_utf8_mut https://doc.rust-lang.org/stable/std/str/fn.from_utf8_mut.html - <[T]>::copy_from_slice https://doc.rust-lang.org/stable/std/primitive.slice.html#method.copy_from_slice - SocketAddr::set_ip https://doc.rust-lang.org/stable/std/net/enum.SocketAddr.html#method.set_ip - SocketAddr::set_port https://doc.rust-lang.org/stable/std/net/enum.SocketAddr.html#method.set_port - SocketAddrV4::set_ip https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV4.html#method.set_ip - SocketAddrV4::set_port https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV4.html#method.set_port - SocketAddrV6::set_ip https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_ip - SocketAddrV6::set_port https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_port - SocketAddrV6::set_flowinfo https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_flowinfo - SocketAddrV6::set_scope_id 
https://doc.rust-lang.org/stable/std/net/struct.SocketAddrV6.html#method.set_scope_id - char::is_digit https://doc.rust-lang.org/stable/std/primitive.char.html#method.is_digit - char::is_whitespace https://doc.rust-lang.org/stable/std/primitive.char.html#method.is_whitespace - <[[T; N]]>::as_flattened https://doc.rust-lang.org/stable/std/primitive.slice.html#method.as_flattened - <[[T; N]]>::as_flattened_mut https://doc.rust-lang.org/stable/std/primitive.slice.html#method.as_flattened_mut - String::into_bytes https://doc.rust-lang.org/stable/std/string/struct.String.html#method.into_bytes - String::as_str https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_str - String::capacity https://doc.rust-lang.org/stable/std/string/struct.String.html#method.capacity - String::as_bytes https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_bytes - String::len https://doc.rust-lang.org/stable/std/string/struct.String.html#method.len - String::is_empty https://doc.rust-lang.org/stable/std/string/struct.String.html#method.is_empty - String::as_mut_str https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_mut_str - String::as_mut_vec https://doc.rust-lang.org/stable/std/string/struct.String.html#method.as_mut_vec - Vec::as_ptr https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_ptr - Vec::as_slice https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_slice - Vec::capacity https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.capacity - Vec::len https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.len - Vec::is_empty https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.is_empty - Vec::as_mut_slice https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_mut_slice - Vec::as_mut_ptr https://doc.rust-lang.org/stable/std/vec/struct.Vec.html#method.as_mut_ptr Cargo ----- - Add terminal integration via ANSI OSC 9;4 sequences - chore: bump openssl to v3 -
feat(package): add --exclude-lockfile flag Compatibility Notes - Rust now raises an error for macro invocations inside the #![crate_name] attribute - Unstable fields are now always considered to be inhabited - Macro arguments of unary operators followed by open beginning ranges may now be matched differently - Make Debug impl of raw pointers print metadata if present - Warn against function pointers using unsupported ABI strings in dependencies - Associated types on dyn types are no longer deduplicated - Forbid attributes on .. inside of struct patterns (let Struct { #[attribute] .. }) = - Make ptr_cast_add_auto_to_object lint into hard error - Many std::arch intrinsics are now safe to call in some contexts, there may now be new unused_unsafe warnings in existing codebases. - Limit width and precision formatting options to 16 bits on all targets - Turn order dependent trait objects future incompat warning into a hard error - Denote ControlFlow as #[must_use] - Windows: The standard library no longer links advapi32, except on win7. Code such as C libraries that were relying on this assumption may need to explicitly link advapi32. - Proc macros can no longer observe expanded cfg(true) attributes. - Start changing the internal representation of pasted tokens. Certain invalid declarative macros that were previously accepted in obscure circumstances are now correctly rejected by the compiler. Use of a tt fragment specifier can often fix these macros. - Don't allow flattened format_args in const.
The following package changes have been done: - rust1.87-1.87.0-150300.7.3.1 added - cargo1.87-1.87.0-150300.7.3.1 added - cargo1.86-1.86.0-150300.7.5.1 removed - rust1.86-1.86.0-150300.7.5.1 removed From sle-container-updates at lists.suse.com Thu Jun 5 07:07:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 5 Jun 2025 09:07:52 +0200 (CEST) Subject: SUSE-CU-2025:4193-1: Security update of bci/kiwi Message-ID: <20250605070752.7490EFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4193-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-25.6 , bci/kiwi:latest Container Release : 25.6 Severity : important Type : security References : 1243313 CVE-2025-47273 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). 
The following package changes have been done: - python3-setuptools-44.1.1-150400.9.12.1 updated From sle-container-updates at lists.suse.com Thu Jun 5 07:06:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 5 Jun 2025 09:06:49 +0200 (CEST) Subject: SUSE-CU-2025:4191-1: Security update of suse/389-ds Message-ID: <20250605070649.665BFFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4191-1 Container Tags : suse/389-ds:2.2 , suse/389-ds:2.2.10 , suse/389-ds:2.2.10-39.7 , suse/389-ds:latest Container Release : 39.7 Severity : important Type : security References : 1243313 CVE-2025-47273 ----------------------------------------------------------------- The container suse/389-ds was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). 
The following package changes have been done: - python3-setuptools-44.1.1-150400.9.12.1 updated From sle-container-updates at lists.suse.com Thu Jun 5 07:06:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 5 Jun 2025 09:06:54 +0200 (CEST) Subject: SUSE-CU-2025:4192-1: Security update of suse/kiosk/firefox-esr Message-ID: <20250605070654.A6DFFFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/firefox-esr ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4192-1 Container Tags : suse/kiosk/firefox-esr:128.11 , suse/kiosk/firefox-esr:128.11-46.2 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest Container Release : 46.2 Severity : important Type : security References : 1243353 CVE-2025-5263 CVE-2025-5264 CVE-2025-5265 CVE-2025-5266 CVE-2025-5267 CVE-2025-5268 CVE-2025-5269 ----------------------------------------------------------------- The container suse/kiosk/firefox-esr was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1814-1 Released: Wed Jun 4 16:10:17 2025 Summary: Security update for MozillaFirefox Type: security Severity: important References: 1243353,CVE-2025-5263,CVE-2025-5264,CVE-2025-5265,CVE-2025-5266,CVE-2025-5267,CVE-2025-5268,CVE-2025-5269 This update for MozillaFirefox fixes the following issues: Update to Mozilla Firefox ESR 128.11 (MFSA 2025-44, bsc#1243353): - MFSA-TMP-2025-0001: Double-free in libvpx encoder (bmo#1962421) - CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content (bmo#1960745) - CVE-2025-5264: Potential local code execution in 'Copy as cURL' command (bmo#1950001) - CVE-2025-5265: Potential local code execution in 'Copy as cURL' command (bmo#1962301) - CVE-2025-5266: Script element events leaked cross-origin resource status (bmo#1965628) - CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details (bmo#1954137) - CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11 (bmo#1950136, bmo#1958121, bmo#1960499, bmo#1962634) - CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11 (bmo#1924108) The following package changes have been done: - MozillaFirefox-128.11.0-150200.152.185.1 updated - container:suse-sle15-15.6-84759d0e92dad1b0d389e88d265e230ef1e487f3a4f10c1be8647883e41a3c8b-0 updated From sle-container-updates at lists.suse.com Thu Jun 5 07:10:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 5 Jun 2025 09:10:08 +0200 (CEST) Subject: SUSE-CU-2025:4195-1: Recommended update of suse/bind Message-ID: <20250605071008.3562FFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : 
SUSE-CU-2025:4195-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.3 , suse/bind:9.20.3-9.3 Container Release : 9.3 Severity : important Type : recommended References : ----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1394-1 Released: Mon Apr 28 16:15:21 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: This update for glibc fixes the following issues: - Add support for userspace livepatching for ppc64le (jsc#PED-11850) The following package changes have been done: - glibc-2.38-150600.14.29.1 updated - container:suse-sle15-15.7-833c78a873e3ed99389a52fb2c047e71d642709e150719ba63fa61072f659b00-0 updated - container:registry.suse.com-bci-bci-micro-15.7-c42d46c3a95e8ebd5d5e4f8b99a19e1c5246dbdf25a5b612541668e6bb0cd833-0 updated From sle-container-updates at lists.suse.com Thu Jun 5 07:11:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 5 Jun 2025 09:11:32 +0200 (CEST) Subject: SUSE-CU-2025:4200-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250605071132.CDB5DFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4200-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , suse/manager/4.3/proxy-httpd:4.3.15.9.63.34 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.34 Severity : important Type : security References : 1243313 CVE-2025-47273 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). The following package changes have been done: - python3-setuptools-44.1.1-150400.9.12.1 updated From sle-container-updates at lists.suse.com Thu Jun 5 07:08:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 5 Jun 2025 09:08:47 +0200 (CEST) Subject: SUSE-CU-2025:4194-1: Security update of bci/python Message-ID: <20250605070847.05A5EFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4194-1 Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-64.8 Container Release : 64.8 Severity : important Type : security References : 1243313 CVE-2025-47273 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). 
The following package changes have been done: - python3-setuptools-44.1.1-150400.9.12.1 updated From sle-container-updates at lists.suse.com Thu Jun 5 07:12:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 5 Jun 2025 09:12:33 +0200 (CEST) Subject: SUSE-CU-2025:4201-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20250605071233.3A8E1F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4201-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.15 , suse/manager/4.3/proxy-tftpd:4.3.15.9.53.24 , suse/manager/4.3/proxy-tftpd:latest Container Release : 9.53.24 Severity : important Type : security References : 1243313 CVE-2025-47273 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). 
The following package changes have been done: - python3-setuptools-44.1.1-150400.9.12.1 updated From sle-container-updates at lists.suse.com Mon Jun 9 07:04:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 9 Jun 2025 09:04:18 +0200 (CEST) Subject: SUSE-IU-2025:1497-1: Security update of suse/sl-micro/6.0/baremetal-os-container Message-ID: <20250609070418.56AACFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1497-1 Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.38 , suse/sl-micro/6.0/baremetal-os-container:latest Image Release : 6.38 Severity : moderate Type : security References : 1237147 1241938 1243106 CVE-2025-22247 ----------------------------------------------------------------- The container suse/sl-micro/6.0/baremetal-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 345 Released: Sun Jun 8 15:23:49 2025 Summary: Security update for open-vm-tools Type: security Severity: moderate References: 1237147,1241938,1243106,CVE-2025-22247 This update for open-vm-tools fixes the following issues: - Updated to 12.5.2: * CVE-2025-22247: Fixed insecure file handling (bsc#1243106) - Fixed gcc15 compile time error (bsc#1241938) The following package changes have been done: - libvmtools0-12.5.2-1.1 updated - open-vm-tools-12.5.2-1.1 updated - container:SL-Micro-base-container-2.1.3-7.7 updated From sle-container-updates at lists.suse.com Mon Jun 9 07:04:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 9 Jun 2025 09:04:49 +0200 (CEST) Subject: SUSE-IU-2025:1498-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250609070449.895E9FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1498-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.7 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.7 Severity : moderate Type : security References : 1242300 CVE-2025-47268 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 346 Released: Sun Jun 8 15:25:40 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1242300,CVE-2025-47268 This update for iputils fixes the following issues: - CVE-2025-47268: Fixed integer overflow in RTT calculation leading to undefined behavior (bsc#1242300) The following package changes have been done: - iputils-20221126-4.1 updated - container:suse-toolbox-image-1.0.0-9.2 updated From sle-container-updates at lists.suse.com Mon Jun 9 07:07:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 9 Jun 2025 09:07:09 +0200 (CEST) Subject: SUSE-CU-2025:4211-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250609070709.0FA0CFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4211-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.2 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.2 Severity : moderate Type : security References : 1242300 CVE-2025-47268 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 346 Released: Sun Jun 8 15:25:40 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1242300,CVE-2025-47268 This update for iputils fixes the following issues: - CVE-2025-47268: Fixed integer overflow in RTT calculation leading to undefined behavior (bsc#1242300) The following package changes have been done: - iputils-20221126-4.1 updated From sle-container-updates at lists.suse.com Tue Jun 10 07:09:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 10 Jun 2025 09:09:12 +0200 (CEST) Subject: SUSE-CU-2025:4221-1: Security update of bci/golang Message-ID: <20250610070912.D2FBCFD12@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4221-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.38.6 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.38.6 Container Release : 38.6 Severity : important Type : security References : 1236217 1242715 1244156 1244157 1244158 CVE-2025-0913 CVE-2025-22873 CVE-2025-22874 CVE-2025-4673 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1846-1 Released: Mon Jun 9 20:33:58 2025 Summary: Security update for go1.24 Type: security Severity: important References: 1236217,1242715,1244156,1244157,1244158,CVE-2025-0913,CVE-2025-22873,CVE-2025-22874,CVE-2025-4673 This update for go1.24 fixes the following issues: go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages. ( bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673) * CVE-2025-22874: crypto/x509: ExtKeyUsageAny bypasses policy validation (bsc#1244158) * CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157) * CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156) * os: Root.Mkdir creates directories with zero permissions on OpenBSD * hash/maphash: hashing channels with purego impl. 
of maphash.Comparable panics * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/go: add fips140 module selection mechanism * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen * CVE-2025-22873: os: Root permits access to parent directory The following package changes have been done: - go1.24-doc-1.24.4-150000.1.26.1 updated - go1.24-1.24.4-150000.1.26.1 updated - go1.24-race-1.24.4-150000.1.26.1 updated From sle-container-updates at lists.suse.com Tue Jun 10 07:09:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 10 Jun 2025 09:09:51 +0200 (CEST) Subject: SUSE-CU-2025:4222-1: Recommended update of bci/golang Message-ID: <20250610070951.B7F5AFD12@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4222-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-60.7 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-60.7 Container Release : 60.7 Severity : important Type : recommended References : 1243960 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1847-1 Released: Mon Jun 9 20:34:37 2025 Summary: Recommended update for go1.24-openssl Type: recommended Severity: important References: 1243960 This update for go1.24-openssl fixes the following issues: Update to version 1.24.3 cut from the go1.24-fips-release branch at the revision tagged go1.24.3-3-openssl-fips. (jsc#SLE-18320) * Fix GOLANG_FIPS=0 and enable CGO for bin/go Update to version 1.24.3 cut from the go1.24-fips-release branch at the revision tagged go1.24.3-2-openssl-fips. 
(jsc#SLE-18320 bsc#1243960) * Force fips140tls in boring mode and run http tests * Implement HKDF for TLS (#297) bsc#1243960. This was previously left unimplemented and would panic if invoked. This was not caught because we only run a subset of the TLS tests in FIPS mode. This patch adds the test case which would have caught this into our test script and fixes the panic with an implementation of HKDF label expanding. * Improve documentation (#294) The following package changes have been done: - go1.24-openssl-doc-1.24.3-150600.13.6.1 updated - go1.24-openssl-1.24.3-150600.13.6.1 updated - go1.24-openssl-race-1.24.3-150600.13.6.1 updated From sle-container-updates at lists.suse.com Tue Jun 10 07:08:36 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 10 Jun 2025 09:08:36 +0200 (CEST) Subject: SUSE-CU-2025:4220-1: Security update of bci/golang Message-ID: <20250610070836.2A61DFCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4220-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.10 , bci/golang:1.23.10-2.38.6 , bci/golang:oldstable , bci/golang:oldstable-2.38.6 Container Release : 38.6 Severity : important Type : security References : 1229122 1244156 1244157 CVE-2025-0913 CVE-2025-4673 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1848-1 Released: Mon Jun 9 20:35:15 2025 Summary: Security update for go1.23 Type: security Severity: important References: 1229122,1244156,1244157,CVE-2025-0913,CVE-2025-4673 This update for go1.23 fixes the following issues: go1.23.10 (released 2025-06-05) includes security fixes to the net/http and os packages, as well as bug fixes to the linker.
(bsc#1229122 go1.23 release tracking CVE-2025-0913 CVE-2025-4673) * CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157) * CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156) * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen The following package changes have been done: - go1.23-doc-1.23.10-150000.1.34.1 updated - go1.23-1.23.10-150000.1.34.1 updated - go1.23-race-1.23.10-150000.1.34.1 updated From sle-container-updates at lists.suse.com Wed Jun 11 07:04:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 11 Jun 2025 09:04:17 +0200 (CEST) Subject: SUSE-IU-2025:1516-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250611070417.38183FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1516-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.47 , suse/sl-micro/6.1/base-os-container:latest Image Release : 4.47 Severity : moderate Type : security References : 1241020 1241078 CVE-2025-29087 CVE-2025-29088 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 141 Released: Tue Jun 10 13:50:09 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,CVE-2025-29087,CVE-2025-29088 This update for sqlite3 fixes the following issues: - Update to release 3.49.1: * Improve portability of makefiles and configure scripts. 
* CVE-2025-29087: Fixed Integer Overflow in SQLite concat Function (bsc#1241020) * CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) - Update to release 3.49.0: * Enhancements to the query planner: - Improve the query-time index optimization so that it works on WITHOUT ROWID tables. - Better query plans for large star-query joins. This fixes three different performance regressions that were reported on the SQLite Forum. - When two or more queries have the same estimated cost, use the one with the fewer bytes per row. * Enhance the iif() SQL function so that it can accept any number of arguments greater than or equal to two. * Enhance the session extension so that it works on databases that make use of generated columns. * Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which was not implemented correctly and never worked right. In its place add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This option applies to command-line tools like the CLI only, not to the SQLite core. It causes Win32 APIs to be used for console I/O instead of stdio. This option affects Windows builds only. * Three new options to sqlite3_db_config(). All default 'on'. SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE SQLITE_DBCONFIG_ENABLE_COMMENTS - Re-enable SONAME which got disabled by default in 3.48.0. - Update to release 3.48.0: * Improved EXPLAIN QUERY PLAN output for covering indexes. * Allow a two-argument version of the iif() SQL function. * Also allow if() as an alternative spelling for iif(). * Add the '.dbtotxt' command to the CLI. * Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics method of the sqlite3_io_methods object. * Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents warning messages being sent to the error log if the SQL is ill-formed. 
This allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check for validity without polluting the error log with false messages. * Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30. * Added the SQLITE_FCNTL_NULL_IO file control. * Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via the insttoken configuration option and the fts5_insttoken() SQL function. * Increase the maximum number of arguments to an SQL function from 127 to 1000. - Update to release 3.47.2: * Fix a problem in text-to-floating-point conversion that affects text values where the first 16 significant digits are '1844674407370955'. This issue was introduced in 3.47.0 and only arises on x64 and i386 hardware. * Other minor bug fixes. - Enable the session extension, because NodeJS 22 needs it. - Update to release 3.47.1: * Fix the makefiles so that they once again honored DESTDIR for the 'install' target. * Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0. * Fix incorrect answers to certain obscure IN queries caused by new query optimizations added in the 3.47.0 release. * Other minor bug fixes. - Update to release 3.47.0: * Allow arbitrary expressions in the second argument to the RAISE function. * If the RHS of the ->> operator is negative, then access array elements counting from the right. * Fix a problem with rolling back hot journal files in the seldom-used unix-dotfile VFS. * FTS5 tables can now be dropped even if they use a non-standard tokenizer that has not been registered. * Fix the group_concat() aggregate function so that it returns an empty string, not a NULL, if it receives a single input value which is an empty string. * Enhance the generate_series() table-valued function so that it is able to recognize and use constraints on its output value. 
    Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has a non-null default value.
  * Improved reuse of subqueries associated with the IN operator, especially when the IN operator has been duplicated due to predicate push-down.
  * Use a Bloom filter on subqueries on the right-hand side of the IN operator, in cases where that seems likely to improve performance.
  * Ensure that queries like 'SELECT func(a) FROM tab GROUP BY 1' only invoke the func() function once per row.
  * No attempt is made to create automatic indexes on a column that is known to be non-selective because of its use in other indexes that have been analyzed.
  * Adjustments to the query planner so that it produces better plans for star queries with a large number of dimension tables.
  * Add the 'order-by-subquery' optimization, that seeks to disable sort operations in outer queries if the desired order is obtained naturally due to ORDER BY clauses in subqueries.
  * The 'indexed-subtype-expr' optimization strives to use expressions that are part of an index rather than recomputing the expression based on table values, as long as the query planner can prove that the subtype of the expression will never be used.
  * Miscellaneous coding tweaks for faster runtimes.
  * Add the experimental sqlite3_rsync program.
  * Add extension functions median(), percentile(), percentile_cont(), and percentile_disc() to the CLI.
  * Add the .www dot-command to the CLI.
  * The sqlite3_analyzer utility now provides a break-out of statistics for WITHOUT ROWID tables.
  * The sqldiff utility avoids creating an empty database if its second argument does not exist.
  * Enhance the sqlite_dbpage table-valued function such that INSERT can be used to increase or decrease the size of the database file.
  * SQLite no longer makes any use of the 'long double' data type, as hardware support for long double is becoming less common and long double creates challenges for some compiler tool chains.
    Instead, SQLite uses Dekker's algorithm when extended precision is needed.
  * The TCL Interface for SQLite supports TCL9. Everything probably still works for TCL 8.5 and later, though this is not guaranteed. Users are encouraged to upgrade to TCL9.
  * Fix a corruption-causing bug in the JavaScript 'opfs' VFS. Correct 'mode=ro' handling for the 'opfs' VFS. Work around a couple of browser-specific OPFS quirks.
  * Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom locale-aware tokenizers and fts5 tables that may take advantage of them.
  * Add the contentless_unindexed=1 option, for creating contentless fts5 tables that store the values of any UNINDEXED columns persistently in the database.
  * Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose implementation is not available.
- Update to release 3.46.1:
  * Improved robustness while parsing the tokenize= arguments in FTS5.
  * Enhancements to covering index prediction in the query planner.
  * Do not let the number of terms on a VALUES clause be limited by SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause contains elements that appear to be variables due to double-quoted string literals.
  * Fix the window function version of group_concat() so that it returns an empty string if it has one or more empty string inputs.
  * In FTS5 secure-delete mode, fix false-positive integrity-check reports about corrupt indexes.
  * Syntax errors in ALTER TABLE should always return SQLITE_ERROR. In some cases, they were formerly returning SQLITE_INTERNAL.
  * Other minor fixes.
- Update to release 3.46.0:
  * Enhance PRAGMA optimize in multiple ways.
  * Enhancements to the date and time functions.
  * Add support for underscore ('_') characters between digits in numeric literals.
  * Add the json_pretty() SQL function.
  * Query planner improvements.
  * Allocate additional memory from the heap for the SQL parser stack if that stack overflows, rather than reporting a 'parser stack overflow' error.
  * Allow ASCII control characters within JSON5 string literals.
  * Fix the -> and ->> JSON operators so that when the right-hand side operand is a string that looks like an integer it is still treated as a string, because that is what PostgreSQL does.
- Update to release 3.45.3:
  * Fix a long-standing bug (going back to version 3.24.0) that might (rarely) cause the 'old.*' values of an UPDATE trigger to be incorrect if that trigger fires in response to an UPSERT.
  * Reduce the scope of the NOT NULL strength reduction optimization that was added as item 8e in version 3.35.0. The optimization was being attempted in some contexts where it did not work, resulting in incorrect query results.
- Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream.
- Update to release 3.45.2:
  * Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL functions.
  * Enhancements to the JSON SQL functions
  * Add the FTS5 tokendata option to the FTS5 virtual table.
  * The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default.
  * Query planner improvements
  * Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to 4294967294.
  * Enhancements to the CLI
  * Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent releases, for backward compatibility.
  * Fix the PRAGMA integrity_check command so that it works on read-only databases that contain FTS3 and FTS5 tables.
  * Fix issues associated with processing corrupt JSONB inputs.
  * Fix a long-standing bug in which a read of a few bytes past the end of a memory-mapped segment might occur when accessing a craftily corrupted database using memory-mapped database.
  * Fix a long-standing bug in which a NULL pointer dereference might occur in the bytecode engine due to incorrect bytecode being generated for a class of SQL statements that are deliberately designed to stress the query planner but which are otherwise pointless.
  * Fix an error in UPSERT, introduced in version 3.35.0.
  * Reduce the scope of the NOT NULL strength reduction optimization that was added in version 3.35.0.

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.11.35 updated
- libsqlite3-0-3.49.1-slfo.1.1_1.1 updated
- container:suse-toolbox-image-1.0.0-4.40 updated

From sle-container-updates at lists.suse.com Wed Jun 11 07:04:42 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 11 Jun 2025 09:04:42 +0200 (CEST)
Subject: SUSE-IU-2025:1517-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250611070442.31B8FFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1517-1
Image Tags        : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.46 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release     : 4.46
Severity          : moderate
Type              : security
References        : 1241020 1241078 CVE-2025-29087 CVE-2025-29088
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 141
Released:    Tue Jun 10 13:50:09 2025
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1241020,1241078,CVE-2025-29087,CVE-2025-29088

This update for sqlite3 fixes the following issues:

- Update to release 3.49.1:
  * Improve portability of makefiles and configure scripts.
  * CVE-2025-29087: Fixed Integer Overflow in SQLite concat Function (bsc#1241020)
  * CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)
- Update to release 3.49.0:
  * Enhancements to the query planner:
    - Improve the query-time index optimization so that it works on WITHOUT ROWID tables.
    - Better query plans for large star-query joins. This fixes three different performance regressions that were reported on the SQLite Forum.
    - When two or more queries have the same estimated cost, use the one with the fewer bytes per row.
  * Enhance the iif() SQL function so that it can accept any number of arguments greater than or equal to two.
  * Enhance the session extension so that it works on databases that make use of generated columns.
  * Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which was not implemented correctly and never worked right. In its place add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This option applies to command-line tools like the CLI only, not to the SQLite core. It causes Win32 APIs to be used for console I/O instead of stdio. This option affects Windows builds only.
  * Three new options to sqlite3_db_config(). All default 'on'.
      SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE
      SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE
      SQLITE_DBCONFIG_ENABLE_COMMENTS
- Re-enable SONAME which got disabled by default in 3.48.0.
- Update to release 3.48.0:
  * Improved EXPLAIN QUERY PLAN output for covering indexes.
  * Allow a two-argument version of the iif() SQL function.
  * Also allow if() as an alternative spelling for iif().
  * Add the '.dbtotxt' command to the CLI.
  * Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics method of the sqlite3_io_methods object.
  * Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents warning messages being sent to the error log if the SQL is ill-formed. This allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check for validity without polluting the error log with false messages.
  * Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30.
  * Added the SQLITE_FCNTL_NULL_IO file control.
  * Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via the insttoken configuration option and the fts5_insttoken() SQL function.
  * Increase the maximum number of arguments to an SQL function from 127 to 1000.
- Update to release 3.47.2:
  * Fix a problem in text-to-floating-point conversion that affects text values where the first 16 significant digits are '1844674407370955'. This issue was introduced in 3.47.0 and only arises on x64 and i386 hardware.
  * Other minor bug fixes.
- Enable the session extension, because NodeJS 22 needs it.
- Update to release 3.47.1:
  * Fix the makefiles so that they once again honored DESTDIR for the 'install' target.
  * Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0.
  * Fix incorrect answers to certain obscure IN queries caused by new query optimizations added in the 3.47.0 release.
  * Other minor bug fixes.
- Update to release 3.47.0:
  * Allow arbitrary expressions in the second argument to the RAISE function.
  * If the RHS of the ->> operator is negative, then access array elements counting from the right.
  * Fix a problem with rolling back hot journal files in the seldom-used unix-dotfile VFS.
  * FTS5 tables can now be dropped even if they use a non-standard tokenizer that has not been registered.
  * Fix the group_concat() aggregate function so that it returns an empty string, not a NULL, if it receives a single input value which is an empty string.
  * Enhance the generate_series() table-valued function so that it is able to recognize and use constraints on its output value. Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has a non-null default value.
  * Improved reuse of subqueries associated with the IN operator, especially when the IN operator has been duplicated due to predicate push-down.
  * Use a Bloom filter on subqueries on the right-hand side of the IN operator, in cases where that seems likely to improve performance.
  * Ensure that queries like 'SELECT func(a) FROM tab GROUP BY 1' only invoke the func() function once per row.
  * No attempt is made to create automatic indexes on a column that is known to be non-selective because of its use in other indexes that have been analyzed.
  * Adjustments to the query planner so that it produces better plans for star queries with a large number of dimension tables.
  * Add the 'order-by-subquery' optimization, that seeks to disable sort operations in outer queries if the desired order is obtained naturally due to ORDER BY clauses in subqueries.
  * The 'indexed-subtype-expr' optimization strives to use expressions that are part of an index rather than recomputing the expression based on table values, as long as the query planner can prove that the subtype of the expression will never be used.
  * Miscellaneous coding tweaks for faster runtimes.
  * Add the experimental sqlite3_rsync program.
  * Add extension functions median(), percentile(), percentile_cont(), and percentile_disc() to the CLI.
  * Add the .www dot-command to the CLI.
  * The sqlite3_analyzer utility now provides a break-out of statistics for WITHOUT ROWID tables.
  * The sqldiff utility avoids creating an empty database if its second argument does not exist.
  * Enhance the sqlite_dbpage table-valued function such that INSERT can be used to increase or decrease the size of the database file.
  * SQLite no longer makes any use of the 'long double' data type, as hardware support for long double is becoming less common and long double creates challenges for some compiler tool chains. Instead, SQLite uses Dekker's algorithm when extended precision is needed.
  * The TCL Interface for SQLite supports TCL9. Everything probably still works for TCL 8.5 and later, though this is not guaranteed. Users are encouraged to upgrade to TCL9.
  * Fix a corruption-causing bug in the JavaScript 'opfs' VFS. Correct 'mode=ro' handling for the 'opfs' VFS. Work around a couple of browser-specific OPFS quirks.
  * Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom locale-aware tokenizers and fts5 tables that may take advantage of them.
  * Add the contentless_unindexed=1 option, for creating contentless fts5 tables that store the values of any UNINDEXED columns persistently in the database.
  * Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose implementation is not available.
- Update to release 3.46.1:
  * Improved robustness while parsing the tokenize= arguments in FTS5.
  * Enhancements to covering index prediction in the query planner.
  * Do not let the number of terms on a VALUES clause be limited by SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause contains elements that appear to be variables due to double-quoted string literals.
  * Fix the window function version of group_concat() so that it returns an empty string if it has one or more empty string inputs.
  * In FTS5 secure-delete mode, fix false-positive integrity-check reports about corrupt indexes.
  * Syntax errors in ALTER TABLE should always return SQLITE_ERROR. In some cases, they were formerly returning SQLITE_INTERNAL.
  * Other minor fixes.
- Update to release 3.46.0:
  * Enhance PRAGMA optimize in multiple ways.
  * Enhancements to the date and time functions.
  * Add support for underscore ('_') characters between digits in numeric literals.
  * Add the json_pretty() SQL function.
  * Query planner improvements.
  * Allocate additional memory from the heap for the SQL parser stack if that stack overflows, rather than reporting a 'parser stack overflow' error.
  * Allow ASCII control characters within JSON5 string literals.
  * Fix the -> and ->> JSON operators so that when the right-hand side operand is a string that looks like an integer it is still treated as a string, because that is what PostgreSQL does.
- Update to release 3.45.3:
  * Fix a long-standing bug (going back to version 3.24.0) that might (rarely) cause the 'old.*' values of an UPDATE trigger to be incorrect if that trigger fires in response to an UPSERT.
  * Reduce the scope of the NOT NULL strength reduction optimization that was added as item 8e in version 3.35.0. The optimization was being attempted in some contexts where it did not work, resulting in incorrect query results.
- Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream.
- Update to release 3.45.2:
  * Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL functions.
  * Enhancements to the JSON SQL functions
  * Add the FTS5 tokendata option to the FTS5 virtual table.
  * The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default.
  * Query planner improvements
  * Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to 4294967294.
  * Enhancements to the CLI
  * Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent releases, for backward compatibility.
  * Fix the PRAGMA integrity_check command so that it works on read-only databases that contain FTS3 and FTS5 tables.
  * Fix issues associated with processing corrupt JSONB inputs.
  * Fix a long-standing bug in which a read of a few bytes past the end of a memory-mapped segment might occur when accessing a craftily corrupted database using memory-mapped database.
  * Fix a long-standing bug in which a NULL pointer dereference might occur in the bytecode engine due to incorrect bytecode being generated for a class of SQL statements that are deliberately designed to stress the query planner but which are otherwise pointless.
  * Fix an error in UPSERT, introduced in version 3.35.0.
  * Reduce the scope of the NOT NULL strength reduction optimization that was added in version 3.35.0.

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.11.35 updated
- libsqlite3-0-3.49.1-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.0-4.47 updated

From sle-container-updates at lists.suse.com Wed Jun 11 07:05:13 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 11 Jun 2025 09:05:13 +0200 (CEST)
Subject: SUSE-IU-2025:1518-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20250611070513.2BD4AFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1518-1
Image Tags        : suse/sl-micro/6.1/rt-os-container:2.2.0 , suse/sl-micro/6.1/rt-os-container:2.2.0-4.52 , suse/sl-micro/6.1/rt-os-container:latest
Image Release     : 4.52
Severity          : moderate
Type              : security
References        : 1241020 1241078 CVE-2025-29087 CVE-2025-29088
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 141
Released:    Tue Jun 10 13:50:09 2025
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1241020,1241078,CVE-2025-29087,CVE-2025-29088

This update for sqlite3 fixes the following issues:

- Update to release 3.49.1:
  * Improve portability of makefiles and configure scripts.
  * CVE-2025-29087: Fixed Integer Overflow in SQLite concat Function (bsc#1241020)
  * CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)
- Update to release 3.49.0:
  * Enhancements to the query planner:
    - Improve the query-time index optimization so that it works on WITHOUT ROWID tables.
    - Better query plans for large star-query joins.
      This fixes three different performance regressions that were reported on the SQLite Forum.
    - When two or more queries have the same estimated cost, use the one with the fewer bytes per row.
  * Enhance the iif() SQL function so that it can accept any number of arguments greater than or equal to two.
  * Enhance the session extension so that it works on databases that make use of generated columns.
  * Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which was not implemented correctly and never worked right. In its place add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This option applies to command-line tools like the CLI only, not to the SQLite core. It causes Win32 APIs to be used for console I/O instead of stdio. This option affects Windows builds only.
  * Three new options to sqlite3_db_config(). All default 'on'.
      SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE
      SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE
      SQLITE_DBCONFIG_ENABLE_COMMENTS
- Re-enable SONAME which got disabled by default in 3.48.0.
- Update to release 3.48.0:
  * Improved EXPLAIN QUERY PLAN output for covering indexes.
  * Allow a two-argument version of the iif() SQL function.
  * Also allow if() as an alternative spelling for iif().
  * Add the '.dbtotxt' command to the CLI.
  * Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics method of the sqlite3_io_methods object.
  * Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents warning messages being sent to the error log if the SQL is ill-formed. This allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check for validity without polluting the error log with false messages.
  * Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30.
  * Added the SQLITE_FCNTL_NULL_IO file control.
  * Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via the insttoken configuration option and the fts5_insttoken() SQL function.
  * Increase the maximum number of arguments to an SQL function from 127 to 1000.
- Update to release 3.47.2:
  * Fix a problem in text-to-floating-point conversion that affects text values where the first 16 significant digits are '1844674407370955'. This issue was introduced in 3.47.0 and only arises on x64 and i386 hardware.
  * Other minor bug fixes.
- Enable the session extension, because NodeJS 22 needs it.
- Update to release 3.47.1:
  * Fix the makefiles so that they once again honored DESTDIR for the 'install' target.
  * Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0.
  * Fix incorrect answers to certain obscure IN queries caused by new query optimizations added in the 3.47.0 release.
  * Other minor bug fixes.
- Update to release 3.47.0:
  * Allow arbitrary expressions in the second argument to the RAISE function.
  * If the RHS of the ->> operator is negative, then access array elements counting from the right.
  * Fix a problem with rolling back hot journal files in the seldom-used unix-dotfile VFS.
  * FTS5 tables can now be dropped even if they use a non-standard tokenizer that has not been registered.
  * Fix the group_concat() aggregate function so that it returns an empty string, not a NULL, if it receives a single input value which is an empty string.
  * Enhance the generate_series() table-valued function so that it is able to recognize and use constraints on its output value. Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has a non-null default value.
  * Improved reuse of subqueries associated with the IN operator, especially when the IN operator has been duplicated due to predicate push-down.
  * Use a Bloom filter on subqueries on the right-hand side of the IN operator, in cases where that seems likely to improve performance.
  * Ensure that queries like 'SELECT func(a) FROM tab GROUP BY 1' only invoke the func() function once per row.
  * No attempt is made to create automatic indexes on a column that is known to be non-selective because of its use in other indexes that have been analyzed.
  * Adjustments to the query planner so that it produces better plans for star queries with a large number of dimension tables.
  * Add the 'order-by-subquery' optimization, that seeks to disable sort operations in outer queries if the desired order is obtained naturally due to ORDER BY clauses in subqueries.
  * The 'indexed-subtype-expr' optimization strives to use expressions that are part of an index rather than recomputing the expression based on table values, as long as the query planner can prove that the subtype of the expression will never be used.
  * Miscellaneous coding tweaks for faster runtimes.
  * Add the experimental sqlite3_rsync program.
  * Add extension functions median(), percentile(), percentile_cont(), and percentile_disc() to the CLI.
  * Add the .www dot-command to the CLI.
  * The sqlite3_analyzer utility now provides a break-out of statistics for WITHOUT ROWID tables.
  * The sqldiff utility avoids creating an empty database if its second argument does not exist.
  * Enhance the sqlite_dbpage table-valued function such that INSERT can be used to increase or decrease the size of the database file.
  * SQLite no longer makes any use of the 'long double' data type, as hardware support for long double is becoming less common and long double creates challenges for some compiler tool chains. Instead, SQLite uses Dekker's algorithm when extended precision is needed.
  * The TCL Interface for SQLite supports TCL9. Everything probably still works for TCL 8.5 and later, though this is not guaranteed. Users are encouraged to upgrade to TCL9.
  * Fix a corruption-causing bug in the JavaScript 'opfs' VFS. Correct 'mode=ro' handling for the 'opfs' VFS. Work around a couple of browser-specific OPFS quirks.
  * Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom locale-aware tokenizers and fts5 tables that may take advantage of them.
  * Add the contentless_unindexed=1 option, for creating contentless fts5 tables that store the values of any UNINDEXED columns persistently in the database.
  * Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose implementation is not available.
- Update to release 3.46.1:
  * Improved robustness while parsing the tokenize= arguments in FTS5.
  * Enhancements to covering index prediction in the query planner.
  * Do not let the number of terms on a VALUES clause be limited by SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause contains elements that appear to be variables due to double-quoted string literals.
  * Fix the window function version of group_concat() so that it returns an empty string if it has one or more empty string inputs.
  * In FTS5 secure-delete mode, fix false-positive integrity-check reports about corrupt indexes.
  * Syntax errors in ALTER TABLE should always return SQLITE_ERROR. In some cases, they were formerly returning SQLITE_INTERNAL.
  * Other minor fixes.
- Update to release 3.46.0:
  * Enhance PRAGMA optimize in multiple ways.
  * Enhancements to the date and time functions.
  * Add support for underscore ('_') characters between digits in numeric literals.
  * Add the json_pretty() SQL function.
  * Query planner improvements.
  * Allocate additional memory from the heap for the SQL parser stack if that stack overflows, rather than reporting a 'parser stack overflow' error.
  * Allow ASCII control characters within JSON5 string literals.
  * Fix the -> and ->> JSON operators so that when the right-hand side operand is a string that looks like an integer it is still treated as a string, because that is what PostgreSQL does.
- Update to release 3.45.3:
  * Fix a long-standing bug (going back to version 3.24.0) that might (rarely) cause the 'old.*' values of an UPDATE trigger to be incorrect if that trigger fires in response to an UPSERT.
  * Reduce the scope of the NOT NULL strength reduction optimization that was added as item 8e in version 3.35.0. The optimization was being attempted in some contexts where it did not work, resulting in incorrect query results.
- Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream.
- Update to release 3.45.2:
  * Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL functions.
  * Enhancements to the JSON SQL functions
  * Add the FTS5 tokendata option to the FTS5 virtual table.
  * The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default.
  * Query planner improvements
  * Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to 4294967294.
  * Enhancements to the CLI
  * Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent releases, for backward compatibility.
  * Fix the PRAGMA integrity_check command so that it works on read-only databases that contain FTS3 and FTS5 tables.
  * Fix issues associated with processing corrupt JSONB inputs.
  * Fix a long-standing bug in which a read of a few bytes past the end of a memory-mapped segment might occur when accessing a craftily corrupted database using memory-mapped database.
  * Fix a long-standing bug in which a NULL pointer dereference might occur in the bytecode engine due to incorrect bytecode being generated for a class of SQL statements that are deliberately designed to stress the query planner but which are otherwise pointless.
  * Fix an error in UPSERT, introduced in version 3.35.0.
  * Reduce the scope of the NOT NULL strength reduction optimization that was added in version 3.35.0.

The following package changes have been done:

- SL-Micro-release-6.1-slfo.1.11.35 updated
- libsqlite3-0-3.49.1-slfo.1.1_1.1 updated
- container:SL-Micro-container-2.2.0-5.13 updated

From sle-container-updates at lists.suse.com Wed Jun 11 07:09:54 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 11 Jun 2025 09:09:54 +0200 (CEST)
Subject: SUSE-CU-2025:4234-1: Recommended update of bci/bci-busybox
Message-ID: <20250611070954.12AFBFCFE@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-busybox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4234-1
Container Tags        : bci/bci-busybox:15.6 , bci/bci-busybox:15.6.33.2 , bci/bci-busybox:latest
Container Release     : 33.2
Severity              : important
Type                  : recommended
References            : 1243201
-----------------------------------------------------------------

The container bci/bci-busybox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1867-1
Released:    Tue Jun 10 16:19:57 2025
Summary:     Recommended update for busybox
Type:        recommended
Severity:    important
References:  1243201

This update for busybox fixes the following issues:

- Enable halt, poweroff, reboot commands (bsc#1243201)

The following package changes have been done:

- busybox-1.35.0-150500.10.6.1 updated

From sle-container-updates at lists.suse.com Wed Jun 11 10:02:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 11 Jun 2025 12:02:55 +0200 (CEST)
Subject: SUSE-CU-2025:4238-1: Security update of suse/sle-micro/5.1/toolbox
Message-ID: <20250611100255.50041FD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4238-1
Container Tags        : suse/sle-micro/5.1/toolbox:14.2 ,
                        suse/sle-micro/5.1/toolbox:14.2-3.13.130 , suse/sle-micro/5.1/toolbox:latest
Container Release     : 3.13.130
Severity              : moderate
Type                  : security
References            : 1242844 CVE-2025-4373
-----------------------------------------------------------------

The container suse/sle-micro/5.1/toolbox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1880-1
Released:    Wed Jun 11 07:41:38 2025
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- libglib-2_0-0-2.62.6-150200.3.30.1 updated
- libgmodule-2_0-0-2.62.6-150200.3.30.1 updated

From sle-container-updates at lists.suse.com Wed Jun 11 10:07:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 11 Jun 2025 12:07:25 +0200 (CEST)
Subject: SUSE-CU-2025:4240-1: Security update of suse/sle-micro/5.2/toolbox
Message-ID: <20250611100725.31A5FFD12@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4240-1
Container Tags        : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.132 , suse/sle-micro/5.2/toolbox:latest
Container Release     : 7.11.132
Severity              : moderate
Type                  : security
References            : 1242844 CVE-2025-4373
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1880-1
Released: Wed Jun 11 07:41:38 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- libglib-2_0-0-2.62.6-150200.3.30.1 updated
- libgmodule-2_0-0-2.62.6-150200.3.30.1 updated

From sle-container-updates at lists.suse.com Thu Jun 12 07:03:56 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 09:03:56 +0200 (CEST)
Subject: SUSE-IU-2025:1544-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250612070356.15523FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1544-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.48 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 4.48
Severity : moderate
Type : security
References : 1239909 CVE-2025-2588
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 143
Released: Wed Jun 11 12:00:25 2025
Summary: Security update for augeas
Type: security
Severity: moderate
References: 1239909,CVE-2025-2588

This update for augeas fixes the following issues:

- CVE-2025-2588: Fixed NULL pointer dereference when calling re_case_expand in function fa_expand_nocase (bsc#1239909)

The following package changes have been done:

- libfa1-1.14.1-slfo.1.1_2.1 updated
- libaugeas0-1.14.1-slfo.1.1_2.1 updated
- container:suse-toolbox-image-1.0.0-4.41 updated

From sle-container-updates at lists.suse.com Thu Jun 12 07:07:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 09:07:10 +0200 (CEST)
Subject: SUSE-CU-2025:4245-1: Security update of suse/ltss/sle15.3/sle15
Message-ID: <20250612070710.24564FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/ltss/sle15.3/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4245-1
Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.89 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.89 , suse/ltss/sle15.3/sle15:latest
Container Release : 2.89
Severity : moderate
Type : security
References : 1242844 CVE-2025-4373
-----------------------------------------------------------------

The container suse/ltss/sle15.3/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1880-1
Released: Wed Jun 11 07:41:38 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1242844,CVE-2025-4373

This update for glib2 fixes the following issues:

- CVE-2025-4373: integer overflow in the `g_string_insert_unichar()` function can lead to buffer underwrite and memory corruption (bsc#1242844).

The following package changes have been done:

- libglib-2_0-0-2.62.6-150200.3.30.1 updated

From sle-container-updates at lists.suse.com Thu Jun 12 07:09:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 09:09:52 +0200 (CEST)
Subject: SUSE-CU-2025:4246-1: Security update of bci/nodejs
Message-ID: <20250612070952.3330DFCFE@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4246-1
Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-35.6 , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-35.6
Container Release : 35.6
Severity : important
Type : security
References : 1239949 1241050 1243217 1243218 CVE-2025-23165 CVE-2025-23166
-----------------------------------------------------------------

The container bci/nodejs was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1878-1
Released: Wed Jun 11 07:41:13 2025
Summary: Security update for nodejs22
Type: security
Severity: important
References: 1239949,1241050,1243217,1243218,CVE-2025-23165,CVE-2025-23166

This update for nodejs22 fixes the following issues:

Update to version 22.15.1.

Security issues fixed:

- CVE-2025-23166: remotely triggerable process crash due to improper error handling in async cryptographic operations (bsc#1243218).
- CVE-2025-23165: memory leak and unbounded memory growth due to corrupted pointer in `node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args)` when `args[0]` is a string (bsc#1243217).

Other changes and issues fixed:

- Changes from version 22.15.0
  * dns: add TLSA record query and parsing
  * assert: improve partialDeepStrictEqual
  * process: add execve
  * tls: implement tls.getCACertificates()
  * v8: add v8.getCppHeapStatistics() method
- Changes from version 22.14.0
  * fs: allow exclude option in globs to accept glob patterns
  * lib: add typescript support to STDIN eval
  * module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX
  * module: add findPackageJSON util
  * process: add process.ref() and process.unref() methods
  * sqlite: support TypedArray and DataView in StatementSync
  * src: add --disable-sigusr1 to prevent signal i/o thread
  * src,worker: add isInternalWorker
  * test_runner: add TestContext.prototype.waitFor()
  * test_runner: add t.assert.fileSnapshot()
  * test_runner: add assert.register() API
  * worker: add eval ts input
- Build with PIE (bsc#1239949).
- Fix builds with OpenSSL 3.5.0 (bsc#1241050).

The following package changes have been done:

- nodejs22-22.15.1-150600.13.9.1 updated
- npm22-22.15.1-150600.13.9.1 updated
- libcares2-1.19.1-150000.3.26.1 removed
- netcfg-11.6-150000.3.6.1 removed

From sle-container-updates at lists.suse.com Thu Jun 12 11:33:33 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:33:33 +0200 (CEST)
Subject: SUSE-IU-2025:1547-1: Security update of suse/sl-micro/6.0/baremetal-os-container
Message-ID: <20250612113333.037EEFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1547-1
Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.39 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release : 6.39
Severity : moderate
Type : security
References : 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 352
Released: Thu Jun 12 09:16:56 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option). (bsc#1241190)

The following package changes have been done:

- libudev1-254.25-1.1 updated
- libsystemd0-254.25-1.1 updated
- SL-Micro-release-6.0-25.29 updated
- systemd-254.25-1.1 updated
- udev-254.25-1.1 updated
- container:SL-Micro-base-container-2.1.3-7.8 updated

From sle-container-updates at lists.suse.com Thu Jun 12 11:34:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:34:01 +0200 (CEST)
Subject: SUSE-IU-2025:1548-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250612113401.A059CFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1548-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.8 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.8
Severity : moderate
Type : security
References : 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 352
Released: Thu Jun 12 09:16:56 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option).
  (bsc#1241190)

The following package changes have been done:

- libudev1-254.25-1.1 updated
- libsystemd0-254.25-1.1 updated
- SL-Micro-release-6.0-25.29 updated
- systemd-254.25-1.1 updated
- udev-254.25-1.1 updated
- container:suse-toolbox-image-1.0.0-9.3 updated

From sle-container-updates at lists.suse.com Thu Jun 12 11:34:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:34:34 +0200 (CEST)
Subject: SUSE-IU-2025:1549-1: Security update of suse/sl-micro/6.0/kvm-os-container
Message-ID: <20250612113434.0ED38FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1549-1
Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.35 , suse/sl-micro/6.0/kvm-os-container:latest
Image Release : 6.35
Severity : moderate
Type : security
References : 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.0/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 352
Released: Thu Jun 12 09:16:56 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option). (bsc#1241190)

The following package changes have been done:

- libudev1-254.25-1.1 updated
- libsystemd0-254.25-1.1 updated
- SL-Micro-release-6.0-25.29 updated
- systemd-254.25-1.1 updated
- udev-254.25-1.1 updated
- container:SL-Micro-base-container-2.1.3-7.8 updated

From sle-container-updates at lists.suse.com Thu Jun 12 11:35:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:35:10 +0200 (CEST)
Subject: SUSE-IU-2025:1550-1: Security update of suse/sl-micro/6.0/rt-os-container
Message-ID: <20250612113510.D1F66FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1550-1
Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.40 , suse/sl-micro/6.0/rt-os-container:latest
Image Release : 7.40
Severity : moderate
Type : security
References : 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.0/rt-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 352
Released: Thu Jun 12 09:16:56 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option).
  (bsc#1241190)

The following package changes have been done:

- libudev1-254.25-1.1 updated
- libsystemd0-254.25-1.1 updated
- SL-Micro-release-6.0-25.29 updated
- systemd-254.25-1.1 updated
- udev-254.25-1.1 updated
- container:SL-Micro-container-2.1.3-6.39 updated

From sle-container-updates at lists.suse.com Thu Jun 12 11:36:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:36:10 +0200 (CEST)
Subject: SUSE-CU-2025:4249-1: Security update of suse/sl-micro/6.0/toolbox
Message-ID: <20250612113610.5827BFCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4249-1
Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.3 , suse/sl-micro/6.0/toolbox:latest
Container Release : 9.3
Severity : moderate
Type : security
References : 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.0/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 352
Released: Thu Jun 12 09:16:56 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option). (bsc#1241190)

The following package changes have been done:

- SL-Micro-release-6.0-25.29 updated
- libsystemd0-254.25-1.1 updated
- libudev1-254.25-1.1 updated
- skelcd-EULA-SL-Micro-2024.01.19-8.28 updated
- systemd-254.25-1.1 updated

From sle-container-updates at lists.suse.com Thu Jun 12 11:36:33 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:36:33 +0200 (CEST)
Subject: SUSE-IU-2025:1551-1: Security update of suse/sl-micro/6.1/base-os-container
Message-ID: <20250612113633.52CB4FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1551-1
Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.49 , suse/sl-micro/6.1/base-os-container:latest
Image Release : 4.49
Severity : moderate
Type : security
References : 1217538 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.1/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 145
Released: Thu Jun 12 09:37:25 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1217538,1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option).
  (bsc#1241190)

The following package changes have been done:

- libudev1-254.25-slfo.1.1_1.1 updated
- libsystemd0-254.25-slfo.1.1_1.1 updated
- SL-Micro-release-6.1-slfo.1.11.36 updated
- systemd-254.25-slfo.1.1_1.1 updated
- udev-254.25-slfo.1.1_1.1 updated
- container:suse-toolbox-image-1.0.0-4.42 updated

From sle-container-updates at lists.suse.com Thu Jun 12 11:36:56 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:36:56 +0200 (CEST)
Subject: SUSE-IU-2025:1552-1: Security update of suse/sl-micro/6.1/kvm-os-container
Message-ID: <20250612113656.7F193FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1552-1
Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.48 , suse/sl-micro/6.1/kvm-os-container:latest
Image Release : 4.48
Severity : moderate
Type : security
References : 1217538 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.1/kvm-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 145
Released: Thu Jun 12 09:37:25 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1217538,1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option).
  (bsc#1241190)

The following package changes have been done:

- libudev1-254.25-slfo.1.1_1.1 updated
- libsystemd0-254.25-slfo.1.1_1.1 updated
- SL-Micro-release-6.1-slfo.1.11.36 updated
- systemd-254.25-slfo.1.1_1.1 updated
- udev-254.25-slfo.1.1_1.1 updated
- container:SL-Micro-base-container-2.2.0-4.49 updated

From sle-container-updates at lists.suse.com Thu Jun 12 11:37:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 12 Jun 2025 13:37:25 +0200 (CEST)
Subject: SUSE-IU-2025:1553-1: Security update of suse/sl-micro/6.1/rt-os-container
Message-ID: <20250612113725.3993EFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1553-1
Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.0 , suse/sl-micro/6.1/rt-os-container:2.2.0-4.54 , suse/sl-micro/6.1/rt-os-container:latest
Image Release : 4.54
Severity : moderate
Type : security
References : 1217538 1236177 1237496 1241190 1242938 CVE-2025-4598
-----------------------------------------------------------------

The container suse/sl-micro/6.1/rt-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 145
Released: Thu Jun 12 09:37:25 2025
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1217538,1236177,1237496,1241190,1242938,CVE-2025-4598

This update for systemd fixes the following issues:

- coredump: use %d in kernel core pattern (CVE-2025-4598)
- Revert 'macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel' (SUSE specific)
- umount: do not move busy network mounts (bsc#1236177)
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
- Don't write messages sent from users with UID falling into the container UID range to the system journal.
  Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. (bsc#1242938)
- This re-adds back the support for the persistent net name rules as well as their generator since predictable naming scheme is still disabled by default on Micro (via the `net.ifnames=0` boot option).
  (bsc#1241190)

The following package changes have been done:

- libudev1-254.25-slfo.1.1_1.1 updated
- libsystemd0-254.25-slfo.1.1_1.1 updated
- SL-Micro-release-6.1-slfo.1.11.36 updated
- systemd-254.25-slfo.1.1_1.1 updated
- udev-254.25-slfo.1.1_1.1 updated
- container:SL-Micro-container-2.2.0-5.15 updated

From sle-container-updates at lists.suse.com Sat Jun 14 07:06:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 14 Jun 2025 09:06:52 +0200 (CEST)
Subject: SUSE-CU-2025:4255-1: Recommended update of suse/sle-micro/5.3/toolbox
Message-ID: <20250614070652.27E86FCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4255-1
Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.140 , suse/sle-micro/5.3/toolbox:latest
Container Release : 6.11.140
Severity : moderate
Type : recommended
References : 1243960
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1943-1
Released: Fri Jun 13 10:33:55 2025
Summary: Recommended update for container-suseconnect
Type: recommended
Severity: moderate
References: 1243960

This update for container-suseconnect fixes the following issues:

- Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960)
- Switch to sha256 from md5
- use go's native fips module on tumbleweed

The following package changes have been done:

- container-suseconnect-2.5.4-150000.4.64.1 updated

From sle-container-updates at lists.suse.com Sat Jun 14 07:10:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 14 Jun 2025 09:10:27 +0200 (CEST)
Subject: SUSE-IU-2025:1556-1: Security update of suse/sl-micro/6.0/baremetal-os-container
Message-ID: <20250614071027.B17F9FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/baremetal-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1556-1
Image Tags : suse/sl-micro/6.0/baremetal-os-container:2.1.3 , suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.40 , suse/sl-micro/6.0/baremetal-os-container:latest
Image Release : 6.40
Severity : moderate
Type : security
References : 1236136 1240366 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/sl-micro/6.0/baremetal-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 353
Released: Fri Jun 13 13:05:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,1240366,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 on PPC arch (bsc#1240366)
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.1.4-8.1 updated
- SL-Micro-release-6.0-25.30 updated
- container:SL-Micro-base-container-2.1.3-7.9 updated

From sle-container-updates at lists.suse.com Sat Jun 14 07:11:01 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 14 Jun 2025 09:11:01 +0200 (CEST)
Subject: SUSE-IU-2025:1557-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250614071101.36319FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1557-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.9 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.9
Severity : moderate
Type : security
References : 1236136 1240366 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/sl-micro/6.0/base-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 353
Released: Fri Jun 13 13:05:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,1240366,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 on PPC arch (bsc#1240366)
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.1.4-8.1 updated
- SL-Micro-release-6.0-25.30 updated
- openssl-3-3.1.4-8.1 updated
- container:suse-toolbox-image-1.0.0-9.4 updated

From sle-container-updates at lists.suse.com Sat Jun 14 07:12:21 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 14 Jun 2025 09:12:21 +0200 (CEST)
Subject: SUSE-IU-2025:1559-1: Security update of suse/sl-micro/6.0/rt-os-container
Message-ID: <20250614071221.367D4FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1559-1
Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.41 , suse/sl-micro/6.0/rt-os-container:latest
Image Release : 7.41
Severity : moderate
Type : security
References : 1236136 1240366 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/sl-micro/6.0/rt-os-container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 353
Released: Fri Jun 13 13:05:04 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,1240366,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 on PPC arch (bsc#1240366)
- CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.1.4-8.1 updated
- SL-Micro-release-6.0-25.30 updated
- container:SL-Micro-container-2.1.3-6.40 updated

From sle-container-updates at lists.suse.com Sat Jun 14 07:13:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 14 Jun 2025 09:13:32 +0200 (CEST)
Subject: SUSE-CU-2025:4260-1: Security update of suse/sl-micro/6.0/toolbox
Message-ID: <20250614071332.CA237FD1A@maintenance.suse.de>

SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4260-1
Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.4 , suse/sl-micro/6.0/toolbox:latest
Container Release : 9.4
Severity : moderate
Type : security
References : 1236136 1240366 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/sl-micro/6.0/toolbox was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 353 Released: Fri Jun 13 13:05:04 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,1240366,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 on PPC arch (bsc#1240366) - CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136) The following package changes have been done: - SL-Micro-release-6.0-25.30 updated - libopenssl3-3.1.4-8.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.29 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:14:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:14:00 +0200 (CEST) Subject: SUSE-IU-2025:1560-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250614071400.9B031FD1A@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1560-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.50 , suse/sl-micro/6.1/base-os-container:latest Image Release : 4.50 Severity : important Type : security References : 1200528 1217070 1221400 1224323 1228553 1231698 1234812 1240366 CVE-2022-1996 CVE-2023-45142 CVE-2023-45288 CVE-2023-47108 CVE-2024-40896 CVE-2024-9676 CVE-2025-27587 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 146 Released: Fri Jun 13 12:48:33 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1231698,1240366,CVE-2024-9676,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366) ----------------------------------------------------------------- Advisory ID: 147 Released: Fri Jun 13 12:50:10 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1200528,1217070,1221400,1224323,1228553,1234812,CVE-2022-1996,CVE-2023-45142,CVE-2023-45288,CVE-2023-47108,CVE-2024-40896 This update for libxml2 fixes the following issues: - CVE-2024-40896: Fixed XXE vulnerability (bsc#1234812) The following package changes have been done: - libxml2-2-2.11.6-slfo.1.1_5.1 updated - libopenssl3-3.1.4-slfo.1.1_5.1 updated - SL-Micro-release-6.1-slfo.1.11.37 updated - openssl-3-3.1.4-slfo.1.1_5.1 updated - container:suse-toolbox-image-1.0.0-4.43 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:14:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:14:28 +0200 (CEST) Subject: SUSE-IU-2025:1561-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250614071428.5B6A2FD1A@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1561-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.49 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 4.49 Severity : important Type : security References : 1200528 1217070 1221400 1224323 1228553 1231698 1234812 1240366 CVE-2022-1996 CVE-2023-45142 CVE-2023-45288 CVE-2023-47108 
CVE-2024-40896 CVE-2024-9676 CVE-2025-27587 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 146 Released: Fri Jun 13 12:48:33 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1231698,1240366,CVE-2024-9676,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366) ----------------------------------------------------------------- Advisory ID: 147 Released: Fri Jun 13 12:50:10 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1200528,1217070,1221400,1224323,1228553,1234812,CVE-2022-1996,CVE-2023-45142,CVE-2023-45288,CVE-2023-47108,CVE-2024-40896 This update for libxml2 fixes the following issues: - CVE-2024-40896: Fixed XXE vulnerability (bsc#1234812) The following package changes have been done: - libxml2-2-2.11.6-slfo.1.1_5.1 updated - libopenssl3-3.1.4-slfo.1.1_5.1 updated - SL-Micro-release-6.1-slfo.1.11.37 updated - container:SL-Micro-base-container-2.2.0-4.50 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:08:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:08:28 +0200 (CEST) Subject: SUSE-CU-2025:4256-1: Recommended update of suse/sle-micro/5.4/toolbox Message-ID: <20250614070828.D9F0BFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4256-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.140 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.140 Severity : moderate Type : recommended References : 1243960 
----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:15:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:15:01 +0200 (CEST) Subject: SUSE-IU-2025:1562-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20250614071501.20605FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1562-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.0 , suse/sl-micro/6.1/rt-os-container:2.2.0-4.55 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 4.55 Severity : important Type : security References : 1200528 1217070 1221400 1224323 1228553 1231698 1234812 1240366 CVE-2022-1996 CVE-2023-45142 CVE-2023-45288 CVE-2023-47108 CVE-2024-40896 CVE-2024-9676 CVE-2025-27587 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 146 Released: Fri Jun 13 12:48:33 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1231698,1240366,CVE-2024-9676,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 (bsc#1240366) ----------------------------------------------------------------- Advisory ID: 147 Released: Fri Jun 13 12:50:10 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1200528,1217070,1221400,1224323,1228553,1234812,CVE-2022-1996,CVE-2023-45142,CVE-2023-45288,CVE-2023-47108,CVE-2024-40896 This update for libxml2 fixes the following issues: - CVE-2024-40896: Fixed XXE vulnerability (bsc#1234812) The following package changes have been done: - libxml2-2-2.11.6-slfo.1.1_5.1 updated - libopenssl3-3.1.4-slfo.1.1_5.1 updated - SL-Micro-release-6.1-slfo.1.11.37 updated - container:SL-Micro-container-2.2.0-5.16 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:17:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:17:12 +0200 (CEST) Subject: SUSE-CU-2025:4265-1: Security update of suse/ltss/sle15.3/bci-base-fips Message-ID: <20250614071712.1912EFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4265-1 Container Tags : suse/ltss/sle15.3/bci-base-fips:15.3 , suse/ltss/sle15.3/bci-base-fips:15.3-9.42 , suse/ltss/sle15.3/bci-base-fips:latest Container Release : 9.42 Severity : important Type : security References : 1234128 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/ltss/sle15.3/bci-base-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). The following package changes have been done: - glibc-2.31-150300.95.1 updated - container:sles15-ltss-image-15.3.0-2.90 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:17:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:17:58 +0200 (CEST) Subject: SUSE-CU-2025:4266-1: Recommended update of suse/ltss/sle15.3/sle15 Message-ID: <20250614071758.CB811FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4266-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.90 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.90 , suse/ltss/sle15.3/sle15:latest Container Release : 2.90 Severity : moderate Type : recommended References : 1243960 ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:18:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:18:26 +0200 (CEST) Subject: SUSE-CU-2025:4267-1: Security update of suse/ltss/sle15.4/bci-base-fips Message-ID: <20250614071826.F00ABFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4267-1 Container Tags : suse/ltss/sle15.4/bci-base-fips:15.4 , suse/ltss/sle15.4/bci-base-fips:15.4.2.5 , suse/ltss/sle15.4/bci-base-fips:latest Container Release : 2.5 Severity : important Type : security References : 1234128 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/ltss/sle15.4/bci-base-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). The following package changes have been done: - glibc-2.31-150300.95.1 updated - container:sles15-ltss-image-15.4.0-2.47 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:19:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:19:15 +0200 (CEST) Subject: SUSE-CU-2025:4268-1: Security update of suse/ltss/sle15.4/sle15 Message-ID: <20250614071915.5DE3CFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4268-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.47 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.47 , suse/ltss/sle15.4/sle15:latest Container Release : 2.47 Severity : important Type : security References : 1234128 1243317 1243960 CVE-2025-4802 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated - glibc-2.31-150300.95.1 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:11:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:11:39 +0200 (CEST) Subject: SUSE-IU-2025:1558-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250614071139.8951DF78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1558-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , 
suse/sl-micro/6.0/kvm-os-container:2.1.3-6.36 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.36 Severity : moderate Type : security References : 1236136 1240366 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 353 Released: Fri Jun 13 13:05:04 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,1240366,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: Fixed Minerva side channel vulnerability in P-384 on PPC arch (bsc#1240366) - CVE-2024-13176: Fixed timing side-channel in the ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.1.4-8.1 updated - SL-Micro-release-6.0-25.30 updated - container:SL-Micro-base-container-2.1.3-7.9 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:09:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:09:48 +0200 (CEST) Subject: SUSE-CU-2025:4257-1: Recommended update of suse/sle-micro/5.5/toolbox Message-ID: <20250614070948.A584FFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4257-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.43 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.43 Severity : moderate Type : recommended References : 1243960 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:21:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:21:59 +0200 (CEST) Subject: SUSE-CU-2025:4269-1: Recommended update of suse/ltss/sle15.5/sle15 Message-ID: <20250614072159.40525F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.5/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4269-1 Container Tags : suse/ltss/sle15.5/bci-base:15.5 , suse/ltss/sle15.5/bci-base:15.5-5.4 , suse/ltss/sle15.5/sle15:15.5 , suse/ltss/sle15.5/sle15:15.5-5.4 , suse/ltss/sle15.5/sle15:latest Container Release : 5.4 Severity : moderate Type : recommended References : 1243960 ----------------------------------------------------------------- The container suse/ltss/sle15.5/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:24:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:24:01 +0200 (CEST) Subject: SUSE-CU-2025:4272-1: Security update of bci/dotnet-aspnet Message-ID: <20250614072401.85BDCF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-aspnet ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4272-1 Container Tags : bci/dotnet-aspnet:9.0 , bci/dotnet-aspnet:9.0.6 , bci/dotnet-aspnet:9.0.6-11.1 , bci/dotnet-aspnet:latest Container Release : 11.1 Severity : important Type : security References : 1220262 1220523 1220690 1220693 1220696 1221365 1221751 1221752 1221753 1221760 1221786 1221787 1221821 1221822 1221824 1221827 1222899 1223336 1223428 1224388 1225291 1225551 1226463 1227138 1229465 1230698 1230959 1231748 1232326 1236136 1240366 1240607 CVE-2023-50782 CVE-2024-13176 CVE-2024-41996 CVE-2024-4603 CVE-2024-4741 CVE-2024-5535 CVE-2024-6119 CVE-2025-27587 ----------------------------------------------------------------- The container bci/dotnet-aspnet was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2066-1 Released: Tue Jun 18 13:16:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1223428,1224388,1225291,1225551,CVE-2024-4603,CVE-2024-4741 This update for openssl-3 fixes the following issues: Security issues fixed: - CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388) - CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551) Other issues fixed: - Enable livepatching support (bsc#1223428) - Fix HKDF key derivation (bsc#1225291, gh#openssl/openssl#23448, gh#openssl/openssl#23456) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2635-1 Released: Tue Jul 30 09:14:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1222899,1223336,1226463,1227138,CVE-2024-5535 This update for openssl-3 fixes the following issues: Security fixes: - CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138) Other fixes: - Build with no-afalgeng (bsc#1226463) - Build with enabled sm2 and sm4 support (bsc#1222899) - Fix non-reproducibility issue (bsc#1223336) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3106-1 Released: Tue Sep 3 17:00:40 2024 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220523,1220690,1220693,1220696,1221365,1221751,1221752,1221753,1221760,1221786,1221787,1221821,1221822,1221824,1221827,1229465,CVE-2024-6119 This update for openssl-3 fixes the following issues: - CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465) Other fixes: - FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365). - FIPS: RSA keygen PCT requirements.
- FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: Block non-Approved Elliptic Curves (bsc#1221786). - FIPS: Service Level Indicator (bsc#1221365). - FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751). - FIPS: Add required selftests: (bsc#1221760). - FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821). - FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827). - FIPS: Zero initialization required (bsc#1221752). - FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696). - FIPS: NIST SP 800-56Brev2 (bsc#1221824). - FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: NIST SP 800-56Arev3 (bsc#1221822). - FIPS: Error state has to be enforced (bsc#1221753). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3501-1 Released: Tue Oct 1 16:03:34 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1230698,CVE-2024-41996 This update for openssl-3 fixes the following issues: - CVE-2024-41996: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE (bsc#1230698) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3943-1 Released: Thu Nov 7 11:12:00 2024 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220262,CVE-2023-50782 This update for openssl-3 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:430-1 Released: Tue Feb 11 15:13:32 2025 
Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). The following package changes have been done: - libopenssl3-3.1.4-150600.5.27.1 added - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 added - libopenssl1_1-1.1.1w-150600.5.12.2 removed From sle-container-updates at lists.suse.com Sat Jun 14 07:25:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:25:23 +0200 (CEST) Subject: SUSE-CU-2025:4276-1: Security update of bci/dotnet-sdk Message-ID: <20250614072523.D8EF0F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-sdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4276-1 Container Tags : bci/dotnet-sdk:9.0 , bci/dotnet-sdk:9.0.6 , bci/dotnet-sdk:9.0.6-13.1 , bci/dotnet-sdk:latest Container Release : 13.1 Severity : important Type : security References : 1220262 1220523 1220690 1220693 1220696 1221365 1221751 1221752 1221753 1221760 1221786 1221787 1221821 1221822 1221824 1221827 1222899 1223336 1223428 1224388 1225291 1225551 1226463 1227138 1229465 1230698 
1230959 1231748 1232326 1236136 1240366 1240607 CVE-2023-50782 CVE-2024-13176 CVE-2024-41996 CVE-2024-4603 CVE-2024-4741 CVE-2024-5535 CVE-2024-6119 CVE-2025-27587 ----------------------------------------------------------------- The container bci/dotnet-sdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2066-1 Released: Tue Jun 18 13:16:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1223428,1224388,1225291,1225551,CVE-2024-4603,CVE-2024-4741 This update for openssl-3 fixes the following issues: Security issues fixed: - CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388) - CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551) Other issues fixed: - Enable livepatching support (bsc#1223428) - Fix HKDF key derivation (bsc#1225291, gh#openssl/openssl#23448, gh#openssl/openssl#23456) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2635-1 Released: Tue Jul 30 09:14:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1222899,1223336,1226463,1227138,CVE-2024-5535 This update for openssl-3 fixes the following issues: Security fixes: - CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138) Other fixes: - Build with no-afalgeng (bsc#1226463) - Build with enabled sm2 and sm4 support (bsc#1222899) - Fix non-reproducibility issue (bsc#1223336) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3106-1 Released: Tue Sep 3 17:00:40 2024 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220523,1220690,1220693,1220696,1221365,1221751,1221752,1221753,1221760,1221786,1221787,1221821,1221822,1221824,1221827,1229465,CVE-2024-6119 This update for openssl-3 fixes the following issues: -
CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465) Other fixes: - FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365). - FIPS: RSA keygen PCT requirements. - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: Block non-Approved Elliptic Curves (bsc#1221786). - FIPS: Service Level Indicator (bsc#1221365). - FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751). - FIPS: Add required selftests: (bsc#1221760). - FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821). - FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827). - FIPS: Zero initialization required (bsc#1221752). - FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696). - FIPS: NIST SP 800-56Brev2 (bsc#1221824). - FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: NIST SP 800-56Arev3 (bsc#1221822). - FIPS: Error state has to be enforced (bsc#1221753). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3501-1 Released: Tue Oct 1 16:03:34 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1230698,CVE-2024-41996 This update for openssl-3 fixes the following issues: - CVE-2024-41996: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE (bsc#1230698) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3943-1 Released: Thu Nov 7 11:12:00 2024 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220262,CVE-2023-50782 This update for openssl-3 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:430-1 Released: Tue Feb 11 15:13:32 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). 
The following package changes have been done: - libopenssl3-3.1.4-150600.5.27.1 added - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 added - libopenssl1_1-1.1.1w-150600.5.12.2 removed From sle-container-updates at lists.suse.com Sat Jun 14 07:26:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:26:32 +0200 (CEST) Subject: SUSE-CU-2025:4279-1: Security update of bci/dotnet-runtime Message-ID: <20250614072632.3F5A2F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-runtime ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4279-1 Container Tags : bci/dotnet-runtime:9.0 , bci/dotnet-runtime:9.0.6 , bci/dotnet-runtime:9.0.6-11.1 , bci/dotnet-runtime:latest Container Release : 11.1 Severity : important Type : security References : 1220262 1220523 1220690 1220693 1220696 1221365 1221751 1221752 1221753 1221760 1221786 1221787 1221821 1221822 1221824 1221827 1222899 1223336 1223428 1224388 1225291 1225551 1226463 1227138 1229465 1230698 1230959 1231748 1232326 1236136 1240366 1240607 CVE-2023-50782 CVE-2024-13176 CVE-2024-41996 CVE-2024-4603 CVE-2024-4741 CVE-2024-5535 CVE-2024-6119 CVE-2025-27587 ----------------------------------------------------------------- The container bci/dotnet-runtime was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2066-1 Released: Tue Jun 18 13:16:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1223428,1224388,1225291,1225551,CVE-2024-4603,CVE-2024-4741 This update for openssl-3 fixes the following issues: Security issues fixed: - CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388) - CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. 
(bsc#1225551) Other issues fixed: - Enable livepatching support (bsc#1223428) - Fix HKDF key derivation (bsc#1225291, gh#openssl/openssl#23448, gh#openssl/openssl#23456) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2635-1 Released: Tue Jul 30 09:14:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1222899,1223336,1226463,1227138,CVE-2024-5535 This update for openssl-3 fixes the following issues: Security fixes: - CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138) Other fixes: - Build with no-afalgeng (bsc#1226463) - Build with enabled sm2 and sm4 support (bsc#1222899) - Fix non-reproducibility issue (bsc#1223336) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3106-1 Released: Tue Sep 3 17:00:40 2024 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220523,1220690,1220693,1220696,1221365,1221751,1221752,1221753,1221760,1221786,1221787,1221821,1221822,1221824,1221827,1229465,CVE-2024-6119 This update for openssl-3 fixes the following issues: - CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465) Other fixes: - FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365). - FIPS: RSA keygen PCT requirements. - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: Block non-Approved Elliptic Curves (bsc#1221786). - FIPS: Service Level Indicator (bsc#1221365). - FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751). - FIPS: Add required selftests: (bsc#1221760). - FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821). - FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827). - FIPS: Zero initialization required (bsc#1221752). 
- FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696). - FIPS: NIST SP 800-56Brev2 (bsc#1221824). - FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787). - FIPS: Port openssl to use jitterentropy (bsc#1220523). - FIPS: NIST SP 800-56Arev3 (bsc#1221822). - FIPS: Error state has to be enforced (bsc#1221753). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3501-1 Released: Tue Oct 1 16:03:34 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1230698,CVE-2024-41996 This update for openssl-3 fixes the following issues: - CVE-2024-41996: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE (bsc#1230698) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3943-1 Released: Thu Nov 7 11:12:00 2024 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1220262,CVE-2023-50782 This update for openssl-3 fixes the following issues: - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:430-1 Released: Tue Feb 11 15:13:32 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). The following package changes have been done: - libopenssl3-3.1.4-150600.5.27.1 added - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 added - libopenssl1_1-1.1.1w-150600.5.12.2 removed From sle-container-updates at lists.suse.com Sat Jun 14 07:30:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:30:31 +0200 (CEST) Subject: SUSE-CU-2025:4286-1: Recommended update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250614073031.7F699F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4286-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.58 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.58 Severity : moderate Type : recommended References : 1243960 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated From sle-container-updates at lists.suse.com Sat Jun 14 07:32:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 14 Jun 2025 09:32:17 +0200 (CEST) Subject: SUSE-CU-2025:4289-1: Security update of suse/kubectl Message-ID: <20250614073217.D09A2F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kubectl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4289-1 Container Tags : suse/kubectl:1.31 , suse/kubectl:1.31.9 , suse/kubectl:1.31.9-1.39.7 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.39.7 Container Release : 39.7 Severity : moderate Type : security References : 1241781 CVE-2025-22872 ----------------------------------------------------------------- The container suse/kubectl was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1945-1 Released: Fri Jun 13 12:16:34 2025 Summary: Security update for kubernetes-old Type: security Severity: moderate References: 1241781,CVE-2025-22872 This update for kubernetes-old fixes the following issues: - CVE-2025-22872: Fixed golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241781) This update to version 1.31.9 (jsc#PED-11105) * Find full changelog https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md#v1319 The following package changes have been done: - kubernetes1.31-client-1.31.9-150600.13.10.1 updated - kubernetes1.31-client-common-1.31.9-150600.13.10.1 updated - container:suse-sle15-15.6-9915f065a551ffb0d36733cc7815ef280d67263747176daae70f34a7daf3aeb2-0 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:06:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:06:16 +0200 (CEST) Subject: SUSE-CU-2025:4289-1: Security update of suse/kubectl Message-ID: <20250615070616.53CE0FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/kubectl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4289-1 Container Tags : suse/kubectl:1.31 , suse/kubectl:1.31.9 , suse/kubectl:1.31.9-1.39.7 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.39.7 Container Release : 39.7 Severity : moderate Type : security References : 1241781 CVE-2025-22872 ----------------------------------------------------------------- The container suse/kubectl was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1945-1 Released: Fri Jun 13 12:16:34 2025 Summary: Security update for kubernetes-old Type: security Severity: moderate References: 1241781,CVE-2025-22872 This update for kubernetes-old fixes the following issues: - CVE-2025-22872: Fixed golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241781) This update to version 1.31.9 (jsc#PED-11105) * Find full changelog https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md#v1319 The following package changes have been done: - kubernetes1.31-client-1.31.9-150600.13.10.1 updated - kubernetes1.31-client-common-1.31.9-150600.13.10.1 updated - container:suse-sle15-15.6-9915f065a551ffb0d36733cc7815ef280d67263747176daae70f34a7daf3aeb2-0 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:13:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:13:32 +0200 (CEST) Subject: SUSE-CU-2025:4301-1: Recommended update of suse/rmt-server Message-ID: <20250615071332.D8C43FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/rmt-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4301-1 Container Tags : suse/rmt-server:2 , suse/rmt-server:2.22 , suse/rmt-server:2.22-65.8 , suse/rmt-server:latest Container Release : 65.8 Severity : important Type : recommended References : 1236177 1237496 1242938 1243259 ----------------------------------------------------------------- The container suse/rmt-server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) The following package changes have been done: - libudev1-254.24-150600.4.33.1 updated - container:registry.suse.com-bci-bci-base-15.6-9915f065a551ffb0d36733cc7815ef280d67263747176daae70f34a7daf3aeb2-0 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:18:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:18:02 +0200 (CEST) Subject: SUSE-CU-2025:4306-1: Recommended update of suse/sle15 Message-ID: <20250615071802.8E0CEFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4306-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.2 , suse/sle15:15.6 , suse/sle15:15.6.47.23.2 Container Release : 47.23.2 Severity : important Type : recommended References : 1173375 1236177 1237496 1242938 1243259 1243360 1243960 
----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1577-1 Released: Mon May 19 10:24:04 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1173375 This update for container-suseconnect fixes the following issues: - update to 2.5.1: * Bump github.com/mssola/capture from 1.0.0 to 1.1.0 * Log everything to stderr * Code formatting * Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 * Also allow optionally to pass down the system_token * Various golangci-lint v2.1x warnings fixed * Remove use of urfave/cli and replace it with flag - remove unnecessary packaging buildrequires ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1736-1 Released: Thu May 29 11:34:51 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243360 This update for container-suseconnect fixes the following issues: - Version update v2.5.3 (bsc#1243360): - only handle command line options for the default - parse and ignore the previously removed log-credentials-errors - Restore usage output on unhandled command line options - Switch to go stable and update mod to 1.24.0 - Various golangci-lint v2.1x warnings fixed - Also allow optionally to pass down the system_token - Log everything to stderr - Code formatting - remove unnecessary packaging buildrequires ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not 
move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated - libudev1-254.24-150600.4.33.1 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:20:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:20:41 +0200 (CEST) Subject: SUSE-CU-2025:4315-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250615072041.9EA31FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4315-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , suse/manager/4.3/proxy-httpd:4.3.15.9.63.35 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.35 Severity : important Type : security References : 1234128 1243317 
CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). The following package changes have been done: - glibc-2.31-150300.95.1 updated - container:sles15-ltss-image-15.4.0-2.47 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:21:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:21:31 +0200 (CEST) Subject: SUSE-CU-2025:4316-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250615072131.C2F72FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4316-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.43 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.53.43 Severity : important Type : security References : 1234128 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). The following package changes have been done: - glibc-2.31-150300.95.1 updated - container:sles15-ltss-image-15.4.0-2.47 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:22:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:22:16 +0200 (CEST) Subject: SUSE-CU-2025:4317-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20250615072216.47B6AFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4317-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.15 , suse/manager/4.3/proxy-squid:4.3.15.9.62.24 , suse/manager/4.3/proxy-squid:latest Container Release : 9.62.24 Severity : important Type : security References : 1234128 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). The following package changes have been done: - glibc-2.31-150300.95.1 updated - container:sles15-ltss-image-15.4.0-2.47 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:23:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:23:08 +0200 (CEST) Subject: SUSE-CU-2025:4318-1: Security update of suse/manager/4.3/proxy-ssh Message-ID: <20250615072308.49671FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4318-1 Container Tags : suse/manager/4.3/proxy-ssh:4.3.15 , suse/manager/4.3/proxy-ssh:4.3.15.9.53.24 , suse/manager/4.3/proxy-ssh:latest Container Release : 9.53.24 Severity : important Type : security References : 1234128 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-ssh was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). The following package changes have been done: - glibc-2.31-150300.95.1 updated - container:sles15-ltss-image-15.4.0-2.47 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:24:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:24:01 +0200 (CEST) Subject: SUSE-CU-2025:4319-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20250615072401.083B3FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4319-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.15 , suse/manager/4.3/proxy-tftpd:4.3.15.9.53.25 , suse/manager/4.3/proxy-tftpd:latest Container Release : 9.53.25 Severity : important Type : security References : 1234128 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1784-1 Released: Fri May 30 18:09:16 2025 Summary: Security update for glibc Type: security Severity: important References: 1234128,1243317,CVE-2025-4802 This update for glibc fixes the following issues: Security issues fixed: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). Other issues fixed: - Multi-threaded application hang due to deadlock when `pthread_cond_signal` fails to wake up `pthread_cond_wait` as a consequence of a bug related to stealing of signals (bsc#1234128). The following package changes have been done: - glibc-2.31-150300.95.1 updated - container:sles15-ltss-image-15.4.0-2.47 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:25:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:25:26 +0200 (CEST) Subject: SUSE-CU-2025:4320-1: Recommended update of suse/sle-micro/5.1/toolbox Message-ID: <20250615072526.7F655FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4320-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.131 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.131 Severity : moderate Type : recommended References : 1243960 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated From sle-container-updates at lists.suse.com Sun Jun 15 07:26:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 15 Jun 2025 09:26:55 +0200 (CEST) Subject: SUSE-CU-2025:4321-1: Recommended update of suse/sle-micro/5.2/toolbox Message-ID: <20250615072655.8F87BFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4321-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.133 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.133 Severity : moderate Type : recommended References : 1243960 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated From sle-container-updates at lists.suse.com Tue Jun 3 07:07:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 3 Jun 2025 09:07:31 +0200 (CEST) Subject: SUSE-CU-2025:4176-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250603070731.1348AFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4176-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.1 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.1 Severity : critical Type : security References : 1007273 1010996 1174091 1174414 1175678 1194818 1199079 1210638 1213291 1218171 1218609 1219004 1219559 1219559 1219561 1219666 1220082 1220117 1220262 1220338 1220763 1221289 1221525 1221831 1221854 1221963 1222021 1222086 1222398 1222650 1222896 1223094 1223107 1223430 1223596 1223605 1223766 1224771 1225267 1225451 1225598 1225660 1226014 1226030 1226128 1226447 1226448 1226493 1227127 1227205 1227378 1227625 1227793 1227999 1228138 1228165 1228206 1228208 1228216 1228265 1228420 1228647 1228780 1228787 1229003 1229014 1229228 1229238 1229596 1229596 1229685 1229704 1229704 1229822 1229930 1229931 1229932 1230078 1230145 1230227 1230227 
1230229 1230267 1230371 1230698 1230906 1230912 1231043 1231048 1231373 1231396 1231423 1231472 1231795 1231833 1231838 1232227 1232241 1232528 1232579 1232579 1232601 1232844 1233078 1233282 1233393 1233699 1233726 1233752 1234015 1234015 1234068 1234128 1234304 1234313 1234665 1234765 1234798 1234812 1234996 1235088 1235151 1235695 1235751 1236151 1236282 1236588 1236590 1236619 1236705 1236705 1236779 1236842 1236878 1236886 1237137 1237294 1237363 1237370 1237418 1238450 1239119 1239210 1239618 1239883 1239909 1240009 1240343 1240897 1241020 1241067 1241078 1241083 1241453 1241551 1243317 222971 441356 831629 CVE-2013-0340 CVE-2019-15903 CVE-2019-20907 CVE-2019-2708 CVE-2019-9947 CVE-2020-15523 CVE-2020-15801 CVE-2022-25236 CVE-2023-27043 CVE-2023-4016 CVE-2023-50782 CVE-2023-52425 CVE-2023-52425 CVE-2023-52426 CVE-2023-6597 CVE-2024-0397 CVE-2024-0450 CVE-2024-10963 CVE-2024-11053 CVE-2024-12133 CVE-2024-28085 CVE-2024-28757 CVE-2024-4030 CVE-2024-4032 CVE-2024-40896 CVE-2024-41996 CVE-2024-43374 CVE-2024-43790 CVE-2024-43802 CVE-2024-45306 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-47814 CVE-2024-50602 CVE-2024-50602 CVE-2024-52533 CVE-2024-56171 CVE-2024-56406 CVE-2024-6232 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-7592 CVE-2024-8088 CVE-2024-8088 CVE-2024-8176 CVE-2024-9287 CVE-2024-9681 CVE-2025-0167 CVE-2025-0395 CVE-2025-0725 CVE-2025-0938 CVE-2025-0938 CVE-2025-1215 CVE-2025-1795 CVE-2025-22134 CVE-2025-24014 CVE-2025-24528 CVE-2025-24928 CVE-2025-2588 CVE-2025-27113 CVE-2025-29087 CVE-2025-29088 CVE-2025-30258 CVE-2025-32414 CVE-2025-32415 CVE-2025-3360 CVE-2025-4802 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 117 Released: Mon Feb 3 09:46:07 2025 Summary: Security update for util-linux Type: security Severity: important References: 1218609,1220117,1221831,1223605,1225598,CVE-2024-28085 This update for util-linux fixes the following issues: Security issue fixed: - CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831) Non-security issues fixed: - Fix hang of lscpu -e (bsc#1225598) - lscpu: Add more ARM cores (bsc#1223605) - Document that chcpu -g is not supported on IBM z/VM (bsc#1218609) - Processes not cleaned up after failed SSH session are using up 100% CPU (bsc#1220117) ----------------------------------------------------------------- Advisory ID: 82 Released: Mon Feb 3 09:50:59 2025 Summary: Recommended update for suseconnect-ng, zypp-plugin, libsolv, zypper, libzypp Type: recommended Severity: important References: 1007273,1175678,1218171,1219004,1221525,1221963,1222086,1222398,1223094,1223107,1223430,1223766,1224771,1225267,1226014,1226030,1226128,1226493,1227205,1227625,1227793,1228138,1228206,1228208,1228420,1228647,1228787,1229014,1230229,1230267,1230912,1231043,222971 This update for suseconnect-ng, zypp-plugin, libsolv, zypper, libzypp fixes the following issues: libsolv version 0.7.30: - removed dependency on external find program in the repo2solv tool - bindings: fix return value of repodata.add_solv() - new SOLVER_FLAG_FOCUS_NEW flag - add a conflict to older libsolv-tools to libsolv-tools-base - report unsupported compression in solv_xfopen() with errno - fix return value of repodata.add_solv() in the bindings - fix SHA-224 oid in solv_pgpvrfy - improve updating of installed multiversion packages - fix decision introspection going into an endless loop in some cases - added experimental lua bindings - split libsolv-tools into libsolv-tools-base [jsc#PED-8153]
libzypp update to 17.35.12: - PluginFrame: Send unescaped colons in header values (bsc#1231043) According to the STOMP protocol it would be correct to escape a colon in a header-value, but it breaks plugin receivers which do not expect this. The first colon separates header-name from header-value, so escaping in the header-value is not needed anyway. Escaping in the header-value affects especially the urlresolver plugins. The input URL is passed in a header, but sent back as raw data in the frames body. If the plugin receiver does not correctly unescape the URL we may get back a 'https\c//' which is not usable. - Do not ignore return value of std::remove_if in MediaSyncFacade (fixes #579) - Fix hang in curl code with no network connection (bsc#1230912) - Deprecate librpmDb::db_const_iterator default ctor (bsc#1230267) It's preferred to explicitly tell the root directory of the system whose database you want to query. - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - Conflicts: zypper <= 1.14.76 - single_rpmtrans: fix installation of .src.rpms (bsc#1228647) - Make sure not to statically linked installed tools (bsc#1228787) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - Export CredentialManager for legacy YAST versions (bsc#1228420) - Export asSolvable for YAST (bsc#1228420) - Fix 4 typos in zypp.conf. 
- Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - Translation: updated .pot file. - Conflict with python zypp-plugin < 0.6.4 (bsc#1227793) Older zypp-plugins reject stomp headers including a '-'. Like the 'content-length' header we may send. - Fix int overflow in Provider (fixes #559) This patch fixes an issue in safe_strtonum which caused timestamps to overflow in the Provider message parser. - Fix error reporting on repoindex.xml parse error (bsc#1227625) - Keep UrlResolverPlugin API public (fixes #560) - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) Buddy pairs (like -release package and product) internally share the same status object. When applying locks from query results the locked bit must be set if either item is locked. - Install zypp/APIConfig.h legacy include (fixes #557) - Update soname due to RepoManager refactoring and cleanup. - Workaround broken libsolv-tools-base requirements (fixes openSUSE/zypper#551) - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency. - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows. - zypp-tui: Make sure translated texts use the correct textdomain (fixes #551) - Skip libproxy1 requires for tumbleweed. - don't require libproxy1 on tumbleweed, it is optional now - Fix versioning scheme - add one more missing export for libyui-qt-pkg - Revert eintrSafeCall behavior to setting errno to 0. 
- fix up requires_eq usage for libsolv-tools-base - add one more missing export for PackageKit - switch to reduced size libsolv-tools-base (jsc#PED-8153) - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - Add ZYPP_API for exported functions and switch to visibility=hidden (jsc#PED-8153) - Dynamically resolve libproxy (jsc#PED-8153) - Fix download from gpgkey URL (bsc#1223430, fixes openSUSE/zypper#546) - Don't try to refresh volatile media as long as raw metadata are present (bsc#1223094) - Fix creation of sibling cache dirs with too restrictive mode (bsc#1222398) Some install workflows in YAST may lead to too restrictive (0700) raw cache directories in case of newly created repos. Later commands running with user privileges may not be able to access these repos. - Update RepoStatus fromCookieFile according to the files mtime (bsc#1222086) - TmpFile: Don't call chmod if makeSibling failed. - Fixup New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) Fixed the name of the keyword to 'support_superseded' as it was agreed on in jsc#OBS-301. - Add resolver option 'removeUnneeded' to file weak remove jobs for unneeded packages (bsc#1175678) - Add resolver option 'removeOrphaned' for distupgrade (bsc#1221525) - New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - Tests: fix vsftpd.conf where SUSE and Fedora use different defaults (fixes #522) - Add default stripe minimum (#529) - Don't expose std::optional where YAST/PK explicitly use c++11. - Digest: Avoid using the deprecated OPENSSL_config. - ProblemSolution::skipsPatchesOnly overload to handout the patches. - Remove https->http redirection exceptions for download.opensuse.org. 
suseconnect-ng updated to 1.12: - Set the filesystem root on zypper when given (bsc#1230229,bsc#1229014) - Added uname as collector - Added SAP workload detection - Added detection of container runtimes - Multiple fixes on ARM64 detection - Use `read_values` for the CPU collector on Z - Fixed data collection for ppc64le - Grab the home directory from /etc/passwd if needed (bsc#1226128) - Build zypper-migration and zypper-packages-search as standalone binaries rather than one single binary - Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004) - Include /etc/products.d in directories whose contents are backed up and restored if a zypper-migration rollback happens. (bsc#1219004) - Add the ability to upload the system uptime logs, produced by the suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report. (jsc#PED-7982) (jsc#PED-8018) - Add support for third party packages in SUSEConnect - Refactor existing system information collection implementation - Fix certificate import for Yast when using a registration proxy with self-signed SSL certificate (bsc#1223107) zypp-plugin updated to 0.6.4: - Fix stomp header regex to include '-' (bsc#1227793) zypper updated to 1.14.77: - API refactoring. Prevent zypper from using now private libzypp symbols (bsc#1230267) - BuildRequires: libzypp-devel >= 17.35.10. - Fix wrong numbers used in CommitSummary skipped/failed messages. - Show rpm install size before installing (bsc#1224771) If filesystem snapshots are taken before the installation (e.g. by snapper) no disk space is freed by removing old packages. In this case the install size of all packages is a hint how much additional disk space is needed by the new packages static content. 
- Fix readline setup to handle Ctrl-C and Ctrl-D correctly (bsc#1227205) - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - BuildRequires: libzypp-devel >= 17.33.0. - Delay zypp lock until command options are parsed (bsc#1223766) - Unify message format (fixes #485) - switch cmake build type to RelWithDebInfo - modernize spec file (remove Authors section, use proper macros, remove redundant clean section, don't mark man pages as doc) - switch to -O2 -fvisibility=hidden -fpie: * PIC is not needed as no shared lib is built * fstack-protector-strong is default on modern dists and would be downgraded by fstack-protector * default visibility hidden allows better optimisation * O2 is reducing inlining bloat -> 18% reduced binary size - remove procps requires (was only for ZMD which is dropped) (jsc#PED-8153) - Do not try to refresh repo metadata as non-root user (bsc#1222086) Instead show refresh stats and hint how to update them. - man: Explain how to protect orphaned packages by collecting them in a plaindir repo. - packages: Add --autoinstalled and --userinstalled options to list them. - Don't print 'reboot required' message if download-only or dry-run (fixes #529) Instead point out that a reboot would be required if the option was not used. - Respect zypper.conf option `showAlias` search commands (bsc#1221963) Repository::asUserString (or Repository::label) respects the zypper.conf option, while name/alias return the property. - dup: New option --remove-orphaned to remove all orphaned packages in dup (bsc#1221525) - info,summary: Support VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - BuildRequires: libzypp-devel >= 17.32.0. API cleanup and changes for VendorSupportSuperseded. - Show active dry-run/download-only at the commit prompt. 
- patch: Add --skip-not-applicable-patches option (closes #514) - Fix printing detailed solver problem description. The problem description() is one rule out possibly many in completeProblemInfo() the solver has chosen to represent the problem. So either description or completeProblemInfo should be printed, but not both. - Fix bash-completion to work with right adjusted numbers in the 1st column too (closes #505) - Set libzypp shutdown request signal on Ctrl+C (fixes #522) - lr REPO: In the detailed view show all baseurls not just the first one (bsc#1218171) ----------------------------------------------------------------- Advisory ID: 87 Released: Mon Feb 3 10:01:09 2025 Summary: Security update for python311 Type: security Severity: important References: 1229596,1229704,1230227,CVE-2024-6232,CVE-2024-7592,CVE-2024-8088 This update for python311 fixes the following issues: - CVE-2024-8088: Fixed a denial of service in zipfile (bsc#1229704) - CVE-2024-6232: Fixed a ReDoS via excessive backtracking while parsing header values (bsc#1230227) - CVE-2024-7592: Fixed a denial of service in the http.cookies module (bsc#1229596) ----------------------------------------------------------------- Advisory ID: 118 Released: Mon Feb 3 10:01:29 2025 Summary: Security update for libdb-4_8 Type: security Severity: moderate References: 1174414,CVE-2019-2708 This update for libdb-4_8 fixes the following issues: CVE-2019-2708: Fixed data store execution leading to partial DoS (bsc#1174414) Changes: * libdb: Data store execution leads to partial DoS * Backport the upstream commits: - Fixed several possible crashes when running db_verify on a corrupted database. [#27864] - Fixed several possible hangs when running db_verify on a corrupted database. [#27864] - Added a warning message when attempting to verify a queue database which has many extent files. Verification will take a long time if there are many extent files. 
[#27864] ----------------------------------------------------------------- Advisory ID: 119 Released: Mon Feb 3 10:05:40 2025 Summary: Recommended update for gcc13 Type: recommended Severity: moderate References: 1231833 This update for gcc13 fixes the following issues: - Fix for parsing tzdata 2024b [gcc#116657] ----------------------------------------------------------------- Advisory ID: 94 Released: Mon Feb 3 10:05:41 2025 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1194818 This update for pam fixes the following issue: - Prevent cursor escape from the login prompt (bsc#1194818) ----------------------------------------------------------------- Advisory ID: 201 Released: Mon Feb 3 10:06:00 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1220262,1230698,CVE-2023-50782,CVE-2024-41996 This update for openssl-3 fixes the following issues: - CVE-2024-41996: Fixed a denial of service in the Diffie-Hellman Key Agreement Protocol (bsc#1230698). - CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262) ----------------------------------------------------------------- Advisory ID: 138 Released: Mon Feb 3 10:07:41 2025 Summary: Security update for curl Type: security Severity: moderate References: 1232528,CVE-2024-9681 This update for curl fixes the following issues: - CVE-2024-9681: Fixed HSTS subdomain overwrites parent cache entry (bsc#1232528) ----------------------------------------------------------------- Advisory ID: 120 Released: Mon Feb 3 10:09:12 2025 Summary: Security update for expat Type: security Severity: moderate References: 1232579,CVE-2024-50602 This update for expat fixes the following issues: - CVE-2024-50602: Fixed possible denial-of-service vulnerability inside XML_ResumeParser (bsc#1232579). 
----------------------------------------------------------------- Advisory ID: 140 Released: Mon Feb 3 10:13:17 2025 Summary: Security update for glib2 Type: security Severity: important References: 1233282,CVE-2024-52533 This update for glib2 fixes the following issues: - CVE-2024-52533: Fix a single byte buffer overflow (bsc#1233282). ----------------------------------------------------------------- Advisory ID: 164 Released: Mon Feb 3 10:17:47 2025 Summary: Security update for pam Type: security Severity: moderate References: 1233078,CVE-2024-10963 This update for pam fixes the following issues: - CVE-2024-10963: Fixed improper hostname interpretation in pam_access that could lead to access control bypass (bsc#1233078). ----------------------------------------------------------------- Advisory ID: 166 Released: Mon Feb 3 10:18:10 2025 Summary: Security update for curl Type: security Severity: moderate References: 1234068,CVE-2024-11053 This update for curl fixes the following issues: - CVE-2024-11053: Fixed password leak used for the first host to the followed-to host under certain circumstances (bsc#1234068) ----------------------------------------------------------------- Advisory ID: 158 Released: Mon Feb 3 10:19:18 2025 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1225451,1233393,1234304 This update for libzypp fixes the following issues: Version.35.15 (35) - Url query part: `=` is a safe char in value (bsc#1234304) - RpmDb: Recognize rpmdb.sqlite as database file (#593) - The 20MB download limit must not apply to non-metadata files like package URLs provided via the CLI (bsc#1233393). 
- BuildCache: Don't try to retrieve missing raw metadata if no permission to write the cache (bsc#1225451) - RepoManager: throw RepoNoPermissionException if the user has no permission to update(write) the caches (bsc#1225451) ----------------------------------------------------------------- Advisory ID: 188 Released: Mon Feb 3 10:21:01 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1234812,CVE-2024-40896 This update for libxml2 fixes the following issues: - CVE-2024-40896: Fixed XML external entity vulnerability (bsc#1234812) ----------------------------------------------------------------- Advisory ID: 190 Released: Mon Feb 3 10:24:20 2025 Summary: Recommended update for iptables Type: recommended Severity: moderate References: 1234996,1235088 This update for iptables fixes the following issues: * Fixes checking existence of rules. Fixes issues with rule creation with podman/netavark. (bsc#1235088, bsc#1234996) ----------------------------------------------------------------- Advisory ID: 217 Released: Tue Feb 25 14:12:31 2025 Summary: Security update for vim Type: security Severity: important References: 1220763,1229238,1229685,1229822,1230078,1231373,1235695,1236151,1237137,CVE-2024-43374,CVE-2024-43790,CVE-2024-43802,CVE-2024-45306,CVE-2024-47814,CVE-2025-1215,CVE-2025-22134,CVE-2025-24014 This update for vim fixes the following issues: vim was updated to 9.1.1101: - CVE-2024-43374: Fixed use-after-free in alist_add() (bsc#1229238) - CVE-2024-43790: Fixed Out of bounds read when performing a search command (bsc#1229685) - CVE-2024-43802: Fixed heap-buffer-overflow in ins_typebuf() (bsc#1229822) - CVE-2024-45306: Fixed heap-buffer-overflow in Vim (bsc#1230078) - CVE-2024-47814: Fixed use-after-free when closing buffers in Vim (bsc#1231373) - CVE-2025-1215: Fixed manipulation of the argument --log leads to memory corruption (bsc#1237137) - CVE-2025-22134: Fixed heap-buffer-overflow in Vim < 9.1.1003 (bsc#1235695) - 
CVE-2025-24014: Fixed segmentation fault in win_line() in Vim < 9.1.1043 (bsc#1236151) Update to 9.1.1101: * insexpand.c hard to read * tests: Test_log_nonexistent only works on Linux * Update base-syntax, improve variable matching * Vim9: import with extends may crash * leaking memory with completing multi lines * --log with non-existent path causes a crash * if_perl: Perl 5.38 adds new symbols causing link failure * tests: matchparen plugin test wrongly named * Vim9: problem finding implemented method in type hierarchy * runtime(qf): Update syntax file, match second delimiter * tests: output of test ...win32_ctrl_z depends on python version * tests: fix expected return code for python 3.13 on Windows * tests: timeout might be a bit too small * tests: test_terminwscroll_topline2 unreliable * tests: No check when tests are run under Github actions * tests: plugin tests are named inconsistently * Vim9: import with extends may crash * completion doesn't work with multi lines * filetype: cmmt files are not recognized * Unable to persistently ignore events in a window and its buffers * improve syntax highlighting * setreg() doesn't correctly handle mbyte chars in blockwise mode * unexpected DCS responses may cause out of bounds reads * has('bsd') is true for GNU/Hurd * filetype: Mill files are not recognized * GUI late startup leads to uninitialized scrollbars * Add support for lz4 to tar & gzip plugin * Terminal ansi colors off by one after tgc reset * included syntax items do not understand contains=TOP * vim_strnchr() is strange and unnecessary * Vim9: len variable not used in compile_load() * runtime(vim): Update base-syntax, match :debuggreedy count prefix * Strange error when heredoc marker starts with 'trim' * tests: test_compiler fails on Windows without Maven * 'diffopt' 'linematch' cannot be used with {n} less than 10 * args missing after failing to redefine a function * Cannot control cursor positioning of getchar() * preinsert text completions not deleted 
with / * getchar() can't distinguish between C-I and Tab * tests: Test_termwinscroll_topline2 fails on MacOS * heap-use-after-free and stack-use-after-scope with :14verbose * no digraph for 'Approaches the limit' * not possible to use plural forms with gettext() * too many strlen() calls in userfunc.c * terminal: E315 when dragging the terminal with the mouse * runtime(openPlugin): fix unclosed parenthesis in GetWordUnderCursor() * runtime(doc): Tweak documentation style a bit * tests: test_glvs fails when unarchiver not available * Vim always enables 'termguicolors' in a terminal * completion: input text deleted with preinsert when adding leader * translation(sr): Missing Serbian translation for the tutor * Superfluous cleanup steps in test_ins_complete.vim * runtime(netrw): correct wrong version check * Vim doesn't highlight to be inserted text when completing * runtime(netrw): upstream snapshot of v176 * runtime(dist/vim9): fix regressions in dist#vim9#Open * runtime(hyprlang): fix string recognition * make install fails because of a missing dependency * runtime(asm): add byte directives to syntax script * Vim doesn't work well with TERM=xterm-direct * runtime(filetype): commit 99181205c5f8284a3 breaks V lang detection * runtime: decouple Open and Launch commands and gx mapping from netrw * 'nosort' enables fuzzy filtering even if 'fuzzy' isn't in 'completeopt' * runtime(just): fix typo in syntax file * runtime(filetype): Improve Verilog detection by checking for modules definition * tests: off-by-one error in CheckCWD in test_debugger.vim * tests: no support for env variables when running Vim in terminal * too many strlen() calls in os_unix.c * insert-completed items are always sorted * crash after scrolling and pasting in silent Ex mode * Makefiles uses non-portable syntax * fuzzymatching doesn't prefer matching camelcase * filetype: N-Tripels and TriG files are not recognized * Vim9: Patch 9.1.1014 causes regressions * translation(sr): Update Serbian messages 
translation Update to 9.1.1043: * [security]: segfault in win_line() * update helptags * filetype: just files are not recognized * Update base-syntax, match ternary and falsy operators * Vim9: out-of-bound access when echoing an enum * Vim9: imported type cannot be used as func return type * runtime(kconfig): updated ftplugin and syntax script * runtime(doc): rename last t_BG reference to t_RB * Vim9: comments are outdated * tests: test_channel.py fails with IPv6 * runtime(vim): Update base-syntax, fix is/isnot operator matching * Vim9: confusing error when using abstract method via super * make install fails when using shadowdir * Vim9: memory leak with blob2str() * runtime(tex): add texEmphStyle to texMatchGroup in syntax script * runtime(netrw): upstream snapshot of v175 * Vim9: compiling abstract method fails without return * runtime(c): add new constexpr keyword to syntax file (C23) * tests: shaderslang was removed from test_filetype erroneously * link error when FEAT_SPELL not defined * Coverity complains about insecure data handling * runtime(sh): update syntax script * runtime(c): Add missing syntax test files * filetype: setting bash filetype is backwards incompatible * runtime(c): Update syntax and ftplugin files * the installer can be improved * too many strlen() calls in screen.c * no sanitize check when running linematch * filetype: swc configuration files are not recognized * runtime(netrw): change netrw maintainer * wrong return type of blob2str() * blob2str/str2blob() do not support list of strings * runtime(doc): fix typo in usr_02.txt * Coverity complains about dereferencing NULL pointer * linematch option value not completed * string might be used without a trailing NUL * no way to get current selected item in a async context * filetype: fd ignore files are not recognized * v9.1.0743 causes regression with diff mode * runtime(doc): fix base64 encode/decode examples * Vim9: Patch 9.1.1013 causes a few problems * Not possible to convert string2blob 
and blob2string * Coverity complains about dereferencing NULL value * Vim9: variable not found in transitive import * runtime(colors): Update colorschemes, include new unokai colorscheme * runtime(lyrics): support milliseconds in syntax script * runtime(vim): Split Vim legacy and Vim9 script indent tests * Vim9: class interface inheritance not correctly working * popupmenu internal error with some abbr in completion item * filetype: VisualCode setting file not recognized * diff feature can be improved * filetype: various ignore are not recognized * tests: Load screendump files with 'git vimdumps' * PmenuMatch completion highlight can be combined * completion text is highlighted even with no pattern found * tests: a few termdebug tests are flaky * [security]: heap-buffer-overflow with visual mode * runtime(doc): add package- helptags for included packages * Vim9: unknown func error with interface declaring func var * runtime(filetype): don't detect string interpolation as angular * ComplMatchIns highlight hard to read on light background * runtime(vim): Update base-syntax, highlight literal string quote escape * runtime(editorconfig): set omnifunc to syntaxcomplete func * tests: ruby tests fail with Ruby 3.4 * Vim9: leaking finished exception * runtime(tiasm): use correct syntax name tiasm in syntax script * filetype: TI assembly files are not recognized * too many strlen() calls in drawscreen.c * runtime(xf86conf): add section name OutputClass to syntax script * ComplMatchIns may highlight wrong text * runtime(vim): Update base-syntax, improve ex-bang matching * runtime(doc): clarify buffer deletion on popup_close() * filetype: shaderslang files are not detected * Vim9: not able to use comment after opening curly brace Update to 9.1.0993: * 9.1.0993: New 'cmdheight' behavior may be surprising * runtime(sh): fix typo in Last Change header * 9.1.0992: Vim9: double-free after v9.1.0988 * 9.1.0991: v:stacktrace has wrong type in Vim9 script * runtime(sh): add PS0 to 
bashSpecialVariables in syntax script * runtime(vim): Remove trailing comma from match_words * runtime(zsh): sync syntax script with upstream repo * runtime(doc): Capitalise the mnemonic 'Zero' for the 'z' flag of search() * 9.1.0990: Inconsistent behavior when changing cmdheight * 9.1.0989: Vim9: Whitespace after the final enum value causes a syntax error * runtime(java): Quietly opt out for unsupported markdown.vim versions * runtime(vim): fix failing vim syntax test * 9.1.0988: Vim9: no error when using uninitialized var in new() * runtime(doc): update index.txt * 9.1.0987: filetype: cake files are not recognized * 9.1.0986: filetype: 'jj' filetype is a bit imprecise * runtime(jj): Support diffs in jj syntax * runtime(vim): Update matchit pattern, no Vim9 short names * 9.1.0985: Vim9: some ex commands can be shortened * 9.1.0984: exception handling can be improved * runtime(doc): update doc for :horizontal * runtime(doc): update index.txt, windows.txt and version9.txt * runtime(doc): Tweak documentation about base64 function * runtime(chordpro): update syntax script * 9.1.0983: not able to get the displayed items in complete_info() * runtime(doc): use standard SGR format at :h xterm-true-color * 9.1.0982: TI linker files are not recognized * runtime(vim): update vim generator syntax script * 9.1.0981: tests: typo in test_filetype.vim * 9.1.0980: no support for base64 en-/decoding functions in Vim Script * syntax(sh): Improve the recognition of bracket expressions * runtime(doc): mention how NUL bytes are handled * 9.1.0979: VMS: type warning with $XDG_VIMRC_FILE * 9.1.0978: GUI tests sometimes fail when setting 'scroll' options * 9.1.0977: filetype: msbuild filetypes are not recognized * 9.1.0976: Vim9: missing return statement with throw * 9.1.0975: Vim9: interpolated string expr not working in object methods * 9.1.0974: typo in change of commit v9.1.0873 * 9.1.0973: too many strlen() calls in fileio.c * runtime(sh): set shellcheck as the compiler for supported 
shells * runtime(doc): Fix enum example syntax * 9.1.0972: filetype: TI linker map files are not recognized * runtime(vim): Improve syntax script generator for Vim Script * 9.1.0971: filetype: SLNX files are not recognized * 9.1.0970: VMS: build errors on VMS architecture * runtime(doc): Fix documentation typos * runtime(doc): update for new keyprotocol option value (after v9.1.0969) * 9.1.0969: ghostty not using kitty protocol by default * 9.1.0968: tests: GetFileNameChecks() isn't fully sorted by filetype name * runtime(doc): update version9.txt for bash filetype * runtime(netrw): update last change header for #16265 * runtime(doc): fix doc error in :r behaviour * 9.1.0967: SpotBugs compiler setup can be further improved * 9.1.0966: Vim9: :enum command can be shortened * runtime(compiler): include a basic bash syntax checker compiler * 9.1.0965: filetype: sh filetype set when detecting the use of bash * runtime(doc): clarify ARCH value for 32-bit in INSTALLpc.txt * 9.1.0963: fuzzy-matching does not prefer full match * 9.1.0962: filetype: bun.lock file is not recognized * runtime(vim): update indentation plugin for Vim script * runtime(doc): tweak documentation style in helphelp.txt * runtime(vim): Update base-syntax, allow parens in default arguments * runtime(doc): mention auto-format using clang-format for sound.c/sign.c * runtime(help): fix typo s/additional/arbitrary/ * runtime(help): Add better support for language annotation highlighting * 9.1.0961: filetype: TI gel files are not recognized * 9.1.0960: filetype: hy history files are not recognized * translation(fi): Fix typoes in Finish menu translation * 9.1.0959: Coverity complains about type conversion * runtime(vim): Use supported syntax in indent tests * 9.1.0958: filetype: supertux2 config files detected as lisp * 9.1.0956: completion may crash, completion highlight wrong with preview window * 9.1.0955: Vim9: vim9compile.c can be further improved * runtime(doc): move help tag E1182 * runtime(graphql): 
contribute vim-graphql to Vim core * 9.1.0954: popupmenu.c can be improved * 9.1.0953: filetype: APKBUILD files not correctly detected * 9.1.0952: Vim9: missing type checking for any type assignment * 9.1.0951: filetype: jshell files are not recognized * runtime(dockerfile): do not set commentstring in syntax script * 9.1.0950: filetype: fennelrc files are not recognized * runtime(netrw): do not double escape Vim special characters * git: ignore reformatting change of netrw plugin * runtime(netrw): more reformating #16248 * runtime(doc): Add a note about handling symbolic links in starting.txt * 9.1.0949: popups inconsistently shifted to the left * git: ignore reformatting change of netrw plugin * runtime(netrw): change indent size from 1 to 2 * 9.1.0948: Missing cmdline completion for :pbuffer * runtime(tutor): Reformat tutor1 * 9.1.0947: short-description * 9.1.0946: cross-compiling fails on osx-arm64 * 9.1.0945: ComplMatchIns highlight doesn't end after inserted text * translation(sv): re-include the change from #16240 * 9.1.0944: tests: test_registers fails when not run under X11 * 9.1.0943: Vim9: vim9compile.c can be further improved * runtime(doc): Update README and mention make check to verify * translation(sv): partly revert commit 98874dca6d0b60ccd6fc3a140b3ec * runtime(vim): update base-syntax after v9.1.0936 * 9.1.0942: a few typos were found * 9.1.0941: ComplMatchIns doesn't work after multibyte chars * runtime(doc): Fix style in fold.txt * translation(sv): Fix typo in Swedish translation * 9.1.0940: Wrong cursor shape with 'gq' and 'indentexpr' executes :normal * runtime(doc): fix some small errors * 9.1.0939: make installtutor fails * 9.1.0938: exclusive selection not respected when re-selecting block mode * 9.1.0937: test_undolist() is flaky * 9.1.0936: cannot highlight completed text * 9.1.0935: SpotBugs compiler can be improved * 9.1.0934: hard to view an existing buffer in the preview window * runtime(doc): document how to minimize fold 
computation costs
* 9.1.0933: Vim9: vim9compile.c can be further improved
* 9.1.0932: new Italian tutor not installed
* runtime(doc): fix a few minor errors from the last doc updates
* translation(it): add Italian translation for the interactive tutor
* runtime(doc): update the change.txt help file
* runtime(help): Add Vim lang annotation support for codeblocks
* 9.1.0931: ml_get error in terminal buffer
* 9.1.0930: tests: test_terminal2 may hang in GUI mode
* 9.1.0929: filetype: lalrpop files are not recognized
* 9.1.0928: tests: test_popupwin fails because the filter command fails
* editorconfig: set trim_trailing_whitespace = false for src/testdir/test*.vim
* 9.1.0927: style issues in insexpand.c
* 9.1.0926: filetype: Pixi lock files are not recognized
* runtime(doc): Add a reference to |++opt| and |+cmd| at `:h :pedit`
* runtime(doc): add a note about inclusive motions and exclusive selection
* 9.1.0925: Vim9: expression compiled when not necessary
* 9.1.0923: too many strlen() calls in filepath.c
* 9.1.0923: wrong MIN macro in popupmenu.c
* 9.1.0921: popupmenu logic is a bit convoluted
* 9.1.0920: Vim9: compile_assignment() too long
* 9.1.0919: filetype: some assembler files are not recognized
* runtime(netrw): do not pollute search history with symlinks
* 9.1.0918: tiny Vim crashes with fuzzy buffer completion
* 9.1.0917: various vartabstop and shiftround bugs when shifting lines
* runtime(typst): add definition lists to formatlistpat, update maintainer
* 9.1.0916: messages.c is exceeding 80 columns
* runtime(proto): include filetype plugin for protobuf
* 9.1.0915: GVim: default font size a bit too small
* 9.1.0914: Vim9: compile_assignment() is too long
* 9.1.0913: no error check for neg values for 'messagesopt'
* runtime(netrw): only check first arg of netrw_browsex_viewer for being executable
* 9.1.0912: xxd: integer overflow with sparse files and -autoskip
* 9.1.0911: Variable name for 'messagesopt' doesn't match short name
* 9.1.0910: 'messagesopt' does
not check max wait time
* runtime(doc): update wrong Vietnamese localization tag
* 9.1.0909: Vim9: crash when calling instance method
Update to 9.1.0908:
* 9.1.0908: not possible to configure :messages
* 9.1.0907: printoptions:portrait does not change postscript Orientation
* runtime(doc): Add vietnamese.txt to helps main TOC
* 9.1.0906: filetype: Nvidia PTX files are not recognized
* runtime(doc): updated version9.txt with changes from v9.1.0905
* 9.1.0905: Missing information in CompleteDone event
* 9.1.0904: Vim9: copy-paste error in class_defining_member()
* 9.1.0903: potential overflow in spell_soundfold_wsal()
* runtime(netrw): do not detach when launching external programs in gvim
* runtime(doc): make tag alignment more consistent in filetype.txt
* runtime(doc): fix wrong syntax and style of vietnamese.txt
* translation(it): update Italian manpage for vimtutor
* runtime(lua): add optional lua function folding
* Filelist: include translations for Chapter 2 tutor
* translation(vi): Update Vietnamese translation
* runtime(doc): include vietnamese.txt
* runtime(tutor): fix another typo in tutor2
* runtime(doc): fix typo in vimtutor manpage
* translation(it): update Italian manpage for vimtutor
* translation(it): include Italian version of tutor chapter 2
* runtime(tutor): regenerated some translated tutor1 files
* runtime(tutor): fix typo in Chapter 2
* 9.1.0902: filetype: Conda configuration files are not recognized
* runtime(doc): Tweak documentation style a bit
* runtime(tutor): update the tutor files and re-number the chapters
* runtime(tutor): Update the makefiles for tutor1 and tutor2 files
* 9.1.0901: MS-Windows: vimtutor batch script can be improved
* runtime(doc): remove buffer-local completeopt todo item
* 9.1.0900: Vim9: digraph_getlist() does not accept bool arg
* runtime(typst): provide a formatlistpat in ftplugin
* runtime(doc): Update documentation for 'noselect' in 'completeopt'
* 9.1.0899: default for 'backspace' can be set in C code
* runtime(helptoc): reload cached g:helptoc.shell_prompt when starting toc
* translation(ru): Updated messages translation
* 9.1.0898: runtime(compiler): pytest compiler not included
* 9.1.0897: filetype: pyrex files are not detected
* runtime(compiler): update eslint compiler
* 9.1.0896: completion list wrong after v9.1.0891
* runtime(doc): document changed default value for 'history'
* 9.1.0895: default history value is too small
* 9.1.0894: No test for what the spotbug compiler parses
* 9.1.0893: No test that undofile format does not regress
* translation(de): update German manpages
* runtime(compiler): include spotbugs Java linter
* 9.1.0892: the max value of 'tabheight' is limited by other tabpages
* runtime(po): remove poDiffOld/New, add po-format flags to syntax file
* 9.1.0891: building the completion list array is inefficient
* patch 9.1.0890: %! item not allowed for 'rulerformat'
* runtime(gzip): load undofile if there exists one
* 9.1.0889: Possible unnecessary redraw after adding/deleting lines
* 9.1.0888: leftcol property not available in getwininfo()
* 9.1.0887: Wrong expression in sign.c
* 9.1.0886: filetype: debian control file not detected
* runtime(c3): include c3 filetype plugin
* 9.1.0885: style of sign.c can be improved
* 9.1.0884: gcc warns about uninitialized variable
* runtime(apache): Update syntax directives for apache server 2.4.62
* translation(ru): updated vimtutor translation, update MAINTAINERS file
* 9.1.0883: message history cleanup is missing some tests
* runtime(doc): Expand docs on :! vs.
:term
* runtime(netrw): Fixing powershell execution issues on Windows
* 9.1.0882: too many strlen() calls in insexpand.c
* 9.1.0881: GUI: message dialog may not get focus
* runtime(netrw): update netrw's decompress logic
* runtime(apache): Update syntax keyword definition
* runtime(misc): add Italian LICENSE and (top-level) README file
* 9.1.0880: filetype: C3 files are not recognized
* runtime(doc): add helptag for :HelpToc command
* 9.1.0879: source is not consistently formatted
* Add clang-format config file
* runtime(compiler): fix escaping of arguments passed to :CompilerSet
* 9.1.0878: termdebug: cannot enable DEBUG mode
* 9.1.0877: tests: missing test for termdebug + decimal signs
* 9.1.0876: filetype: openCL files are not recognized
* 9.1.0875: filetype: hyprlang detection can be improved
* 9.1.0874: filetype: karel files are not detected
* 9.1.0873: filetype: Vivado files are not recognized
* 9.1.0872: No test for W23 message
* 9.1.0871: getcellpixels() can be further improved
* 9.1.0870: too many strlen() calls in eval.c
* 9.1.0869: Problem: curswant not set on gm in folded line
* 9.1.0868: the warning about missing clipboard can be improved
* runtime(doc): Makefile does not clean up all temporary files
* 9.1.0867: ins_compl_add() has too many args
* editorconfig: don't trim trailing whitespaces in runtime/doc
* translation(am): Remove duplicate keys in desktop files
* runtime(doc): update helptags
* runtime(filetype): remove duplicated *.org file pattern
* runtime(cfg): only consider leading // as starting a comment
* 9.1.0866: filetype: LLVM IR files are not recognized
* 9.1.0865: filetype: org files are not recognized
* 9.1.0864: message history is fixed to 200
* 9.1.0863: getcellpixels() can be further improved
* runtime(sh): better function support for bash/zsh in indent script
* runtime(netrw): small fixes to netrw#BrowseX
* 9.1.0862: 'wildmenu' not enabled by default in nocp mode
* runtime(doc): update how to report issues for mac Vim
* runtime(doc): mention option-backslash at :h CompilerSet
* runtime(compiler): include a Java Maven compiler plugin
* runtime(racket): update Racket runtime files
* runtime(doc): improve indentation in examples for netrw-handler
* runtime(doc): improve examples for netrw-handler functions
* runtime(idris2): include filetype,indent+syntax plugins for (L)Idris2 + ipkg
* runtime(doc): clarify the use of filters and external commands
* 9.1.0861: Vim9: no runtime check for object member access of any var
* runtime(compiler): update pylint linter
* 9.1.0860: tests: mouse_shape tests use hard code sleep value
* 9.1.0859: several problems with the GLVS plugin
* 9.1.0858: Coverity complains about dead code
* runtime(tar): Update tar.vim to support permissions
* 9.1.0857: xxd: --- is incorrectly recognized as end-of-options
* 9.1.0851: too many strlen() calls in getchar.c
* 9.1.0850: Vim9: cannot access nested object inside objects
* runtime(tex): extra Number highlighting causes issues
* runtime(vim): Fix indent after :silent!
function
* 9.1.0849: there are a few typos in the source
* runtime(netrw): directory symlink not resolved in tree view
* runtime(doc): add a table of supported Operating Systems
* runtime(tex): update Last Change header in syntax script
* runtime(doc): fix typo in g:termdebug_config
* runtime(vim): Update base-syntax, improve :normal highlighting
* runtime(tex): add Number highlighting to syntax file
* runtime(doc): Tweak documentation style a bit
* 9.1.0848: if_lua: v:false/v:true are not evaluated to boolean
* runtime(dune): use :setl instead of :set in ftplugin
* runtime(termdebug): allow to use decimal signs
* translation(it): Updated Italian vimtutor
* runtime(compiler): improve cppcheck
* git: git-blame-ignore-revs shown as an error on Github
* 9.1.0847: tests: test_popupwin fails because of updated help file
* 9.1.0846: debug symbols for xxd are not cleaned in Makefile
* runtime(structurizr): Update structurizr syntax
* runtime(8th): updated 8th syntax
* runtime(doc): Add pi_tutor.txt to help TOC
* runtime(compiler): add mypy and ruff compiler; update pylint linter
* runtime(netrw): fix several bugs in netrw tree listing
* runtime(netrw): prevent polluting the search history
* 9.1.0845: vimtutor shell script can be improved
* 9.1.0844: if_python: no way to pass local vars to python
* 9.1.0843: too many strlen() calls in undo.c
* runtime(doc): update default value for fillchars option
* runtime(compiler): fix typo in cppcheck compiler plugin
* runtime(doc): simplify vimtutor manpage a bit more
* runtime(matchparen): Add matchparen_disable_cursor_hl config option
* 9.1.0842: not checking for the sync() systemcall
* 9.1.0841: tests: still preferring python2 over python3
* 9.1.0840: filetype: idris2 files are not recognized
* 9.1.0839: filetype: leo files are not recognized
* runtime(cook): include cook filetype plugin
* runtime(debversions): Update Debian versions
* patch 9.1.0838: vimtutor is bash-specific
* runtime(doc): add help specific modeline to
pi_tutor.txt
* Filelist: vimtutor chapter 2 is missing in Filelist
* 9.1.0837: cross-compiling has some issues
* runtime(vimtutor): Add a second chapter
- update to 9.1.0836
* 9.1.0836: The vimtutor can be improved
* 9.1.0835: :setglobal doesn't work properly for 'ffu' and 'tsrfu'
* 9.1.0834: tests: 2html test fails
* 9.1.0833: CI: recent ASAN changes do not work for indent tests
* 9.1.0832: :set doesn't work for 'cot' and 'bkc' after :setlocal
* runtime(doc): update help-toc description
* runtime(2html): Make links use color scheme colors in TOhtml
* 9.1.0831: 'findexpr' can't be used as lambad or Funcref
* Filelist: include helptoc package
* runtime(doc): include a TOC Vim9 plugin
* Filelist: ignore .git-blame-ignore-revs
* 9.1.0830: using wrong highlight group for spaces for popupmenu
* runtime(typst): synchronize updates from the upstream typst.vim
* git: ignore reformatting commit for git-blame (after v9.1.0829)
* 9.1.0829: Vim source code uses a mix of tabs and spaces
* 9.1.0828: string_T struct could be used more often
* 9.1.0827: CI: tests can be improved
* runtime(doc): remove stray sentence in pi_netrw.txt
* 9.1.0826: filetype: sway files are not recognized
* runtime(doc): Include netrw-gp in TOC
* runtime(doc): mention 'iskeyword' at :h charclass()
* runtime(doc): update help tags
* 9.1.0825: compile error for non-diff builds
* runtime(netrw): fix E874 when browsing remote directory which contains `~` character
* runtime(doc): update coding style documentation
* runtime(debversions): Add plucky (25.04) as Ubuntu release name
* 9.1.0824: too many strlen() calls in register.c
* 9.1.0823: filetype: Zephyr overlay files not recognized
* runtime(doc): Clean up minor formatting issues for builtin functions
* runtime(netrw): make :Launch/Open autoloadable
* runtime(netrw): fix regression with x mapping on Cygwin
* runtime(netrw): fix filetype detection for remote files
* 9.1.0822: topline might be changed in diff mode unexpectedly
* CI: huge linux builds should
also run syntax & indent tests
* 9.1.0821: 'findexpr' completion doesn't set v:fname to cmdline argument
* 9.1.0820: tests: Mac OS tests are too flaky
* runtime(awk): Highlight more awk comments in syntax script
* runtime(netrw): add missing change for s:redir()
* 9.1.0819: tests: using findexpr and imported func not tested
* runtime(netrw): improve netrw's open-handling further
* runtime(netrw): fix syntax error in netrwPlugin.vim
* runtime(netrw): simplify gx file handling
* 9.1.0818: some global functions are only used in single files
* 9.1.0817: termdebug: cannot evaluate expr in a popup
* runtime(defaults): Detect putty terminal and switch to dark background
* 9.1.0816: tests: not clear what tests cause asan failures
* runtime(doc): Remove some completed items from todo.txt
* 9.1.0815: 'above' virtual text causes wrong 'colorcolumn' position
* runtime(syntax-tests): tiny vim fails because of line-continuation
* 9.1.0814: mapset() may remove unrelated mapping
* 9.1.0813: no error handling with setglobal and number types
* 9.1.0812: Coverity warns about dereferencing NULL ptr
* 9.1.0811: :find expansion does not consider 'findexpr'
* 9.1.0810: cannot easily adjust the |:find| command
* 9.1.0809: filetype: petalinux config files not recognized
* 9.1.0808: Terminal scrollback doesn't shrink when decreasing 'termwinscroll'
* 9.1.0807: tests: having 'nolist' in modelines isn't always desired
* 9.1.0806: tests: no error check when setting global 'briopt'
* 9.1.0805: tests: minor issues in gen_opt_test.vim
* 9.1.0804: tests: no error check when setting global 'cc'
* 9.1.0803: tests: no error check when setting global 'isk'
* 9.1.0802: tests: no error check when setting global 'fdm' to empty value
* 9.1.0801: tests: no error check when setting global 'termwinkey'
* 9.1.0800: tests: no error check when setting global 'termwinsize'
* runtime(doc): :ownsyntax also resets 'spelloptions'
* 9.1.0799: tests: gettwinvar()/gettabwinvar() tests are not comprehensive
* runtime(doc): Fix wrong Mac default options
* 9.1.0798: too many strlen() calls in cmdhist.c
* 9.1.0797: testing of options can be further improved
* 9.1.0796: filetype: libtool files are not recognized
* (typst): add folding to typst ftplugin
* runtime(netrw): deprecate and remove netrwFileHandlers#Invoke()
* 9.1.0795: filetype: Vivado memory info file are not recognized
* 9.1.0794: tests: tests may fail on Windows environment
* runtime(doc): improve the :colorscheme documentation
* 9.1.0793: xxd: -e does add one extra space
* 9.1.0792: tests: Test_set_values() is not comprehensive enough
* runtime(swayconfig): add flag for bindsym/bindcode to syntax script
* 9.1.0791: tests: errors in gen_opt_test.vim are not shown
* runtime(compiler): check for compile_commands in build dirs for cppcheck
* 9.1.0790: Amiga: AmigaOS4 build should use default runtime (newlib)
* runtime(help): Update help syntax
* runtime(help): fix end of sentence highlight in code examples
* runtime(jinja): Support jinja syntax as secondary filetype
* 9.1.0789: tests: ':resize + 5' has invalid space after '+'
* 9.1.0788: 27;u is not decoded to literal Escape in kitty/foot
* 9.1.0787: cursor position changed when using hidden terminal
* 9.1.0786: tests: quickfix update test does not test location list
* runtime(doc): add some docs for file-watcher programs
* CI: uploading failed screendumps still fails on Cirrus CI
* 9.1.0785: cannot preserve error position when setting quickfix list
* 9.1.0784: there are several problems with python 3.13
* 9.1.0783: 'spell' option setting has problems
* 9.1.0782: tests: using wrong neomuttlog file name
* runtime(doc): add preview flag to statusline example
* 9.1.0781: tests: test_filetype fails
* 9.1.0780: MS-Windows: incorrect Win32 error checking
* 9.1.0779: filetype: neomuttlog files are not recognized
* 9.1.0778: filetype: lf config files are not recognized
* runtime(comment): fix commment toggle with mixed tabs & spaces
* runtime(misc): Use consistent 'Vim
script' spelling
* runtime(gleam): add ftplugin for gleam files
* runtime(doc): link help-writing from write-local-help
* 9.1.0777: filetype: Some upstream php files are not recognized
* runtime(java): Define javaBlockStart and javaBlockOtherStart hl groups
* runtime(doc): mention conversion rules for remote_expr()
* runtime(tutor): Fix missing :s command in spanish translation section 4.4
* 9.1.0776: test_strftime may fail because of missing TZ data
* translation(am): Add Armenian language translation
* 9.1.0775: tests: not enough tests for setting options
* 9.1.0774: 'shellcmdline' doesn't work with getcompletion()
* 9.1.0773: filetype: some Apache files are not recognized
* 9.1.0772: some missing changes from v9.1.0771
* 9.1.0771: completion attribute hl_group is confusing
* 9.1.0770: current command line completion is a bit limited
* 9.1.0769: filetype: MLIR files are not recognized
* 9.1.0768: MS-Windows: incorrect cursor position when restoring screen
* runtime(nasm): Update nasm syntax script
* 9.1.0767: A condition is always true in ex_getln.c
* runtime(skill): Update syntax file to fix string escapes
* runtime(help): highlight CTRL- correctly
* runtime(doc): add missing usr_52 entry to toc
* 9.1.0766: too many strlen() calls in ex_getln.c
* runtime(doc): correct `vi` registers 1-9 documentation error
* 9.1.0765: No test for patches 6.2.418 and 7.3.489
* runtime(spec): set comments and commentstring options
* NSIS: Include libgcc_s_sjlj-1.dll again
* runtime(doc): clarify the effect of 'startofline' option
* 9.1.0764: [security]: use-after-free when closing a buffer
* runtime(vim): Update base-syntax file, improve class, enum and interface highlighting
* 9.1.0763: tests: cannot run single syntax tests
* 9.1.0762: 'cedit', 'termwinkey' and 'wildchar' may not be parsed correctly
* 9.1.0761: :cd completion fails on Windows with backslash in path
* 9.1.0760: tests: no error reported, if gen_opt_test.vim fails
* 9.1.0759: screenpos() may return invalid position
* runtime(misc): unset compiler in various ftplugins
* runtime(doc): update formatting and syntax
* runtime(compiler): add cppcheck linter compiler plugin
* runtime(doc): Fix style in documents
* runtime(doc): Fix to two-space convention in user manual
* runtime(comment): consider &tabstop in lines after whitespace indent
* 9.1.0758: it's possible to set an invalid key to 'wildcharm'
* runtime(java): Manage circularity for every :syn-included syntax file
* 9.1.0757: tests: messages files contains ANSI escape sequences
* 9.1.0756: missing change from patch v9.1.0754
* 9.1.0755: quickfix list does not handle hardlinks well
* runtime(doc): 'filetype', 'syntax' and 'keymap' only allow alphanumeric + some characters
* runtime(systemd): small fixes to &keywordprg in ftplugin
* CI: macos-12 runner is being sunset, switch to 13
* 9.1.0754: fixed order of items in insert-mode completion menu
* runtime(comment): commenting might be off by one column
* 9.1.0753: Wrong display when typing in diff mode with 'smoothscroll'
* 9.1.0752: can set 'cedit' to an invalid value
* runtime(doc): add `usr` tag to usr_toc.txt
* 9.1.0751: Error callback for term_start() not used
* 9.1.0750: there are some Win9x legacy references
* runtime(java): Recognise the CommonMark form (///) of Javadoc comments
* 9.1.0749: filetype: http files not recognized
* runtime(comment): fix syntax error
* CI: uploading failed screendump tests does not work Cirrus
* 9.1.0748: :keep* commmands are sometimes misidentified as :k
* runtime(indent): allow matching negative numbers for gnu indent config file
* runtime(comment): add gC mapping to (un)comment rest of line
* 9.1.0747: various typos in repo found
* 9.1.0746: tests: Test_halfpage_longline() fails on large terminals
* runtime(doc): reformat gnat example
* runtime(doc): reformat ada_standard_types section
* 9.1.0745: filetype: bun and deno history files not recognized
* runtime(glvs): Correct the tag name of glvs-autoinstal
* runtime(doc): include short form
for :earlier/:later
* runtime(doc): remove completed TODO
* 9.1.0744: filetype: notmuch configs are not recognised
* 9.1.0743: diff mode does not handle overlapping diffs correctly
* runtime(glvs): fix a few issues
* runtime(doc): Fix typo in :help :command-modifiers
* 9.1.0742: getcmdprompt() implementation can be improved
* runtime(docs): update `:set?` command behavior table
* runtime(doc): update vim90 to vim91 in docs
* runtime(doc): fix typo in :h dos-colors
* 9.1.0741: No way to get prompt for input()/confirm()
* runtime(doc): fix typo in version9.txt nrformat -> nrformats
* runtime(rmd,rrst): 'fex' option not properly restored
* runtime(netrw): remove extraneous closing bracket
* 9.1.0740: incorrect internal diff with empty file
* 9.1.0739: [security]: use-after-free in ex_getln.c
* runtime(filetype): tests: Test_filetype_detection() fails
* runtime(dist): do not output a message if executable is not found
* 9.1.0738: filetype: rapid files are not recognized
* runtime(modconf): remove erroneous :endif in ftplugin
* runtime(lyrics): support multiple timestamps in syntax script
* runtime(java): Optionally recognise _module_ import declarations
* runtime(vim): Update base-syntax, improve folding function matches
* CI: upload failed screendump tests also for Cirrus
* 9.1.0737: tests: screendump tests may require a bit more time
* runtime(misc): simplify keywordprg in various ftplugins
* runtime(java): Optionally recognise all primitive constants in _switch-case_ labels
* runtime(zsh,sh): set and unset compiler in ftplugin
* runtime(netrw): using inefficient highlight pattern for 'mf'
* 9.1.0736: Unicode tables are outdated
* 9.1.0735: filetype: salt files are not recognized
* 9.1.0734: filetype: jinja files are not recognized
* runtime(zathurarc): add double-click-follow to syntax script
* translation(ru): Updated messages translation
* translation(it): updated xxd man page
* translation(ru): updated xxd man page
* 9.1.0733: keyword completion does not work
with fuzzy
* 9.1.0732: xxd: cannot use -b and -i together
* runtime(java): Highlight javaConceptKind modifiers with StorageClass
* runtime(doc): reword and reformat how to use defaults.vim
* 9.1.0731: inconsistent case sensitive extension matching
* runtime(vim): Update base-syntax, match Vim9 bool/null literal args to :if/:while/:return
* runtime(netrw): delete confirmation not strict enough
* 9.1.0730: Crash with cursor-screenline and narrow window
* 9.1.0729: Wrong cursor-screenline when resizing window
* 9.1.0728: [security]: heap-use-after-free in garbage collection with location list user data
* runtime(doc): clarify the effect of the timeout for search()-functions
* runtime(idlang): update syntax script
* runtime(spec): Recognize epoch when making spec changelog in ftplugin
* runtime(spec): add file triggers to syntax script
* 9.1.0727: too many strlen() calls in option.c
* runtime(make): add compiler/make.vim to reset compiler plugin settings
* runtime(java): Recognise all available standard doclet tags
* 9.1.0726: not using correct python3 API with dynamic linking
* runtime(dosini): Update syntax script, spellcheck comments only
* runtime(doc): Revert outdated comment in completeopt's fuzzy documentation
* 9.1.0725: filetype: swiftinterface files are not recognized
* runtime(pandoc): Update compiler plugin to use actual 'spelllang'
* runtime(groff): Add compiler plugin for groff
* 9.1.0724: if_python: link error with python 3.13 and stable ABI
* 9.1.0723: if_python: dynamic linking fails with python3 >= 3.13
* 9.1.0722: crash with large id in text_prop interface
* 9.1.0721: tests: test_mksession does not consider XDG_CONFIG_HOME
* runtime(glvs): update GetLatestVimScripts plugin
* runtime(doc): Fix typo in :help :hide text
* runtime(doc): buffers can be re-used
* 9.1.0720: Wrong breakindentopt=list:-1 with multibyte or TABs
* 9.1.0719: Resetting cell widths can make 'listchars' or 'fillchars' invalid
* runtime(doc): Update version9.txt and mention
$MYVIMDIR
- Update to 9.1.0718:
* v9.1.0718: hard to know the users personal Vim Runtime Directory
* v9.1.0717: Unnecessary nextcmd NULL checks in parse_command_modifiers()
  Maintainers: fix typo in author name
* v9.1.0716: resetting setcellwidth() doesn't update the screen
  runtime(hcl,terraform): Add runtime files for HCL and Terraform
  runtime(tmux): Update syntax script
* v9.1.0715: Not correctly parsing color names (after v9.1.0709)
* v9.1.0714: GuiEnter_Turkish test may fail
* v9.1.0713: Newline causes E749 in Ex mode
* v9.1.0712: missing dependency of Test_gettext_makefile
* v9.1.0711: test_xxd may file when using different xxd
* v9.1.0710: popup window may hide part of Command line
  runtime(vim): Update syntax, improve user-command matching
* v9.1.0709: GUIEnter event not found in Turkish locale
  runtime(sudoers): improve recognized Runas_Spec and Tag_Spec items
* v9.1.0708: Recursive window update does not account for reset skipcol
  runtime(nu): include filetype plugin
* v9.1.0707: invalid cursor position may cause a crash
* v9.1.0706: test_gettext fails when using shadow dir
  CI: Install locales-all package
* v9.1.0705: Sorting of fuzzy filename completion is not stable
  translation(pt): update Portuguese/Brazilian menu translation
  runtime(vim): Update base-syntax, match bracket mark ranges
  runtime(doc): Update :help :command-complete list
* v9.1.0704: inserting with a count is inefficient
  runtime(doc): use mkdir -p to save a command
* v9.1.0703: crash with 2byte encoding and glob2regpat()
  runtime(hollywood): update syn highlight for If-Then statements and For-In-Loops
* v9.1.0702: Patch 9.1.0700 broke CI
* v9.1.0701: crash with NFA regex engine when searching for composing chars
* v9.1.0700: crash with 2byte encoding and glob2regpat()
* v9.1.0699: 'dvgo' is not always an inclusive motion
  runtime(java): Provide support for syntax preview features
* v9.1.0698: 'Untitled' file not removed when running Test_crash1_3 alone
* v9.1.0697: heap-buffer-overflow in
ins_typebuf
* v9.1.0696: installing runtime files fails when using SHADOWDIR
  runtime(doc): fix typo
* v9.1.0695: test_crash leaves Untitled file around
  translation(br): Update Brazilian translation
  translation(pt): Update menu_pt_br
* v9.1.0694: matchparen is slow on a long line
* v9.1.0693: Configure doesn't show result when not using python3 stable abi
* v9.1.0692: Wrong patlen value in ex_substitute()
* v9.1.0691: stable-abi may cause segfault on Python 3.11
  runtime(vim): Update base-syntax, match :loadkeymap after colon and bar
  runtime(mane): Improve ManBS mapping
* v9.1.0690: cannot set special highlight kind in popupmenu
  translation(pt): Revert and fix wrong Portuguese menu translation files
  translation(pt): revert Portuguese menu translation
  translation(br): Update Brazilian translations
  runtime(vim): Update base-syntax, improve :let-heredoc highlighting
* v9.1.0689: buffer-overflow in do_search() with 'rightleft'
  runtime(vim): Improve heredoc handling for all embedded scripts
* v9.1.0688: dereferences NULL pointer in check_type_is_value()
* v9.1.0687: Makefile may not install desktop files
  runtime(man): Fix ManBS
  runtime(java): Make the bundled &foldtext function optional
  runtime(netrw): Change line on `mx` if command output exists
  runtime(netrw): Fix `mf`-selected entry highlighting
  runtime(htmlangular): add html syntax highlighting
  translation(it): Fix filemode of Italian manpages
  runtime(doc): Update outdated man.vim plugin information
  runtime(zip): simplify condition to detect MS-Windows
* v9.1.0686: zip-plugin has problems with special characters
  runtime(pandoc): escape quotes in &errorformat for pandoc
  translation(it): updated Italian manpage
* v9.1.0685: too many strlen() calls in usercmd.c
  runtime(doc): fix grammar in :h :keeppatterns
  runtime(pandoc): refine pandoc compiler settings
* v9.1.0684: completion is inserted on Enter with 'noselect'
  translation(ru): update man pages
* v9.1.0683: mode() returns wrong value with mapping
  runtime(doc): remove
trailing whitespace in cmdline.txt
* v9.1.0682: Segfault with uninitialized funcref
* v9.1.0681: Analyzing failed screendumps is hard
  runtime(doc): more clarification for the :keeppatterns needed
* v9.1.0680: VMS does not have defined uintptr_t
  runtime(doc): improve typedchar documentation for KeyInputPre autocmd
  runtime(dist): verify that executable is in $PATH
  translation(it): update Italian manpages
  runtime(doc): clarify the effect of :keeppatterns after v9.1.0677
  runtime(doc): update Makefile and make it portable between GNU and BSD
* v9.1.0679: Rename from w_closing to w_locked is incomplete
  runtime(colors): update colorschemes
  runtime(vim): Update base-syntax, improve :let-heredoc highlighting
  runtime(doc): Updating the examples in the xxd manpage
  translation(ru): Updated uganda.rux
  runtime(yaml): do not re-indent when commenting out lines
* v9.1.0678: use-after-free in alist_add()
* v9.1.0677 :keepp does not retain the substitute pattern
  translation(ja): Update Japanese translations to latest release
  runtime(netrw): Drop committed trace lines
  runtime(netrw): Error popup not always used
  runtime(netrw): ErrorMsg() may throw E121
  runtime(tutor): update Makefile and make it portable between GNU and BSD
  translation: improve the po/cleanup.vim script
  runtime(lang): update Makefile and make it portable between GNU and BSD
* v9.1.0676: style issues with man pages
* v9.1.0675: Patch v9.1.0674 causes problems
  runtime(dosbatch): Show %%i as an argument in syntax file
  runtime(dosbatch): Add syn-sync to syntax file
  runtime(sql, mysql): fix E169: Command too recursive with sql_type_default = 'mysql'
* v9.1.0674: compiling abstract method fails because of missing return
  runtime(javascript): fix a few issues with syntax higlighting
  runtime(mediawiki): fix typo in doc, test for b:did_ftplugin var
  runtime(termdebug): Fix wrong test for balloon feature
  runtime(doc): Remove mentioning of the voting feature
  runtime(doc): add help tags for json + markdown global variables
* v9.1.0673: too recursive func calls when calling super-class method
  runtime(syntax-tests): Facilitate the viewing of rendered screendumps
  runtime(doc): fix a few style issues
* v9.1.0672: marker folds may get corrupted on undo
* v9.1.0671 Problem: crash with WinNewPre autocommand
* v9.1.0670: po file encoding fails on *BSD during make
  translation(it): Update Italian translation
  translation: Stop using msgconv
* v9.1.0669: stable python ABI not used by default
  Update .gitignore and .hgignore files
* v9.1.0668: build-error with python3.12 and stable ABI
  translations: Update generated po files
* v9.1.0667: Some other options reset curswant unnecessarily when set
* v9.1.0666: assert_equal() doesn't show multibyte string correctly
  runtime(doc): clarify directory of Vim's executable vs CWD
* v9.1.0665 :for loop
  runtime(proto): Add indent script for protobuf filetype
* v9.1.0664: console vim did not switch back to main screen on exit
  runtime(zip): zip plugin does not work with Vim 9.0
* v9.1.0663: zip test still resets 'shellslash' option
  runtime(zip): use defer to restore old settings
  runtime(zip): add a generic Message function
  runtime(zip): increment base version of zip plugin
  runtime(zip): raise minimum Vim version to v9.0
  runtime(zip): refactor save and restore of options
  runtime(zip): remove test for fnameescape
  runtime(zip): use :echomsg instead of :echo
  runtime(zip): clean up and remove comments
* v9.1.0662: filecopy() may return wrong value when readlink() fails
* v9.1.0661: the zip plugin is not tested.
runtime(zip): Fix for FreeBSD's unzip command runtime(doc): capitalize correctly * v9.1.0660: Shift-Insert does work on old conhost translation(it): update Italian manpage runtime(lua): add/subtract a 'shiftwidth' after '('/')' in indentexpr runtime(zip): escape '[' on Unix as well * v9.1.0659: MSVC Makefile is a bit hard to read runtime(doc): fix typo in syntax.txt runtime(doc): -x is only available when compiled with crypt feature * v9.1.0658: Coverity warns about dereferencing NULL pointer. runtime(colors): update Todo highlight in habamax colorscheme * v9.1.0657: MSVC build time can be optimized * v9.1.0656: MSVC Makefile CPU handling can be improved * v9.1.0655: goaccess config file not recognized CI: update clang compiler to version 20 runtime(netrw): honor `g:netrw_alt{o,v}` for `:{S,H,V}explore` * v9.1.0654: completion does not respect completeslash with fuzzy * v9.1.0653: Patch v9.1.0648 not completely right * v9.1.0652: too many strlen( calls in syntax.c * v9.1.0651 :append * v9.1.0650: Coverity warning in cstrncmp() * v9.1.0649: Wrong comment for 'len' argument of call_simple_func() * v9.1.0648: [security] double-free in dialog_changed() * v9.1.0647: [security] use-after-free in tagstack_clear_entry runtime(doc): re-format tag example lines, mention ctags --list-kinds * v9.1.0646: imported function may not be found runtime(java): Document 'g:java_space_errors' and 'g:java_comment_strings' runtime(java): Cluster optional group definitions and their group links runtime(java): Tidy up the syntax file runtime(java): Tidy up the documentation for 'ft-java-syntax' runtime(colors): update habamax scheme - tweak diff/search/todo colors runtime(nohlsearch): add missing loaded_hlsearch guard runtime(kivy): Updated maintainer info for syntax script Maintainers: Add maintainer for ondir ftplugin + syntax files runtime(netrw): removing trailing slash when copying files in same directory * v9.1.0645: wrong match when searching multi-byte char case-insensitive 
runtime(html): update syntax script to sync by 250 minlines by default * v9.1.0644: Unnecessary STRLEN( when applying mapping runtime(zip): Opening a remote zipfile don't work runtime(cuda): source c and cpp ftplugins * v9.1.0643: cursor may end up on invalid position * v9.1.0642: Check that mapping rhs starts with lhs fails if not simplified * v9.1.0641: OLE enabled in console version runtime(thrift): add ftplugin, indent and syntax scripts * v9.1.0640: Makefile can be improved * v9.1.0639: channel timeout may wrap around * v9.1.0638: E1510 may happen when formatting a message for smsg() * v9.1.0637: Style issues in MSVC Makefile - Update apparmor.vim to latest version (from AppArmor 4.0.2) - add support for 'all' and 'userns' rules, and new profile flags - Update to 9.1.0636: * 9.1.0636: filetype: ziggy files are not recognized * 9.1.0635: filetype: SuperHTML template files not recognized * 9.1.0634: Ctrl-P not working by default * 9.1.0633: Compilation warnings with `-Wunused-parameter` * 9.1.0632: MS-Windows: Compiler Warnings Add support for Files-Included in syntax script tweak documentation style a bit * 9.1.0631: wrong completion list displayed with non-existing dir + fuzzy completion * 9.1.0630: MS-Windows: build fails with VIMDLL and mzscheme * 9.1.0629: Rename of pum hl_group is incomplete * 9.1.0628: MinGW: coverage files are not cleaned up * 9.1.0627: MinGW: build-error when COVERAGE is enabled * 9.1.0626: Vim9: need more tests with null objects include initial filetype plugin * 9.1.0625: tests: test output all translated messages for all translations * 9.1.0624: ex command modifiers not found * 9.1.0623: Mingw: errors when trying to delete non-existing files * 9.1.0622: MS-Windows: mingw-build can be optimized * 9.1.0621: MS-Windows: startup code can be improved * 9.1.0620: Vim9: segfauls with null objects * 9.1.0619: tests: test_popup fails * 9.1.0618: cannot mark deprecated attributes in completion menu * 9.1.0617: Cursor moves beyond first line of 
folded end of buffer * 9.1.0616: filetype: Make syntax highlighting off for MS Makefiles * 9.1.0615: Unnecessary STRLEN() in make_percent_swname() Add single-line comment syntax Add syntax test for comments Update maintainer info * 9.1.0614: tests: screendump tests fail due to recent syntax changes * 9.1.0613: tests: termdebug test may fail and leave file around Update base-syntax, improve :set highlighting Optionally highlight the :: token for method references * 9.1.0612: filetype: deno.lock file not recognized Use delete() for deleting directory escape filename before trying to delete it * 9.1.0611: ambiguous mappings not correctly resolved with modifyOtherKeys correctly extract file from zip browser * 9.1.0610: filetype: OpenGL Shading Language files are not detected Fix endless recursion in netrw#Explore() * 9.1.0609: outdated comments in Makefile update syntax script Fix flow mapping key detection Remove orphaned YAML syntax dump files * 9.1.0608: Coverity warns about a few potential issues Update syntax script and remove syn sync * 9.1.0607: termdebug: uses inconsistent style * 9.1.0606: tests: generated files may cause failure in test_codestyle * 9.1.0605: internal error with fuzzy completion * 9.1.0604: popup_filter during Press Enter prompt seems to hang translation: Update Serbian messages translation * 9.1.0603: filetype: use correct extension for Dracula * 9.1.0602: filetype: Prolog detection can be improved fix more inconsistencies in assert function docs * 9.1.0601: Wrong cursor position with 'breakindent' when wide char doesn't fit Update base-syntax, improve :map highlighting * 9.1.0600: Unused function and unused error constants * 9.1.0599: Termdebug: still get E1023 when specifying arguments correct wrong comment options fix typo 'a xterm' -> 'an xterm' * 9.1.0598: fuzzy completion does not work with default completion * 9.1.0597: KeyInputPre cannot get the (unmapped typed) key * 9.1.0596: filetype: devscripts config files are not recognized gdb 
file/folder check is now performed only in CWD. quote filename arguments using double quotes update syntax to SDC-standard 2.1 minor updates. Cleanup :match and :loadkeymap syntax test files Update base-syntax, match types in Vim9 variable declarations * 9.1.0595: make errors out with the po Makefile * 9.1.0594: Unnecessary redraw when setting 'winfixbuf' using wrong highlight for UTF-8 include simple syntax plugin * 9.1.0593: filetype: Asymptote files are not recognized add recommended indent options to ftplugin add recommended indent options to ftplugin add recommended indent options to ftplugin * 9.1.0592: filetype: Mediawiki files are not recognized * 9.1.0591: filetype: *.wl files are not recognized * 9.1.0590: Vim9: crash when accessing getregionpos() return value 'cpoptions': Include 'z' in the documented default * 9.1.0589: vi: d{motion} and cw work differently than expected update included colorschemes grammar fixes in options.txt - Update to 9.1.0588: * 9.1.0588: The maze program no longer compiles on newer clang runtime(typst): Add typst runtime files * 9.1.0587: tests: Test_gui_lowlevel_keyevent is still flaky * 9.1.0586: ocaml runtime files are outdated runtime(termdebug): fix a few issues * 9.1.0585: tests: test_cpoptions leaves swapfiles around * 9.1.0584: Warning about redeclaring f_id() non-static runtime(doc): Add hint how to load termdebug from vimrc runtime(doc): document global insert behavior * 9.1.0583: filetype: *.pdf_tex files are not recognized * 9.1.0582: Printed line doesn't overwrite colon when pressing Enter in Ex mode * 9.1.0581: Various lines are indented inconsistently * 9.1.0580: :lmap mapping for keypad key not applied when typed in Select mode * 9.1.0579: Ex command is still executed after giving E1247 * 9.1.0578: no tests for :Tohtml * 9.1.0577: Unnecessary checks for v:sizeoflong in test_put.vim * 9.1.0576: tests: still an issue with test_gettext_make * 9.1.0575: Wrong comments in alt_tabpage() * 9.1.0574: ex: wrong handling of 
commands after bar runtime(doc): add a note for netrw bug reports * 9.1.0573: ex: no implicit print for single addresses runtime(vim): make &indentexpr available from the outside * 9.1.0572: cannot specify tab page closing behaviour runtime(doc): remove obsolete Ex insert behavior * 9.1.0571: tests: Test_gui_lowlevel_keyevent is flaky runtime(logindefs): update syntax with new keywords * 9.1.0570: tests: test_gettext_make can be improved runtime(filetype): Fix Prolog file detection regex * 9.1.0569: fnamemodify() treats '..' and '../' differently runtime(mojo): include mojo ftplugin and indent script * 9.1.0568: Cannot expand paths from 'cdpath' setting * 9.1.0567: Cannot use relative paths as findfile() stop directories * 9.1.0566: Stop dir in findfile() doesn't work properly w/o trailing slash * 9.1.0565: Stop directory doesn't work properly in 'tags' * 9.1.0564: id() can be faster * 9.1.0563: Cannot process any Key event * 9.1.0562: tests: inconsistency in test_findfile.vim runtime(fstab): Add missing keywords to fstab syntax * 9.1.0561: netbeans: variable used un-initialized (Coverity) * 9.1.0560: bindtextdomain() does not indicate an error * 9.1.0559: translation of vim scripts can be improved * 9.1.0558: filetype: prolog detection can be improved * 9.1.0557: moving in the buffer list doesn't work as documented runtime(doc): fix inconsistencies in :h file-searching * 9.1.0556: :bwipe doesn't remove file from jumplist of other tabpages runtime(htmlangular): correct comment * 9.1.0555: filetype: angular ft detection is still problematic * 9.1.0554: :bw leaves jumplist and tagstack data around * 9.1.0553: filetype: *.mcmeta files are not recognized * 9.1.0552: No test for antlr4 filetype * 9.1.0551: filetype: htmlangular files are not properly detected * 9.1.0550: filetype: antlr4 files are not recognized * 9.1.0549: fuzzycollect regex based completion not working as expected runtime(doc): autocmd_add() accepts a list not a dict * 9.1.0548: it's not possible to 
get a unique id for some vars runtime(tmux): Update syntax script * 9.1.0547: No way to get the arity of a Vim function * 9.1.0546: vim-tiny fails on CTRL-X/CTRL-A runtime(hlsplaylist): include hlsplaylist ftplugin file runtime(doc): fix typo in :h ft-csv-syntax runtime(doc): Correct shell command to get $VIMRUNTIME into shell * 9.1.0545: MSVC conversion warning * 9.1.0544: filetype: ldapconf files are not recognized runtime(cmakecache): include cmakecache ftplugin file runtime(lex): include lex ftplugin file runtime(yacc): include yacc ftplugin file runtime(squirrel): include squirrel ftplugin file runtime(objcpp): include objcpp ftplugin file runtime(tf): include tf ftplugin file runtime(mysql): include mysql ftplugin file runtime(javacc): include javacc ftplugin file runtime(cabal): include cabal ftplugin file runtime(cuda): include CUDA ftplugin file runtime(editorconfig): include editorconfig ftplugin file runtime(kivy): update kivy syntax, include ftplugin runtime(syntax-tests): Stop generating redundant '*_* 99.dump' files * 9.1.0543: Behavior of CursorMovedC is strange runtime(vim): Update base-syntax, improve :match command highlighting * 9.1.0542: Vim9: confusing string() output for object functions * 9.1.0541: failing test with Vim configured without channel * 9.1.0540: Unused assignment in sign_define_cmd() runtime(doc): add page-scrolling keys to index.txt runtime(doc): add reference to xterm-focus-event from FocusGained/Lost * 9.1.0539: Not enough tests for what v9.1.0535 fixed runtime(doc): clarify how to re-init csv syntax file * 9.1.0538: not possible to assign priority when defining a sign * 9.1.0537: signed number detection for CTRL-X/A can be improved * 9.1.0536: filetype: zone files are not recognized * 9.1.0535: newline escape wrong in ex mode runtime(man): honor cmd modifiers before `g:ft_man_open_mode` runtime(man): use `nnoremap` to map to Ex commands * 9.1.0534: completion wrong with fuzzy when cycling back to original 
runtime(syntax-tests): Abort and report failed cursor progress runtime(syntax-tests): Introduce self tests for screen dumping runtime(syntax-tests): Clear and redraw the ruler line with the shell info runtime(syntax-tests): Allow for folded and wrapped lines in syntax test files * 9.1.0533: Vim9: need more tests for nested objects equality CI: Pre-v* 9.0.0110 versions generate bogus documentation tag entries runtime(doc): Remove wrong help tag CTRL-SHIFT-CR * 9.1.0532: filetype: Cedar files not recognized runtime(doc): document further keys that scroll page up/down * 9.1.0531: resource leak in mch_get_random() runtime(tutor): Fix wrong spanish translation runtime(netrw): fix remaining case of register clobber * 9.1.0530: xxd: MSVC warning about non-ASCII character * 9.1.0529: silent! causes following try/catch to not work runtime(rust): use shiftwidth() in indent script * 9.1.0528: spell completion message still wrong in translations * 9.1.0527: inconsistent parameter in Makefiles for Vim executable * 9.1.0526: Unwanted cursor movement with pagescroll at start of buffer runtime(doc): mention $XDG_CONFIG_HOME instead of $HOME/.config * 9.1.0525: Right release selects immediately when pum is truncated. 
* 9.1.0524: the recursive parameter in the *_equal functions can be removed runtime(termdebug): Add Deprecation warnings * 9.1.0523: Vim9: cannot downcast an object * 9.1.0522: Vim9: string(object) hangs for recursive references * 9.1.0521: if_py: _PyObject_CallFunction_SizeT is dropped in Python 3.13 * 9.1.0520: Vim9: incorrect type checking for modifying lists runtime(manpager): avoid readonly prompt * 9.1.0519: MS-Windows: libvterm compilation can be optimized * 9.1.0518: initialize the random buffer can be improved * 9.1.0517: MS-Windows: too long lines in Make_mvc.mak runtime(terraform): Add filetype plugin for terraform runtime(dockerfile): enable spellchecking of comments in syntax script runtime(doc): rename variable for pandoc markdown support runtime(doc): In builtin overview use {buf} as param for appendbufline/setbufline runtime(doc): clarify, that register 1-* 9 will always be shifted runtime(netrw): save and restore register 0-* 9, a and unnamed runtime(termdebug): Refactored StartDebug_term and EndDebug functions runtime(java): Compose 'g:java_highlight_signature' and 'g:java_highlight_functions' * 9.1.0516: need more tests for nested dicts and list comparision * 9.1.0515: Vim9: segfault in object_equal() * 9.1.0514: Vim9: issue with comparing objects recursively runtime(termdebug): Change some variables to Enums runtime(vim): Update base-syntax, fix function tail comments * 9.1.0513: Vim9: segfault with object comparison - Update to 9.1.0512: * Mode message for spell completion doesn't match allowed keys * CursorMovedC triggered wrongly with setcmdpos() * update runtime files * CI: test_gettext fails on MacOS14 + MSVC Win * not possible to translate Vim script messages * termdebug plugin can be further improved * add gomod filetype plugin * hard to detect cursor movement in the command line * Optionally highlight parameterised types * filetype: .envrc & .prettierignore not recognized * filetype: Faust files are not recognized * inner-tag textobject 
confused about '>' in attributes * cannot use fuzzy keyword completion * Remove the group exclusion list from @javaTop * wrong return type for execute() function * MS-Windows: too much legacy code * too complicated mapping restore in termdebug * simplify mapping * cannot switch buffer in a popup * MS-Windows: doesn't handle symlinks properly * getcmdcompltype() interferes with cmdline completion * termdebug can be further improved * update htmldjango detection * Improve Turkish documentation * include a simple csv filetype and syntax plugin * include the the simple nohlsearch package * matched text is highlighted case-sensitively * Matched text isn't highlighted in cmdline pum * Fix typos in several documents * clarify when text properties are cleared * improve the vim-shebang example * revert unintended formatting changes for termdebug * Add a config variable for commonly used compiler options * Wrong matched text highlighted in pum with 'rightleft' * bump length of character references in syntax script * properly check mapping variables using null_dict * fix KdlIndent and kdlComment in indent script * Test for patch 9.1.0489 doesn't fail without the fix * Fold multi-line comments with the syntax kind of &fdm * using wrong type for PlaceSign() * filetype: Vim-script files not detected by shebang line * revert unintended change to zip#Write() * add another tag for vim-shebang feature * Cmdline pum doesn't work properly with 'rightleft' * minor style problems with patch 9.1.0487 * default completion may break with fuzzy * Wrong padding for pum 'kind' with 'rightleft' * Update base-syntax, match shebang lines * MS-Windows: handle files with spaces properly * Restore HTML syntax file tests * completed item not update on fuzzy completion * filetype: Snakemake files are not recognized * make TermDebugSendCommand() a global function again * close all buffers in the same way * Matched text shouldn't be highlighted in 'kind' and 'menu' * fix wrong helptag for :defer * 
Update base-syntax, match :sleep arg * include Georgian keymap * Sorting of completeopt+=fuzzy is not stable * correctly test for windows in NetrwGlob() * glob() on windows fails with [] in directory name * rewrite mkdir() doc and simplify {flags} meaning * glob() not sufficiently tested * update return type for job_info() * termdebug plugin needs more love * correct return types for job_start() and job_status() * Update base-syntax, match :catch and :throw args * Include element values in non-marker annotations * Vim9: term_getjob() throws an exception on error * fuzzy string matching executed when not needed * fuzzy_match_str_with_pos() does unnecessary list operations * restore description of '$' in col() and virtcol() * deduplicate getpos(), line(), col(), virtcol() * Update g:vimsyn_comment_strings dump file tests * Use string interpolation instead of string concat * potential deref of NULL pointer in fuzzy_match_str_with_pos * block_editing errors out when using * Update base-syntax, configurable comment string highlighting * fix typos in syntax.txt * Cannot see matched text in popup menu * Update base-syntax, match multiline continued comments * clarify documentation for 'v' position at line() * cmod_split modifier is always reset in term_start() * remove line-continuation characters * use shiftwidth() instead of &tabstop in indent script * Remove orphaned screen dump files * include syntax, indent and ftplugin files * CI: Test_ColonEight() fails on github runners * add missing Enabled field in syntax script * basic svelte ftplugin file * term_start() does not clear vertical modifier * fix mousemodel restoration by comparing against null_string * Added definitions of Vim scripts and plugins * Exclude lambda expressions from _when_ _switch-case_ label clauses * Fix saved_mousemodel check * Inconsistencies between functions for option flags * Crash when using autocmd_get() after removing event inside autocmd * Fix small style issues * add return type info for 
Vim function descriptions * Update Italian Vim manpage * disable the q mapping * Change 'cms' for C++ to '// %s' * fix type mismatch error * Fix wrong email address * convert termdebug plugin to Vim9 script - Update to 9.1.0470: * tests Test_ColonEight_MultiByte() fails sporadically * Cannot have buffer-local value for 'completeopt' * GvimExt does not consult HKEY_CURRENT_USER * typos in some comments * runtime(vim): Update base-syntax, allow whitespace before :substitute pattern * Missing comments for fuzzy completion * runtime(man): update Vim manpage * runtime(comment): clarify the usage of 'commentstring' option value * runtime(doc): clarify how fuzzy 'completeopt' should work * runtime(netrw): prevent accidental data loss * missing filecopy() function * no whitespace padding in commentstring option in ftplugins * no fuzzy-matching support for insert-completion * eval5() and eval7 are too complex * too many strlen() calls in drawline.c * filetype lintstagedrc files are not recognized * Vim9 import autoload does not work with symlink * Coverity complains about division by zero * tests test_gui fails on Wayland * Left shift is incorrect with vartabstop and shiftwidth=0 * runtime(doc): clarify 'shortmess' flag 'S' * MS-Windows compiler warning for size_t to int conversion * runtime(doc): include some vim9 script examples in the help * minor issues in test_filetype with rasi test * filetype rasi files are not recognized * runtime(java): Improve the matching of lambda expressions * Configure checks for libelf unnecessarily * No test for escaping '<' with shellescape() * check.vim complains about overlong comment lines * translation(it): Update Italian translation * evalc. 
code too complex * MS-Windows Compiler warnings - Update to 9.1.0448: * compiler warning in eval.c * remove remaining css code * Add ft_hare.txt to Reference Manual TOC * re-generate vim syntax from generator * fix syntax vim bug * completion may be wrong when deleting all chars * getregionpos() inconsistent for partly-selected multibyte char * fix highlighting nested and escaped quotes in string props * remove the indent plugin since it has too many issues * update Debian runtime files * Coverity warning after 9.1.0440 * Not enough tests for getregion() with multibyte chars * Can't use blockwise selection with width for getregion() * update outdated syntax files * fix floating_modifier highlight * hare runtime files outdated * getregionpos() can't properly indicate positions beyond eol * function get_lval() is too long * Cannot filter the history * Wrong Ex command executed when :g uses '?' as delimiter * support floating_modifier none; revert broken highlighting * Motif requires non-const char pointer for XPM data * Crash when using '?' 
as separator for :s * filetype: cygport files are not recognized * make errors trying to access autoload/zig * Wrong yanking with exclusive selection and ve=all * add missing help tags file * Ancient XPM preprocessor hack may cause build errors * include basic rescript ftplugin file * eval.c is too long * getregionpos() doesn't handle one char selection * check for gdb file/dir before using as buffer name * refactor zig ftplugin, remove auto format * Coverity complains about eval.c refactor * Tag guessing leaves wrong search history with very short names * some issues with termdebug mapping test * update matchit plugin to v1.20 * too many strlen() calls in search.c * set commentstring option * update vb indent plugin as vim9script * filetype: purescript files are not recognized * filetype: slint files are not recognized * basic nim ftplugin file for comments * Add Arduino ftplugin and indent files * include basic typst ftplugin file * include basic prisma ftplugin file * include basic v ftplugin for comment support * getregionpos() wrong with blockwise mode and multibyte * function echo_string_core() is too long * hyprlang files are not recognized * add basic dart ftplugin file * basic ftplugin file for graphql * mention comment plugin at :h 'commentstring' * set commentstring for sql files in ftplugin * :browse oldfiles prompts even with single entry * eval.c not sufficiently tested * clarify why E195 is returned * clarify temporary file clean up * fix :NoMatchParen not working * Cannot move to previous/next rare word * add basic ftplugin file for sshdconfig * if_py: find_module has been removed in Python 3.12.0a7 * some screen dump tests can be improved * Some functions are not tested * clarify instal instructions for comment package * Unable to leave long line with 'smoothscroll' and 'scrolloff' * fix typo in vim9script help file * Remove trailing spaces * clarify {special} argument for shellescape() update to 9.1.0413: * smoothscroll may cause infinite loop * 
add missing entries for the keys CTRL-W g and * update vi_diff.txt: add default value for 'flash' * typo in regexp_bt.c in DEBUG code * allow indented commands * Fix wrong define regex in ftplugin * Filter out non-Latin-1 characters for syntax tests * prefer scp over pscp * fix typo in usr_52.txt * too long functions in eval.c * warning about uninitialized variable * too many strlen() calls in the regexp engine * E16 fix, async keyword support for define * Stuck with long line and half-page scrolling * Divide by zero with getmousepos() and 'smoothscroll' * update and remove some invalid links * update translation of xxd manpage * Recursively delete directories by default with netrw delete command * Strive to remain compatible for at least Vim 7.0 * tests: xxd buffer overflow fails on 32-bit * Stop handpicking syntax groups for @javaTop * [security] xxd: buffer-overflow with specific flags * Vim9: not able to import file from start dir * filetype: mdd files detected as zsh filetype * filetype: zsh module files are not recognized * Remove hardcoded private.ppk logic from netrw * Vim9: confusing error message for unknown type * block_editing errors out when using del * add new items to scripts section in syntax plugin * Vim9: imported vars are not properly type checked * Wrong display with 'smoothscroll' when changing quickfix list * filetype: jj files are not recognized * getregionpos() may leak memory on error * The CODEOWNERS File is not useful * Remove and cleanup Win9x legacy from netrw * add MsgArea to 'highlight' option description * Cannot get a list of positions describing a region * Fix digit separator in syntax script for octals and floats * Update link to Wikipedia Vi page * clear $MANPAGER in ftplugin before shelling out * Fix typos in help documents * 'viewdir' not respecting $XDG_CONFIG_HOME * tests: Vim9 debug tests may be flaky * correct getscriptinfo() example * Vim9: could improve testing * test_sound fails on macos-12 * update Serbian menu * update 
Slovak menu * update Slovenian menu * update Portuguese menu * update Dutch menu * update Korean menu * update Icelandic menu * update Czech menu * update Afrikaans menu * update German menu * filetype: inko files are not recognized * filetype: templ files are not recognized * cursor() and getregion() don't handle v:maxcol well * Vim9: null value tests not sufficient * update Catalan menu * filetype: stylus files not recognized * update spanish menu localization * regenerate helptags * Vim9: crash with null_class and null_object * Add tags about lazyloading of menu * tests: vt420 terminfo entry may not be found * filetype: .out files recognized as tex files * filetype: Kbuild files are not recognized * cbuffer and similar commands don't accept a range * Improve the recognition of the 'indent' method declarations * Fix a typo in usr_30.txt * remove undefined var s:save_cpoptions and add include setting * missing setlocal in indent plugin * Calculating line height for unnecessary amount of lines * improve syntax file performance * There are a few typos * Vim9: no comments allowed after class vars * CI: remove trailing white space in documentation * Formatting text wrong when 'breakindent' is set * Add oracular (24.10) as Ubuntu release name * Vim9: Trailing commands after class/enum keywords ignored * tests: 1-second delay after Test_BufEnter_botline() * update helptags for jq syntax * include syntax, ftplugin and compiler plugin * fix typo synconcealend -> synconcealed * include a simple comment toggling plugin * wrong botline in BufEnter * clarify syntax vs matching mechanism * fix undefined variable in indent plugin * ops.c code uses too many strlen() calls * Calling CLEAR_FIELD() on the same struct twice * Vim9: compile_def_function() still too long * Update Serbian messages * clarify the effect of setting the shell to powershell * Improve the recognition of the 'style' method declarations * Vim9: problem when importing autoloaded scripts * compile_def_function 
is too long * filetype: ondir files are not recognized * Crash when typing many keys with D- modifier * tests: test_vim9_builtin is a bit slow * update documentation * change the download URL of 'libsodium' * tests: test_winfixbuf is a bit slow * Add filetype, syntax and indent plugin for Astro * expanding rc config files does not work well * Vim9: vim9type.c is too complicated * Vim9: does not handle autoloaded variables well * minor spell fix in starting.txt * wrong drawing in GUI with setcellwidth() * Add include and suffixesadd * Page scrolling should place cursor at window boundaries * align command line table * minor fixes to starting.txt * fix comment definition in filetype plugin * filetype: flake.lock files are not recognized * runtime(uci): No support for uci file types * Support 'g:ftplugin_java_source_path' with archived files * tests: Test_autoload_import_relative_compiled fails on Windows * Finding cmd modifiers and cmdline-specials is inefficient * No test that completing a partial mapping clears 'showcmd' * tests: test_vim9_dissamble may fail * Vim9: need static type for typealias * X11 does not ignore smooth scroll event * A few typos in test_xdg when testing gvimrc * Patch v9.1.0338 fixed sourcing a script with import * Problem: gvimrc not sourced from XDG_CONFIG_HOME * Cursor wrong after using setcellwidth() in terminal * 'showcmd' wrong for partial mapping with multibyte * tests: test_taglist fails when 'helplang' contains non-english * Problem: a few memory leaks are found * Problem: Error with matchaddpos() and empty list * tests: xdg test uses screen dumps * Vim9: import through symlinks not correctly handled * Missing entry for XDG vimrc file in :version * tests: typo in test_xdg * runtime(i3config/swayconfig): update syntax scripts * document pandoc compiler and enable configuring arguments * String interpolation fails for List type * No test for highlight behavior with 'ambiwidth' * tests: test_xdg fails on the appimage repo * tests: some 
assert_equal() calls have wrong order of args
* make install does not install all files
* runtime(doc): fix typos in starting.txt
- Updated to version 9.1 with patch level 0330, fixes the following problems
  * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1

For the complete list of changes see
https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330

-----------------------------------------------------------------
Advisory ID: 224
Released: Wed Mar 5 17:35:03 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1233699,1234665,1236282,CVE-2025-0395

This update for glibc fixes the following issues:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).

Other fixes:

- Fix underallocation of abort_msg_s struct
- Correctly determine livepatching support
- Remove nss-systemd from default nsswitch.conf (bsc#1233699)

-----------------------------------------------------------------
Advisory ID: 229
Released: Mon Mar 10 14:39:19 2025
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1223596,1230145

This update for e2fsprogs fixes the following issues:

- resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145)
- EA Inode handling fixes
  * e2fsck: Add more checks for EA inode consistency (bsc#1223596)
  * e2fsck: Fix golden output of several tests (bsc#1223596)

-----------------------------------------------------------------
Advisory ID: 227
Released: Mon Mar 10 14:39:19 2025
Summary: Recommended update for strace
Type: recommended
Severity: moderate
References: 1228216

This update for strace fixes the following issues:

- Change the license to the correct LGPL-2.1-or-later (bsc#1228216).

-----------------------------------------------------------------
Advisory ID: 230
Released: Tue Mar 11 11:01:13 2025
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1220338,1229228,1231048,1232227,1232844,1233752,1234015,1234313,1234765

This update for systemd fixes the following issues:

- Fixed agetty fails to open credentials directory (bsc#1229228)
- hwdb: comment out the entry for Logitech MX Keys for Mac
- test: answer 2nd mdadm --create question for compat with new version
- core/unit-serialize: fix serialization of markers
- locale-setup: do not load locale from environment when /etc/locale.conf is unchanged
- core: fix assert when AddDependencyUnitFiles is called with invalid parameter
- Fix systemd-network recommending libidn2-devel (bsc#1234765)
- tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED (bsc#1233752 bsc#1234313)
- add an allow/denylist for reading sysfs attributes (bsc#1234015)
- udev: add new builtin net_driver
- udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard()
- udev-builtin-net_id: split-out get_pci_slot_specifiers()
- udev-builtin-net_id: introduce get_port_specifier() helper function
- udev-builtin-net_id: split out get_dev_port() and make its failure critical
- udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address()
- udev-builtin-net_id: return earlier when hotplug slot is not found
- udev-builtin-net_id: skip non-directory entry earlier
- udev-builtin-net_id: make names_xen() self-contained
- udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim
- udev-builtin-net_id: make names_netdevsim() self-contained
- udev-builtin-net_id: make names_platform() self-contained
- udev-builtin-net_id: make names_vio() self-contained
- udev-builtin-net_id: make names_ccw() self-contained
- udev-builtin-net_id: make dev_devicetree_onboard() self-contained
- udev-builtin-net_id: make names_mac() self-contained
- udev-builtin-net_id: split out get_ifname_prefix() - udev-builtin-net_id: swap arguments for streq() and friends - udev-builtin-net_id: drop unused value from NetNameType - drop efifar SystemdOptions (bsc#1220338) Upstream deprecated it and plan to drop it in the future. - pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, noone else (bsc#1232227) - udev: skipping empty udev rules file while collecting the stats (bsc#1232844) - Clean up some remnants from when homed was in the experimental sub-package (bsc#1231048) - restore some legacy symlinks Given that SLE16 will be based on SLFO, we have no choice but to continue supporting these compat symlinks. This compatibility code is no longer maintained in the Git repository though, as we primarily backport upstream commits these days. Additionally, the compat code rarely changes and often causes conflicts when merged into recent versions of systemd. ----------------------------------------------------------------- Advisory ID: 239 Released: Wed Mar 12 11:47:54 2025 Summary: Security update for curl Type: security Severity: moderate References: 1235151,1236588,1236590,CVE-2025-0167,CVE-2025-0725 This update for curl fixes the following issues: Security issues fixed: - CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590) - CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588) Other issues fixed: - Make sure the TLS handshake after a successful STARTTLS command is fully done before further sending/receiving on the connection. 
(bsc#1235151) ----------------------------------------------------------------- Advisory ID: 244 Released: Fri Mar 14 12:51:07 2025 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1231472 This update for findutils fixes the following issues: - do not crash when file system loop was encountered (bsc#1231472) - added patches - modified patches ----------------------------------------------------------------- Advisory ID: 251 Released: Wed Mar 19 11:42:10 2025 Summary: Security update for krb5 Type: security Severity: moderate References: 1236619,CVE-2025-24528 This update for krb5 fixes the following issues: - CVE-2025-24528: Prevent overflow when calculating ulog block size. An authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash (bsc#1236619). ----------------------------------------------------------------- Advisory ID: 253 Released: Wed Mar 19 12:31:40 2025 Summary: Security update for python311 Type: security Severity: important References: 1174091,1210638,1219559,1219666,1221854,1225660,1226447,1226448,1227378,1227999,1228165,1228780,1229596,1229704,1230227,1230906,1231795,1232241,1236705,1238450,1239210,831629,CVE-2019-20907,CVE-2019-9947,CVE-2020-15523,CVE-2020-15801,CVE-2022-25236,CVE-2023-27043,CVE-2023-52425,CVE-2023-6597,CVE-2024-0397,CVE-2024-0450,CVE-2024-4030,CVE-2024-4032,CVE-2024-6232,CVE-2024-6923,CVE-2024-7592,CVE-2024-8088,CVE-2024-9287,CVE-2025-0938,CVE-2025-1795 This update for python311 fixes the following issues: - Skip PGO with %want_reproducible_builds (bsc#1239210) - CVE-2025-0938: Disallows square brackets ([ and ]) in domain names for parsed URLs (bsc#1236705). - Configure externally_managed with a bcond (bsc#1228165). - Update to 3.11.11: - Tools/Demos - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15 and multissltests to use 3.0.15, 3.1.7, and 3.2.3. 
- Tests - gh-125041: Re-enable skipped tests for zlib on the s390x architecture: only skip checks of the compressed bytes, which can be different between zlib's software implementation and the hardware-accelerated implementation. - Security - gh-126623: Upgrade libexpat to 2.6.4 - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified. - Library - gh-124651: Properly quote template strings in venv activation scripts (bsc#1232241, CVE-2024-9287). - Remove -IVendor/ from python-config (bsc#1231795) - CVE-2024-9287: Properly quote path names provided when creating a virtual environment (bsc#1232241) - Drop .pyc files from docdir for reproducible builds (bsc#1230906). - Update to 3.11.10: - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith and Seth Larson. Reported by Ellie - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. 
- gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088). - gh-123067: Fix quadratic complexity in parsing ``'``-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). - gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile. - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780). - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer. - gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list. - gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032). - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. 
``getattr(email.utils, 'supports_strict_parsing', False)`` can be used to check if the *strict* parameter is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638). - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami. - Core and Builtins - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner. - gh-109120: Added handle of incorrect star expressions, e.g ``f(3, *)``. Patch by Grigoryev Semyon - CVE-2024-8088: Prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704). - Make pip and modern tools install directly in /usr/local when used by the user. (bsc#1225660). - CVE-2024-4032: Fix rearranging definition of private v global IP addresses (bsc#1226448). - Update to 3.11.9: * Security - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425, bsc#1219559) by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush() - gh-115399: Update bundled libexpat to 2.6.0 - gh-115243: Fix possible crashes in collections.deque.index() when the deque is concurrently modified. - gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447, CVE-2024-0397). * Core and Builtins - gh-116296: Fix possible refleak in object.__reduce__() internal error handling. - gh-116034: Fix location of the error on a failed assertion. 
- gh-115823: Properly calculate error ranges in the parser when raising SyntaxError exceptions caused by invalid byte sequences. Patch by Pablo Galindo - gh-112087: For an empty reverse iterator for list will be reduced to reversed(). Patch by Donghee Na. - gh-115011: Setters for members with an unsigned integer type now support the same range of valid values for objects that have a __index__() method as for int. - gh-96497: Fix incorrect resolution of mangled class variables used in assignment expressions in comprehensions. * Library - gh-117310: Fixed an unlikely early & extra Py_DECREF triggered crash in ssl when creating a new _ssl._SSLContext if CPython was built implausibly such that the default cipher list is empty or the SSL library it was linked against reports a failure from its C SSL_CTX_set_cipher_list() API. - gh-117178: Fix regression in lazy loading of self-referential modules, introduced in gh-114781. - gh-117084: Fix zipfile extraction for directory entries with the name containing backslashes on Windows. - gh-117110: Fix a bug that prevents subclasses of typing.Any to be instantiated with arguments. Patch by Chris Fu. - gh-90872: On Windows, subprocess.Popen.wait() no longer calls WaitForSingleObject() with a negative timeout: pass 0 ms if the timeout is negative. Patch by Victor Stinner. - gh-116957: configparser: Don't leave ConfigParser values in an invalid state (stored as a list instead of a str) after an earlier read raised DuplicateSectionError or DuplicateOptionError. - gh-90095: Ignore empty lines and comments in .pdbrc - gh-116764: Restore support of None and other false values in urllib.parse functions parse_qs() and parse_qsl(). Also, they now raise a TypeError for non-zero integers and non-empty sequences. - gh-116811: In PathFinder.invalidate_caches, delegate to MetadataPathFinder.invalidate_caches. - gh-116600: Fix repr() for global Flag members. 
- gh-116484: Change automatically generated tkinter.Checkbutton widget names to avoid collisions with automatically generated tkinter.ttk.Checkbutton widget names within the same parent widget. - gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on opening named pipe. - gh-116143: Fix a race in pydoc _start_server, eliminating a window in which _start_server can return a thread that is "serving" but without a docserver set. - gh-116325: typing: raise SyntaxError instead of AttributeError on forward references as empty strings. - gh-90535: Fix support of interval values > 1 in logging.TimedRotatingFileHandler for when='MIDNIGHT' and when='Wx'. - gh-115978: Disable preadv(), readv(), pwritev(), and writev() on WASI. - Under wasmtime for WASI 0.2, these functions don't pass test_posix (https://github.com/bytecodealliance/wasmtime/issues/7830). - gh-88352: Fix the computation of the next rollover time in the logging.TimedRotatingFileHandler handler. computeRollover() now always returns a timestamp larger than the specified time and works correctly during the DST change. doRollover() no longer overwrites the already rolled over file, saving from data loss when run at midnight or during repeated time at the DST change. - gh-87115: Set __main__.__spec__ to None when running a script with pdb - gh-76511: Fix UnicodeEncodeError in email.Message.as_string() that results when a message that claims to be in the ascii character set actually has non-ascii characters. Non-ascii characters are now replaced with the U+FFFD replacement character, like in the replace error handler. - gh-75988: Fixed unittest.mock.create_autospec() to pass the call through to the wrapped object to return the real result. - gh-115881: Fix issue where ast.parse() would incorrectly flag conditional context managers (such as with (x() if y else z()): ...) as invalid syntax if feature_version=(3, 8) was passed. This reverts changes to the grammar made as part of gh-94949. 
- gh-115886: Fix silent truncation of the name with an embedded null character in multiprocessing.shared_memory.SharedMemory. - gh-115809: Improve algorithm for computing which rolled-over log files to delete in logging.TimedRotatingFileHandler. It is now reliable for handlers without namer and with arbitrary deterministic namer that leaves the datetime part in the file name unmodified. - gh-74668: urllib.parse functions parse_qs() and parse_qsl() now support bytes arguments containing raw and percent-encoded non-ASCII data. - gh-67044: csv.writer() now always quotes or escapes '\r' and '\n', regardless of lineterminator value. - gh-115712: csv.writer() now quotes empty fields if delimiter is a space and skipinitialspace is true and raises exception if quoting is not possible. - gh-115618: Fix improper decreasing the reference count for None argument in property methods getter(), setter() and deleter(). - gh-115570: A DeprecationWarning is no longer omitted on access to the __doc__ attributes of the deprecated typing.io and typing.re pseudo-modules. - gh-112006: Fix inspect.unwrap() for types with the __wrapper__ data descriptor. - gh-101293: Support callables with the __call__() method and types with __new__() and __init__() methods set to class methods, static methods, bound methods, partial functions, and other types of methods and descriptors in inspect.Signature.from_callable(). - gh-115392: Fix a bug in doctest where incorrect line numbers would be reported for decorated functions. - gh-114563: Fix several format() bugs when using the C implementation of Decimal: * memory leak in some rare cases when using the z format option (coerce negative 0) * incorrect output when applying the z format option to type F (fixed-point with capital NAN / INF) * incorrect output when applying the # format option (alternate form) - gh-115197: urllib.request no longer resolves the hostname before checking it against the system's proxy bypass list on macOS and Windows. 
- gh-115198: Fix support of Docutils >= 0.19 in distutils. - gh-115165: Most exceptions are now ignored when attempting to set the __orig_class__ attribute on objects returned when calling typing generic aliases (including generic aliases created using typing.Annotated). Previously only AttributeError was ignored. Patch by Dave Shawley. - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. - gh-115059: io.BufferedRandom.read1() now flushes the underlying write buffer. - gh-79382: Trailing ** no longer allows to match files and non-existing paths in recursive glob(). - gh-114763: Protect modules loaded with importlib.util.LazyLoader from race conditions when multiple threads try to access attributes before the loading is complete. - gh-97959: Fix rendering class methods, bound methods, method and function aliases in pydoc. Class methods no longer have "method of builtins.type instance" note. Corresponding notes are now added for class and unbound methods. Method and function aliases now have references to the module or the class where the origin was defined if it differs from the current. Bound methods are now listed in the static methods section. Methods of builtin classes are now supported as well as methods of Python classes. - gh-112281: Allow creating union of types for typing.Annotated with unhashable metadata. - gh-111775: Fix importlib.resources.simple.ResourceHandle.open() for text mode, added missed stream argument. - gh-90095: Make .pdbrc and -c work with any valid pdb commands. - gh-107155: Fix incorrect output of help(x) where x is a lambda function, which has an __annotations__ dictionary attribute with a 'return' key. - gh-105866: Fixed _get_slots bug which caused error when defining dataclasses with slots and a weakref_slot. - gh-60346: Fix ArgumentParser inconsistent with parse_known_args. - gh-100985: Update HTTPSConnection to consistently wrap IPv6 Addresses when using a proxy. 
- gh-100884: email: fix misfolding of comma in address-lists over multiple lines in combination with unicode encoding (bsc#1238450 CVE-2025-1795) - gh-95782: Fix io.BufferedReader.tell(), io.BufferedReader.seek(), _pyio.BufferedReader.tell(), io.BufferedRandom.tell(), io.BufferedRandom.seek() and _pyio.BufferedRandom.tell() being able to return negative offsets. - gh-96310: Fix a traceback in argparse when all options in a mutually exclusive group are suppressed. - gh-93205: Fixed a bug in logging.handlers.TimedRotatingFileHandler where multiple rotating handler instances pointing to files with the same name but different extensions would conflict and not delete the correct files. - bpo-44865: Add missing call to localization function in argparse. - bpo-43952: Fix multiprocessing.connection.Listener.accept() to accept empty bytes as authkey. Not accepting empty bytes as key causes it to hang indefinitely. - bpo-42125: linecache: get module name from __spec__ if available. This allows getting source code for the __main__ module when a custom loader is used. - gh-66543: Make mimetypes.guess_type() properly parse URLs with only a host name, URLs containing fragment or query, and filenames with only a UNC sharepoint on Windows. Based on patch by Dong-hee Na. - bpo-33775: Add "default" and "version" help text for localization in argparse. * Documentation - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under "XML vulnerabilities". - gh-115233: Fix an example for LoggerAdapter in the Logging Cookbook. * Tests - gh-83434: Disable JUnit XML output (--junit-xml=FILE command line option) in regrtest when hunting for reference leaks (-R option). Patch by Victor Stinner. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - gh-115979: Update test_importlib so that it passes under WASI SDK 21. - gh-116307: Added import helper isolated_modules as CleanImport does not remove modules imported during the context. 
- gh-115720: Leak tests (-R, --huntrleaks) now show a summary of the number of leaks found in each iteration. - gh-115122: Add --bisect option to regrtest test runner: run failed tests with test.bisect_cmd to identify failing tests. Patch by Victor Stinner. - gh-115596: Fix ProgramPriorityTests in test_os permanently changing the process priority. - gh-115198: Fix test_check_metadata_deprecate in distutils tests with a newer Docutils. * Build - gh-116313: Get WASI builds to work under wasmtime 18 w/ WASI 0.2/preview2 primitives. - gh-115167: Avoid vendoring vcruntime140_threads.dll when building with Visual Studio 2022 version 17.8. * Windows - gh-116773: Fix instances of <_overlapped.Overlapped object at 0xXXX> still has pending operation at deallocation, the process may crash. - gh-91227: Fix the asyncio ProactorEventLoop implementation so that sending a datagram to an address that is not listening does not prevent receiving any more datagrams. - gh-115554: The installer now has more strict rules about updating the Python Launcher for Windows. In general, most users only have a single launcher installed and will see no difference. When multiple launchers have been installed, the option to install the launcher is disabled until all but one have been removed. Downgrading the launcher (which was never allowed) is now more obviously blocked. - gh-115543: Python Launcher for Windows can now detect Python 3.13 when installed from the Microsoft Store, and will install Python 3.12 by default when PYLAUNCHER_ALLOW_INSTALL is set. - gh-115009: Update Windows installer to use SQLite 3.45.1. * IDLE - gh-88516: On macOS show a proxy icon in the title bar of editor windows to match platform behaviour. * Tools/Demos - gh-113516: Don't set LDSHARED when building for WASI. * C API - gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows 64-bit platforms. - Add reference to CVE-2024-0450 (bsc#1221854) to changelog. 
----------------------------------------------------------------- Advisory ID: 261 Released: Tue Mar 25 10:24:41 2025 Summary: Recommended update for supportutils Type: recommended Severity: important References: 1213291,1220082,1222021,1222896,1227127,1228265,1231396,1231423,1233726 This update for supportutils fixes the following issues: - Changes to version 3.2.9 + Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291,jsc#PED-8221) + Supportconfig available in current distro (PED-7131) + Corrected display issues (bsc#1231396) + NFS takes too long, showmount times out (bsc#1231423) + Merged sle15 and master branches (bsc#1233726, jsc#PED-11669) - Changes to version 3.2.8 + Update supportconfig get pam.d sorted + yast_files: Exclude .zcat + Sanitize grub bootloader (bsc#1227127) + Sanitize regcodes + Improve product detection + Add read_values for s390x (bsc#1228265,) + hardware_info: Remove old alsa ver check + drbd_info: Fix incorrect escape of quotes - Changes in version 3.1.30 + Added -V key:value pair option (bsc#1222021,jsc#PED-8211) + Avoid getting duplicate kernel verifications in boot.text + Suppress file descriptor leak warnings from lvm commands (bsc#1220082) + Includes container log timestamps ----------------------------------------------------------------- Advisory ID: 266 Released: Tue Apr 1 12:11:15 2025 Summary: Security update for libtasn1 Type: security Severity: important References: 1236878,CVE-2024-12133 This update for libtasn1 fixes the following issues: - CVE-2024-12133: Fixed potential DoS in handling of numerous SEQUENCE OF or SET OF elements (bsc#1236878). 
----------------------------------------------------------------- Advisory ID: 272 Released: Fri Apr 4 15:07:10 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1237363,1237370,1237418,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113 This update for libxml2 fixes the following issues: - CVE-2024-56171: Fixed use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c (bsc#1237363). - CVE-2025-24928: Fixed stack-based buffer overflow in xmlSnprintfElements in valid.c (bsc#1237370). - CVE-2025-27113: Fixed NULL Pointer Dereference in xmlPatMatch (bsc#1237418). ----------------------------------------------------------------- Advisory ID: 279 Released: Tue Apr 8 10:00:26 2025 Summary: Security update for procps Type: security Severity: moderate References: 1236842,CVE-2023-4016 This update for procps fixes the following issues: - Fixed regression introduced with the CVE-2023-4016 fix. The ps command segfaults when pid argument has a leading space (bsc#1236842). ----------------------------------------------------------------- Advisory ID: 282 Released: Tue Apr 8 10:48:04 2025 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1236779,1237294 This update for suse-build-key fixes the following issues: - changed RPM/repo signing keys to use SHA256 UIDs instead of SHA1. 
(bsc#1237294 bsc#1236779 jsc#PED-12321) - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted ----------------------------------------------------------------- Advisory ID: 283 Released: Tue Apr 8 10:50:47 2025 Summary: Recommended update for timezone Type: recommended Severity: moderate References: This update for timezone fixes the following issues: Update to 2025b: * New zone for Aysén Region in Chile (America/Coyhaique) which moves from -04/-03 to -03 Update to 2025a: * Paraguay adopts permanent -03 starting spring 2024 * Improve pre-1991 data for the Philippines * Etc/Unknown is now reserved Update to 2024b: * Improve historical data for Mexico, Mongolia, and Portugal. * System V names are now obsolescent. * The main data form now uses %z. * The code now conforms to RFC 8536 for early timestamps. * Support POSIX.1-2024, which removes asctime_r and ctime_r. * Assume POSIX.2-1992 or later for shell scripts. * SUPPORT_C89 now defaults to 1. Update to 2024a: * Kazakhstan unifies on UTC+5. This affects Asia/Almaty and Asia/Qostanay which together represent the eastern portion of the country that will transition from UTC+6 on 2024-03-01 at 00:00 to join the western portion. (Thanks to Zhanbolat Raimbekov.) * Palestine springs forward a week later than previously predicted in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward predictions to the second Saturday after Ramadan, not the first; this also affects other predictions starting in 2039. * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00. (Thanks to Đoàn Trần Công Danh.) * From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00. (Thanks to Chris Walton.) * In 1911 Miquelon adopted standard time on June 15, not May 15. 
* The FROM and TO columns of Rule lines can no longer be 'minimum' or an abbreviation of 'minimum', because TZif files do not support DST rules that extend into the indefinite past - although these rules were supported when TZif files had only 32-bit data, this stopped working when 64-bit TZif files were introduced in 1995. This should not be a problem for realistic data, since DST was first used in the 20th century. As a transition aid, FROM columns like 'minimum' are now diagnosed and then treated as if they were the year 1900; this should suffice for TZif files on old systems with only 32-bit time_t, and it is more compatible with bugs in 2023c-and-earlier localtime.c. (Problem reported by Yoshito Umaoka.) * localtime and related functions no longer mishandle some timestamps that occur about 400 years after a switch to a time zone with a DST schedule. In 2023d data this problem was visible for some timestamps in November 2422, November 2822, etc. in America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.) * strftime %s now uses tm_gmtoff if available. (Problem and draft patch reported by Dag-Erling Smørgrav.) * The strftime man page documents which struct tm members affect which conversion specs, and that tzset is called. (Problems reported by Robert Elz and Steve Summit.) Update to 2023d: * Ittoqqortoormiit, Greenland changes time zones on 2024-03-31. * Vostok, Antarctica changed time zones on 2023-12-18. * Casey, Antarctica changed time zones five times since 2020. * Code and data fixes for Palestine timestamps starting in 2072. * A new data file zonenow.tab for timestamps starting now. * Fix predictions for DST transitions in Palestine in 2072-2075, correcting a typo introduced in 2023a. * Vostok, Antarctica changed to +05 on 2023-12-18. It had been at +07 (not +06) for years. * Change data for Casey, Antarctica to agree with timeanddate.com, by adding five time zone changes since 2020. Casey is now at +08 instead of +11. 
* Much of Greenland, represented by America/Nuuk, changed its standard time from -03 to -02 on 2023-03-25, not on 2023-10-28. * localtime.c no longer mishandles TZif files that contain a single transition into a DST regime. Previously, it incorrectly assumed DST was in effect before the transition too. * tzselect no longer creates temporary files. * tzselect no longer mishandles the following: * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/. * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments. * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension. * zic no longer mishandles data for Palestine after the year 2075. ----------------------------------------------------------------- Advisory ID: 299 Released: Wed Apr 23 16:13:01 2025 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1234015,1236886 This update for systemd fixes the following issues: - Maintain the network device naming scheme used on SLE15 (jsc#PED-12317) This shouldn't cause problems as predictable naming schemes are disabled on SLMicro-6.1 (net.ifnames=0 is set on the kernel command line by default). 
- allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015) ----------------------------------------------------------------- Advisory ID: 304 Released: Tue Apr 29 13:07:45 2025 Summary: Security update for expat Type: security Severity: important References: 1219559,1219561,1221289,1229930,1229931,1229932,1232579,1232601,1239618,CVE-2013-0340,CVE-2019-15903,CVE-2023-52425,CVE-2023-52426,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492,CVE-2024-50602,CVE-2024-8176 This update for expat fixes the following issues: Version update to 2.7.1: * Bug fixes: * Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext * Other changes: #976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}' with Automake that were missing from 2.7.0 release tarballs #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close #986 Address compiler warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: #982 CI: Start running Perl XML::Parser integration tests #987 CI: Enforce Clang Static Analyzer clean code #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 #977 CI: Protect against fuzzer files missing from future release archives Version update to 2.7.0 (CVE-2024-8176 [bsc#1239618]) * Security fixes: * CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data 
('&g1;') - general entities in attribute values ('') - parameter entities ('%p1;') Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * Other changes: * Document changes since the previous release * Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do Version update to 2.6.4: * Security fixes: [bsc#1232601][bsc#1232579] * CVE-2024-50602 -- Fix crash within function XML_ResumeParser from a NULL pointer dereference by disallowing function XML_StopParser to (stop or) suspend an unstarted parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly communicate this situation. // CWE-476 CWE-754 * Other changes: * Version info bumped from 10:3:9 (libexpat*.so.1.9.3) to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ for what these numbers do Update to 2.6.3: * Security fixes: - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with len < 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially arbitrary code execution. - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution. - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). 
Impact is denial of service to potentially arbitrary code execution. * Other changes: - Version info bumped from 10:2:9 (libexpat*.so.1.9.2) to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ for what these numbers do Update to 2.6.2: * CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers (bsc#1221289) * Reject direct parameter entity recursion and avoid the related undefined behavior Update to 2.6.1: * Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0 * Make tests independent of CPU speed, and thus more robust Update to 2.6.0: * Security fixes: - CVE-2023-52425 (bsc#1219559) Fix quadratic runtime issues with big tokens that can cause denial of service, in particular when dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to not omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix. - CVE-2023-52426 (bsc#1219561) Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then). 
* Bug fixes: - Fix parse-size-dependent 'invalid token' error for external entities that start with a byte order mark - Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined - Protect against closing entities out of order * Other changes: - Improve support for arc4random/arc4random_buf - Improve buffer growth in XML_GetBuffer and XML_Parse - xmlwf: Support --help and --version - xmlwf: Support custom buffer size for XML_GetBuffer and read - xmlwf: Improve language and URL clickability in help output - examples: Add new example 'element_declarations.c' - Be stricter about macro XML_CONTEXT_BYTES at build time - Make inclusion to expat_config.h consistent - Autotools: configure.ac: Support --disable-maintainer-mode - Autotools: Sync CMake templates with CMake 3.26 - Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section 'Cflags.private' in order to fix compilation against static libexpat using pkg-config on Windows - Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017) - Autotools|CMake: Fix PACKAGE_BUGREPORT variable - Autotools|CMake: Make test suite require a C++11 compiler - CMake: Require CMake >=3.5.0 - CMake: Lowercase off_t and size_t to help a bug in Meson - CMake: Sort xmlwf sources alphabetically - CMake|Windows: Fix generation of DLL file version info - CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON - docs: Document the importance of isFinal + adjust tests accordingly - docs: Improve use of 'NULL' and 'null' - docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.) 
- docs: reference.html: Promote function XML_ParseBuffer more - docs: reference.html: Add HTML anchors to XML_* macros - docs: reference.html: Upgrade to OK.css 1.2.0 - docs: Fix typos - docs|CI: Use HTTPS URLs instead of HTTP at various places - Address compiler warnings - Address clang-tidy warnings - Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do ----------------------------------------------------------------- Advisory ID: 306 Released: Tue Apr 29 13:11:44 2025 Summary: Security update for gpg2 Type: security Severity: low References: 1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed DoS due to a malicious subkey in the keyring (bsc#1239119) ----------------------------------------------------------------- Advisory ID: 314 Released: Mon May 12 11:55:56 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1240897,CVE-2025-3360 This update for glib2 fixes the following issues: - CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601() (bsc#1240897). ----------------------------------------------------------------- Advisory ID: 322 Released: Fri May 16 08:44:23 2025 Summary: Recommended update for vim Type: recommended Severity: important References: 1235751 This update for vim fixes the following issues: - Introduce patch to fix bsc#1235751 (regression). - Update to 9.1.1176. 
Changes: * 9.1.1176: wrong indent when expanding multiple lines * 9.1.1175: inconsistent behaviour with exclusive selection and motion commands * 9.1.1174: tests: Test_complete_cmdline() may fail * 9.1.1173: filetype: ABNF files are not detected * 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file * 9.1.1171: tests: wrong arguments passed to assert_equal() * 9.1.1170: wildmenu highlighting in popup can be improved * 9.1.1169: using global variable for get_insert()/get_lambda_name() * 9.1.1168: wrong flags passed down to nextwild() * 9.1.1167: mark '] wrong after copying text object * 9.1.1166: command-line auto-completion hard with wildmenu * 9.1.1165: diff: regression with multi-file diff blocks * 9.1.1164: [security]: code execution with tar.vim and special crafted tar files * 9.1.1163: $MYVIMDIR is set too late * 9.1.1162: completion popup not cleared in cmdline * 9.1.1161: preinsert requires both 'menu' and 'menuone' to be set * 9.1.1160: Ctrl-Y does not work well with 'preinsert' when completing items * 9.1.1159: $MYVIMDIR may not always be set * 9.1.1158: :verbose set has wrong file name with :compiler!
* 9.1.1157: command completion wrong for input() * 9.1.1156: tests: No test for what patch 9.1.1152 fixes * 9.1.1155: Mode message not cleared after :silent message * 9.1.1154: Vim9: not able to use autoload class across scripts * 9.1.1153: build error on Haiku * 9.1.1152: Patch v9.1.1151 causes problems * 9.1.1151: too many strlen() calls in getchar.c * 9.1.1150: :hi completion may complete to wrong value * 9.1.1149: Unix Makefile does not support Brazilian lang for the installer * 9.1.1148: Vim9: finding imported scripts can be further improved * 9.1.1147: preview-window does not scroll correctly * 9.1.1146: Vim9: wrong context being used when evaluating class member * 9.1.1145: multi-line completion has wrong indentation for last line * 9.1.1144: no way to create raw strings from a blob * 9.1.1143: illegal memory access when putting a register * 9.1.1142: tests: test_startup fails if $HOME/$XDG_CONFIG_HOME is defined * 9.1.1141: Misplaced comment in readfile() * 9.1.1140: filetype: m17ndb files are not detected * 9.1.1139: [fifo] is not displayed when editing a fifo * 9.1.1138: cmdline completion for :hi is too simplistic * 9.1.1137: ins_str() is inefficient by calling STRLEN() * 9.1.1136: Match highlighting marks a buffer region as changed * 9.1.1135: 'suffixesadd' doesn't work with multiple items * 9.1.1134: filetype: Guile init file not recognized * 9.1.1133: filetype: xkb files not recognized everywhere * 9.1.1132: Mark positions wrong after triggering multiline completion * 9.1.1131: potential out-of-memory issue in search.c * 9.1.1130: 'listchars' 'precedes' is not drawn on Tabs.
* 9.1.1129: missing out-of-memory test in buf_write() * 9.1.1128: patch 9.1.1119 caused a regression with imports * 9.1.1127: preinsert text is not cleaned up correctly * 9.1.1126: patch 9.1.1121 used a wrong way to handle enter * 9.1.1125: cannot loop through pum menu with multiline items * 9.1.1124: No test for 'listchars' 'precedes' with double-width char * 9.1.1123: popup hi groups not falling back to defaults * 9.1.1122: too many strlen() calls in findfile.c * 9.1.1121: Enter does not insert newline with 'noselect' * 9.1.1120: tests: Test_registers fails * 9.1.1119: Vim9: Not able to use an autoloaded class from another autoloaded script * 9.1.1118: tests: test_termcodes fails * 9.1.1117: there are a few minor style issues * 9.1.1116: Vim9: super not supported in lambda expressions * 9.1.1115: [security]: use-after-free in str_to_reg() * 9.1.1114: enabling termguicolors automatically confuses users * 9.1.1113: tests: Test_terminal_builtin_without_gui waits 2 seconds * 9.1.1112: Inconsistencies in get_next_or_prev_match() * 9.1.1111: Vim9: variable not found in transitive import * 9.1.1110: Vim tests are slow and flaky * 9.1.1109: cmdexpand.c hard to read * 9.1.1108: 'smoothscroll' gets stuck with 'listchars' 'eol' * 9.1.1107: cannot loop through completion menu with fuzzy * 9.1.1106: tests: Test_log_nonexistent() causes asan failure * 9.1.1105: Vim9: no support for protected new() method * 9.1.1104: CI: using Ubuntu 22.04 Github runners * 9.1.1103: if_perl: still some compile errors with Perl 5.38 * 9.1.1102: tests: Test_WinScrolled_Resized_eiw() uses wrong filename ----------------------------------------------------------------- Advisory ID: 325 Released: Fri May 16 14:45:12 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,CVE-2025-29087,CVE-2025-29088 This update for sqlite3 fixes the following issues: - Update to release 3.49.1: * Improve portability of makefiles and configure scripts. 
* CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws() function, introduced in version 3.44.0, that could lead to a memory error if the separator string is very large (hundreds of megabytes). * CVE-2025-29088, bsc#1241078: Enhanced the SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust against misuse. - Update to release 3.49.0: * Enhancements to the query planner: - Improve the query-time index optimization so that it works on WITHOUT ROWID tables. - Better query plans for large star-query joins. This fixes three different performance regressions that were reported on the SQLite Forum. - When two or more queries have the same estimated cost, use the one with the fewer bytes per row. * Enhance the iif() SQL function so that it can accept any number of arguments greater than or equal to two. * Enhance the session extension so that it works on databases that make use of generated columns. * Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which was not implemented correctly and never worked right. In its place add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This option applies to command-line tools like the CLI only, not to the SQLite core. It causes Win32 APIs to be used for console I/O instead of stdio. This option affects Windows builds only. * Three new options to sqlite3_db_config(). All default 'on'. SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE SQLITE_DBCONFIG_ENABLE_COMMENTS - Re-enable SONAME which got disabled by default in 3.48.0. * https://www.sqlite.org/src/forumpost/5a3b44f510df8ded * https://sqlite.org/forum/forumpost/ab8f15697a - Update to release 3.48.0: * Improved EXPLAIN QUERY PLAN output for covering indexes. * Allow a two-argument version of the iif() SQL function. * Also allow if() as an alternative spelling for iif(). * Add the '.dbtotxt' command to the CLI. * Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics method of the sqlite3_io_methods object. 
* Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents warning messages being sent to the error log if the SQL is ill-formed. This allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check for validity without polluting the error log with false messages. * Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30. * Added the SQLITE_FCNTL_NULL_IO file control. * Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via the insttoken configuration option and the fts5_insttoken() SQL function. * Increase the maximum number of arguments to an SQL function from 127 to 1000. - Update to release 3.47.2: * Fix a problem in text-to-floating-point conversion that affects text values where the first 16 significant digits are '1844674407370955'. This issue was introduced in 3.47.0 and only arises on x64 and i386 hardware. * Other minor bug fixes. - Enable the session extension, because NodeJS 22 needs it. - Update to release 3.47.1: * Fix the makefiles so that they once again honored DESTDIR for the 'install' target. * Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0. * Fix incorrect answers to certain obscure IN queries caused by new query optimizations added in the 3.47.0 release. * Other minor bug fixes. - Update to release 3.47.0: * Allow arbitrary expressions in the second argument to the RAISE function. * If the RHS of the ->> operator is negative, then access array elements counting from the right. * Fix a problem with rolling back hot journal files in the seldom-used unix-dotfile VFS. * FTS5 tables can now be dropped even if they use a non-standard tokenizer that has not been registered. * Fix the group_concat() aggregate function so that it returns an empty string, not a NULL, if it receives a single input value which is an empty string. 
* Enhance the generate_series() table-valued function so that it is able to recognize and use constraints on its output value. Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has a non-null default value. * Improved reuse of subqueries associated with the IN operator, especially when the IN operator has been duplicated due to predicate push-down. * Use a Bloom filter on subqueries on the right-hand side of the IN operator, in cases where that seems likely to improve performance. * Ensure that queries like 'SELECT func(a) FROM tab GROUP BY 1' only invoke the func() function once per row. * No attempt is made to create automatic indexes on a column that is known to be non-selective because of its use in other indexes that have been analyzed. * Adjustments to the query planner so that it produces better plans for star queries with a large number of dimension tables. * Add the 'order-by-subquery' optimization, that seeks to disable sort operations in outer queries if the desired order is obtained naturally due to ORDER BY clauses in subqueries. * The 'indexed-subtype-expr' optimization strives to use expressions that are part of an index rather than recomputing the expression based on table values, as long as the query planner can prove that the subtype of the expression will never be used. * Miscellaneous coding tweaks for faster runtimes. * Add the experimental sqlite3_rsync program. * Add extension functions median(), percentile(), percentile_cont(), and percentile_disc() to the CLI. * Add the .www dot-command to the CLI. * The sqlite3_analyzer utility now provides a break-out of statistics for WITHOUT ROWID tables. * The sqldiff utility avoids creating an empty database if its second argument does not exist. * Enhance the sqlite_dbpage table-valued function such that INSERT can be used to increase or decrease the size of the database file. 
* SQLite no longer makes any use of the 'long double' data type, as hardware support for long double is becoming less common and long double creates challenges for some compiler tool chains. Instead, SQLite uses Dekker's algorithm when extended precision is needed. * The TCL Interface for SQLite supports TCL9. Everything probably still works for TCL 8.5 and later, though this is not guaranteed. Users are encouraged to upgrade to TCL9. * Fix a corruption-causing bug in the JavaScript 'opfs' VFS. Correct 'mode=ro' handling for the 'opfs' VFS. Work around a couple of browser-specific OPFS quirks. * Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom locale-aware tokenizers and fts5 tables that may take advantage of them. * Add the contentless_unindexed=1 option, for creating contentless fts5 tables that store the values of any UNINDEXED columns persistently in the database. * Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose implementation is not available. - Update to release 3.46.1: * Improved robustness while parsing the tokenize= arguments in FTS5. * Enhancements to covering index prediction in the query planner. * Do not let the number of terms on a VALUES clause be limited by SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause contains elements that appear to be variables due to double-quoted string literals. * Fix the window function version of group_concat() so that it returns an empty string if it has one or more empty string inputs. * In FTS5 secure-delete mode, fix false-positive integrity-check reports about corrupt indexes. * Syntax errors in ALTER TABLE should always return SQLITE_ERROR. In some cases, they were formerly returning SQLITE_INTERNAL. * Other minor fixes. - Update to release 3.46.0: * https://sqlite.org/releaselog/3_46_0.html * Enhance PRAGMA optimize in multiple ways. * Enhancements to the date and time functions. 
* Add support for underscore ('_') characters between digits in numeric literals. * Add the json_pretty() SQL function. * Query planner improvements. * Allocate additional memory from the heap for the SQL parser stack if that stack overflows, rather than reporting a 'parser stack overflow' error. * Allow ASCII control characters within JSON5 string literals. * Fix the -> and ->> JSON operators so that when the right-hand side operand is a string that looks like an integer it is still treated as a string, because that is what PostgreSQL does. - Update to release 3.45.3: * Fix a long-standing bug (going back to version 3.24.0) that might (rarely) cause the 'old.*' values of an UPDATE trigger to be incorrect if that trigger fires in response to an UPSERT. * Reduce the scope of the NOT NULL strength reduction optimization that was added as item 8e in version 3.35.0. The optimization was being attempted in some contexts where it did not work, resulting in incorrect query results. - Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream. - Update to release 3.45.2: * Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL functions. * Enhancements to the JSON SQL functions * Add the FTS5 tokendata option to the FTS5 virtual table. * The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default. * Query planner improvements * Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to 4294967294. * Enhancements to the CLI * Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent releases, for backward compatibility. * Fix the PRAGMA integrity_check command so that it works on read-only databases that contain FTS3 and FTS5 tables. * Fix issues associated with processing corrupt JSONB inputs. * Fix a long-standing bug in which a read of a few bytes past the end of a memory-mapped segment might occur when accessing a craftily corrupted database using memory-mapped database.
* Fix a long-standing bug in which a NULL pointer dereference might occur in the bytecode engine due to incorrect bytecode being generated for a class of SQL statements that are deliberately designed to stress the query planner but which are otherwise pointless. * Fix an error in UPSERT, introduced in version 3.35.0. * Reduce the scope of the NOT NULL strength reduction optimization that was added in version 3.35.0. ----------------------------------------------------------------- Advisory ID: 328 Released: Wed May 21 13:04:20 2025 Summary: Security update for glibc Type: security Severity: critical References: 1234128,1239883,1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: Fixed local root exploits when using statically built setuid root applications. (elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static) (bsc#1243317) - pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ #25847) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) ----------------------------------------------------------------- Advisory ID: 329 Released: Wed May 21 13:23:02 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed out-of-bounds read when parsing text via the Python API (bsc#1241551) - CVE-2025-32415: Fixed a heap-based buffer under-read that a crafted XML document may trigger (bsc#1241453) ----------------------------------------------------------------- Advisory ID: 330 Released: Wed May 21 17:37:32 2025 Summary: Security update for perl Type: security Severity: important References: 1241083,CVE-2024-56406 This update for perl fixes the following issues: - CVE-2024-56406: Fixed heap buffer overflow with tr// [bsc#1241083] ----------------------------------------------------------------- Advisory ID: 331 Released: Wed May 21 17:40:23 2025 Summary: Security update for
ca-certificates-mozilla Type: security Severity: moderate References: 1010996,1199079,1229003,1234798,1240009,1240343,441356 This update for ca-certificates-mozilla fixes the following issues: - test for a concretely missing certificate rather than just the directory, as the latter is now also provided by openssl-3 - Re-create java-cacerts with SOURCE_DATE_EPOCH set for reproducible builds (bsc#1229003) - explicitly remove distrusted certs, as the distrust does not get exported correctly and the SSL certs are still trusted. (bsc#1240343) - Entrust.net Premium 2048 Secure Server CA - Entrust Root Certification Authority - AffirmTrust Commercial - AffirmTrust Networking - AffirmTrust Premium - AffirmTrust Premium ECC - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - GlobalSign Root E46 - GLOBALTRUST 2020 - pass file argument to awk (bsc#1240009) - update to 2.74 state of Mozilla SSL root CAs: Removed: * SwissSign Silver CA - G2 Added: * D-TRUST BR Root CA 2 2023 * D-TRUST EV Root CA 2 2023 - remove extensive signature printing in comments of the cert bundle - Define two macros to break a build cycle with p11-kit.
- Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798) Removed: - SecureSign RootCA11 - Security Communication RootCA3 Added: - TWCA CYBER Root CA - TWCA Global Root CA G2 - SecureSign Root CA12 - SecureSign Root CA14 - SecureSign Root CA15 ----------------------------------------------------------------- Advisory ID: 333 Released: Thu May 22 09:36:22 2025 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1222650,1230371,1231838 This update for supportutils fixes the following issues: Changes to version 3.2.10: + network.txt collect all firewalld zones (pr#233) + Collects gfs2 info (PED-11853, pr#235, pr#236) + Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237) + Added openldap2_5 support for SLES (pr#238) + Collects additional hawk details (pr#239) + Optimized filtering D/Z processes (pr#241) + Collect firewalld permanent configuration (pr#243) + ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247) + Added dbus_info for dbus.txt (bsc#1222650, pr#248) ----------------------------------------------------------------- Advisory ID: 337 Released: Fri May 23 15:00:13 2025 Summary: Security update for augeas Type: security Severity: moderate References: 1239909,CVE-2025-2588 This update for augeas fixes the following issues: - CVE-2025-2588: Fixed check for NULL pointers when calling re_case_expand in
function fa_expand_nocase (bsc#1239909) ----------------------------------------------------------------- Advisory ID: 336 Released: Fri May 23 15:40:05 2025 Summary: Security update for python311 Type: security Severity: moderate References: 1236705,1241067,CVE-2025-0938 This update for python311 fixes the following issues: - Updated to 3.11.12: - gh-131809: Updated bundled libexpat to 2.7.1 - gh-131261: Upgraded to libexpat 2.7.0 - CVE-2025-0938: Fixed functions `urllib.parse.urlsplit` and `urlparse` accepting domain names including square brackets (bsc#1236705) - gh-121284: Fixed bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fixed bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fixed a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only a mapping, but if this hit a virtual address size limit it could lead to a MemoryError or other process crash. 
On unusual systems or builds where all allocated memory is touched and backed by actual RAM or storage it could've consumed resources doing so until similarly crashing. - gh-127257: In ssl, system call failures that OpenSSL reports using ERR_LIB_SYS are now raised as OSError. - gh-121277: Writers of CPython's documentation can now use next as the version for the versionchanged, versionadded, deprecated directives. - gh-106883: Disabled GC during the _PyThread_CurrentFrames() and _PyThread_CurrentExceptions() calls to prevent the interpreter from deadlocking. The following package changes have been done: - SL-Micro-release-6.0-25.28 updated - ca-certificates-mozilla-2.74-1.1 updated - curl-8.6.0-6.1 updated - findutils-4.9.0-4.1 updated - glibc-locale-base-2.38-9.1 updated - glibc-locale-2.38-9.1 updated - glibc-2.38-9.1 updated - gpg2-2.4.4-2.1 updated - krb5-1.20.1-6.1 updated - libaugeas0-1.14.1-2.1 updated - libblkid1-2.39.3-3.1 updated - libcom_err2-1.47.0-3.1 updated - libcurl4-8.6.0-6.1 updated - libdb-4_8-4.8.30-7.1 updated - libexpat1-2.7.1-1.1 updated - libfa1-1.14.1-2.1 updated - libfdisk1-2.39.3-3.1 updated - libgcc_s1-13.3.0+git8781-2.1 updated - libglib-2_0-0-2.76.2-7.1 updated - libgmodule-2_0-0-2.76.2-7.1 updated - libip4tc2-1.8.9-4.1 updated - libmount1-2.39.3-3.1 updated - libopenssl3-3.1.4-7.1 updated - libprocps8-3.3.17-5.1 updated - libpython3_11-1_0-3.11.12-1.1 updated - libsmartcols1-2.39.3-3.1 updated - libsolv-tools-base-0.7.30-1.1 added - libsqlite3-0-3.49.1-1.1 updated - libstdc++6-13.3.0+git8781-2.1 updated - libsystemd0-254.24-1.1 updated - libtasn1-6-4.19.0-4.1 updated - libudev1-254.24-1.1 updated - libuuid1-2.39.3-3.1 updated - libxml2-2-2.11.6-8.1 updated - libxtables12-1.8.9-4.1 updated - libzypp-17.35.16-1.1 updated - pam-1.6.0-4.1 updated - perl-base-5.38.2-2.1 updated - perl-5.38.2-2.1 updated - procps-3.3.17-5.1 updated - python311-base-3.11.12-1.1 updated - skelcd-EULA-SL-Micro-2024.01.19-8.27 updated - strace-6.7-2.1 updated -
supportutils-3.2.10-1.1 updated
- suse-build-key-12.0-5.1 updated
- systemd-254.24-1.1 updated
- timezone-2025b-1.1 updated
- util-linux-2.39.3-3.1 updated
- vim-data-common-9.1.1176-1.1 updated
- vim-9.1.1176-1.1 updated
- xxd-9.1.1176-1.1 updated
- zypper-1.14.77-1.1 updated
- libabsl2308_0_0-20230802.1-1.6 removed
- libprotobuf-lite23_4_0-23.4-7.24 removed
- libproxy1-0.4.18-5.12 removed
- libsolv-tools-0.7.28-1.3 removed

From sle-container-updates at lists.suse.com Mon Jun 16 07:02:34 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 16 Jun 2025 09:02:34 +0200 (CEST)
Subject: SUSE-IU-2025:1571-1: Security update of suse-sles-15-sp6-chost-byos-v20250611-x86_64-gen2
Message-ID: <20250616070234.98170FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp6-chost-byos-v20250611-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1571-1
Image Tags : suse-sles-15-sp6-chost-byos-v20250611-x86_64-gen2:20250611
Image Release :
Severity : important
Type : security
-----------------------------------------------------------------

The container suse-sles-15-sp6-chost-byos-v20250611-x86_64-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1335-1
Released: Tue Jul 17 10:13:39 2018
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1095485

This update for cloud-netconfig fixes the following issues:

- Make interface names in Azure persistent. (bsc#1095485)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:529-1
Released: Fri Mar 1 13:46:51 2019
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1112822,1118783,1122013,1123008

This update for cloud-netconfig provides the following fixes:

- Run cloud-netconfig periodically. (bsc#1118783, bsc#1122013)
- Do not treat eth0 special with regard to routing policies. (bsc#1123008)
- Reduce the timeout on metadata read. (bsc#1112822)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1560-1
Released: Wed Jun 19 08:57:17 2019
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1135257,1135263

This update for cloud-netconfig fixes the following issues:

- cloud-netconfig will now pause and retry if API call throttling is detected in Azure (bsc#1135257, bsc#1135263)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:31-1
Released: Mon Feb 24 10:36:36 2020
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1135592,1144282,1157117,1157190

This update for cloud-netconfig contains the following fixes:

- Removed obsolete Group tag from spec file.
- Update to version 1.3:
  + Fix IPv4 address handling on secondary NICs in Azure.
- Update to version 1.2:
  + support AWS IMDSv2 token.
- Update to version 1.1:
  + fix use of GATEWAY variable. (bsc#1157117, bsc#1157190)
  + remove secondary IPv4 address only when added by cloud-netconfig. (bsc#1144282)
  + simplify routing setup for single NIC systems (partly fixes bsc#1135592)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:637-1
Released: Wed Mar 11 11:29:56 2020
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1162705,1162707

This update for cloud-netconfig fixes the following issues:

- Copy routes from the default routing table. (bsc#1162705, bsc#1162707)
  On multi-NIC systems, cloud-netconfig creates separate routing tables with different default routes, so packets get routed via the network interfaces associated with the source IP address. Systems may have additional routing in place and in that case cloud-netconfig's NIC specific routing may bypass those routes.
- Make the key CLOUD_NETCONFIG_MANAGE enable by default.
  Any network interface that has been configured automatically via cloud-netconfig has a configuration file associated. If the value is set to 'NO' (or the pair is removed altogether), cloud-netconfig will not handle secondary IPv4 addresses and routing policies for the associated network interface.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3619-1
Released: Tue Dec 15 13:41:16 2020
Summary: Recommended update for cloud-netconfig, google-guest-agent
Type: recommended
Severity: moderate
References: 1159460,1178486,1179031,1179032

This update for cloud-netconfig, google-guest-agent fixes the following issues:

cloud-netconfig:

- Update to version 1.5:
  + Add support for GCE (bsc#1159460, bsc#1178486, jsc#ECO-2800)
  + Improve default gateway determination

google-guest-agent:

- Update to version 20201026.00
  * remove old unused workflow files
  * fallback to IP for metadata
  * getPasswd: Check full prefix of line for username
- dont_overwrite_ifcfg.patch: Do not overwrite existing ifcfg files to allow manual configuration and compatibility with cloud-netconfig. (bsc#1159460, bsc#1178486)
- Update to version 20200929.00
  * correct varname
  * don't call dhclient -x on network setup
  * add instance id dir override
  * update agent systemd service file
  * typo, change to noadjfile
  * add gaohannk to OWNERS
  * remove illfelder from OWNERS
  * Add all license files to packages

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:167-1
Released: Mon Jan 24 18:16:24 2022
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1187939

This update for cloud-netconfig fixes the following issues:

- Update to version 1.6:
  + Ignore proxy when accessing metadata (bsc#1187939)
  + Print warning in case metadata is not accessible
  + Documentation update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:658-1
Released: Wed Mar 8 10:51:10 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1199853,1204549

This update for cloud-netconfig fixes the following issues:

- Update to version 1.7:
  + Overhaul policy routing setup
  + Support alias IPv4 ranges
  + Add support for NetworkManager (bsc#1204549)
  + Remove dependency on netconfig
  + Install into libexec directory
  + Clear stale ifcfg files for accelerated NICs (bsc#1199853)
  + More debug messages
  + Documentation update
- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in Tumbleweed, update path

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3637-1
Released: Mon Sep 18 13:02:23 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1214715

This update for cloud-netconfig fixes the following issues:

- Update to version 1.8:
  - Fix Automatic Addition of Secondary IP Addresses in Azure Using cloud-netconfig. (bsc#1214715)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:630-1
Released: Tue Feb 27 09:14:49 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1218069,1219007

This update for cloud-netconfig fixes the following issues:

- Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007)
- Drop package dependency on sysconfig-netconfig
- Improve log level handling
- Support IPv6 IMDS endpoint in EC2 (bsc#1218069)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:781-1
Released: Wed Mar 6 15:05:13 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1219454,1220718

This update for cloud-netconfig fixes the following issues:

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d parent directory
- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metadata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:869-1
Released: Wed Mar 13 10:48:51 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1221202

This update for cloud-netconfig fixes the following issues:

- Update to version 1.12 (bsc#1221202)
  * If token access succeeds using IPv4 do not use the IPv6 endpoint
    only use the IPv6 IMDS endpoint if IPv4 access fails.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1085-1
Released: Tue Apr 2 11:24:09 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1221757

This update for cloud-netconfig fixes the following issues:

- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1606-1
Released: Tue May 20 15:53:14 2025
Summary: Recommended update for librdkafka
Type: recommended
Severity: moderate
References: 1242842

This update for librdkafka fixes the following issues:

- Avoid endless loops under certain circumstances (bsc#1242842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1614-1
Released: Wed May 21 11:52:34 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important

The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006).
- CVE-2024-35840: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() (bsc#1224597).
- CVE-2024-50038: netfilter: xtables: fix typo causing some targets not to load on IPv6 (bsc#1231910).
- CVE-2024-50162: bpf: selftests: send packet to devmap redirect XDP (bsc#1233075).
- CVE-2024-50163: bpf: Make sure internal and UAPI bpf_redirect flags do not overlap (bsc#1233098).
- CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc (bsc#1234074).
- CVE-2024-53139: sctp: fix possible UAF in sctp_v6_available() (bsc#1234157).
- CVE-2024-57924: fs: relax assertions on failure to encode file handles (bsc#1236086).
- CVE-2024-58018: nvkm: correctly calculate the available space of the GSP cmdq buffer (bsc#1238990).
- CVE-2024-58068: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (bsc#1238961).
- CVE-2024-58070: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (bsc#1238983).
- CVE-2024-58071: team: prevent adding a device which is already a team device lower (bsc#1238970).
- CVE-2024-58088: bpf: Fix deadlock when freeing cgroup storage (bsc#1239510).
- CVE-2025-21683: bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704).
- CVE-2025-21696: mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111).
- CVE-2025-21707: mptcp: consolidate suboption status (bsc#1238862).
- CVE-2025-21729: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (bsc#1237874).
- CVE-2025-21755: vsock: Orphan socket after transport release (bsc#1237882).
- CVE-2025-21758: ipv6: mcast: add RCU protection to mld_newpack() (bsc#1238737).
- CVE-2025-21768: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels (bsc#1238714).
- CVE-2025-21792: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt (bsc#1238745).
- CVE-2025-21806: net: let net.core.dev_weight always be non-zero (bsc#1238746).
- CVE-2025-21808: net: xdp: Disallow attaching device-bound programs in generic mode (bsc#1238742).
- CVE-2025-21812: ax25: rcu protect dev->ax25_ptr (bsc#1238471).
- CVE-2025-21833: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (bsc#1239108).
- CVE-2025-21836: io_uring/kbuf: reallocate buf lists on upgrade (bsc#1239066).
- CVE-2025-21854: selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470).
- CVE-2025-21863: io_uring: prevent opcode speculation (bsc#1239475).
- CVE-2025-21867: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (bsc#1240181).
- CVE-2025-21873: scsi: ufs: core: bsg: Fix crash when arpmb command fails (bsc#1240184).
- CVE-2025-21875: mptcp: always handle address removal under msk socket lock (bsc#1240168).
- CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode() (bsc#1240185).
- CVE-2025-21884: net: better track kernel sockets lifetime (bsc#1240171).
- CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (bsc#1240176).
- CVE-2025-21889: perf/core: Add RCU read lock protection to perf_iterate_ctx() (bsc#1240167).
- CVE-2025-21894: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (bsc#1240581).
- CVE-2025-21895: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585).
- CVE-2025-21904: caif_virtio: fix wrong pointer check in cfv_probe() (bsc#1240576).
- CVE-2025-21906: wifi: iwlwifi: mvm: clean up ROC on failure (bsc#1240587).
- CVE-2025-21908: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (bsc#1240600).
- CVE-2025-21913: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (bsc#1240591).
- CVE-2025-21922: ppp: Fix KMSAN uninit-value warning with bpf (bsc#1240639).
- CVE-2025-21924: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (bsc#1240720).
- CVE-2025-21925: llc: do not use skb_get() before dev_queue_xmit() (bsc#1240713).
- CVE-2025-21926: net: gso: fix ownership in __udp_gso_segment (bsc#1240712).
- CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio (bsc#1240709).
- CVE-2025-21957: scsi: qla1280: Fix kernel oops when debug level > 2 (bsc#1240742).
- CVE-2025-21960: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (bsc#1240815).
- CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case (bsc#1240816).
- CVE-2025-21962: cifs: Fix integer overflow while processing closetimeo mount option (bsc#1240655).
- CVE-2025-21963: cifs: Fix integer overflow while processing acdirmax mount option (bsc#1240717).
- CVE-2025-21964: cifs: Fix integer overflow while processing acregmax mount option (bsc#1240740).
- CVE-2025-21969: kABI workaround for l2cap_conn changes (bsc#1240784).
- CVE-2025-21970: net/mlx5: Bridge, fix the crash caused by LAG state check (bsc#1240819).
- CVE-2025-21972: net: mctp: unshare packets when reassembling (bsc#1240813).
- CVE-2025-21975: net/mlx5: handle errors in mlx5_chains_create_table() (bsc#1240812).
- CVE-2025-21980: sched: address a potential NULL pointer dereference in the GRED scheduler (bsc#1240809).
- CVE-2025-21981: ice: fix memory leak in aRFS after reset (bsc#1240612).
- CVE-2025-21985: drm/amd/display: Fix out-of-bound accesses (bsc#1240811).
- CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (bsc#1240795).
- CVE-2025-21993: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (bsc#1240797).
- CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
- CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835).
- CVE-2025-22015: mm/migrate: fix shmem xarray update during migration (bsc#1240944).
- CVE-2025-22016: dpll: fix xa_alloc_cyclic() error handling (bsc#1240934).
- CVE-2025-22017: devlink: fix xa_alloc_cyclic() error handling (bsc#1240936).
- CVE-2025-22018: atm: Fix NULL pointer dereference (bsc#1241266).
- CVE-2025-22029: exec: fix the racy usage of fs_struct->in_exec (bsc#1241378).
- CVE-2025-22036: exfat: fix random stack corruption after get_block (bsc#1241426).
- CVE-2025-22045: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (bsc#1241433).
- CVE-2025-22053: net: ibmveth: make veth_pool_store stop hanging (bsc#1241373).
- CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371).
- CVE-2025-22058: udp: Fix memory accounting leak (bsc#1241332).
- CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526).
- CVE-2025-22064: netfilter: nf_tables: do not unregister hook when table is dormant (bsc#1241413).
- CVE-2025-22080: fs/ntfs3: Prevent integer overflow in hdr_first_de() (bsc#1241416).
- CVE-2025-22090: mm: (un)track_pfn_copy() fix + doc improvements (bsc#1241537).
- CVE-2025-22102: Bluetooth: btnxpuart: Fix kernel panic during FW release (bsc#1241456).
- CVE-2025-22104: ibmvnic: Use kernel helpers for hex dumps (bsc#1241550).
- CVE-2025-22105, CVE-2025-37860: Add missing bugzilla references (bsc#1241452 bsc#1241548).
- CVE-2025-22107: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (bsc#1241575).
- CVE-2025-22109: ax25: Remove broken autobind (bsc#1241573).
- CVE-2025-22115: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() (bsc#1241578).
- CVE-2025-22121: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (bsc#1241593).
- CVE-2025-2312: CIFS: New mount option for cifs.upcall namespace resolution (bsc#1239684).
- CVE-2025-23133: wifi: ath11k: update channel list in reg notifier instead reg worker (bsc#1241451).
- CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).
- CVE-2025-37798: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() (bsc#1242414).
- CVE-2025-37799: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (bsc#1242283).
- CVE-2025-39728: clk: samsung: Fix UBSAN panic in samsung_clk_init() (bsc#1241626).

The following non-security bugs were fixed:

- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls (stable-fixes).
- ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes).
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes).
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes).
- ALSA: hda/realtek - Enable speaker for HP platform (git-fixes).
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes).
- ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes).
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models (git-fixes).
- ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist (stable-fixes).
- ALSA: hda: intel: Fix Optimus when GPU has no sound (stable-fixes).
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion (bsc#1242044).
- ALSA: usb-audio: Fix CME quirk for UF series keyboards (stable-fixes).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() (git-fixes).
- ASoC: SOF: topology: Use krealloc_array() to replace krealloc() (stable-fixes).
- ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes).
- ASoC: amd: yc: update quirk data for new Lenovo model (stable-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes).
- ASoC: fsl_audmix: register card device depends on 'dais' property (stable-fixes).
- ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes).
- ASoC: qcom: Fix sc7280 lpass potential buffer overflow (git-fixes).
- ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes).
- ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes).
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes).
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence (git-fixes).
- Bluetooth: btrtl: Prevent potential NULL dereference (git-fixes).
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() (git-fixes).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (git-fixes).
- Bluetooth: hci_uart: Fix another race during initialization (git-fixes).
- Bluetooth: hci_uart: fix race during initialization (stable-fixes).
- Bluetooth: l2cap: Check encryption key size on incoming connection (git-fixes).
- Bluetooth: l2cap: Process valid commands in too long frame (stable-fixes).
- Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes).
- HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes).
- HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes).
- Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes).
- Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes).
- OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961)
- PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads (git-fixes).
- PCI: Fix BAR resizing when VF BARs are assigned (git-fixes).
- PCI: Fix reference leak in pci_register_host_bridge() (git-fixes).
- PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes).
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type (stable-fixes).
- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes)
- RDMA/core: Silence oversized kvmalloc() warning (git-fixes)
- RDMA/hns: Fix wrong maximum DMA segment size (git-fixes)
- RDMA/mana_ib: Ensure variable err is initialized (git-fixes).
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes)
- Reapply 'Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6'.
- Require zstd in kernel-default-devel when module compression is zstd
  To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides.
  Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
- Revert 'drivers: core: synchronize really_probe() and dev_uevent()' (stable-fixes).
- Revert 'drm/meson: vclk: fix calculation of 59.94 fractional rates' (git-fixes).
- Revert 'tcp: Fix bind() regression for v6-only wildcard and'.
- Revert 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes).
- Test the correct macro to detect RT kernel build
  Fixes: 470cd1a41502 ('kernel-binary: Support livepatch_rt with merged RT branch')
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) (stable-fixes).
- USB: VLI disk crashes if LPM is used (stable-fixes).
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe (stable-fixes).
- USB: serial: option: add Sierra Wireless EM9291 (stable-fixes).
- USB: serial: simple: add OWON HDS200 series oscilloscope support (stable-fixes).
- USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes).
- USB: wdm: add annotation (git-fixes).
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop (git-fixes).
- USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes).
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context (git-fixes).
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes).
- affs: do not write overlarge OFS data block size fields (git-fixes).
- affs: generate OFS sequence numbers starting at 1 (git-fixes).
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller (stable-fixes).
- arch_topology: Make register_cpu_capacity_sysctl() tolerant to late (bsc#1238052)
- arch_topology: init capacity_freq_ref to 0 (bsc#1238052)
- arm64/amu: Use capacity_ref_freq() to set AMU ratio (bsc#1238052)
- arm64: Do not call NULL in do_compat_alignment_fixup() (git-fixes)
- arm64: Provide an AMU-based version of arch_freq_get_on_cpu (bsc#1238052)
- arm64: Update AMU-based freq scale factor on entering idle (bsc#1238052)
- arm64: Utilize for_each_cpu_wrap for reference lookup (bsc#1238052)
- arm64: amu: Delay allocating cpumask for AMU FIE support (bsc#1238052)
- arm64: mm: Correct the update of max_pfn (git-fixes)
- asus-laptop: Fix an uninitialized variable (git-fixes).
- ata: libata-sata: Save all fields from sense data descriptor (git-fixes).
- ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type (git-fixes).
- ata: libata-scsi: Fix ata_msense_control_ata_feature() (git-fixes).
- ata: libata-scsi: Improve CDL control (git-fixes).
- ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() (git-fixes).
- ata: sata_sx4: Add error handling in pdc20621_i2c_read() (git-fixes).
- auxdisplay: hd44780: Convert to platform remove callback returning void (stable-fixes).
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes).
- badblocks: Fix error shitf ops (git-fixes).
- badblocks: fix merge issue when new badblocks align with pre+1 (git-fixes).
- badblocks: fix missing bad blocks on retry in _badblocks_check() (git-fixes).
- badblocks: fix the using of MAX_BADBLOCKS (git-fixes).
- badblocks: return error directly when setting badblocks exceeds 512 (git-fixes).
- badblocks: return error if any badblock set fails (git-fixes).
- blk-throttle: fix lower bps rate by throtl_trim_slice() (git-fixes).
- block: change blk_mq_add_to_batch() third argument type to bool (git-fixes).
- block: fix 'kmem_cache of name 'bio-108' already exists' (git-fixes).
- block: fix conversion of GPT partition name to 7-bit (git-fixes).
- block: fix resource leak in blk_register_queue() error path (git-fixes).
- block: integrity: Do not call set_page_dirty_lock() (git-fixes).
- block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone (git-fixes).
- bnxt_en: Linearize TX SKB if the fragments exceed the max (git-fixes).
- bnxt_en: Mask the bd_cnt field in the TX BD properly (git-fixes).
- bpf: Add missed var_off setting in coerce_subreg_to_size_sx() (git-fixes).
- bpf: Add missed var_off setting in set_sext32_default_val() (git-fixes).
- bpf: Check size for BTF-based ctx access of pointer members (git-fixes).
- bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes).
- bpf: add find_containing_subprog() utility function (bsc#1241590).
- bpf: avoid holding freeze_mutex during mmap operation (git-fixes).
- bpf: check changes_pkt_data property for extension programs (bsc#1241590).
- bpf: consider that tail calls invalidate packet pointers (bsc#1241590).
- bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs (bsc#1241590).
- bpf: fix potential error return (git-fixes).
- bpf: refactor bpf_helper_changes_pkt_data to use helper number (bsc#1241590).
- bpf: track changes_pkt_data property for global functions (bsc#1241590).
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes).
- btrfs: add and use helper to verify the calling task has locked the inode (bsc#1241204).
- btrfs: always fallback to buffered write if the inode requires checksum (bsc#1242831 bsc#1242710).
- btrfs: fix hole expansion when writing at an offset beyond EOF (bsc#1241151).
- btrfs: fix missing snapshot drew unlock when root is dead during swap activation (bsc#1241204).
- btrfs: fix race with memory mapped writes when activating swap file (bsc#1241204).
- btrfs: fix swap file activation failure due to extents that used to be shared (bsc#1241204).
- cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk (stable-fixes).
- char: misc: register chrdev region with all possible minors (git-fixes).
- cifs: Fix integer overflow while processing actimeo mount option (git-fixes).
- counter: fix privdata alignment (git-fixes).
- counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes).
- counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes).
- cpufreq/cppc: Set the frequency used for computing the capacity (bsc#1238052)
- cpufreq: Allow arch_freq_get_on_cpu to return an error (bsc#1238052)
- cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry (bsc#1238052)
  Keep the feature disabled by default on x86_64
- crypto: atmel-sha204a - Set hwrng quality to lowest possible (git-fixes).
- crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes).
- crypto: ccp - Add support for PCI device 0x1134 (stable-fixes).
- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path (git-fixes).
- dm-bufio: do not schedule in atomic context (git-fixes).
- dm-ebs: fix prefetch-vs-suspend race (git-fixes).
- dm-integrity: set ti->error on memory allocation failure (git-fixes).
- dm-verity: fix prefetch-vs-suspend race (git-fixes).
- dm: add missing unlock on in dm_keyslot_evict() (git-fixes).
- dm: always update the array size in realloc_argv on success (git-fixes).
- dm: fix copying after src array boundaries (git-fixes).
- dmaengine: dmatest: Fix dmatest waiting less when interrupted (stable-fixes).
- drivers: base: devres: Allow to release group on device release (stable-fixes).
- drm/amd/display: Fix gpu reset in multidisplay config (git-fixes).
- drm/amd/display: Force full update in gpu reset (stable-fixes).
- drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes).
- drm/amd/pm/smu11: Prevent division by zero (git-fixes).
- drm/amd/pm: Prevent division by zero (git-fixes).
- drm/amd: Handle being compiled without SI or CIK support better (stable-fixes).
- drm/amd: Keep display off while going into S4 (stable-fixes).
- drm/amdgpu/dma_buf: fix page_link check (git-fixes).
- drm/amdgpu/gfx11: fix num_mec (git-fixes).
- drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() (stable-fixes).
- drm/amdkfd: Fix mode1 reset crash issue (stable-fixes).
- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset (stable-fixes).
- drm/amdkfd: clamp queue size to minimum (stable-fixes).
- drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes).
- drm/bridge: panel: forbid initializing a panel with unknown connector type (stable-fixes).
- drm/dp_mst: Add a helper to queue a topology probe (stable-fixes).
- drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes).
- drm/fdinfo: Protect against driver unbind (git-fixes).
- drm/i915/dg2: wait for HuC load completion before running selftests (stable-fixes).
- drm/i915/gvt: fix unterminated-string-initialization warning (stable-fixes).
- drm/i915/huc: Fix fence not released on early probe errors (git-fixes).
- drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' (git-fixes).
- drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ (stable-fixes).
- drm/i915: Disable RPG during live selftest (git-fixes).
- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off (stable-fixes).
- drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data (stable-fixes).
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (git-fixes).
- drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes).
- drm/sti: remove duplicate object names (git-fixes).
- drm/tests: Add helper to create mock crtc (stable-fixes).
- drm/tests: Add helper to create mock plane (stable-fixes).
- drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled (git-fixes).
- drm/tests: cmdline: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: helpers: Add atomic helpers (stable-fixes).
- drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() (stable-fixes).
- drm/tests: helpers: Create kunit helper to destroy a drm_display_mode (stable-fixes).
- drm/tests: helpers: Fix compiler warning (git-fixes).
- drm/tests: modes: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: probe-helper: Fix drm_display_mode memory leak (git-fixes).
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS (git-fixes).
- drm: allow encoder mode_set even when connectors change for crtc (stable-fixes).
- drm: panel-orientation-quirks: Add new quirk for GPD Win 2 (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for AYA NEO Slide (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) (stable-fixes).
- drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB (stable-fixes).
- drm: panel-orientation-quirks: Add support for AYANEO 2S (stable-fixes).
- e1000e: change k1 configuration on MTP and later platforms (git-fixes).
- eth: bnxt: fix missing ring index trim on error path (git-fixes).
- ethtool: Fix context creation with no parameters (git-fixes).
- ethtool: Fix set RXNFC command with symmetric RSS hash (git-fixes).
- ethtool: Fix wrong mod state in case of verbose and no_mask bitset (git-fixes).
- ethtool: do not propagate EOPNOTSUPP from dumps (git-fixes).
- ethtool: fix setting key and resetting indir at once (git-fixes).
- ethtool: netlink: Add missing ethnl_ops_begin/complete (git-fixes).
- ethtool: netlink: do not return SQI value if link is down (git-fixes).
- ethtool: plca: fix plca enable data type while parsing the value (git-fixes).
- ethtool: rss: echo the context number back (git-fixes).
- exfat: do not fallback to buffered write (git-fixes).
- exfat: drop ->i_size_ondisk (git-fixes).
- exfat: fix soft lockup in exfat_clear_bitmap (git-fixes).
- exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes).
- exfat: short-circuit zero-byte writes in exfat_file_write_iter (git-fixes).
- ext4: add missing brelse() for bh2 in ext4_dx_add_entry() (bsc#1242342).
- ext4: correct encrypted dentry name hash when not casefolded (bsc#1242540).
- ext4: do not over-report free space or inodes in statvfs (bsc#1242345).
- ext4: do not treat fhandle lookup of ea_inode as FS corruption (bsc#1242347).
- ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557).
- ext4: goto right label 'out_mmap_sem' in ext4_setattr() (bsc#1242556).
- ext4: make block validity check resistent to sb bh corruption (bsc#1242348).
- ext4: partial zero eof block on unaligned inode size extension (bsc#1242336).
- ext4: protect ext4_release_dquot against freezing (bsc#1242335).
- ext4: replace the traditional ternary conditional operator with with max()/min() (bsc#1242536).
- ext4: treat end of range as exclusive in ext4_zero_range() (bsc#1242539).
- ext4: unify the type of flexbg_size to unsigned int (bsc#1242538).
- fbdev: omapfb: Add 'plane' value check (stable-fixes).
- firmware: arm_ffa: Skip Rx buffer ownership release if not acquired (git-fixes).
- firmware: arm_scmi: Balance device refcount when destroying devices (git-fixes).
- firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes).
- fs/jfs: Prevent integer overflow in AG size calculation (git-fixes).
- fs/jfs: cast inactags to s64 to prevent potential overflow (git-fixes).
- fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() (bsc#1241250).
- fs: better handle deep ancestor chains in is_subdir() (bsc#1242528).
- fs: consistently deref the files table with rcu_dereference_raw() (bsc#1242535).
- fs: do not allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT (bsc#1242526).
- fs: support relative paths with FSCONFIG_SET_STRING (git-fixes).
- gpio: tegra186: fix resource handling in ACPI probe path (git-fixes).
- gpio: zynq: Fix wakeup source leaks on device unbind (stable-fixes).
- gve: handle overflow when reporting TX consumed descriptors (git-fixes).
- gve: set xdp redirect target only when it is available (git-fixes).
- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key (git-fixes).
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes).
- i2c: cros-ec-tunnel: defer probe if parent EC is not present (git-fixes).
- i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes).
- ice: Add check for devm_kzalloc() (git-fixes).
- ice: fix reservation of resources for RDMA when disabled (git-fixes).
- ice: stop truncating queue ids when checking (git-fixes).
- idpf: check error for register_netdev() on init (git-fixes).
- idpf: fix adapter NULL pointer dereference on reboot (git-fixes).
- igb: reject invalid external timestamp requests for 82580-based HW (git-fixes).
- igc: add lock preventing multiple simultaneous PTM transactions (git-fixes).
- igc: cleanup PTP module if probe fails (git-fixes).
- igc: fix PTM cycle trigger logic (git-fixes).
- igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes).
- igc: increase wait time before retrying PTM (git-fixes).
- igc: move ktime snapshot into PTM retry loop (git-fixes).
- iio: adc: ad7768-1: Fix conversion result sign (git-fixes).
- iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check (stable-fixes).
- iommu: Fix two issues in iommu_copy_struct_from_user() (git-fixes).
- ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr (git-fixes).
- irqchip/davinci: Remove leftover header (git-fixes).
- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (git-fixes).
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir() (bsc#1242307).
- jbd2: add a missing data flush during file and fs synchronization (bsc#1242346).
- jbd2: fix off-by-one while erasing journal (bsc#1242344).
- jbd2: flush filesystem device before updating tail sequence (bsc#1242333).
- jbd2: increase IO priority for writing revoke records (bsc#1242332).
- jbd2: increase the journal IO's priority (bsc#1242537).
- jbd2: remove wrong sb->s_sequence check (bsc#1242343).
- jfs: Fix uninit-value access of imap allocated in the diMount() function (git-fixes).
- jfs: Prevent copying of nlink with value 0 from disk inode (git-fixes).
- jfs: add sanity check for agwidth in dbMount (git-fixes).
- kABI fix for sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- kABI workaround for powercap update (bsc#1241010).
- kernel-binary: Support livepatch_rt with merged RT branch
- kernel-source: Also update the search to match bin/env
  Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env'
- ktest: Fix Test Failures Due to Missing LOG_FILE Directories (stable-fixes).
- kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes).
- lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes).
- libperf cpumap: Be tolerant of newline at the end of a cpumask (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Ensure empty cpumap is NULL from alloc (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Grow array of read CPUs in smaller increments (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Hide/reduce scope of MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__default_new() to perf_cpu_map__new_online_cpus() and prefer sysfs (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__dummy_new() to perf_cpu_map__new_any_cpu() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__empty() to perf_cpu_map__has_any_cpu_or_is_empty() (bsc#1234698 jsc#PED-12309).
- loop: LOOP_SET_FD: send uevents for partitions (git-fixes).
- loop: properly send KOBJ_CHANGED uevent for disk device (git-fixes).
- loop: stop using vfs_iter_{read,write} for buffered I/O (git-fixes).
- md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb (bsc#1238212)
- media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes).
- mei: me: add panther lake H DID (stable-fixes).
- misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration (git-fixes).
- misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack (git-fixes).
- mm/readahead: fix large folio support in async readahead (bsc#1242321).
- mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT (bsc#1242326).
- mm: fix filemap_get_folios_contig returning batches of identical folios (bsc#1242327).
- mm: fix oops when filemap_map_pmd() without prealloc_pte (bsc#1242546).
- mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves (stable-fixes).
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe (git-fixes).
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes).
- mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN (git-fixes).
- mptcp: refine opt_mp_capable determination (git-fixes).
- mptcp: relax check on MPC passive fallback (git-fixes).
- mptcp: strict validation before using mp_opt->hmac (git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() (git-fixes).
- mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes).
- mtd: rawnand: Add status chack in r852_ready() (git-fixes).
- net/mlx5: Fill out devlink dev info only for PFs (git-fixes).
- net/mlx5: IRQ, Fix null string in debug print (git-fixes).
- net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch (git-fixes).
- net/mlx5: Start health poll after enable hca (git-fixes).
- net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context (git-fixes).
- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices (git-fixes).
- net/mlx5e: SHAMPO, Make reserved size independent of page size (git-fixes).
- net/tcp: refactor tcp_inet6_sk() (git-fixes).
- net: annotate data-races around sk->sk_dst_pending_confirm (git-fixes).
- net: annotate data-races around sk->sk_tx_queue_mapping (git-fixes).
- net: blackhole_dev: fix build warning for ethh set but not used (git-fixes).
- net: ethtool: Do not call .cleanup_data when prepare_data fails (git-fixes).
- net: ethtool: Fix RSS setting (git-fixes).
- net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes).
- net: mana: Switch to page pool for jumbo frames (git-fixes).
- net: mark racy access on sk->sk_rcvbuf (git-fixes).
- net: phy: leds: fix memory leak (git-fixes).
- net: phy: microchip: force IRQ polling mode for lan88xx (git-fixes).
- net: sctp: fix skb leak in sctp_inq_free() (git-fixes).
- net: set SOCK_RCU_FREE before inserting socket into hashtable (git-fixes).
- net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes).
- net_sched: drr: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: ets: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (git-fixes).
- net_sched: qfq: Fix double list add in class with netem as child qdisc (git-fixes).
- netpoll: Use rcu_access_pointer() in netpoll_poll_lock (git-fixes).
- nfs: add missing selections of CONFIG_CRC32 (git-fixes).
- nfs: clear SB_RDONLY before getting superblock (bsc#1238565).
- nfs: ignore SB_RDONLY when remounting nfs (bsc#1238565).
- nfsd: decrease sc_count directly if fail to queue dl_recall (git-fixes).
- nfsd: put dl_stid if fail to queue dl_recall (git-fixes).
- ntb: Force physically contiguous allocation of rx ring buffers (git-fixes).
- ntb: intel: Fix using link status DB's (git-fixes).
- ntb: reduce stack usage in idt_scan_mws (stable-fixes).
- ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes).
- ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes).
- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes).
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes).
- ntb_perf: Fix printk format (git-fixes).
- nvme-pci: clean up CMBMSC when registering CMB fails (git-fixes).
- nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes).
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA (git-fixes).
- nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes).
- nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes).
- nvme/ioctl: do not warn on vectorized uring_cmd with fixed buffer (git-fixes).
- nvmet-fcloop: swap list_add_tail arguments (git-fixes).
- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes).
- objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes).
- objtool: Fix segfault in ignore_unreachable_insn() (git-fixes).
- perf cpumap: Reduce transitive dependencies on libperf MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- perf pmu: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- perf tools: annotate asm_pure_loop.S (bsc#1239906).
- perf: Increase MAX_NR_CPUS to 4096 (bsc#1234698 jsc#PED-12309).
- perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172)
- perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172)
- perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172)
- perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172)
- phy: freescale: imx8m-pcie: assert phy reset and perst in power off (git-fixes).
- pinctrl: renesas: rza2: Fix potential NULL pointer dereference (stable-fixes).
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug (git-fixes).
- platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes).
- platform/x86: ISST: Correct command storage data length (git-fixes).
- platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes).
- pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes).
- powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes).
- powercap: intel_rapl: Introduce APIs for PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes).
- powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes).
- powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes).
- powerpc/boot: Check for ld-option support (bsc#1215199).
- powerpc/boot: Fix dash warning (bsc#1215199).
- powerpc: Do not use --- in kernel logs (git-fixes).
- pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes).
- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() (git-fixes).
- pwm: rcar: Improve register calculation (git-fixes).
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
- rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE
  We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit: e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
- rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML
  This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64.
- rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
- rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038).
  OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there. This is also needed for udev & systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659)
- rpm/kernel-binary.spec.in: revert the revert change with OrderWithRequires
  The recent change using OrderWithRequires addresses the known issues, but also caused regressions for the existing image or package builds. For SLE15-SPx, better to be conservative and stick with the older way.
- rpm/package-descriptions: Add rt and rt_debug descriptions
- rtc: pcf85063: do a SW reset if POR failed (stable-fixes).
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013).
- s390/cio: Fix CHPID 'configure' attribute caching (git-fixes bsc#1240979).
- s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978).
- sched/topology: Add a new arch_scale_freq_ref() method (bsc#1238052)
- scsi: core: Use GFP_NOIO to avoid circular locking dependency (git-fixes).
- scsi: hisi_sas: Enable force phy when SATA disk directly connected (git-fixes).
- scsi: iscsi: Fix missing scsi_host_put() in error path (git-fixes).
- scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag (git-fixes).
- scsi: mpi3mr: Fix locking in an error path (git-fixes).
- scsi: mpt3sas: Fix a locking bug in an error path (git-fixes).
- scsi: mpt3sas: Reduce log level of ignore_delay_remove message to KERN_INFO (git-fixes).
- scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes).
- sctp: Fix undefined behavior in left shift operation (git-fixes).
- sctp: add mutual exclusion in proc_sctp_do_udp_port() (git-fixes).
- sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start (git-fixes).
- sctp: fix association labeling in the duplicate COOKIE-ECHO case (git-fixes).
- sctp: fix busy polling (git-fixes).
- sctp: prefer struct_size over open coded arithmetic (git-fixes).
- sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes).
- security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375).
- selftests/bpf: Add a few tests to cover (git-fixes).
- selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes).
- selftests/bpf: extend changes_pkt_data with cases w/o subprograms (bsc#1241590).
- selftests/bpf: freplace tests for tracking of changes_packet_data (bsc#1241590).
- selftests/bpf: test for changing packet data from global functions (bsc#1241590).
- selftests/bpf: validate that tail call invalidates packet pointers (bsc#1241590).
- selftests/futex: futex_waitv wouldblock test should fail (git-fixes).
- selftests/mm: generate a temporary mountpoint for cgroup filesystem (git-fixes).
- selinux: Implement mptcp_add_subflow hook (bsc#1240375).
- serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes).
- serial: msm: Configure correct working mode before starting earlycon (git-fixes).
- serial: sifive: lock port in startup()/shutdown() callbacks (git-fixes).
- smb: client: fix folio leaks and perf improvements (bsc#1239997, bsc#1241265).
- smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616).
- sound/virtio: Fix cancel_sync warnings on uninitialized work_structs (stable-fixes).
- spi: tegra114: Do not fail set_cs_timing when delays are zero (git-fixes).
- spi: tegra210-quad: add rate limiting and simplify timeout error message (stable-fixes).
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts (stable-fixes).
- splice: remove duplicate noinline from pipe_clear_nowait (bsc#1242328).
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes).
- string: Add load_unaligned_zeropad() code path to sized_strscpy() (git-fixes).
- tcp: fix mptcp DSS corruption due to large pmtu xmit (git-fixes).
- thunderbolt: Scan retimers after device router has been enumerated (stable-fixes).
- tools/hv: update route parsing in kvp daemon (git-fixes).
- tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192 (bsc#1241175).
- tools/power turbostat: report CoreThr per measurement interval (git-fixes).
- topology: Set capacity_freq_ref in all cases (bsc#1238052)
- tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- tpm_tis: Move CRC check to generic send routine (bsc#1235870).
- tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870).
- tty: n_tty: use uint for space returned by tty_write_room() (git-fixes).
- tty: serial: 8250: Add Brainboxes XC devices (stable-fixes).
- tty: serial: 8250: Add some more device IDs (stable-fixes).
- tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes).
- tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes).
- ublk: set_params: properly check if parameters can be applied (git-fixes).
- ucsi_ccg: Do not show failed to get FW build information error (git-fixes).
- udf: Fix inode_getblk() return value (bsc#1242313).
- udf: Skip parent dir link count update if corrupted (bsc#1242315).
- udf: Verify inode link counts before performing rename (bsc#1242314).
- usb: cdns3: Fix deadlock when using NCM gadget (git-fixes).
- usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines (git-fixes).
- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (git-fixes).
- usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes).
- usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield (stable-fixes).
- usb: dwc3: gadget: Refactor loop to avoid NULL endpoints (stable-fixes).
- usb: dwc3: gadget: check that event count does not exceed event buffer length (git-fixes).
- usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes).
- usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() (stable-fixes).
- usb: host: max3421-hcd: Add missing spi_device_id table (stable-fixes).
- usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func (stable-fixes).
- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive (stable-fixes).
- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive (stable-fixes).
- usb: xhci: correct debug message page size calculation (git-fixes).
- usbnet:fix NPE during rx_complete (git-fixes).
- vdpa/mlx5: Fix oversized null mkey longer than 32bit (git-fixes).
- vfs: do not mod negative dentry count when on shrinker list (bsc#1242534).
- virtchnl: make proto and filter action count unsigned (git-fixes).
- vmxnet3: Fix tx queue race condition with XDP (bsc#1241394).
- vmxnet3: unregister xdp rxq info in the reset path (bsc#1241394).
- wifi: at76c50x: fix use after free access in at76_disconnect (git-fixes).
- wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes).
- wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi (stable-fixes).
- wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process (stable-fixes).
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (git-fixes).
- wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes).
- wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes).
- wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes).
- wifi: mac80211: Purge vif txq in ieee80211_do_stop() (git-fixes).
- wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (git-fixes).
- wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes).
- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table (stable-fixes).
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release (git-fixes).
- wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).
- x86/bugs: Add RSB mitigation document (git-fixes).
- x86/bugs: Do not fill RSB on VMEXIT with eIBRS+retpoline (git-fixes).
- x86/bugs: Do not fill RSB on context switch with eIBRS (git-fixes).
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes).
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment (git-fixes).
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- x86/hyperv: Fix check of return value from snp_set_vmsa() (git-fixes).
- x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes).
- x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes).
- x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes).
- x86/microcode/AMD: Split load_microcode_amd() (git-fixes).
- x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (git-fixes).
- x86/microcode/intel: Set new revision only after a successful update (git-fixes).
- x86/microcode: Remove the driver announcement and version (git-fixes).
- x86/microcode: Rework early revisions reporting (git-fixes).
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- x86/uaccess: Improve performance by aligning writes to 8 bytes in copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes).
- xfs: flush inodegc before swapon (git-fixes).
- xhci: Fix null pointer dereference during S4 resume when resetting ep0 (bsc#1235550).
- xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (bsc#1235550).
- xhci: fix possible null pointer deref during xhci urb enqueue (bsc#1235550).
- zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING (bsc#1241167).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1615-1
Released: Wed May 21 11:53:06 2025
Summary: Security update for grub2
Type: security
Severity: moderate
References: 1235958,1235971,1239651,1242971,CVE-2025-4382

This update for grub2 rebuilds the existing package with the new 4k RSA secure boot key for IBM Power and Z.

Note: the signing key of the x86 / x86_64 and aarch64 architectures is unchanged.

Also the following issues were fixed:

- CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971)
- Fix segmentation fault error in grub2-probe with target=hints_string (bsc#1235971) (bsc#1235958) (bsc#1239651)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1638-1
Released: Wed May 21 12:48:35 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1236826,1239671,1241012,CVE-2025-32728

This update for openssh fixes the following issue:

Security fixes:

- CVE-2025-32728: Fixed logic error in DisableForwarding option (bsc#1241012)

Other fixes:

- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1
- Enable --with-logind to call the SetTTY dbus method in systemd. This allows 'wall' to print messages in ssh ttys (bsc#1239671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1648-1
Released: Wed May 21 22:43:46 2025
Summary: Recommended update for kbd
Type: recommended
Severity: moderate
References: 1237230

This update for kbd fixes the following issues:

- Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1689-1
Released: Fri May 23 12:46:42 2025
Summary: Recommended update for hwinfo
Type: recommended
Severity: moderate
References: 1240648

This update for hwinfo fixes the following issues:

- Version update v21.88
- Fix network card detection on aarch64 (bsc#1240648).

----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1703-1 Released: Sun May 25 23:42:28 2025 Summary: Security update for xen Type: security Severity: moderate References: 1027519,1242490,1243117,CVE-2024-28956 This update for xen fixes the following issues: Update to Xen 4.18.5: Security fixes: - CVE-2024-28956: Fixed Intel CPU Indirect Target Selection (ITS) (bsc#1243117) Other fixes: - Fixed boot failing with XEN kernel on DL580 Gen12 (bsc#1242490) - Added missing upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1721-1 Released: Tue May 27 17:59:31 2025 Summary: Recommended update for hwdata Type: recommended Severity: moderate References: This update for hwdata fixes the following issue: - Version update 0.394: * Update pci, usb and vendor ids * Fix usb.ids encoding and a couple of typos * Fix configure to honor --prefix ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended 
update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1776-1 Released: Fri May 30 15:02:52 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1242300,CVE-2025-47268 This update for iputils fixes the following issues: - CVE-2025-47268: Fixed integer overflow in RTT calculation can lead to undefined behavior (bsc#1242300) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1836-1 Released: Mon Jun 9 16:11:28 2025 Summary: Recommended update for cloud-netconfig Type: recommended Severity: important References: 1240869 This update for cloud-netconfig fixes the following issues: - Add support for creating IPv6 default route in GCE (bsc#1240869) - Minor fix when looking up IPv6 default route The following package changes have been done: - cloud-netconfig-azure-1.15-150000.25.26.1 added - curl-8.6.0-150600.4.21.1 added - glibc-locale-base-2.38-150600.14.32.1 updated - glibc-locale-2.38-150600.14.32.1 updated - glibc-2.38-150600.14.32.1 updated - grub2-i386-pc-2.12-150600.8.27.1 updated - grub2-x86_64-efi-2.12-150600.8.27.1 updated - grub2-2.12-150600.8.27.1 updated - hwdata-0.394-150000.3.77.2 updated - hwinfo-21.88-150500.3.9.2 updated - iputils-20221126-150500.3.11.1 updated - kbd-legacy-2.4.0-150400.5.9.1 updated - kbd-2.4.0-150400.5.9.1 updated - kernel-default-6.4.0-150600.23.50.1 updated - 
krb5-1.20.1-150600.11.11.2 updated - libncurses6-6.1-150000.5.30.1 updated - librdkafka1-0.11.6-150600.16.3.1 updated - libsystemd0-254.24-150600.4.33.1 updated - libudev1-254.24-150600.4.33.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - openssh-clients-9.6p1-150600.6.26.1 updated - openssh-common-9.6p1-150600.6.26.1 updated - openssh-server-9.6p1-150600.6.26.1 updated - openssh-9.6p1-150600.6.26.1 updated - python3-setuptools-44.1.1-150400.9.12.1 updated - systemd-254.24-150600.4.33.1 updated - terminfo-base-6.1-150000.5.30.1 updated - terminfo-6.1-150000.5.30.1 updated - udev-254.24-150600.4.33.1 updated - xen-libs-4.18.5_02-150600.3.23.1 updated From sle-container-updates at lists.suse.com Mon Jun 16 07:02:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 16 Jun 2025 09:02:43 +0200 (CEST) Subject: SUSE-IU-2025:1572-1: Security update of suse-sles-15-sp6-chost-byos-v20250611-hvm-ssd-x86_64 Message-ID: <20250616070243.733A8FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse-sles-15-sp6-chost-byos-v20250611-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1572-1 Image Tags : suse-sles-15-sp6-chost-byos-v20250611-hvm-ssd-x86_64:20250611 Image Release : Severity : important Type : security References : 1027519 1095485 1112822 1118783 1122013 1123008 1135257 1135263 1135592 1144282 1157117 1157190 1159460 1162705 1162707 1178486 1179031 1179032 1187939 1199853 1204549 1214715 1215199 1218069 1219007 1219454 1220718 1221202 1221757 1223809 1224013 1224597 1224757 1228659 1230764 1231103 1231910 1232493 1233075 1233098 1234074 1234157 1234698 1235501 1235526 1235550 1235870 1235958 1235971 1236086 1236177 1236704 1236826 1237111 1237230 1237496 1237874 1237882 1238052 1238212 1238471 1238527 1238565 1238714 1238737 1238742 1238745 1238746 1238862 1238961 1238970 1238983 1238990 1239066 1239079 1239108 1239470 1239475 1239476 1239487 
1239510 1239651 1239671 1239684 1239906 1239925 1239997 1240167 1240168 1240171 1240176 1240181 1240184 1240185 1240375 1240557 1240575 1240576 1240581 1240582 1240583 1240584 1240585 1240587 1240590 1240591 1240592 1240594 1240595 1240596 1240600 1240612 1240616 1240639 1240643 1240647 1240648 1240655 1240691 1240700 1240701 1240703 1240708 1240709 1240712 1240713 1240714 1240715 1240716 1240717 1240718 1240719 1240720 1240722 1240727 1240739 1240740 1240742 1240779 1240783 1240784 1240785 1240795 1240796 1240797 1240799 1240801 1240802 1240806 1240808 1240809 1240811 1240812 1240813 1240815 1240816 1240819 1240821 1240825 1240829 1240835 1240869 1240873 1240934 1240936 1240937 1240938 1240940 1240942 1240943 1240944 1240978 1240979 1241010 1241012 1241038 1241051 1241123 1241151 1241167 1241175 1241204 1241250 1241265 1241266 1241280 1241332 1241333 1241341 1241343 1241344 1241347 1241357 1241361 1241369 1241371 1241373 1241378 1241394 1241402 1241412 1241413 1241416 1241424 1241426 1241433 1241436 1241441 1241442 1241443 1241451 1241452 1241456 1241458 1241459 1241526 1241528 1241537 1241541 1241545 1241547 1241548 1241550 1241573 1241574 1241575 1241578 1241590 1241593 1241598 1241599 1241601 1241626 1241640 1241648 1242006 1242044 1242060 1242172 1242283 1242300 1242307 1242313 1242314 1242315 1242321 1242326 1242327 1242328 1242332 1242333 1242335 1242336 1242342 1242343 1242344 1242345 1242346 1242347 1242348 1242414 1242490 1242526 1242528 1242534 1242535 1242536 1242537 1242538 1242539 1242540 1242546 1242556 1242596 1242710 1242778 1242831 1242842 1242938 1242971 1242985 1243117 1243259 1243313 1243317 CVE-2023-53034 CVE-2024-27018 CVE-2024-27415 CVE-2024-28956 CVE-2024-28956 CVE-2024-35840 CVE-2024-46763 CVE-2024-46865 CVE-2024-50038 CVE-2024-50083 CVE-2024-50162 CVE-2024-50163 CVE-2024-53124 CVE-2024-53139 CVE-2024-56641 CVE-2024-56702 CVE-2024-57924 CVE-2024-57998 CVE-2024-58001 CVE-2024-58018 CVE-2024-58068 CVE-2024-58070 CVE-2024-58071 CVE-2024-58088 
CVE-2024-58093 CVE-2024-58094 CVE-2024-58095 CVE-2024-58096 CVE-2024-58097 CVE-2025-21683 CVE-2025-21696 CVE-2025-21707 CVE-2025-21729 CVE-2025-21755 CVE-2025-21758 CVE-2025-21768 CVE-2025-21792 CVE-2025-21806 CVE-2025-21808 CVE-2025-21812 CVE-2025-21833 CVE-2025-21836 CVE-2025-21852 CVE-2025-21853 CVE-2025-21854 CVE-2025-21863 CVE-2025-21867 CVE-2025-21873 CVE-2025-21875 CVE-2025-21881 CVE-2025-21884 CVE-2025-21887 CVE-2025-21889 CVE-2025-21894 CVE-2025-21895 CVE-2025-21904 CVE-2025-21905 CVE-2025-21906 CVE-2025-21908 CVE-2025-21909 CVE-2025-21910 CVE-2025-21912 CVE-2025-21913 CVE-2025-21914 CVE-2025-21915 CVE-2025-21916 CVE-2025-21917 CVE-2025-21918 CVE-2025-21922 CVE-2025-21923 CVE-2025-21924 CVE-2025-21925 CVE-2025-21926 CVE-2025-21927 CVE-2025-21928 CVE-2025-21930 CVE-2025-21931 CVE-2025-21934 CVE-2025-21935 CVE-2025-21936 CVE-2025-21937 CVE-2025-21941 CVE-2025-21943 CVE-2025-21948 CVE-2025-21950 CVE-2025-21951 CVE-2025-21953 CVE-2025-21956 CVE-2025-21957 CVE-2025-21960 CVE-2025-21961 CVE-2025-21962 CVE-2025-21963 CVE-2025-21964 CVE-2025-21966 CVE-2025-21968 CVE-2025-21969 CVE-2025-21970 CVE-2025-21971 CVE-2025-21972 CVE-2025-21975 CVE-2025-21978 CVE-2025-21979 CVE-2025-21980 CVE-2025-21981 CVE-2025-21985 CVE-2025-21991 CVE-2025-21992 CVE-2025-21993 CVE-2025-21995 CVE-2025-21996 CVE-2025-21999 CVE-2025-22001 CVE-2025-22003 CVE-2025-22004 CVE-2025-22007 CVE-2025-22008 CVE-2025-22009 CVE-2025-22010 CVE-2025-22013 CVE-2025-22014 CVE-2025-22015 CVE-2025-22016 CVE-2025-22017 CVE-2025-22018 CVE-2025-22020 CVE-2025-22025 CVE-2025-22027 CVE-2025-22029 CVE-2025-22033 CVE-2025-22036 CVE-2025-22044 CVE-2025-22045 CVE-2025-22050 CVE-2025-22053 CVE-2025-22055 CVE-2025-22058 CVE-2025-22060 CVE-2025-22062 CVE-2025-22064 CVE-2025-22065 CVE-2025-22075 CVE-2025-22080 CVE-2025-22086 CVE-2025-22088 CVE-2025-22090 CVE-2025-22093 CVE-2025-22097 CVE-2025-22102 CVE-2025-22104 CVE-2025-22105 CVE-2025-22106 CVE-2025-22107 CVE-2025-22108 CVE-2025-22109 CVE-2025-22115 CVE-2025-22116 
CVE-2025-22121 CVE-2025-22128 CVE-2025-2312 CVE-2025-23129 CVE-2025-23131 CVE-2025-23133 CVE-2025-23136 CVE-2025-23138 CVE-2025-23145 CVE-2025-32728 CVE-2025-37785 CVE-2025-37798 CVE-2025-37799 CVE-2025-37860 CVE-2025-39728 CVE-2025-4382 CVE-2025-47268 CVE-2025-47273 CVE-2025-4802
-----------------------------------------------------------------

The container suse-sles-15-sp6-chost-byos-v20250611-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1335-1
Released: Tue Jul 17 10:13:39 2018
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1095485

This update for cloud-netconfig fixes the following issues:

- Make interface names in Azure persistent. (bsc#1095485)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:529-1
Released: Fri Mar 1 13:46:51 2019
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1112822,1118783,1122013,1123008

This update for cloud-netconfig provides the following fixes:

- Run cloud-netconfig periodically. (bsc#1118783, bsc#1122013)
- Do not treat eth0 special with regard to routing policies. (bsc#1123008)
- Reduce the timeout on metadata read. (bsc#1112822)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1560-1
Released: Wed Jun 19 08:57:17 2019
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1135257,1135263

This update for cloud-netconfig fixes the following issues:

- cloud-netconfig will now pause and retry if API call throttling is detected in Azure (bsc#1135257, bsc#1135263)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:31-1
Released: Mon Feb 24 10:36:36 2020
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1135592,1144282,1157117,1157190

This update for cloud-netconfig contains the following fixes:

- Removed obsolete Group tag from spec file.
- Update to version 1.3:
  + Fix IPv4 address handling on secondary NICs in Azure.
- Update to version 1.2:
  + support AWS IMDSv2 token.
- Update to version 1.1:
  + fix use of GATEWAY variable. (bsc#1157117, bsc#1157190)
  + remove secondary IPv4 address only when added by cloud-netconfig. (bsc#1144282)
  + simplify routing setup for single NIC systems (partly fixes bsc#1135592)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:637-1
Released: Wed Mar 11 11:29:56 2020
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1162705,1162707

This update for cloud-netconfig fixes the following issues:

- Copy routes from the default routing table. (bsc#1162705, bsc#1162707)
  On multi-NIC systems, cloud-netconfig creates separate routing tables with different default routes, so packets get routed via the network interfaces associated with the source IP address. Systems may have additional routing in place and in that case cloud-netconfig's NIC specific routing may bypass those routes.
- Make the key CLOUD_NETCONFIG_MANAGE enabled by default.
  Any network interface that has been configured automatically via cloud-netconfig has a configuration file associated. If the value is set to 'NO' (or the pair is removed altogether), cloud-netconfig will not handle secondary IPv4 addresses and routing policies for the associated network interface.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3619-1
Released: Tue Dec 15 13:41:16 2020
Summary: Recommended update for cloud-netconfig, google-guest-agent
Type: recommended
Severity: moderate
References: 1159460,1178486,1179031,1179032

This update for cloud-netconfig, google-guest-agent fixes the following issues:

cloud-netconfig:

- Update to version 1.5:
  + Add support for GCE (bsc#1159460, bsc#1178486, jsc#ECO-2800)
  + Improve default gateway determination

google-guest-agent:

- Update to version 20201026.00
  * remove old unused workflow files
  * fallback to IP for metadata
  * getPasswd: Check full prefix of line for username
- dont_overwrite_ifcfg.patch: Do not overwrite existing ifcfg files to allow manual configuration and compatibility with cloud-netconfig. (bsc#1159460, bsc#1178486)
- Update to version 20200929.00
  * correct varname
  * don't call dhclient -x on network setup
  * add instance id dir override
  * update agent systemd service file
  * typo, change to noadjfile
  * add gaohannk to OWNERS
  * remove illfelder from OWNERS
  * Add all license files to packages

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:167-1
Released: Mon Jan 24 18:16:24 2022
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1187939

This update for cloud-netconfig fixes the following issues:

- Update to version 1.6:
  + Ignore proxy when accessing metadata (bsc#1187939)
  + Print warning in case metadata is not accessible
  + Documentation update

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:658-1
Released: Wed Mar 8 10:51:10 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1199853,1204549

This update for cloud-netconfig fixes the following issues:

- Update to version 1.7:
  + Overhaul policy routing setup
  + Support alias IPv4 ranges
  + Add support for NetworkManager (bsc#1204549)
  + Remove dependency on netconfig
  + Install into libexec directory
  + Clear stale ifcfg files for accelerated NICs (bsc#1199853)
  + More debug messages
  + Documentation update
- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in Tumbleweed, update path

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3637-1
Released: Mon Sep 18 13:02:23 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1214715

This update for cloud-netconfig fixes the following issues:

- Update to version 1.8:
- Fix Automatic Addition of Secondary IP Addresses in Azure Using cloud-netconfig. (bsc#1214715)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:630-1
Released: Tue Feb 27 09:14:49 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1218069,1219007

This update for cloud-netconfig fixes the following issues:

- Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007)
- Drop package dependency on sysconfig-netconfig
- Improve log level handling
- Support IPv6 IMDS endpoint in EC2 (bsc#1218069)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:781-1
Released: Wed Mar 6 15:05:13 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1219454,1220718

This update for cloud-netconfig fixes the following issues:

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d parent directory
- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metadata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:869-1
Released: Wed Mar 13 10:48:51 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1221202

This update for cloud-netconfig fixes the following issues:

- Update to version 1.12 (bsc#1221202)
  * If token access succeeds using IPv4, do not use the IPv6 endpoint; only use the IPv6 IMDS endpoint if IPv4 access fails.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1085-1
Released: Tue Apr 2 11:24:09 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1221757

This update for cloud-netconfig fixes the following issues:

- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1606-1
Released: Tue May 20 15:53:14 2025
Summary: Recommended update for librdkafka
Type: recommended
Severity: moderate
References: 1242842

This update for librdkafka fixes the following issues:

- Avoid endless loops under certain circumstances (bsc#1242842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1614-1
Released: Wed May 21 11:52:34 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1215199,1223809,1224013,1224597,1224757,1228659,1230764,1231103,1231910,1232493,1233075,1233098,1234074,1234157,1234698,1235501,1235526,1235550,1235870,1236086,1236704,1237111,1237874,1237882,1238052,1238212,1238471,1238527,1238565,1238714,1238737,1238742,1238745,1238746,1238862,1238961,1238970,1238983,1238990,1239066,1239079,1239108,1239470,1239475,1239476,1239487,1239510,1239684,1239906,1239925,1239997,1240167,1240168,1240171,1240176,1240181,1240184,1240185,1240375,1240557,1240575,1240576,1240581,1240582,1240583,1240584,1240585,1240587,1240590,1240591,1240592,1240594,1240595,1240596,1240600,1240612,1240616,1240639,1240643,1240647,1240655,1240691,1240700,1240701,1240703,1240708,1240709,1240712,1240713,1240714,1240715,1240716,1240717,1240718,1240719,1240720,1240722,1240727,1240739,1240740,1240742,1240779,1240783,1240784,1240785,1240795,1240796,1240797,1240799,1240801,1240802,1240806,1240808,1240809,1240811,1240812,1240813,1240815,1240816,1240819,1240821,1240825,1240829,1240835,1240873,1240934,1240936,1240937,1240938,1240940,1240942,1240943,1240944,1240978,1240979,1241010,1241038,1241051,1241123,1241151,1241167,1241175,1241204,1241250,1241265,1241266,1241280,1241332,1241333,1241341,1241343,1241344,1241347,1241357,1241361,1241369,1241371,1241373,1241378,1241394,1241402,1241412,1241413,1241416,1241424,1241426,1241433,1241436,1241441,1241442,1241443,1241451,1241452,1241456,1241458,1241459,1241526,1241528,1241537,1241541,1241545,1241547,1241548,1241550,1241573,1241574,1241575,1241578,1241590,1241593,1241598,1241599,1241601,1241626,1241640,1241648,1242006,1242044,1242172,1242283,1242307,1242313,1242314,1242315,1242321,1242326,1242327,1242328,1242332,1242333,1242335,1242336,1242342,1242343,1242344,1242345,1242346,1242347,1242348,1242414,1242526,1242528,1242534,1242535,1242536,1242537,1242538,1242539,1242540,1242546,1242556,1242596,1242710,1242778,1242831,1242985,CVE-2023-53034,CVE-2024-27018,CVE-2024-27415,CVE-2024-28956,CVE-2024-35840,CVE-2024-46763,CVE-2024-46865,CVE-2024-50038,CVE-2024-50083,CVE-2024-50162,CVE-2024-50163,CVE-2024-53124,CVE-2024-53139,CVE-2024-56641,CVE-2024-56702,CVE-2024-57924,CVE-2024-57998,CVE-2024-58001,CVE-2024-58018,CVE-2024-58068,CVE-2024-58070,CVE-2024-58071,CVE-2024-58088,CVE-2024-58093,CVE-2024-58094,CVE-2024-58095,CVE-2024-58096,CVE-2024-58097,CVE-2025-21683,CVE-2025-21696,CVE-2025-21707,CVE-2025-21729,CVE-2025-21755,CVE-2025-21758,CVE-2025-21768,CVE-2025-21792,CVE-2025-21806,CVE-2025-21808,CVE-2025-21812,CVE-2025-21833,CVE-2025-21836,CVE-2025-21852,CVE-2025-21853,CVE-2025-21854,CVE-2025-21863,CVE-2025-21867,CVE-2025-21873,CVE-2025-21875,CVE-2025-21881,CVE-2025-21884,CVE-2025-21887,CVE-2025-21889,CVE-2025-21894,CVE-2025-21895,CVE-2025-21904,CVE-2025-21905,CVE-2025-21906,CVE-2025-21908,CVE-2025-21909,CVE-2025-21910,CVE-2025-21912,CVE-2025-21913,CVE-2025-21914,CVE-2025-21915,CVE-2025-21916,CVE-2025-21917,CVE-2025-21918,CVE-2025-21922,CVE-2025-21923,CVE-2025-21924,CVE-2025-21925,CVE-2025-21926,CVE-2025-21927,CVE-2025-21928,CVE-2025-21930,CVE-2025-21931,CVE-2025-21934,CVE-2025-21935,CVE-2025-21936,CVE-2025-21937,CVE-2025-21941,CVE-2025-21943,CVE-2025-21948,CVE-2025-21950,CVE-2025-21951,CVE-2025-21953,CVE-2025-21956,CVE-2025-21957,CVE-2025-21960,CVE-2025-21961,CVE-2025-21962,CVE-2025-21963,CVE-2025-21964,CVE-2025-21966,CVE-2025-21968,CVE-2025-21969,CVE-2025-21970,CVE-2025-21971,CVE-2025-21972,CVE-2025-21975,CVE-2025-21978,CVE-2025-21979,CVE-2025-21980,CVE-2025-21981,CVE-2025-21985,CVE-2025-21991,CVE-2025-21992,CVE-2025-21993,CVE-2025-21995,CVE-2025-21996,CVE-2025-21999,CVE-2025-22001,CVE-2025-22003,CVE-2025-22004,CVE-2025-22007,CVE-2025-22008,CVE-2025-22009,CVE-2025-22010,CVE-2025-22013,CVE-2025-22014,CVE-2025-22015,CVE-2025-22016,CVE-2025-22017,CVE-2025-22018,CVE-2025-22020,CVE-2025-22025,CVE-2025-22027,CVE-2025-22029,CVE-2025-22033,CVE-2025-22036,CVE-2025-22044,CVE-2025-22045,CVE-2025-22050,CVE-2025-22053,CVE-2025-22055,CVE-2025-22058,CVE-2025-22060,CVE-2025-22062,CVE-2025-22064,CVE-2025-22065,CVE-2025-22075,CVE-2025-22080,CVE-2025-22086,CVE-2025-22088,CVE-2025-22090,CVE-2025-22093,CVE-2025-22097,CVE-2025-22102,CVE-2025-22104,CVE-2025-22105,CVE-2025-22106,CVE-2025-22107,CVE-2025-22108,CVE-2025-22109,CVE-2025-22115,CVE-2025-22116,CVE-2025-22121,CVE-2025-22128,CVE-2025-2312,CVE-2025-23129,CVE-2025-23131,CVE-2025-23133,CVE-2025-23136,CVE-2025-23138,CVE-2025-23145,CVE-2025-37785,CVE-2025-37798,CVE-2025-37799,CVE-2025-37860,CVE-2025-39728

The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006).
- CVE-2024-35840: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() (bsc#1224597).
- CVE-2024-50038: netfilter: xtables: fix typo causing some targets not to load on IPv6 (bsc#1231910).
- CVE-2024-50162: bpf: selftests: send packet to devmap redirect XDP (bsc#1233075).
- CVE-2024-50163: bpf: Make sure internal and UAPI bpf_redirect flags do not overlap (bsc#1233098). - CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc (bsc#1234074). - CVE-2024-53139: sctp: fix possible UAF in sctp_v6_available() (bsc#1234157). - CVE-2024-57924: fs: relax assertions on failure to encode file handles (bsc#1236086). - CVE-2024-58018: nvkm: correctly calculate the available space of the GSP cmdq buffer (bsc#1238990). - CVE-2024-58068: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (bsc#1238961). - CVE-2024-58070: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (bsc#1238983). - CVE-2024-58071: team: prevent adding a device which is already a team device lower (bsc#1238970). - CVE-2024-58088: bpf: Fix deadlock when freeing cgroup storage (bsc#1239510). - CVE-2025-21683: bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704). - CVE-2025-21696: mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111). - CVE-2025-21707: mptcp: consolidate suboption status (bsc#1238862). - CVE-2025-21729: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (bsc#1237874). - CVE-2025-21755: vsock: Orphan socket after transport release (bsc#1237882). - CVE-2025-21758: ipv6: mcast: add RCU protection to mld_newpack() (bsc#1238737). - CVE-2025-21768: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels (bsc#1238714). - CVE-2025-21792: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt (bsc#1238745). - CVE-2025-21806: net: let net.core.dev_weight always be non-zero (bsc#1238746). - CVE-2025-21808: net: xdp: Disallow attaching device-bound programs in generic mode (bsc#1238742). - CVE-2025-21812: ax25: rcu protect dev->ax25_ptr (bsc#1238471). - CVE-2025-21833: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (bsc#1239108). - CVE-2025-21836: io_uring/kbuf: reallocate buf lists on upgrade (bsc#1239066). 
- CVE-2025-21854: selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470). - CVE-2025-21863: io_uring: prevent opcode speculation (bsc#1239475). - CVE-2025-21867: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (bsc#1240181). - CVE-2025-21873: scsi: ufs: core: bsg: Fix crash when arpmb command fails (bsc#1240184). - CVE-2025-21875: mptcp: always handle address removal under msk socket lock (bsc#1240168). - CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode() (bsc#1240185). - CVE-2025-21884: net: better track kernel sockets lifetime (bsc#1240171). - CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (bsc#1240176). - CVE-2025-21889: perf/core: Add RCU read lock protection to perf_iterate_ctx() (bsc#1240167). - CVE-2025-21894: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (bsc#1240581). - CVE-2025-21895: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585). - CVE-2025-21904: caif_virtio: fix wrong pointer check in cfv_probe() (bsc#1240576). - CVE-2025-21906: wifi: iwlwifi: mvm: clean up ROC on failure (bsc#1240587). - CVE-2025-21908: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (bsc#1240600). - CVE-2025-21913: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (bsc#1240591). - CVE-2025-21922: ppp: Fix KMSAN uninit-value warning with bpf (bsc#1240639). - CVE-2025-21924: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (bsc#1240720). - CVE-2025-21925: llc: do not use skb_get() before dev_queue_xmit() (bsc#1240713). - CVE-2025-21926: net: gso: fix ownership in __udp_gso_segment (bsc#1240712). - CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio (bsc#1240709). - CVE-2025-21957: scsi: qla1280: Fix kernel oops when debug level > 2 (bsc#1240742). 
- CVE-2025-21960: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (bsc#1240815). - CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case (bsc#1240816). - CVE-2025-21962: cifs: Fix integer overflow while processing closetimeo mount option (bsc#1240655). - CVE-2025-21963: cifs: Fix integer overflow while processing acdirmax mount option (bsc#1240717). - CVE-2025-21964: cifs: Fix integer overflow while processing acregmax mount option (bsc#1240740). - CVE-2025-21969: kABI workaround for l2cap_conn changes (bsc#1240784). - CVE-2025-21970: net/mlx5: Bridge, fix the crash caused by LAG state check (bsc#1240819). - CVE-2025-21972: net: mctp: unshare packets when reassembling (bsc#1240813). - CVE-2025-21975: net/mlx5: handle errors in mlx5_chains_create_table() (bsc#1240812). - CVE-2025-21980: sched: address a potential NULL pointer dereference in the GRED scheduler (bsc#1240809). - CVE-2025-21981: ice: fix memory leak in aRFS after reset (bsc#1240612). - CVE-2025-21985: drm/amd/display: Fix out-of-bound accesses (bsc#1240811). - CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (bsc#1240795). - CVE-2025-21993: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (bsc#1240797). - CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802). - CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835). - CVE-2025-22015: mm/migrate: fix shmem xarray update during migration (bsc#1240944). - CVE-2025-22016: dpll: fix xa_alloc_cyclic() error handling (bsc#1240934). - CVE-2025-22017: devlink: fix xa_alloc_cyclic() error handling (bsc#1240936). - CVE-2025-22018: atm: Fix NULL pointer dereference (bsc#1241266). - CVE-2025-22029: exec: fix the racy usage of fs_struct->in_exec (bsc#1241378). - CVE-2025-22036: exfat: fix random stack corruption after get_block (bsc#1241426). - CVE-2025-22045: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (bsc#1241433). 
- CVE-2025-22053: net: ibmveth: make veth_pool_store stop hanging (bsc#1241373). - CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371). - CVE-2025-22058: udp: Fix memory accounting leak (bsc#1241332). - CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526). - CVE-2025-22064: netfilter: nf_tables: do not unregister hook when table is dormant (bsc#1241413). - CVE-2025-22080: fs/ntfs3: Prevent integer overflow in hdr_first_de() (bsc#1241416). - CVE-2025-22090: mm: (un)track_pfn_copy() fix + doc improvements (bsc#1241537). - CVE-2025-22102: Bluetooth: btnxpuart: Fix kernel panic during FW release (bsc#1241456). - CVE-2025-22104: ibmvnic: Use kernel helpers for hex dumps (bsc#1241550). - CVE-2025-22105, CVE-2025-37860: Add missing bugzilla references (bsc#1241452 bsc#1241548). - CVE-2025-22107: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (bsc#1241575). - CVE-2025-22109: ax25: Remove broken autobind (bsc#1241573). - CVE-2025-22115: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() (bsc#1241578). - CVE-2025-22121: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (bsc#1241593). - CVE-2025-2312: CIFS: New mount option for cifs.upcall namespace resolution (bsc#1239684). - CVE-2025-23133: wifi: ath11k: update channel list in reg notifier instead reg worker (bsc#1241451). - CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648). - CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596). - CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640). - CVE-2025-37798: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() (bsc#1242414). - CVE-2025-37799: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (bsc#1242283). - CVE-2025-39728: clk: samsung: Fix UBSAN panic in samsung_clk_init() (bsc#1241626). 
The following non-security bugs were fixed:

- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls (stable-fixes).
- ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes).
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes).
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes).
- ALSA: hda/realtek - Enable speaker for HP platform (git-fixes).
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes).
- ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes).
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models (git-fixes).
- ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist (stable-fixes).
- ALSA: hda: intel: Fix Optimus when GPU has no sound (stable-fixes).
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion (bsc#1242044).
- ALSA: usb-audio: Fix CME quirk for UF series keyboards (stable-fixes).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() (git-fixes).
- ASoC: SOF: topology: Use krealloc_array() to replace krealloc() (stable-fixes).
- ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes).
- ASoC: amd: yc: update quirk data for new Lenovo model (stable-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes).
- ASoC: fsl_audmix: register card device depends on 'dais' property (stable-fixes).
- ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes).
- ASoC: qcom: Fix sc7280 lpass potential buffer overflow (git-fixes).
- ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes).
- ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes).
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes).
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence (git-fixes).
- Bluetooth: btrtl: Prevent potential NULL dereference (git-fixes).
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() (git-fixes).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (git-fixes).
- Bluetooth: hci_uart: Fix another race during initialization (git-fixes).
- Bluetooth: hci_uart: fix race during initialization (stable-fixes).
- Bluetooth: l2cap: Check encryption key size on incoming connection (git-fixes).
- Bluetooth: l2cap: Process valid commands in too long frame (stable-fixes).
- Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes).
- HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes).
- HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes).
- Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes).
- Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes).
- OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961)
- PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads (git-fixes).
- PCI: Fix BAR resizing when VF BARs are assigned (git-fixes).
- PCI: Fix reference leak in pci_register_host_bridge() (git-fixes).
- PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes).
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type (stable-fixes).
- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes)
- RDMA/core: Silence oversized kvmalloc() warning (git-fixes)
- RDMA/hns: Fix wrong maximum DMA segment size (git-fixes)
- RDMA/mana_ib: Ensure variable err is initialized (git-fixes).
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes)
- Reapply 'Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6'.
- Require zstd in kernel-default-devel when module compression is zstd
  To use ksym-provides tool modules need to be uncompressed.
  Without zstd at least kernel-default-base does not have provides.
  Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
- Revert 'drivers: core: synchronize really_probe() and dev_uevent()' (stable-fixes).
- Revert 'drm/meson: vclk: fix calculation of 59.94 fractional rates' (git-fixes).
- Revert 'tcp: Fix bind() regression for v6-only wildcard and'.
- Revert 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes).
- Test the correct macro to detect RT kernel build
  Fixes: 470cd1a41502 ('kernel-binary: Support livepatch_rt with merged RT branch')
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) (stable-fixes).
- USB: VLI disk crashes if LPM is used (stable-fixes).
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe (stable-fixes).
- USB: serial: option: add Sierra Wireless EM9291 (stable-fixes).
- USB: serial: simple: add OWON HDS200 series oscilloscope support (stable-fixes).
- USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes).
- USB: wdm: add annotation (git-fixes).
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop (git-fixes).
- USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes).
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context (git-fixes).
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes).
- affs: do not write overlarge OFS data block size fields (git-fixes).
- affs: generate OFS sequence numbers starting at 1 (git-fixes).
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller (stable-fixes).
- arch_topology: Make register_cpu_capacity_sysctl() tolerant to late (bsc#1238052)
- arch_topology: init capacity_freq_ref to 0 (bsc#1238052)
- arm64/amu: Use capacity_ref_freq() to set AMU ratio (bsc#1238052)
- arm64: Do not call NULL in do_compat_alignment_fixup() (git-fixes)
- arm64: Provide an AMU-based version of arch_freq_get_on_cpu (bsc#1238052)
- arm64: Update AMU-based freq scale factor on entering idle (bsc#1238052)
- arm64: Utilize for_each_cpu_wrap for reference lookup (bsc#1238052)
- arm64: amu: Delay allocating cpumask for AMU FIE support (bsc#1238052)
- arm64: mm: Correct the update of max_pfn (git-fixes)
- asus-laptop: Fix an uninitialized variable (git-fixes).
- ata: libata-sata: Save all fields from sense data descriptor (git-fixes).
- ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type (git-fixes).
- ata: libata-scsi: Fix ata_msense_control_ata_feature() (git-fixes).
- ata: libata-scsi: Improve CDL control (git-fixes).
- ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() (git-fixes).
- ata: sata_sx4: Add error handling in pdc20621_i2c_read() (git-fixes).
- auxdisplay: hd44780: Convert to platform remove callback returning void (stable-fixes).
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes).
- badblocks: Fix error shitf ops (git-fixes).
- badblocks: fix merge issue when new badblocks align with pre+1 (git-fixes).
- badblocks: fix missing bad blocks on retry in _badblocks_check() (git-fixes).
- badblocks: fix the using of MAX_BADBLOCKS (git-fixes).
- badblocks: return error directly when setting badblocks exceeds 512 (git-fixes).
- badblocks: return error if any badblock set fails (git-fixes).
- blk-throttle: fix lower bps rate by throtl_trim_slice() (git-fixes).
- block: change blk_mq_add_to_batch() third argument type to bool (git-fixes).
- block: fix 'kmem_cache of name 'bio-108' already exists' (git-fixes).
- block: fix conversion of GPT partition name to 7-bit (git-fixes).
- block: fix resource leak in blk_register_queue() error path (git-fixes).
- block: integrity: Do not call set_page_dirty_lock() (git-fixes).
- block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone (git-fixes).
- bnxt_en: Linearize TX SKB if the fragments exceed the max (git-fixes).
- bnxt_en: Mask the bd_cnt field in the TX BD properly (git-fixes).
- bpf: Add missed var_off setting in coerce_subreg_to_size_sx() (git-fixes).
- bpf: Add missed var_off setting in set_sext32_default_val() (git-fixes).
- bpf: Check size for BTF-based ctx access of pointer members (git-fixes).
- bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes).
- bpf: add find_containing_subprog() utility function (bsc#1241590).
- bpf: avoid holding freeze_mutex during mmap operation (git-fixes).
- bpf: check changes_pkt_data property for extension programs (bsc#1241590).
- bpf: consider that tail calls invalidate packet pointers (bsc#1241590).
- bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs (bsc#1241590).
- bpf: fix potential error return (git-fixes).
- bpf: refactor bpf_helper_changes_pkt_data to use helper number (bsc#1241590).
- bpf: track changes_pkt_data property for global functions (bsc#1241590).
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes).
- btrfs: add and use helper to verify the calling task has locked the inode (bsc#1241204).
- btrfs: always fallback to buffered write if the inode requires checksum (bsc#1242831 bsc#1242710).
- btrfs: fix hole expansion when writing at an offset beyond EOF (bsc#1241151).
- btrfs: fix missing snapshot drew unlock when root is dead during swap activation (bsc#1241204).
- btrfs: fix race with memory mapped writes when activating swap file (bsc#1241204).
- btrfs: fix swap file activation failure due to extents that used to be shared (bsc#1241204).
- cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk (stable-fixes).
- char: misc: register chrdev region with all possible minors (git-fixes).
- cifs: Fix integer overflow while processing actimeo mount option (git-fixes).
- counter: fix privdata alignment (git-fixes).
- counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes).
- counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes).
- cpufreq/cppc: Set the frequency used for computing the capacity (bsc#1238052)
- cpufreq: Allow arch_freq_get_on_cpu to return an error (bsc#1238052)
- cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry (bsc#1238052)
  Keep the feature disabled by default on x86_64
- crypto: atmel-sha204a - Set hwrng quality to lowest possible (git-fixes).
- crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes).
- crypto: ccp - Add support for PCI device 0x1134 (stable-fixes).
- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path (git-fixes).
- dm-bufio: do not schedule in atomic context (git-fixes).
- dm-ebs: fix prefetch-vs-suspend race (git-fixes).
- dm-integrity: set ti->error on memory allocation failure (git-fixes).
- dm-verity: fix prefetch-vs-suspend race (git-fixes).
- dm: add missing unlock on in dm_keyslot_evict() (git-fixes).
- dm: always update the array size in realloc_argv on success (git-fixes).
- dm: fix copying after src array boundaries (git-fixes).
- dmaengine: dmatest: Fix dmatest waiting less when interrupted (stable-fixes).
- drivers: base: devres: Allow to release group on device release (stable-fixes).
- drm/amd/display: Fix gpu reset in multidisplay config (git-fixes).
- drm/amd/display: Force full update in gpu reset (stable-fixes).
- drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes).
- drm/amd/pm/smu11: Prevent division by zero (git-fixes).
- drm/amd/pm: Prevent division by zero (git-fixes).
- drm/amd: Handle being compiled without SI or CIK support better (stable-fixes).
- drm/amd: Keep display off while going into S4 (stable-fixes).
- drm/amdgpu/dma_buf: fix page_link check (git-fixes).
- drm/amdgpu/gfx11: fix num_mec (git-fixes).
- drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() (stable-fixes).
- drm/amdkfd: Fix mode1 reset crash issue (stable-fixes).
- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset (stable-fixes).
- drm/amdkfd: clamp queue size to minimum (stable-fixes).
- drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes).
- drm/bridge: panel: forbid initializing a panel with unknown connector type (stable-fixes).
- drm/dp_mst: Add a helper to queue a topology probe (stable-fixes).
- drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes).
- drm/fdinfo: Protect against driver unbind (git-fixes).
- drm/i915/dg2: wait for HuC load completion before running selftests (stable-fixes).
- drm/i915/gvt: fix unterminated-string-initialization warning (stable-fixes).
- drm/i915/huc: Fix fence not released on early probe errors (git-fixes).
- drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' (git-fixes).
- drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ (stable-fixes).
- drm/i915: Disable RPG during live selftest (git-fixes).
- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off (stable-fixes).
- drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data (stable-fixes).
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (git-fixes).
- drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes).
- drm/sti: remove duplicate object names (git-fixes).
- drm/tests: Add helper to create mock crtc (stable-fixes).
- drm/tests: Add helper to create mock plane (stable-fixes).
- drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled (git-fixes).
- drm/tests: cmdline: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: helpers: Add atomic helpers (stable-fixes).
- drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() (stable-fixes).
- drm/tests: helpers: Create kunit helper to destroy a drm_display_mode (stable-fixes).
- drm/tests: helpers: Fix compiler warning (git-fixes).
- drm/tests: modes: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: probe-helper: Fix drm_display_mode memory leak (git-fixes).
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS (git-fixes).
- drm: allow encoder mode_set even when connectors change for crtc (stable-fixes).
- drm: panel-orientation-quirks: Add new quirk for GPD Win 2 (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for AYA NEO Slide (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) (stable-fixes).
- drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB (stable-fixes).
- drm: panel-orientation-quirks: Add support for AYANEO 2S (stable-fixes).
- e1000e: change k1 configuration on MTP and later platforms (git-fixes).
- eth: bnxt: fix missing ring index trim on error path (git-fixes).
- ethtool: Fix context creation with no parameters (git-fixes).
- ethtool: Fix set RXNFC command with symmetric RSS hash (git-fixes).
- ethtool: Fix wrong mod state in case of verbose and no_mask bitset (git-fixes).
- ethtool: do not propagate EOPNOTSUPP from dumps (git-fixes).
- ethtool: fix setting key and resetting indir at once (git-fixes).
- ethtool: netlink: Add missing ethnl_ops_begin/complete (git-fixes).
- ethtool: netlink: do not return SQI value if link is down (git-fixes).
- ethtool: plca: fix plca enable data type while parsing the value (git-fixes).
- ethtool: rss: echo the context number back (git-fixes).
- exfat: do not fallback to buffered write (git-fixes).
- exfat: drop ->i_size_ondisk (git-fixes).
- exfat: fix soft lockup in exfat_clear_bitmap (git-fixes).
- exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes).
- exfat: short-circuit zero-byte writes in exfat_file_write_iter (git-fixes).
- ext4: add missing brelse() for bh2 in ext4_dx_add_entry() (bsc#1242342).
- ext4: correct encrypted dentry name hash when not casefolded (bsc#1242540).
- ext4: do not over-report free space or inodes in statvfs (bsc#1242345).
- ext4: do not treat fhandle lookup of ea_inode as FS corruption (bsc#1242347).
- ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557).
- ext4: goto right label 'out_mmap_sem' in ext4_setattr() (bsc#1242556).
- ext4: make block validity check resistent to sb bh corruption (bsc#1242348).
- ext4: partial zero eof block on unaligned inode size extension (bsc#1242336).
- ext4: protect ext4_release_dquot against freezing (bsc#1242335).
- ext4: replace the traditional ternary conditional operator with with max()/min() (bsc#1242536).
- ext4: treat end of range as exclusive in ext4_zero_range() (bsc#1242539).
- ext4: unify the type of flexbg_size to unsigned int (bsc#1242538).
- fbdev: omapfb: Add 'plane' value check (stable-fixes).
- firmware: arm_ffa: Skip Rx buffer ownership release if not acquired (git-fixes).
- firmware: arm_scmi: Balance device refcount when destroying devices (git-fixes).
- firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes).
- fs/jfs: Prevent integer overflow in AG size calculation (git-fixes).
- fs/jfs: cast inactags to s64 to prevent potential overflow (git-fixes).
- fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() (bsc#1241250).
- fs: better handle deep ancestor chains in is_subdir() (bsc#1242528).
- fs: consistently deref the files table with rcu_dereference_raw() (bsc#1242535).
- fs: do not allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT (bsc#1242526).
- fs: support relative paths with FSCONFIG_SET_STRING (git-fixes).
- gpio: tegra186: fix resource handling in ACPI probe path (git-fixes).
- gpio: zynq: Fix wakeup source leaks on device unbind (stable-fixes).
- gve: handle overflow when reporting TX consumed descriptors (git-fixes).
- gve: set xdp redirect target only when it is available (git-fixes).
- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key (git-fixes).
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes).
- i2c: cros-ec-tunnel: defer probe if parent EC is not present (git-fixes).
- i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes).
- ice: Add check for devm_kzalloc() (git-fixes).
- ice: fix reservation of resources for RDMA when disabled (git-fixes).
- ice: stop truncating queue ids when checking (git-fixes).
- idpf: check error for register_netdev() on init (git-fixes).
- idpf: fix adapter NULL pointer dereference on reboot (git-fixes).
- igb: reject invalid external timestamp requests for 82580-based HW (git-fixes).
- igc: add lock preventing multiple simultaneous PTM transactions (git-fixes).
- igc: cleanup PTP module if probe fails (git-fixes).
- igc: fix PTM cycle trigger logic (git-fixes).
- igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes).
- igc: increase wait time before retrying PTM (git-fixes).
- igc: move ktime snapshot into PTM retry loop (git-fixes).
- iio: adc: ad7768-1: Fix conversion result sign (git-fixes).
- iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check (stable-fixes).
- iommu: Fix two issues in iommu_copy_struct_from_user() (git-fixes).
- ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr (git-fixes).
- irqchip/davinci: Remove leftover header (git-fixes).
- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (git-fixes).
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir() (bsc#1242307).
- jbd2: add a missing data flush during file and fs synchronization (bsc#1242346).
- jbd2: fix off-by-one while erasing journal (bsc#1242344).
- jbd2: flush filesystem device before updating tail sequence (bsc#1242333).
- jbd2: increase IO priority for writing revoke records (bsc#1242332).
- jbd2: increase the journal IO's priority (bsc#1242537).
- jbd2: remove wrong sb->s_sequence check (bsc#1242343).
- jfs: Fix uninit-value access of imap allocated in the diMount() function (git-fixes).
- jfs: Prevent copying of nlink with value 0 from disk inode (git-fixes).
- jfs: add sanity check for agwidth in dbMount (git-fixes).
- kABI fix for sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- kABI workaround for powercap update (bsc#1241010).
- kernel-binary: Support livepatch_rt with merged RT branch
- kernel-source: Also update the search to match bin/env
  Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env')
- ktest: Fix Test Failures Due to Missing LOG_FILE Directories (stable-fixes).
- kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes).
- lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes).
- libperf cpumap: Be tolerant of newline at the end of a cpumask (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Ensure empty cpumap is NULL from alloc (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Grow array of read CPUs in smaller increments (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Hide/reduce scope of MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__default_new() to perf_cpu_map__new_online_cpus() and prefer sysfs (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__dummy_new() to perf_cpu_map__new_any_cpu() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__empty() to perf_cpu_map__has_any_cpu_or_is_empty() (bsc#1234698 jsc#PED-12309).
- loop: LOOP_SET_FD: send uevents for partitions (git-fixes).
- loop: properly send KOBJ_CHANGED uevent for disk device (git-fixes).
- loop: stop using vfs_iter_{read,write} for buffered I/O (git-fixes).
- md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb (bsc#1238212)
- media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes).
- mei: me: add panther lake H DID (stable-fixes).
- misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration (git-fixes).
- misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack (git-fixes).
- mm/readahead: fix large folio support in async readahead (bsc#1242321).
- mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT (bsc#1242326).
- mm: fix filemap_get_folios_contig returning batches of identical folios (bsc#1242327).
- mm: fix oops when filemap_map_pmd() without prealloc_pte (bsc#1242546).
- mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves (stable-fixes).
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe (git-fixes).
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes).
- mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN (git-fixes).
- mptcp: refine opt_mp_capable determination (git-fixes).
- mptcp: relax check on MPC passive fallback (git-fixes).
- mptcp: strict validation before using mp_opt->hmac (git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() (git-fixes).
- mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes).
- mtd: rawnand: Add status chack in r852_ready() (git-fixes).
- net/mlx5: Fill out devlink dev info only for PFs (git-fixes).
- net/mlx5: IRQ, Fix null string in debug print (git-fixes).
- net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch (git-fixes).
- net/mlx5: Start health poll after enable hca (git-fixes).
- net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context (git-fixes).
- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices (git-fixes).
- net/mlx5e: SHAMPO, Make reserved size independent of page size (git-fixes).
- net/tcp: refactor tcp_inet6_sk() (git-fixes).
- net: annotate data-races around sk->sk_dst_pending_confirm (git-fixes).
- net: annotate data-races around sk->sk_tx_queue_mapping (git-fixes).
- net: blackhole_dev: fix build warning for ethh set but not used (git-fixes).
- net: ethtool: Do not call .cleanup_data when prepare_data fails (git-fixes).
- net: ethtool: Fix RSS setting (git-fixes).
- net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes).
- net: mana: Switch to page pool for jumbo frames (git-fixes).
- net: mark racy access on sk->sk_rcvbuf (git-fixes).
- net: phy: leds: fix memory leak (git-fixes).
- net: phy: microchip: force IRQ polling mode for lan88xx (git-fixes).
- net: sctp: fix skb leak in sctp_inq_free() (git-fixes).
- net: set SOCK_RCU_FREE before inserting socket into hashtable (git-fixes).
- net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes).
- net_sched: drr: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: ets: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (git-fixes).
- net_sched: qfq: Fix double list add in class with netem as child qdisc (git-fixes).
- netpoll: Use rcu_access_pointer() in netpoll_poll_lock (git-fixes).
- nfs: add missing selections of CONFIG_CRC32 (git-fixes).
- nfs: clear SB_RDONLY before getting superblock (bsc#1238565).
- nfs: ignore SB_RDONLY when remounting nfs (bsc#1238565).
- nfsd: decrease sc_count directly if fail to queue dl_recall (git-fixes).
- nfsd: put dl_stid if fail to queue dl_recall (git-fixes).
- ntb: Force physically contiguous allocation of rx ring buffers (git-fixes).
- ntb: intel: Fix using link status DB's (git-fixes).
- ntb: reduce stack usage in idt_scan_mws (stable-fixes).
- ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes).
- ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes).
- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes).
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes).
- ntb_perf: Fix printk format (git-fixes).
- nvme-pci: clean up CMBMSC when registering CMB fails (git-fixes).
- nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes).
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA (git-fixes).
- nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes).
- nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes).
- nvme/ioctl: do not warn on vectorized uring_cmd with fixed buffer (git-fixes).
- nvmet-fcloop: swap list_add_tail arguments (git-fixes).
- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes).
- objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes).
- objtool: Fix segfault in ignore_unreachable_insn() (git-fixes).
- perf cpumap: Reduce transitive dependencies on libperf MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- perf pmu: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- perf tools: annotate asm_pure_loop.S (bsc#1239906).
- perf: Increase MAX_NR_CPUS to 4096 (bsc#1234698 jsc#PED-12309).
- perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172)
- perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172)
- perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172)
- perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172)
- phy: freescale: imx8m-pcie: assert phy reset and perst in power off (git-fixes).
- pinctrl: renesas: rza2: Fix potential NULL pointer dereference (stable-fixes).
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug (git-fixes).
- platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes).
- platform/x86: ISST: Correct command storage data length (git-fixes).
- platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes).
- pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes).
- powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes).
- powercap: intel_rapl: Introduce APIs for PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes).
- powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes).
- powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes).
- powerpc/boot: Check for ld-option support (bsc#1215199).
- powerpc/boot: Fix dash warning (bsc#1215199).
- powerpc: Do not use --- in kernel logs (git-fixes).
- pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes).
- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() (git-fixes).
- pwm: rcar: Improve register calculation (git-fixes).
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
- rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE
  We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit:
  e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
- rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML
  This option is dynamically enabled to build-test different configurations.
  This makes run_oldconfig.sh complain sporadically for arm64.
- rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
- rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038).
  OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package.
  This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there.
  This is also needed for udev & systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659)
- rpm/kernel-binary.spec.in: revert the revert change with OrderWithRequires
  The recent change using OrderWithRequires addresses the known issues, but also caused regressions for the existing image or package builds.
  For SLE15-SPx, better to be conservative and stick with the older way.
- rpm/package-descriptions: Add rt and rt_debug descriptions
- rtc: pcf85063: do a SW reset if POR failed (stable-fixes).
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013).
- s390/cio: Fix CHPID 'configure' attribute caching (git-fixes bsc#1240979).
- s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978).
- sched/topology: Add a new arch_scale_freq_ref() method (bsc#1238052)
- scsi: core: Use GFP_NOIO to avoid circular locking dependency (git-fixes).
- scsi: hisi_sas: Enable force phy when SATA disk directly connected (git-fixes).
- scsi: iscsi: Fix missing scsi_host_put() in error path (git-fixes).
- scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag (git-fixes).
- scsi: mpi3mr: Fix locking in an error path (git-fixes).
- scsi: mpt3sas: Fix a locking bug in an error path (git-fixes).
- scsi: mpt3sas: Reduce log level of ignore_delay_remove message to KERN_INFO (git-fixes).
- scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes).
- sctp: Fix undefined behavior in left shift operation (git-fixes).
- sctp: add mutual exclusion in proc_sctp_do_udp_port() (git-fixes).
- sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start (git-fixes).
- sctp: fix association labeling in the duplicate COOKIE-ECHO case (git-fixes).
- sctp: fix busy polling (git-fixes).
- sctp: prefer struct_size over open coded arithmetic (git-fixes).
- sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes).
- security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375).
- selftests/bpf: Add a few tests to cover (git-fixes).
- selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes).
- selftests/bpf: extend changes_pkt_data with cases w/o subprograms (bsc#1241590).
- selftests/bpf: freplace tests for tracking of changes_packet_data (bsc#1241590).
- selftests/bpf: test for changing packet data from global functions (bsc#1241590).
- selftests/bpf: validate that tail call invalidates packet pointers (bsc#1241590).
- selftests/futex: futex_waitv wouldblock test should fail (git-fixes).
- selftests/mm: generate a temporary mountpoint for cgroup filesystem (git-fixes).
- selinux: Implement mptcp_add_subflow hook (bsc#1240375).
- serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes).
- serial: msm: Configure correct working mode before starting earlycon (git-fixes).
- serial: sifive: lock port in startup()/shutdown() callbacks (git-fixes).
- smb: client: fix folio leaks and perf improvements (bsc#1239997, bsc#1241265).
- smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616).
- sound/virtio: Fix cancel_sync warnings on uninitialized work_structs (stable-fixes).
- spi: tegra114: Do not fail set_cs_timing when delays are zero (git-fixes).
- spi: tegra210-quad: add rate limiting and simplify timeout error message (stable-fixes).
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts (stable-fixes).
- splice: remove duplicate noinline from pipe_clear_nowait (bsc#1242328).
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes).
- string: Add load_unaligned_zeropad() code path to sized_strscpy() (git-fixes).
- tcp: fix mptcp DSS corruption due to large pmtu xmit (git-fixes).
- thunderbolt: Scan retimers after device router has been enumerated (stable-fixes).
- tools/hv: update route parsing in kvp daemon (git-fixes).
- tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192 (bsc#1241175).
- tools/power turbostat: report CoreThr per measurement interval (git-fixes). - topology: Set capacity_freq_ref in all cases (bsc#1238052) - tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870). - tpm: tis: Double the timeout B to 4s (bsc#1235870). - tpm_tis: Move CRC check to generic send routine (bsc#1235870). - tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870). - tty: n_tty: use uint for space returned by tty_write_room() (git-fixes). - tty: serial: 8250: Add Brainboxes XC devices (stable-fixes). - tty: serial: 8250: Add some more device IDs (stable-fixes). - tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes). - tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes). - ublk: set_params: properly check if parameters can be applied (git-fixes). - ucsi_ccg: Do not show failed to get FW build information error (git-fixes). - udf: Fix inode_getblk() return value (bsc#1242313). - udf: Skip parent dir link count update if corrupted (bsc#1242315). - udf: Verify inode link counts before performing rename (bsc#1242314). - usb: cdns3: Fix deadlock when using NCM gadget (git-fixes). - usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines (git-fixes). - usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (git-fixes). - usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes). - usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield (stable-fixes). - usb: dwc3: gadget: Refactor loop to avoid NULL endpoints (stable-fixes). - usb: dwc3: gadget: check that event count does not exceed event buffer length (git-fixes). - usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes). - usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() (stable-fixes). - usb: host: max3421-hcd: Add missing spi_device_id table (stable-fixes). 
- usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func (stable-fixes). - usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive (stable-fixes). - usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive (stable-fixes). - usb: xhci: correct debug message page size calculation (git-fixes). - usbnet:fix NPE during rx_complete (git-fixes). - vdpa/mlx5: Fix oversized null mkey longer than 32bit (git-fixes). - vfs: do not mod negative dentry count when on shrinker list (bsc#1242534). - virtchnl: make proto and filter action count unsigned (git-fixes). - vmxnet3: Fix tx queue race condition with XDP (bsc#1241394). - vmxnet3: unregister xdp rxq info in the reset path (bsc#1241394). - wifi: at76c50x: fix use after free access in at76_disconnect (git-fixes). - wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes). - wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi (stable-fixes). - wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process (stable-fixes). - wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (git-fixes). - wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes). - wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes). - wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes). - wifi: mac80211: Purge vif txq in ieee80211_do_stop() (git-fixes). - wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (git-fixes). - wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes). - wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table (stable-fixes). - wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release (git-fixes). - wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes). - x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778). - x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778). 
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778). - x86/bugs: Add RSB mitigation document (git-fixes). - x86/bugs: Do not fill RSB on VMEXIT with eIBRS+retpoline (git-fixes). - x86/bugs: Do not fill RSB on context switch with eIBRS (git-fixes). - x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes). - x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes). - x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes). - x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment (git-fixes). - x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes). - x86/hyperv: Fix check of return value from snp_set_vmsa() (git-fixes). - x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes). - x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes). - x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes). - x86/microcode/AMD: Split load_microcode_amd() (git-fixes). - x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (git-fixes). - x86/microcode/intel: Set new revision only after a successful update (git-fixes). - x86/microcode: Remove the driver announcement and version (git-fixes). - x86/microcode: Rework early revisions reporting (git-fixes). - x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes). - x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes). - x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes). - x86/uaccess: Improve performance by aligning writes to 8 bytes in copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes). - xfs: flush inodegc before swapon (git-fixes). - xhci: Fix null pointer dereference during S4 resume when resetting ep0 (bsc#1235550). - xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (bsc#1235550). - xhci: fix possible null pointer deref during xhci urb enqueue (bsc#1235550). 
- zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING (bsc#1241167). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1615-1 Released: Wed May 21 11:53:06 2025 Summary: Security update for grub2 Type: security Severity: moderate References: 1235958,1235971,1239651,1242971,CVE-2025-4382 This update for grub2 rebuilds the existing package with the new 4k RSA secure boot key for IBM Power and Z. Note: the signing keys of the x86 / x86_64 and aarch64 architectures are unchanged. Also the following issues were fixed: - CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971) - Fix segmentation fault error in grub2-probe with target=hints_string (bsc#1235971) (bsc#1235958) (bsc#1239651) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1638-1 Released: Wed May 21 12:48:35 2025 Summary: Security update for openssh Type: security Severity: moderate References: 1236826,1239671,1241012,CVE-2025-32728 This update for openssh fixes the following issue: Security fixes: - CVE-2025-32728: Fixed logic error in DisableForwarding option (bsc#1241012) Other fixes: - Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1 - Enable --with-logind to call the SetTTY dbus method in systemd. This allows 'wall' to print messages in ssh ttys (bsc#1239671) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1648-1 Released: Wed May 21 22:43:46 2025 Summary: Recommended update for kbd Type: recommended Severity: moderate References: 1237230 This update for kbd fixes the following issues: - Don't search for resources in the current directory. It can cause unwanted side effects or even an infinite loop (bsc#1237230).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1689-1 Released: Fri May 23 12:46:42 2025 Summary: Recommended update for hwinfo Type: recommended Severity: moderate References: 1240648 This update for hwinfo fixes the following issues: - Version update v21.88 - Fix network card detection on aarch64 (bsc#1240648). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1703-1 Released: Sun May 25 23:42:28 2025 Summary: Security update for xen Type: security Severity: moderate References: 1027519,1242490,1243117,CVE-2024-28956 This update for xen fixes the following issues: Update to Xen 4.18.5: Security fixes: - CVE-2024-28956: Fixed Intel CPU Indirect Target Selection (ITS) (bsc#1243117) Other fixes: - Fixed boot failing with XEN kernel on DL580 Gen12 (bsc#1242490) - Added missing upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1721-1 Released: Tue May 27 17:59:31 2025 Summary: Recommended update for hwdata Type: recommended Severity: 
moderate References: This update for hwdata fixes the following issue: - Version update 0.394: * Update pci, usb and vendor ids * Fix usb.ids encoding and a couple of typos * Fix configure to honor --prefix ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1776-1 Released: Fri May 30 15:02:52 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1242300,CVE-2025-47268 This update for iputils fixes the following issues: - CVE-2025-47268: Fixed integer overflow in RTT calculation can lead to undefined behavior (bsc#1242300) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1836-1 Released: Mon Jun 9 16:11:28 2025 Summary: Recommended update for cloud-netconfig Type: recommended Severity: important References: 1240869 This update for cloud-netconfig fixes the following issues: - Add support for creating IPv6 default route in GCE (bsc#1240869) - Minor fix when looking up IPv6 default route The following package changes have been done: - cloud-netconfig-ec2-1.15-150000.25.26.1 added - curl-8.6.0-150600.4.21.1 added - glibc-locale-base-2.38-150600.14.32.1 updated - glibc-locale-2.38-150600.14.32.1 updated - glibc-2.38-150600.14.32.1 updated - grub2-i386-pc-2.12-150600.8.27.1 updated - grub2-x86_64-efi-2.12-150600.8.27.1 updated - grub2-x86_64-xen-2.12-150600.8.27.1 updated - grub2-2.12-150600.8.27.1 updated - hwdata-0.394-150000.3.77.2 updated - hwinfo-21.88-150500.3.9.2 updated - iputils-20221126-150500.3.11.1 updated - kbd-legacy-2.4.0-150400.5.9.1 updated - kbd-2.4.0-150400.5.9.1 updated - 
kernel-default-6.4.0-150600.23.50.1 updated - krb5-1.20.1-150600.11.11.2 updated - libncurses6-6.1-150000.5.30.1 updated - librdkafka1-0.11.6-150600.16.3.1 updated - libsystemd0-254.24-150600.4.33.1 updated - libudev1-254.24-150600.4.33.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - openssh-clients-9.6p1-150600.6.26.1 updated - openssh-common-9.6p1-150600.6.26.1 updated - openssh-server-config-disallow-rootlogin-9.6p1-150600.6.26.1 updated - openssh-server-9.6p1-150600.6.26.1 updated - openssh-9.6p1-150600.6.26.1 updated - python3-setuptools-44.1.1-150400.9.12.1 updated - systemd-254.24-150600.4.33.1 updated - terminfo-base-6.1-150000.5.30.1 updated - terminfo-6.1-150000.5.30.1 updated - udev-254.24-150600.4.33.1 updated - xen-libs-4.18.5_02-150600.3.23.1 updated - xen-tools-domU-4.18.5_02-150600.3.23.1 updated From sle-container-updates at lists.suse.com Mon Jun 16 07:02:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 16 Jun 2025 09:02:59 +0200 (CEST) Subject: SUSE-IU-2025:1573-1: Security update of sles-15-sp6-chost-byos-v20250611-arm64 Message-ID: <20250616070259.5CF47FCFE@maintenance.suse.de> SUSE Image Update Advisory: sles-15-sp6-chost-byos-v20250611-arm64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1573-1 Image Tags : sles-15-sp6-chost-byos-v20250611-arm64:20250611 Image Release : Severity : important Type : security References : ----------------------------------------------------------------- The container sles-15-sp6-chost-byos-v20250611-arm64 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:167-1 Released: Mon Jan 24 18:16:24 2022 Summary: Recommended update for cloud-netconfig Type: recommended Severity: moderate References: 1187939 This update for cloud-netconfig fixes the following issues: - Update to version 1.6: + Ignore proxy when accessing metadata (bsc#1187939) + Print warning in case metadata is not accessible + Documentation update ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:658-1 Released: Wed Mar 8 10:51:10 2023 Summary: Recommended update for cloud-netconfig Type: recommended Severity: moderate References: 1199853,1204549 This update for cloud-netconfig fixes the following issues: - Update to version 1.7: + Overhaul policy routing setup + Support alias IPv4 ranges + Add support for NetworkManager (bsc#1204549) + Remove dependency on netconfig + Install into libexec directory + Clear stale ifcfg files for accelerated NICs (bsc#1199853) + More debug messages + Documentation update - /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in Tumbleweed, update path ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3637-1 Released: Mon Sep 18 13:02:23 2023 Summary: Recommended update for cloud-netconfig Type: recommended Severity: important References: 1214715 This update for cloud-netconfig fixes the following issues: - Update to version 1.8: - Fix Automatic Addition of Secondary IP Addresses
in Azure Using cloud-netconfig. (bsc#1214715) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:630-1 Released: Tue Feb 27 09:14:49 2024 Summary: Recommended update for cloud-netconfig Type: recommended Severity: moderate References: 1218069,1219007 This update for cloud-netconfig fixes the following issues: - Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007) - Drop package dependency on sysconfig-netconfig - Improve log level handling - Support IPv6 IMDS endpoint in EC2 (bsc#1218069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:781-1 Released: Wed Mar 6 15:05:13 2024 Summary: Recommended update for cloud-netconfig Type: recommended Severity: moderate References: 1219454,1220718 This update for cloud-netconfig fixes the following issues: - Add Provides/Obsoletes for dropped cloud-netconfig-nm - Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions - Add BuildRequires: NetworkManager to avoid owning dispatcher.d parent directory - Update to version 1.11: + Revert address metadata lookup in GCE to local lookup (bsc#1219454) + Fix hang on warning log messages + Check whether getting IPv4 addresses from metadata failed and abort if true + Only delete policy rules if they exist + Skip adding/removing IPv4 ranges if metadata lookup failed + Improve error handling and logging in Azure + Set SCRIPTDIR when installing netconfig wrapper ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:869-1 Released: Wed Mar 13 10:48:51 2024 Summary: Recommended update for cloud-netconfig Type: recommended Severity: important References: 1221202 This update for cloud-netconfig fixes the following issues: - Update to version 1.12 (bsc#1221202) * If token access succeeds using IPv4, do not use the IPv6 endpoint; only use the IPv6 IMDS endpoint if IPv4 access fails.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1085-1 Released: Tue Apr 2 11:24:09 2024 Summary: Recommended update for cloud-netconfig Type: recommended Severity: moderate References: 1221757 This update for cloud-netconfig fixes the following issues: - Update to version 1.14 + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1606-1 Released: Tue May 20 15:53:14 2025 Summary: Recommended update for librdkafka Type: recommended Severity: moderate References: 1242842 This update for librdkafka fixes the following issues: - Avoid endless loops under certain circumstances (bsc#1242842) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1614-1 Released: Wed May 21 11:52:34 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006). - CVE-2024-35840: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() (bsc#1224597). - CVE-2024-50038: netfilter: xtables: fix typo causing some targets not to load on IPv6 (bsc#1231910). - CVE-2024-50162: bpf: selftests: send packet to devmap redirect XDP (bsc#1233075).
- CVE-2024-50163: bpf: Make sure internal and UAPI bpf_redirect flags do not overlap (bsc#1233098). - CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc (bsc#1234074). - CVE-2024-53139: sctp: fix possible UAF in sctp_v6_available() (bsc#1234157). - CVE-2024-57924: fs: relax assertions on failure to encode file handles (bsc#1236086). - CVE-2024-58018: nvkm: correctly calculate the available space of the GSP cmdq buffer (bsc#1238990). - CVE-2024-58068: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (bsc#1238961). - CVE-2024-58070: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (bsc#1238983). - CVE-2024-58071: team: prevent adding a device which is already a team device lower (bsc#1238970). - CVE-2024-58088: bpf: Fix deadlock when freeing cgroup storage (bsc#1239510). - CVE-2025-21683: bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704). - CVE-2025-21696: mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111). - CVE-2025-21707: mptcp: consolidate suboption status (bsc#1238862). - CVE-2025-21729: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (bsc#1237874). - CVE-2025-21755: vsock: Orphan socket after transport release (bsc#1237882). - CVE-2025-21758: ipv6: mcast: add RCU protection to mld_newpack() (bsc#1238737). - CVE-2025-21768: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels (bsc#1238714). - CVE-2025-21792: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt (bsc#1238745). - CVE-2025-21806: net: let net.core.dev_weight always be non-zero (bsc#1238746). - CVE-2025-21808: net: xdp: Disallow attaching device-bound programs in generic mode (bsc#1238742). - CVE-2025-21812: ax25: rcu protect dev->ax25_ptr (bsc#1238471). - CVE-2025-21833: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (bsc#1239108). - CVE-2025-21836: io_uring/kbuf: reallocate buf lists on upgrade (bsc#1239066). 
- CVE-2025-21854: selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470). - CVE-2025-21863: io_uring: prevent opcode speculation (bsc#1239475). - CVE-2025-21867: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (bsc#1240181). - CVE-2025-21873: scsi: ufs: core: bsg: Fix crash when arpmb command fails (bsc#1240184). - CVE-2025-21875: mptcp: always handle address removal under msk socket lock (bsc#1240168). - CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode() (bsc#1240185). - CVE-2025-21884: net: better track kernel sockets lifetime (bsc#1240171). - CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (bsc#1240176). - CVE-2025-21889: perf/core: Add RCU read lock protection to perf_iterate_ctx() (bsc#1240167). - CVE-2025-21894: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (bsc#1240581). - CVE-2025-21895: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585). - CVE-2025-21904: caif_virtio: fix wrong pointer check in cfv_probe() (bsc#1240576). - CVE-2025-21906: wifi: iwlwifi: mvm: clean up ROC on failure (bsc#1240587). - CVE-2025-21908: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (bsc#1240600). - CVE-2025-21913: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (bsc#1240591). - CVE-2025-21922: ppp: Fix KMSAN uninit-value warning with bpf (bsc#1240639). - CVE-2025-21924: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (bsc#1240720). - CVE-2025-21925: llc: do not use skb_get() before dev_queue_xmit() (bsc#1240713). - CVE-2025-21926: net: gso: fix ownership in __udp_gso_segment (bsc#1240712). - CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio (bsc#1240709). - CVE-2025-21957: scsi: qla1280: Fix kernel oops when debug level > 2 (bsc#1240742). 
- CVE-2025-21960: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (bsc#1240815).
- CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case (bsc#1240816).
- CVE-2025-21962: cifs: Fix integer overflow while processing closetimeo mount option (bsc#1240655).
- CVE-2025-21963: cifs: Fix integer overflow while processing acdirmax mount option (bsc#1240717).
- CVE-2025-21964: cifs: Fix integer overflow while processing acregmax mount option (bsc#1240740).
- CVE-2025-21969: kABI workaround for l2cap_conn changes (bsc#1240784).
- CVE-2025-21970: net/mlx5: Bridge, fix the crash caused by LAG state check (bsc#1240819).
- CVE-2025-21972: net: mctp: unshare packets when reassembling (bsc#1240813).
- CVE-2025-21975: net/mlx5: handle errors in mlx5_chains_create_table() (bsc#1240812).
- CVE-2025-21980: sched: address a potential NULL pointer dereference in the GRED scheduler (bsc#1240809).
- CVE-2025-21981: ice: fix memory leak in aRFS after reset (bsc#1240612).
- CVE-2025-21985: drm/amd/display: Fix out-of-bound accesses (bsc#1240811).
- CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (bsc#1240795).
- CVE-2025-21993: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (bsc#1240797).
- CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
- CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835).
- CVE-2025-22015: mm/migrate: fix shmem xarray update during migration (bsc#1240944).
- CVE-2025-22016: dpll: fix xa_alloc_cyclic() error handling (bsc#1240934).
- CVE-2025-22017: devlink: fix xa_alloc_cyclic() error handling (bsc#1240936).
- CVE-2025-22018: atm: Fix NULL pointer dereference (bsc#1241266).
- CVE-2025-22029: exec: fix the racy usage of fs_struct->in_exec (bsc#1241378).
- CVE-2025-22036: exfat: fix random stack corruption after get_block (bsc#1241426).
- CVE-2025-22045: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (bsc#1241433).
- CVE-2025-22053: net: ibmveth: make veth_pool_store stop hanging (bsc#1241373).
- CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371).
- CVE-2025-22058: udp: Fix memory accounting leak (bsc#1241332).
- CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526).
- CVE-2025-22064: netfilter: nf_tables: do not unregister hook when table is dormant (bsc#1241413).
- CVE-2025-22080: fs/ntfs3: Prevent integer overflow in hdr_first_de() (bsc#1241416).
- CVE-2025-22090: mm: (un)track_pfn_copy() fix + doc improvements (bsc#1241537).
- CVE-2025-22102: Bluetooth: btnxpuart: Fix kernel panic during FW release (bsc#1241456).
- CVE-2025-22104: ibmvnic: Use kernel helpers for hex dumps (bsc#1241550).
- CVE-2025-22105, CVE-2025-37860: Add missing bugzilla references (bsc#1241452 bsc#1241548).
- CVE-2025-22107: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (bsc#1241575).
- CVE-2025-22109: ax25: Remove broken autobind (bsc#1241573).
- CVE-2025-22115: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() (bsc#1241578).
- CVE-2025-22121: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (bsc#1241593).
- CVE-2025-2312: CIFS: New mount option for cifs.upcall namespace resolution (bsc#1239684).
- CVE-2025-23133: wifi: ath11k: update channel list in reg notifier instead reg worker (bsc#1241451).
- CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).
- CVE-2025-37798: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() (bsc#1242414).
- CVE-2025-37799: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (bsc#1242283).
- CVE-2025-39728: clk: samsung: Fix UBSAN panic in samsung_clk_init() (bsc#1241626).

The following non-security bugs were fixed:

- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls (stable-fixes).
- ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes).
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes).
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes).
- ALSA: hda/realtek - Enable speaker for HP platform (git-fixes).
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes).
- ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes).
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models (git-fixes).
- ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist (stable-fixes).
- ALSA: hda: intel: Fix Optimus when GPU has no sound (stable-fixes).
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion (bsc#1242044).
- ALSA: usb-audio: Fix CME quirk for UF series keyboards (stable-fixes).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() (git-fixes).
- ASoC: SOF: topology: Use krealloc_array() to replace krealloc() (stable-fixes).
- ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes).
- ASoC: amd: yc: update quirk data for new Lenovo model (stable-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes).
- ASoC: fsl_audmix: register card device depends on 'dais' property (stable-fixes).
- ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes).
- ASoC: qcom: Fix sc7280 lpass potential buffer overflow (git-fixes).
- ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes).
- ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes).
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes).
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence (git-fixes).
- Bluetooth: btrtl: Prevent potential NULL dereference (git-fixes).
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() (git-fixes).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (git-fixes).
- Bluetooth: hci_uart: Fix another race during initialization (git-fixes).
- Bluetooth: hci_uart: fix race during initialization (stable-fixes).
- Bluetooth: l2cap: Check encryption key size on incoming connection (git-fixes).
- Bluetooth: l2cap: Process valid commands in too long frame (stable-fixes).
- Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes).
- HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes).
- HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes).
- Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes).
- Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes).
- OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961)
- PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads (git-fixes).
- PCI: Fix BAR resizing when VF BARs are assigned (git-fixes).
- PCI: Fix reference leak in pci_register_host_bridge() (git-fixes).
- PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes).
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type (stable-fixes).
- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes)
- RDMA/core: Silence oversized kvmalloc() warning (git-fixes)
- RDMA/hns: Fix wrong maximum DMA segment size (git-fixes)
- RDMA/mana_ib: Ensure variable err is initialized (git-fixes).
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes)
- Reapply 'Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6'.
- Require zstd in kernel-default-devel when module compression is zstd
  To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides.
  Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
- Revert 'drivers: core: synchronize really_probe() and dev_uevent()' (stable-fixes).
- Revert 'drm/meson: vclk: fix calculation of 59.94 fractional rates' (git-fixes).
- Revert 'tcp: Fix bind() regression for v6-only wildcard and'.
- Revert 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes).
- Test the correct macro to detect RT kernel build
  Fixes: 470cd1a41502 ('kernel-binary: Support livepatch_rt with merged RT branch')
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) (stable-fixes).
- USB: VLI disk crashes if LPM is used (stable-fixes).
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe (stable-fixes).
- USB: serial: option: add Sierra Wireless EM9291 (stable-fixes).
- USB: serial: simple: add OWON HDS200 series oscilloscope support (stable-fixes).
- USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes).
- USB: wdm: add annotation (git-fixes).
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop (git-fixes).
- USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes).
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context (git-fixes).
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes).
- affs: do not write overlarge OFS data block size fields (git-fixes).
- affs: generate OFS sequence numbers starting at 1 (git-fixes).
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller (stable-fixes).
- arch_topology: Make register_cpu_capacity_sysctl() tolerant to late (bsc#1238052)
- arch_topology: init capacity_freq_ref to 0 (bsc#1238052)
- arm64/amu: Use capacity_ref_freq() to set AMU ratio (bsc#1238052)
- arm64: Do not call NULL in do_compat_alignment_fixup() (git-fixes)
- arm64: Provide an AMU-based version of arch_freq_get_on_cpu (bsc#1238052)
- arm64: Update AMU-based freq scale factor on entering idle (bsc#1238052)
- arm64: Utilize for_each_cpu_wrap for reference lookup (bsc#1238052)
- arm64: amu: Delay allocating cpumask for AMU FIE support (bsc#1238052)
- arm64: mm: Correct the update of max_pfn (git-fixes)
- asus-laptop: Fix an uninitialized variable (git-fixes).
- ata: libata-sata: Save all fields from sense data descriptor (git-fixes).
- ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type (git-fixes).
- ata: libata-scsi: Fix ata_msense_control_ata_feature() (git-fixes).
- ata: libata-scsi: Improve CDL control (git-fixes).
- ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() (git-fixes).
- ata: sata_sx4: Add error handling in pdc20621_i2c_read() (git-fixes).
- auxdisplay: hd44780: Convert to platform remove callback returning void (stable-fixes).
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes).
- badblocks: Fix error shitf ops (git-fixes).
- badblocks: fix merge issue when new badblocks align with pre+1 (git-fixes).
- badblocks: fix missing bad blocks on retry in _badblocks_check() (git-fixes).
- badblocks: fix the using of MAX_BADBLOCKS (git-fixes).
- badblocks: return error directly when setting badblocks exceeds 512 (git-fixes).
- badblocks: return error if any badblock set fails (git-fixes).
- blk-throttle: fix lower bps rate by throtl_trim_slice() (git-fixes).
- block: change blk_mq_add_to_batch() third argument type to bool (git-fixes).
- block: fix 'kmem_cache of name 'bio-108' already exists' (git-fixes).
- block: fix conversion of GPT partition name to 7-bit (git-fixes).
- block: fix resource leak in blk_register_queue() error path (git-fixes).
- block: integrity: Do not call set_page_dirty_lock() (git-fixes).
- block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone (git-fixes).
- bnxt_en: Linearize TX SKB if the fragments exceed the max (git-fixes).
- bnxt_en: Mask the bd_cnt field in the TX BD properly (git-fixes).
- bpf: Add missed var_off setting in coerce_subreg_to_size_sx() (git-fixes).
- bpf: Add missed var_off setting in set_sext32_default_val() (git-fixes).
- bpf: Check size for BTF-based ctx access of pointer members (git-fixes).
- bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes).
- bpf: add find_containing_subprog() utility function (bsc#1241590).
- bpf: avoid holding freeze_mutex during mmap operation (git-fixes).
- bpf: check changes_pkt_data property for extension programs (bsc#1241590).
- bpf: consider that tail calls invalidate packet pointers (bsc#1241590).
- bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs (bsc#1241590).
- bpf: fix potential error return (git-fixes).
- bpf: refactor bpf_helper_changes_pkt_data to use helper number (bsc#1241590).
- bpf: track changes_pkt_data property for global functions (bsc#1241590).
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes).
- btrfs: add and use helper to verify the calling task has locked the inode (bsc#1241204).
- btrfs: always fallback to buffered write if the inode requires checksum (bsc#1242831 bsc#1242710).
- btrfs: fix hole expansion when writing at an offset beyond EOF (bsc#1241151).
- btrfs: fix missing snapshot drew unlock when root is dead during swap activation (bsc#1241204).
- btrfs: fix race with memory mapped writes when activating swap file (bsc#1241204).
- btrfs: fix swap file activation failure due to extents that used to be shared (bsc#1241204).
- cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk (stable-fixes).
- char: misc: register chrdev region with all possible minors (git-fixes).
- cifs: Fix integer overflow while processing actimeo mount option (git-fixes).
- counter: fix privdata alignment (git-fixes).
- counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes).
- counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes).
- cpufreq/cppc: Set the frequency used for computing the capacity (bsc#1238052)
- cpufreq: Allow arch_freq_get_on_cpu to return an error (bsc#1238052)
- cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry (bsc#1238052)
  Keep the feature disabled by default on x86_64
- crypto: atmel-sha204a - Set hwrng quality to lowest possible (git-fixes).
- crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes).
- crypto: ccp - Add support for PCI device 0x1134 (stable-fixes).
- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path (git-fixes).
- dm-bufio: do not schedule in atomic context (git-fixes).
- dm-ebs: fix prefetch-vs-suspend race (git-fixes).
- dm-integrity: set ti->error on memory allocation failure (git-fixes).
- dm-verity: fix prefetch-vs-suspend race (git-fixes).
- dm: add missing unlock on in dm_keyslot_evict() (git-fixes).
- dm: always update the array size in realloc_argv on success (git-fixes).
- dm: fix copying after src array boundaries (git-fixes).
- dmaengine: dmatest: Fix dmatest waiting less when interrupted (stable-fixes).
- drivers: base: devres: Allow to release group on device release (stable-fixes).
- drm/amd/display: Fix gpu reset in multidisplay config (git-fixes).
- drm/amd/display: Force full update in gpu reset (stable-fixes).
- drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes).
- drm/amd/pm/smu11: Prevent division by zero (git-fixes).
- drm/amd/pm: Prevent division by zero (git-fixes).
- drm/amd: Handle being compiled without SI or CIK support better (stable-fixes).
- drm/amd: Keep display off while going into S4 (stable-fixes).
- drm/amdgpu/dma_buf: fix page_link check (git-fixes).
- drm/amdgpu/gfx11: fix num_mec (git-fixes).
- drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() (stable-fixes).
- drm/amdkfd: Fix mode1 reset crash issue (stable-fixes).
- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset (stable-fixes).
- drm/amdkfd: clamp queue size to minimum (stable-fixes).
- drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes).
- drm/bridge: panel: forbid initializing a panel with unknown connector type (stable-fixes).
- drm/dp_mst: Add a helper to queue a topology probe (stable-fixes).
- drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes).
- drm/fdinfo: Protect against driver unbind (git-fixes).
- drm/i915/dg2: wait for HuC load completion before running selftests (stable-fixes).
- drm/i915/gvt: fix unterminated-string-initialization warning (stable-fixes).
- drm/i915/huc: Fix fence not released on early probe errors (git-fixes).
- drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' (git-fixes).
- drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ (stable-fixes).
- drm/i915: Disable RPG during live selftest (git-fixes).
- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off (stable-fixes).
- drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data (stable-fixes).
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (git-fixes).
- drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes).
- drm/sti: remove duplicate object names (git-fixes).
- drm/tests: Add helper to create mock crtc (stable-fixes).
- drm/tests: Add helper to create mock plane (stable-fixes).
- drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled (git-fixes).
- drm/tests: cmdline: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: helpers: Add atomic helpers (stable-fixes).
- drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() (stable-fixes).
- drm/tests: helpers: Create kunit helper to destroy a drm_display_mode (stable-fixes).
- drm/tests: helpers: Fix compiler warning (git-fixes).
- drm/tests: modes: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: probe-helper: Fix drm_display_mode memory leak (git-fixes).
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS (git-fixes).
- drm: allow encoder mode_set even when connectors change for crtc (stable-fixes).
- drm: panel-orientation-quirks: Add new quirk for GPD Win 2 (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for AYA NEO Slide (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) (stable-fixes).
- drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB (stable-fixes).
- drm: panel-orientation-quirks: Add support for AYANEO 2S (stable-fixes).
- e1000e: change k1 configuration on MTP and later platforms (git-fixes).
- eth: bnxt: fix missing ring index trim on error path (git-fixes).
- ethtool: Fix context creation with no parameters (git-fixes).
- ethtool: Fix set RXNFC command with symmetric RSS hash (git-fixes).
- ethtool: Fix wrong mod state in case of verbose and no_mask bitset (git-fixes).
- ethtool: do not propagate EOPNOTSUPP from dumps (git-fixes).
- ethtool: fix setting key and resetting indir at once (git-fixes).
- ethtool: netlink: Add missing ethnl_ops_begin/complete (git-fixes).
- ethtool: netlink: do not return SQI value if link is down (git-fixes).
- ethtool: plca: fix plca enable data type while parsing the value (git-fixes).
- ethtool: rss: echo the context number back (git-fixes).
- exfat: do not fallback to buffered write (git-fixes).
- exfat: drop ->i_size_ondisk (git-fixes).
- exfat: fix soft lockup in exfat_clear_bitmap (git-fixes).
- exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes).
- exfat: short-circuit zero-byte writes in exfat_file_write_iter (git-fixes).
- ext4: add missing brelse() for bh2 in ext4_dx_add_entry() (bsc#1242342).
- ext4: correct encrypted dentry name hash when not casefolded (bsc#1242540).
- ext4: do not over-report free space or inodes in statvfs (bsc#1242345).
- ext4: do not treat fhandle lookup of ea_inode as FS corruption (bsc#1242347).
- ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557).
- ext4: goto right label 'out_mmap_sem' in ext4_setattr() (bsc#1242556).
- ext4: make block validity check resistent to sb bh corruption (bsc#1242348).
- ext4: partial zero eof block on unaligned inode size extension (bsc#1242336).
- ext4: protect ext4_release_dquot against freezing (bsc#1242335).
- ext4: replace the traditional ternary conditional operator with with max()/min() (bsc#1242536).
- ext4: treat end of range as exclusive in ext4_zero_range() (bsc#1242539).
- ext4: unify the type of flexbg_size to unsigned int (bsc#1242538).
- fbdev: omapfb: Add 'plane' value check (stable-fixes).
- firmware: arm_ffa: Skip Rx buffer ownership release if not acquired (git-fixes).
- firmware: arm_scmi: Balance device refcount when destroying devices (git-fixes).
- firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes).
- fs/jfs: Prevent integer overflow in AG size calculation (git-fixes).
- fs/jfs: cast inactags to s64 to prevent potential overflow (git-fixes).
- fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() (bsc#1241250).
- fs: better handle deep ancestor chains in is_subdir() (bsc#1242528).
- fs: consistently deref the files table with rcu_dereference_raw() (bsc#1242535).
- fs: do not allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT (bsc#1242526).
- fs: support relative paths with FSCONFIG_SET_STRING (git-fixes).
- gpio: tegra186: fix resource handling in ACPI probe path (git-fixes).
- gpio: zynq: Fix wakeup source leaks on device unbind (stable-fixes).
- gve: handle overflow when reporting TX consumed descriptors (git-fixes).
- gve: set xdp redirect target only when it is available (git-fixes).
- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key (git-fixes).
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes).
- i2c: cros-ec-tunnel: defer probe if parent EC is not present (git-fixes).
- i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes).
- ice: Add check for devm_kzalloc() (git-fixes).
- ice: fix reservation of resources for RDMA when disabled (git-fixes).
- ice: stop truncating queue ids when checking (git-fixes).
- idpf: check error for register_netdev() on init (git-fixes).
- idpf: fix adapter NULL pointer dereference on reboot (git-fixes).
- igb: reject invalid external timestamp requests for 82580-based HW (git-fixes).
- igc: add lock preventing multiple simultaneous PTM transactions (git-fixes).
- igc: cleanup PTP module if probe fails (git-fixes).
- igc: fix PTM cycle trigger logic (git-fixes).
- igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes).
- igc: increase wait time before retrying PTM (git-fixes).
- igc: move ktime snapshot into PTM retry loop (git-fixes).
- iio: adc: ad7768-1: Fix conversion result sign (git-fixes).
- iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check (stable-fixes).
- iommu: Fix two issues in iommu_copy_struct_from_user() (git-fixes).
- ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr (git-fixes).
- irqchip/davinci: Remove leftover header (git-fixes).
- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (git-fixes).
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir() (bsc#1242307).
- jbd2: add a missing data flush during file and fs synchronization (bsc#1242346).
- jbd2: fix off-by-one while erasing journal (bsc#1242344).
- jbd2: flush filesystem device before updating tail sequence (bsc#1242333).
- jbd2: increase IO priority for writing revoke records (bsc#1242332).
- jbd2: increase the journal IO's priority (bsc#1242537).
- jbd2: remove wrong sb->s_sequence check (bsc#1242343).
- jfs: Fix uninit-value access of imap allocated in the diMount() function (git-fixes).
- jfs: Prevent copying of nlink with value 0 from disk inode (git-fixes).
- jfs: add sanity check for agwidth in dbMount (git-fixes).
- kABI fix for sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- kABI workaround for powercap update (bsc#1241010).
- kernel-binary: Support livepatch_rt with merged RT branch
- kernel-source: Also update the search to match bin/env
  Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env'
- ktest: Fix Test Failures Due to Missing LOG_FILE Directories (stable-fixes).
- kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes).
- lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes).
- libperf cpumap: Be tolerant of newline at the end of a cpumask (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Ensure empty cpumap is NULL from alloc (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Grow array of read CPUs in smaller increments (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Hide/reduce scope of MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__default_new() to perf_cpu_map__new_online_cpus() and prefer sysfs (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__dummy_new() to perf_cpu_map__new_any_cpu() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__empty() to perf_cpu_map__has_any_cpu_or_is_empty() (bsc#1234698 jsc#PED-12309).
- loop: LOOP_SET_FD: send uevents for partitions (git-fixes).
- loop: properly send KOBJ_CHANGED uevent for disk device (git-fixes).
- loop: stop using vfs_iter_{read,write} for buffered I/O (git-fixes).
- md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb (bsc#1238212)
- media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes).
- mei: me: add panther lake H DID (stable-fixes).
- misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration (git-fixes).
- misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack (git-fixes).
- mm/readahead: fix large folio support in async readahead (bsc#1242321).
- mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT (bsc#1242326).
- mm: fix filemap_get_folios_contig returning batches of identical folios (bsc#1242327).
- mm: fix oops when filemap_map_pmd() without prealloc_pte (bsc#1242546).
- mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves (stable-fixes).
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe (git-fixes).
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes).
- mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN (git-fixes).
- mptcp: refine opt_mp_capable determination (git-fixes).
- mptcp: relax check on MPC passive fallback (git-fixes).
- mptcp: strict validation before using mp_opt->hmac (git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() (git-fixes).
- mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes).
- mtd: rawnand: Add status chack in r852_ready() (git-fixes).
- net/mlx5: Fill out devlink dev info only for PFs (git-fixes).
- net/mlx5: IRQ, Fix null string in debug print (git-fixes).
- net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch (git-fixes).
- net/mlx5: Start health poll after enable hca (git-fixes).
- net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context (git-fixes).
- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices (git-fixes).
- net/mlx5e: SHAMPO, Make reserved size independent of page size (git-fixes).
- net/tcp: refactor tcp_inet6_sk() (git-fixes).
- net: annotate data-races around sk->sk_dst_pending_confirm (git-fixes).
- net: annotate data-races around sk->sk_tx_queue_mapping (git-fixes).
- net: blackhole_dev: fix build warning for ethh set but not used (git-fixes).
- net: ethtool: Do not call .cleanup_data when prepare_data fails (git-fixes).
- net: ethtool: Fix RSS setting (git-fixes).
- net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes).
- net: mana: Switch to page pool for jumbo frames (git-fixes).
- net: mark racy access on sk->sk_rcvbuf (git-fixes).
- net: phy: leds: fix memory leak (git-fixes).
- net: phy: microchip: force IRQ polling mode for lan88xx (git-fixes).
- net: sctp: fix skb leak in sctp_inq_free() (git-fixes).
- net: set SOCK_RCU_FREE before inserting socket into hashtable (git-fixes).
- net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes).
- net_sched: drr: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: ets: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (git-fixes).
- net_sched: qfq: Fix double list add in class with netem as child qdisc (git-fixes).
- netpoll: Use rcu_access_pointer() in netpoll_poll_lock (git-fixes).
- nfs: add missing selections of CONFIG_CRC32 (git-fixes).
- nfs: clear SB_RDONLY before getting superblock (bsc#1238565).
- nfs: ignore SB_RDONLY when remounting nfs (bsc#1238565).
- nfsd: decrease sc_count directly if fail to queue dl_recall (git-fixes).
- nfsd: put dl_stid if fail to queue dl_recall (git-fixes).
- ntb: Force physically contiguous allocation of rx ring buffers (git-fixes).
- ntb: intel: Fix using link status DB's (git-fixes).
- ntb: reduce stack usage in idt_scan_mws (stable-fixes).
- ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes).
- ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes).
- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes).
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes).
- ntb_perf: Fix printk format (git-fixes).
- nvme-pci: clean up CMBMSC when registering CMB fails (git-fixes).
- nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes).
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA (git-fixes).
- nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes).
- nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes).
- nvme/ioctl: do not warn on vectorized uring_cmd with fixed buffer (git-fixes).
- nvmet-fcloop: swap list_add_tail arguments (git-fixes).
- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes).
- objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes).
- objtool: Fix segfault in ignore_unreachable_insn() (git-fixes).
- perf cpumap: Reduce transitive dependencies on libperf MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- perf pmu: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- perf tools: annotate asm_pure_loop.S (bsc#1239906).
- perf: Increase MAX_NR_CPUS to 4096 (bsc#1234698 jsc#PED-12309).
- perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172)
- perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172)
- perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172)
- perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172)
- phy: freescale: imx8m-pcie: assert phy reset and perst in power off (git-fixes).
- pinctrl: renesas: rza2: Fix potential NULL pointer dereference (stable-fixes).
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug (git-fixes).
- platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes).
- platform/x86: ISST: Correct command storage data length (git-fixes).
- platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes).
- pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes).
- powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes).
- powercap: intel_rapl: Introduce APIs for PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes).
- powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes).
- powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes).
- powerpc/boot: Check for ld-option support (bsc#1215199).
- powerpc/boot: Fix dash warning (bsc#1215199).
- powerpc: Do not use --- in kernel logs (git-fixes).
- pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes).
- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() (git-fixes).
- pwm: rcar: Improve register calculation (git-fixes).
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
- rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE
  We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit: e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
- rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML
  This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64.
- rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
- rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038).
  OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there.
  This is also needed for udev & systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659)
- rpm/kernel-binary.spec.in: revert the revert change with OrderWithRequires
  The recent change using OrderWithRequires addresses the known issues, but also caused regressions for the existing image or package builds. For SLE15-SPx, better to be conservative and stick with the older way.
- rpm/package-descriptions: Add rt and rt_debug descriptions
- rtc: pcf85063: do a SW reset if POR failed (stable-fixes).
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013).
- s390/cio: Fix CHPID 'configure' attribute caching (git-fixes bsc#1240979).
- s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978).
- sched/topology: Add a new arch_scale_freq_ref() method (bsc#1238052)
- scsi: core: Use GFP_NOIO to avoid circular locking dependency (git-fixes).
- scsi: hisi_sas: Enable force phy when SATA disk directly connected (git-fixes).
- scsi: iscsi: Fix missing scsi_host_put() in error path (git-fixes).
- scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag (git-fixes).
- scsi: mpi3mr: Fix locking in an error path (git-fixes).
- scsi: mpt3sas: Fix a locking bug in an error path (git-fixes).
- scsi: mpt3sas: Reduce log level of ignore_delay_remove message to KERN_INFO (git-fixes).
- scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes).
- sctp: Fix undefined behavior in left shift operation (git-fixes).
- sctp: add mutual exclusion in proc_sctp_do_udp_port() (git-fixes).
- sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start (git-fixes).
- sctp: fix association labeling in the duplicate COOKIE-ECHO case (git-fixes).
- sctp: fix busy polling (git-fixes).
- sctp: prefer struct_size over open coded arithmetic (git-fixes).
- sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes).
- security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375).
- selftests/bpf: Add a few tests to cover (git-fixes).
- selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes).
- selftests/bpf: extend changes_pkt_data with cases w/o subprograms (bsc#1241590).
- selftests/bpf: freplace tests for tracking of changes_packet_data (bsc#1241590).
- selftests/bpf: test for changing packet data from global functions (bsc#1241590).
- selftests/bpf: validate that tail call invalidates packet pointers (bsc#1241590).
- selftests/futex: futex_waitv wouldblock test should fail (git-fixes).
- selftests/mm: generate a temporary mountpoint for cgroup filesystem (git-fixes).
- selinux: Implement mptcp_add_subflow hook (bsc#1240375).
- serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes).
- serial: msm: Configure correct working mode before starting earlycon (git-fixes).
- serial: sifive: lock port in startup()/shutdown() callbacks (git-fixes).
- smb: client: fix folio leaks and perf improvements (bsc#1239997, bsc#1241265).
- smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616).
- sound/virtio: Fix cancel_sync warnings on uninitialized work_structs (stable-fixes).
- spi: tegra114: Do not fail set_cs_timing when delays are zero (git-fixes).
- spi: tegra210-quad: add rate limiting and simplify timeout error message (stable-fixes).
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts (stable-fixes).
- splice: remove duplicate noinline from pipe_clear_nowait (bsc#1242328).
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes).
- string: Add load_unaligned_zeropad() code path to sized_strscpy() (git-fixes).
- tcp: fix mptcp DSS corruption due to large pmtu xmit (git-fixes).
- thunderbolt: Scan retimers after device router has been enumerated (stable-fixes).
- tools/hv: update route parsing in kvp daemon (git-fixes).
- tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192 (bsc#1241175).
- tools/power turbostat: report CoreThr per measurement interval (git-fixes).
- topology: Set capacity_freq_ref in all cases (bsc#1238052)
- tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- tpm_tis: Move CRC check to generic send routine (bsc#1235870).
- tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870).
- tty: n_tty: use uint for space returned by tty_write_room() (git-fixes).
- tty: serial: 8250: Add Brainboxes XC devices (stable-fixes).
- tty: serial: 8250: Add some more device IDs (stable-fixes).
- tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes).
- tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes).
- ublk: set_params: properly check if parameters can be applied (git-fixes).
- ucsi_ccg: Do not show failed to get FW build information error (git-fixes).
- udf: Fix inode_getblk() return value (bsc#1242313).
- udf: Skip parent dir link count update if corrupted (bsc#1242315).
- udf: Verify inode link counts before performing rename (bsc#1242314).
- usb: cdns3: Fix deadlock when using NCM gadget (git-fixes).
- usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines (git-fixes).
- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (git-fixes).
- usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes).
- usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield (stable-fixes).
- usb: dwc3: gadget: Refactor loop to avoid NULL endpoints (stable-fixes).
- usb: dwc3: gadget: check that event count does not exceed event buffer length (git-fixes).
- usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes).
- usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() (stable-fixes).
- usb: host: max3421-hcd: Add missing spi_device_id table (stable-fixes).
- usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func (stable-fixes).
- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive (stable-fixes).
- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive (stable-fixes).
- usb: xhci: correct debug message page size calculation (git-fixes).
- usbnet:fix NPE during rx_complete (git-fixes).
- vdpa/mlx5: Fix oversized null mkey longer than 32bit (git-fixes).
- vfs: do not mod negative dentry count when on shrinker list (bsc#1242534).
- virtchnl: make proto and filter action count unsigned (git-fixes).
- vmxnet3: Fix tx queue race condition with XDP (bsc#1241394).
- vmxnet3: unregister xdp rxq info in the reset path (bsc#1241394).
- wifi: at76c50x: fix use after free access in at76_disconnect (git-fixes).
- wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes).
- wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi (stable-fixes).
- wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process (stable-fixes).
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (git-fixes).
- wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes).
- wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes).
- wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes).
- wifi: mac80211: Purge vif txq in ieee80211_do_stop() (git-fixes).
- wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (git-fixes).
- wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes).
- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table (stable-fixes).
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release (git-fixes).
- wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).
- x86/bugs: Add RSB mitigation document (git-fixes).
- x86/bugs: Do not fill RSB on VMEXIT with eIBRS+retpoline (git-fixes).
- x86/bugs: Do not fill RSB on context switch with eIBRS (git-fixes).
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes).
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment (git-fixes).
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- x86/hyperv: Fix check of return value from snp_set_vmsa() (git-fixes).
- x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes).
- x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes).
- x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes).
- x86/microcode/AMD: Split load_microcode_amd() (git-fixes).
- x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (git-fixes).
- x86/microcode/intel: Set new revision only after a successful update (git-fixes).
- x86/microcode: Remove the driver announcement and version (git-fixes).
- x86/microcode: Rework early revisions reporting (git-fixes).
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- x86/uaccess: Improve performance by aligning writes to 8 bytes in copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes).
- xfs: flush inodegc before swapon (git-fixes).
- xhci: Fix null pointer dereference during S4 resume when resetting ep0 (bsc#1235550).
- xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (bsc#1235550).
- xhci: fix possible null pointer deref during xhci urb enqueue (bsc#1235550).
- zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING (bsc#1241167).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1615-1
Released: Wed May 21 11:53:06 2025
Summary: Security update for grub2
Type: security
Severity: moderate
References: 1235958,1235971,1239651,1242971,CVE-2025-4382

This update for grub2 rebuilds the existing package with the new 4k RSA secure boot key for IBM Power and Z.

Note: the signing keys of the x86 / x86_64 and aarch64 architectures are unchanged.

The following issues were also fixed:

- CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971)
- Fix segmentation fault error in grub2-probe with target=hints_string (bsc#1235971) (bsc#1235958) (bsc#1239651)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1638-1
Released: Wed May 21 12:48:35 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1236826,1239671,1241012,CVE-2025-32728

This update for openssh fixes the following issue:

Security fixes:

- CVE-2025-32728: Fixed logic error in DisableForwarding option (bsc#1241012)

Other fixes:

- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1
- Enable --with-logind to call the SetTTY dbus method in systemd. This allows 'wall' to print messages in ssh ttys (bsc#1239671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1648-1
Released: Wed May 21 22:43:46 2025
Summary: Recommended update for kbd
Type: recommended
Severity: moderate
References: 1237230

This update for kbd fixes the following issues:

- Don't search for resources in the current directory. It can cause unwanted side effects or even an infinite loop (bsc#1237230).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1689-1
Released: Fri May 23 12:46:42 2025
Summary: Recommended update for hwinfo
Type: recommended
Severity: moderate
References: 1240648

This update for hwinfo fixes the following issues:

- Version update v21.88
- Fix network card detection on aarch64 (bsc#1240648).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1703-1
Released: Sun May 25 23:42:28 2025
Summary: Security update for xen
Type: security
Severity: moderate
References: 1027519,1242490,1243117,CVE-2024-28956

This update for xen fixes the following issues:

Update to Xen 4.18.5:

Security fixes:

- CVE-2024-28956: Fixed Intel CPU Indirect Target Selection (ITS) (bsc#1243117)

Other fixes:

- Fixed boot failing with XEN kernel on DL580 Gen12 (bsc#1242490)
- Added missing upstream bug fixes (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1721-1
Released: Tue May 27 17:59:31 2025
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:

This update for hwdata fixes the following issue:

- Version update 0.394:
  * Update pci, usb and vendor ids
  * Fix usb.ids encoding and a couple of typos
  * Fix configure to honor --prefix

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1739-1
Released: Thu May 29 11:40:51 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1236177,1237496,1242938,1243259

This update for systemd fixes the following issues:

- Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259)
- umount: do not move busy network mounts (bsc#1236177)
- Apply coredump sysctl settings on systemd-coredump updates/removals.
- Fix the issue with journalctl not working for users in Container UID range (bsc#1242938)
  Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids.
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1776-1
Released: Fri May 30 15:02:52 2025
Summary: Security update for iputils
Type: security
Severity: moderate
References: 1242300,CVE-2025-47268

This update for iputils fixes the following issues:

- CVE-2025-47268: Fixed integer overflow in RTT calculation that can lead to undefined behavior (bsc#1242300)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1810-1
Released: Wed Jun 4 11:28:57 2025
Summary: Security update for python3-setuptools
Type: security
Severity: important
References: 1243313,CVE-2025-47273

This update for python3-setuptools fixes the following issues:

- CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1825-1
Released: Thu Jun 5 16:38:39 2025
Summary: Recommended update for google-guest-agent
Type: recommended
Severity: moderate
References: 1243254,1243505

This update for google-guest-agent fixes the following issues:

- Update to version 20250506.01 (bsc#1243254, bsc#1243505)
- Make sure agent added connections are activated by NM
- Wrap NSS cache refresh in a goroutine
- Wicked: Only reload interfaces for which configurations are written or changed.
- Add AuthorizedKeysCompat to windows packaging
- Remove error messages from gce_workload_cert_refresh and metadata script runner
- Update guest-logging-go dependency
- Add 'created-by' metadata, and pass it as option to logging library
- Re-enable disabled services if the core plugin was enabled
- Enable guest services on package upgrade
- Fix core plugin path
- Fix package build issues
- Fix dependencies ran go mod tidy -v
- Bundle compat metadata script runner binary in package
- Bump golang.org/x/net from 0.27.0 to 0.36.0
- Update startup/shutdown services to launch compat manager
- Bundle new gce metadata script runner binary in agent package
- Revert 'Revert bundling new binaries in the package'

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1836-1
Released: Mon Jun 9 16:11:28 2025
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1240869

This update for cloud-netconfig fixes the following issues:

- Add support for creating IPv6 default route in GCE (bsc#1240869)
- Minor fix when looking up IPv6 default route

The following package changes have been done:

- cloud-netconfig-gce-1.15-150000.25.26.1 added
- curl-8.6.0-150600.4.21.1 added
- glibc-locale-base-2.38-150600.14.32.1 updated
- glibc-locale-2.38-150600.14.32.1 updated
- glibc-2.38-150600.14.32.1 updated
- google-guest-agent-20250506.01-150000.1.63.1 updated
- grub2-i386-pc-2.12-150600.8.27.1 updated
- grub2-x86_64-efi-2.12-150600.8.27.1 updated
- grub2-2.12-150600.8.27.1 updated
- hwdata-0.394-150000.3.77.2 updated
- hwinfo-21.88-150500.3.9.2 updated
- iputils-20221126-150500.3.11.1 updated
- kbd-legacy-2.4.0-150400.5.9.1 updated
- kbd-2.4.0-150400.5.9.1 updated
- kernel-default-6.4.0-150600.23.50.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- libncurses6-6.1-150000.5.30.1 updated
- librdkafka1-0.11.6-150600.16.3.1 updated
- libsystemd0-254.24-150600.4.33.1 updated
- libudev1-254.24-150600.4.33.1 updated
- ncurses-utils-6.1-150000.5.30.1 updated
- openssh-clients-9.6p1-150600.6.26.1 updated
- openssh-common-9.6p1-150600.6.26.1 updated
- openssh-server-config-disallow-rootlogin-9.6p1-150600.6.26.1 updated
- openssh-server-9.6p1-150600.6.26.1 updated
- openssh-9.6p1-150600.6.26.1 updated
- python3-setuptools-44.1.1-150400.9.12.1 updated
- systemd-254.24-150600.4.33.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- terminfo-6.1-150000.5.30.1 updated
- udev-254.24-150600.4.33.1 updated
- xen-libs-4.18.5_02-150600.3.23.1 updated

From sle-container-updates at lists.suse.com Mon Jun 16 07:05:39 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Mon, 16 Jun 2025 09:05:39 +0200 (CEST)
Subject: SUSE-IU-2025:1576-1: Security update of suse/sl-micro/6.0/base-os-container
Message-ID: <20250616070539.826AFFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1576-1
Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.10 , suse/sl-micro/6.0/base-os-container:latest
Image Release : 7.10
Severity : important
Type : security
References : 1220112 1223096 1226498 1228557 1228854 1229491 1230581 1231016 1232649 1232882 1233192 1234154 1235149 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240593 1240823 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242012 1242035 1242044 1242163 1242203 1242343 1242414 1242417 1242501 1242502 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242574 1242575 1242578 1242584 1242585 1242587 1242591
1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242849 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242944 1242945 1242948 1242949 1242951 1242953 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 1243076 1243077 1243082 1243090 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243539 1243540 1243541 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243782 1243805 1243963 1244145 1244261 CVE-2023-52888 CVE-2023-53146 CVE-2024-43869 CVE-2024-46713 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21919 CVE-2025-21997 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37743 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 
CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37800 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37842 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37989 CVE-2025-37990 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: kernel-40
Released: Sun Jun 15 15:06:50 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1220112,1223096,1226498,1228557,1228854,1229491,1230581,1231016,1232649,1232882,1233192,1234154,1235149,1235968,1236142,1236208,1237312,1238212,1238473,1238774,1238992,1239691,1239925,1240593,1240823,1240866,1240966,1241148,1241282,1241305,1241340,1241351,1241376,1241448,1241457,1241492,1241519,1241525,1241533,1241538,1241576,1241590,1241595,1241596,1241597,1241625,1241627,1241635,1241638,1241644,1241654,1241657,1242012,1242035,1242044,1242163,1242203,1242343,1242414,1242417,1242501,1242502,1242506,1242507,1242509,1242510,1242512,1242513,1242514,1242520,1242523,1242524,1242529,1242530,1242531,1242532,1242559,1242563,1242564,1242565,1242566,1242567,1242568,1242569,1242574,1242575,1242578,1242584,1242585,1242587,1242591,1242709,1242727,1242758,1242760,1242761,1242762,1242763,1242764,1242766,1242770,1242778,1242781,1242782,1242785,1242786,1242792,1242849,1242852,1242854,1242856,1242859,1242860,1242861,1242866,1242867,1242868,1242871,1242873,1242875,1242906,1242908,1242924,1242930,1242944,1242945,1242948,1242949,1242951,1242953,1242955,1242957,1242959,1242961,1242962,1242973,1242974,1242977,1242990,1242993,1243000,1243006,1243011,1243015,1243044,1243049,1243056,1243074,1243076,1243077,1243082,1243090,1243330,1243342,1243456,1243469,1243470,1243471,1243472,1243473,1243476,1243509,1243511,1243513,1243515,1243516,1243517,1243519,1243522,1243524,1243528,1243529,1243530,1243534,1243536,1243539,1243540,1243541,1243543,1243545,1243547,1243559,1243560,1243562,1243567,1243573,1243574,1243575,1243589,1243621,1243624,1243625,1243626,1243627,1243649,1243657,1243658,1243659,1243660,1243664,1243737,1243782,1243805,1243963,1244145,1244261,CVE-2023-52888,CVE-2023-53146,CVE-2024-43869,CVE-2024-46713,CVE-2024-50106,CVE-2024-50223,CVE-2024-53135,CVE-2024-54458,CVE-2024-58098,CVE-2024-58099,CVE-2024-58100,CVE-2024-58237,CVE-2025-21629,CVE-2025-21648,CVE-2025-21702,CVE-2025-21787,CVE-2025-21814,CVE-2025-21919,CVE-2025-21997,CVE-2025-22005,CVE-2025-22021,CVE-2025-22030,CVE-2025-22056,CVE-2025-22057,CVE-2025-22063,CVE-2025-22066,CVE-2025-22070,CVE-2025-22089,CVE-2025-22095,CVE-2025-22103,CVE-2025-22119,CVE-2025-22124,CVE-2025-22125,CVE-2025-22126,CVE-2025-23140,CVE-2025-23141,CVE-2025-23142,CVE-2025-23144,CVE-2025-23146,CVE-2025-23147,CVE-2025-23148,CVE-2025-23149,CVE-2025-23150,CVE-2025-23151,CVE-2025-23156,CVE-2025-23157,CVE-2025-23158,CVE-2025-23159,CVE-2025-23160,CVE-2025-23161,CVE-2025-37740,CVE-2025-37741,CVE-2025-37742,CVE-2025-37743,CVE-2025-37747,CVE-2025-37748,CVE-2025-37749,CVE-2025-37750,CVE-2025-37754,CVE-2025-37755,CVE-2025-37758,CVE-2025-37765,CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37769,CVE-2025-37770,CVE-2025-37771,CVE-2025-37772,CVE-2025-37773,CVE-2025-37780,CVE-2025-37781,CVE-2025-37782,CVE-2025-37787,CVE-2025-37788,CVE-2025-37789,CVE-2025-37790,CVE-2025-37792,CVE-2025-37793,CVE-2025-37794,CVE-2025-37796,CVE-2025-37797,CVE-2025-37798,CVE-2025-37800,CVE-2025-37803,CVE-2025-37804,CVE-2025-37805,CVE-2025-37809,CVE-2025-37810,CVE-2025-37812,CVE-2025-37815,CVE-2025-37819,CVE-2025-37820,CVE-2025-37823,CVE-2025-37824,CVE-2025-37829,CVE-2025-37830,CVE-2025-37831,CVE-2025-37833,CVE-2025-37836,CVE-2025-37839,CVE-2025-37840,CVE-2025-37841,CVE-2025-37842,CVE-2025-37849,CVE-2025-37850,CVE-2025-37851,CVE-2025-37852,CVE-2025-37853,CVE-2025-37854,CVE-2025-37858,CVE-2025-37867,CVE-2025-37870,CVE-2025-37871,CVE-2025-37873,CVE-2025-37875,CVE-2025-37879,CVE-2025-37881,CVE-2025-37886,CVE-2025-37887,CVE-2025-37889,CVE-2025-37890,CVE-2025-37891,CVE-2025-37892,CVE-2025-37897,CVE-2025-37900,CVE-2025-37901,CVE-2025-37903,CVE-2025-37905,CVE-2025-37911,CVE-2025-37912,CVE-2025-37913,CVE-2025-37914,CVE-2025-37915,CVE-2025-37918,CVE-2025-37925,CVE-2025-37928,CVE-2025-37929,CVE-2025-37930,CVE-2025-37931,CVE-2025-37932,CVE-2025-37937,CVE-2025-37943,CVE-2025-37944,CVE-2025-37948,CVE-2025-37949,CVE-2025-37951,CVE-2025-37953,CVE-2025-37954,CVE-2025-37957,CVE-2025-37958,CVE-2025-37959,CVE-2025-37960,CVE-2025-37963,CVE-2025-37969,CVE-2025-37970,CVE-2025-37972,CVE-2025-37974,CVE-2025-37978,CVE-2025-37979,CVE-2025-37980,CVE-2025-37982,CVE-2025-37983,CVE-2025-37985,CVE-2025-37986,CVE-2025-37989,CVE-2025-37990,CVE-2025-38104,CVE-2025-38152,CVE-2025-38240,CVE-2025-38637,CVE-2025-39735,CVE-2025-40014,CVE-2025-40325

The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557).
- CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581).
- CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192).
- CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154).
- CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992).
- CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774).
- CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473).
- CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593).
- CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282).
- CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376).
- CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
- CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533).
- CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351).
- CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305).
- CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448).
- CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763).
- CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513).
- CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507).
- CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163).
- CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523).
- CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859).
- CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510).
- CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506).
- CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502).
- CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786).
- CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585).
- CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509).
- CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417).
- CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849).
- CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852).
- CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854).
- CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856).
- CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866).
- CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
- CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867).
- CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875).
- CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860).
- CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861).
- CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868).
- CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951).
- CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056).
- CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077).
- CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944).
- CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962).
- CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541).
- CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). - CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). - CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823).

The following non-security bugs were fixed:

- accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes). - ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes). - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - ACPI: PPTT: Fix processor subtable walk (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes).
- ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). 
- ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). 
- bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). - bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). - bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). 
- crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). 
- dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - dm-integrity: fix a warning on invalid table line (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). - Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - drm: Add valid clones check (stable-fixes). - drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). 
- drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). 
- drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - Drop AMDGPU patch that may cause regressions (bsc#1243782) - exfat: fix potential wrong error return from get_block (git-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - fbdev/efifb: Remove PM for parent device (bsc#1244261). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). 
- fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). - gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). - HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). 
- i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). - iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). 
- Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add more controllers (stable-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - intel_th: avoid using deprecated page->mapping, index fields (stable-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). - ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - jffs2: check that raw node were preallocated before writing summary (git-fixes).
- jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - kernel-obs-qa: Use srchash for dependency as well - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). - KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). 
- KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). - md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). 
- media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: do not call schedule in loop (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). - media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: venus: Fix probe error handling (git-fixes). 
- media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - neighbour: delete redundant judgment statements (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). 
- net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net: phy: clear phydev->devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - net: usb: aqc111: debug info before sanitation (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). 
- NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). - nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). 
- octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). 
- pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). 
- qibfs: fix _another_ leak (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - Refresh fixes for cBPF issue (bsc#1242778) - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: fix invalid memory access (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'drm/amd: Keep display off while going into S4' (git-fixes). - Revert 'drm/amd: Stop evicting resources on APUs in suspend' (stable-fixes). - Revert 'rndis_host: Flag RNDIS modems as WWAN devices' (git-fixes). - Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). 
- rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: Improve CDL control (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). 
- scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). 
- smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - spi: bcm63xx-hsspi: fix shared reset (git-fixes). 
- spi: bcm63xx-spi: fix shared reset (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - Squashfs: check return result of sb_min_blocksize (git-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). 
- usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes). - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). - watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). 
- wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). 
- wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). 
The following package changes have been done: - kernel-default-6.4.0-30.1 updated From sle-container-updates at lists.suse.com Mon Jun 16 07:06:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 16 Jun 2025 09:06:17 +0200 (CEST) Subject: SUSE-IU-2025:1577-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250616070617.EF6BAFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1577-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.37 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.37 Severity : important Type : security References : 1220112 1223096 1226498 1228557 1228854 1229491 1230581 1231016 1232649 1232882 1233192 1234154 1235149 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240593 1240823 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242012 1242035 1242044 1242163 1242203 1242343 1242414 1242417 1242501 1242502 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242849 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242944 1242945 1242948 1242949 1242951 1242953 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 
1243076 1243077 1243082 1243090 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243539 1243540 1243541 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243782 1243805 1243963 1244145 1244261 CVE-2023-52888 CVE-2023-53146 CVE-2024-43869 CVE-2024-46713 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21919 CVE-2025-21997 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37743 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37800 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 
CVE-2025-37841 CVE-2025-37842 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37989 CVE-2025-37990 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-40 Released: Sun Jun 15 15:06:50 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1220112,1223096,1226498,1228557,1228854,1229491,1230581,1231016,1232649,1232882,1233192,1234154,1235149,1235968,1236142,1236208,1237312,1238212,1238473,1238774,1238992,1239691,1239925,1240593,1240823,1240866,1240966,1241148,1241282,1241305,1241340,1241351,1241376,1241448,1241457,1241492,1241519,1241525,1241533,1241538,1241576,1241590,1241595,1241596,1241597,1241625,1241627,1241635,1241638,1241644,1241654,1241657,1242012,1242035,1242044,1242163,1242203,1242343,1242414,1242417,1242501,1242502,1242506,1242507,1242509,1242510,1242512,1242513,1242514,1242520,1242523,1242524,1242529,1242530,1242531,1242532,1242559,1242563,1242564,1242565,1242566,1242567,1242568,1242569,1242574,1242575,1242578,1242584,1242585,1242587,1242591,1242709,1242727,1242758,1242760,1242761,1242762,1242763,1242764,1242766,1242770,1242778,1242781,1242782,1242785,1242786,1242792,1242849,1242852,1242854,1242856,1242859,1242860,1242861,1242866,1242867,1242868,1242871,1242873,1242875,1242906,1242908,1242924,1242930,1242944,1242945,1242948,1242949,1242951,1242953,1242955,1242957,1242959,1242961,1242962,1242973,1242974,1242977,1242990,1242993,1243000,1243006,1243011,1243015,1243044,1243049,1243056,1243074,1243076,1243077,1243082,1243090,1243330,1243342,1243456,1243469,1243470,1243471,1243472,1243473,1243476,1243509,1243511,1243513,1243515,1243516,1243517,1243519,1243522,1243524,1243528,1243529,1243530,1243534,1243536,1243539,1243540,1243541,1243543,1243545,1243547,1243559,1243560,1243562,1243567,1243573,1243574,1243575,1243589,1243621,1243624,1243625,1243626,1243627,1243649,1243657,1243658,1243659,1243660,1243664,1243737,1243782,1243805,1243963,1244145,1244261,CVE-2023-52888,CVE-2023-53146,CVE-2024-43869,CVE-2024-46713,CVE-2024-50106,CVE-2024-50223,CVE-2024-53135,CVE-2024-54458,CVE-2024-58098,CVE-2024-58099,CVE-2024-58100,CVE-2024-58237,CVE-2025-21629,CVE-2025-21648,CVE-2025-21702,CVE-2025-21787,CVE-2025-21814,CVE-2025-21919,CVE-2025-21997,CVE-2025-22005,CVE-2025-22021,CVE-2025-22030,CVE-2025-22056,CVE-2025-22057,CVE-2025-22063,CVE-2025-22066,CVE-2025-22070,CVE-2025-22089,CVE-2025-22095,CVE-2025-22103,CVE-2025-22119,CVE-2025-22124,CVE-2025-22125,CVE-2025-22126,CVE-2025-23140,CVE-2025-23141,CVE-2025-23142,CVE-2025-23144,CVE-2025-23146,CVE-2025-23147,CVE-2025-23148,CVE-2025-23149,CVE-2025-23150,CVE-2025-23151,CVE-2025-23156,CVE-2025-23157,CVE-2025-23158,CVE-2025-23159,CVE-2025-23160,CVE-2025-23161,CVE-2025-37740,CVE-2025-37741,CVE-2025-37742,CVE-2025-37743,CVE-2025-37747,CVE-2025-37748,CVE-2025-37749,CVE-2025-37750,CVE-2025-37754,CVE-2025-37755,CVE-2025-37758,CVE-2025-37765,CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37769,CVE-2025-37770,CVE-2025-37771,CVE-2025-37772,CVE-2025-37773,CVE-2025-37780,CVE-2025-37781,CVE-2025-37782,CVE-2025-37787,CVE-2025-37788,CVE-2025-37789,CVE-2025-37790,CVE-2025-37792,CVE-2025-37793,CVE-2025-37794,CVE-2025-37796,CVE-2025-37797,CVE-2025-37798,CVE-2025-37800,CVE-2025-37803,CVE-2025-37804,CVE-2025-37805,CVE-2025-37809,CVE-2025-37810,CVE-2025-37812,CVE-2025-37815,CVE-2025-37819,CVE-2025-37820,CVE-2025-37823,CVE-2025-37824,CVE-2025-37829,CVE-2025-37830,CVE-2025-37831,CVE-2025-37833,CVE-2025-37836,CVE-2025-37839,CVE-2025-37840,CVE-2025-37841,CVE-2025-37842,CVE-2025-37849,CVE-2025-37850,CVE-2025-37851,CVE-2025-37852,CVE-2025-37853,CVE-2025-37854,CVE-2025-37858,CVE-2025-37867,CVE-2025-37870,CVE-2025-37871,CVE-2025-37873,CVE-2025-37875,CVE-2025-37879,CVE-2025-37881,CVE-2025-37886,CVE-2025-37887,CVE-2025-37889,CVE-2025-37890,CVE-2025-37891,CVE-2025-37892,CVE-2025-37897,CVE-2025-37900,CVE-2025-37901,CVE-2025-37903,CVE-2025-37905,CVE-2025-37911,CVE-2025-37912,CVE-2025-37913,CVE-2025-37914,CVE-2025-37915,CVE-2025-37918,CVE-2025-37925,CVE-2025-37928,CVE-2025-37929,CVE-2025-37930,CVE-2025-37931,CVE-2025-37932,CVE-2025-37937,CVE-2025-37943,CVE-2025-37944,CVE-2025-37948,CVE-2025-37949,CVE-2025-37951,CVE-2025-37953,CVE-2025-37954,CVE-2025-37957,CVE-2025-37958,CVE-2025-37959,CVE-2025-37960,CVE-2025-37963,CVE-2025-37969,CVE-2025-37970,CVE-2025-37972,CVE-2025-37974,CVE-2025-37978,CVE-2025-37979,CVE-2025-37980,CVE-2025-37982,CVE-2025-37983,CVE-2025-37985,CVE-2025-37986,CVE-2025-37989,CVE-2025-37990,CVE-2025-38104,CVE-2025-38152,CVE-2025-38240,CVE-2025-38637,CVE-2025-39735,CVE-2025-40014,CVE-2025-40325
The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). - CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). 
- CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). - CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). 
- CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664).
- CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513).
- CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539).
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519).
- CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547).
- CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627).
- CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657).
- CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823).

The following non-security bugs were fixed:

- accel/qaic: Mask out SR-IOV PCI resources (stable-fixes).
- ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes).
- ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes).
- acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes).
- ACPI: HED: Always initialize before evged (stable-fixes).
- ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes).
- ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes).
- ACPI: PPTT: Fix processor subtable walk (git-fixes).
- add bug reference for an existing hv_netvsc change (bsc#1243737).
- afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes).
- afs: Make it possible to find the volumes that are using a server (git-fixes).
- ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes).
- ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes).
- ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes).
- ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes).
- ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes).
- ALSA: seq: Fix delivery of UMP events to group ports (git-fixes).
- ALSA: seq: Improve data consistency at polling (stable-fixes).
- ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes).
- ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes).
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes)
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes)
- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes)
- arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes)
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes)
- arm64: insn: Add support for encoding DSB (git-fixes)
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes)
- arm64: proton-pack: Expose whether the branchy loop k value (git-fixes)
- arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes)
- arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes).
- ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes).
- ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes).
- ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes).
- ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes).
- ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes).
- ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes).
- ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes).
- ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes).
- ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes).
- ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes).
- ASoC: ops: Enforce platform maximum on initial value (stable-fixes).
- ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes).
- ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes).
- ASoC: rt722-sdca: Add some missing readable registers (stable-fixes).
- ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes).
- ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes).
- ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes).
- ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes).
- ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes).
- ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes).
- ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes).
- ASoC: tas2764: Enable main IRQs (git-fixes).
- ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes).
- ASoC: tas2764: Power up/down amp on mute ops (stable-fixes).
- ASoC: tas2764: Reinit cache on part reset (git-fixes).
- backlight: pm8941: Add NULL check in wled_configure() (git-fixes).
- Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes).
- Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes).
- Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes).
- Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes).
- Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes).
- Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes).
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes).
- bnxt_en: Fix coredump logic to free allocated buffer (git-fixes).
- bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes).
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes).
- bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes).
- bpf: Scrub packet on bpf_redirect_peer (git-fixes).
- btrfs: adjust subpage bit start based on sectorsize (bsc#1241492).
- btrfs: avoid monopolizing a core when activating a swap file (git-fixes).
- btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342).
- btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208).
- btrfs: do not loop for nowait writes when checking for cross references (git-fixes).
- btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes).
- btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012).
- btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes).
- bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes).
- bus: fsl-mc: fix double-free on mc_dev (git-fixes).
- bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes).
- bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes).
- can: bcm: add locking for bcm_op runtime updates (git-fixes).
- can: bcm: add missing rcu read protection for procfs content (git-fixes).
- can: c_can: Use of_property_present() to test existence of DT property (stable-fixes).
- can: slcan: allow reception of short error messages (git-fixes).
- check-for-config-changes: Fix flag name typo
- cifs: change tcon status when need_reconnect is set on it (git-fixes).
- cifs: reduce warning log level for server not advertising interfaces (git-fixes).
- crypto: algif_hash - fix double free in hash_accept (git-fixes).
- crypto: lrw - Only add ecb if it is not already there (git-fixes).
- crypto: lzo - Fix compression buffer overrun (stable-fixes).
- crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes).
- crypto: marvell/cesa - Do not chain submitted requests (git-fixes).
- crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes).
- crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes).
- crypto: qat - add shutdown handler to qat_420xx (git-fixes).
- crypto: qat - add shutdown handler to qat_4xxx (git-fixes).
- crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes).
- crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes).
- crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes).
- crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes).
- crypto: xts - Only add ecb if it is not already there (git-fixes).
- devlink: fix port new reply cmd type (git-fixes).
- dlm: mask sk_shutdown value (bsc#1228854).
- dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854).
- dma-buf: insert memory barrier before updating num_fences (git-fixes).
- dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes).
- dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes).
- dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes).
- dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes).
- dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes).
- dmaengine: idxd: Fix ->poll() return value (git-fixes).
- dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes).
- dmaengine: mediatek: drop unused variable (git-fixes).
- dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes).
- dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes).
- dmaengine: ti: Add NULL check in udma_probe() (git-fixes).
- dmaengine: ti: k3-udma: Add missing locking (git-fixes).
- dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes).
- dm-integrity: fix a warning on invalid table line (git-fixes).
- Documentation: fix typo in root= kernel parameter description (git-fixes).
- Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes).
- Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes).
- Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes).
- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes).
- drm: Add valid clones check (stable-fixes).
- drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes).
- drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes).
- drm/amd/display: Avoid flooding unnecessary info messages (git-fixes).
- drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes).
- drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes).
- drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes).
- drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes).
- drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes).
- drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes).
- drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes).
- drm/amd/display: Increase block_sequence array size (stable-fixes).
- drm/amd/display: Initial psr_version with correct setting (stable-fixes).
- drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes).
- drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes).
- drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes).
- drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes).
- drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes).
- drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes).
- drm/amdgpu: fix pm notifier handling (git-fixes).
- drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes).
- drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes).
- drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes).
- drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes).
- drm/amdgpu: Update SRIOV video codec caps (stable-fixes).
- drm/amdkfd: KFD release_work possible circular locking (stable-fixes).
- drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes).
- drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes).
- drm/ast: Find VBIOS mode from regular display size (stable-fixes).
- drm/ast: Fix comment on modeset lock (git-fixes).
- drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes).
- drm: bridge: adv7511: fill stream capabilities (stable-fixes).
- drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes).
- drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes).
- drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes).
- drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes).
- drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes).
- drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes).
- drm/edid: fixed the bug that hdr metadata was not reset (git-fixes).
- drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes).
- drm/mediatek: Fix kobject put for component sub-drivers (git-fixes).
- drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes).
- drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes).
- drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes).
- drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes).
- drm/panel-edp: Add Starry 116KHD024006 (stable-fixes).
- drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes).
- drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes).
- drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes).
- drm/tegra: Assign plane type before registration (git-fixes).
- drm/tegra: Fix a possible null pointer dereference (git-fixes).
- drm/tegra: rgb: Fix the unbound reference count (git-fixes).
- drm/udl: Unregister device before cleaning up on disconnect (git-fixes).
- drm/v3d: Add clock handling (stable-fixes).
- drm/v3d: Add job to pending list if the reset was skipped (stable-fixes).
- drm/vc4: tests: Use return instead of assert (git-fixes).
- drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes).
- drm/vmwgfx: Add seqno waiter for sync_files (git-fixes).
- Drop AMDGPU patch that may cause regressions (bsc#1243782)
- exfat: fix potential wrong error return from get_block (git-fixes).
- fbcon: Use correct erase colour for clearing in fbcon (stable-fixes).
- fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes).
- fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes).
- fbdev/efifb: Remove PM for parent device (bsc#1244261).
- fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes).
- fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes).
- fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes).
- firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes).
- firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes).
- firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes).
- firmware: psci: Fix refcount leak in psci_dt_init (git-fixes).
- Fix write to cloned skb in ipv6_hop_ioam() (git-fixes).
- fpga: altera-cvp: Increase credit timeout (stable-fixes).
- gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes).
- gpio: pca953x: fix IRQ storm on system wake up (git-fixes).
- gpio: pca953x: Simplify code with cleanup helpers (stable-fixes).
- gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes).
- HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes).
- HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes).
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes).
- HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes).
- hv_netvsc: Remove rmsg_pgcnt (git-fixes).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes).
- hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes).
- hwmon: (dell-smm) Increment the number of fans (stable-fixes).
- hwmon: (gpio-fan) Add missing mutex locks (stable-fixes).
- hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes).
- i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes).
- i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes).
- i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes).
- i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes).
- i3c: master: svc: Fix missing STOP for master request (stable-fixes).
- i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes).
- IB/cm: use rwlock for MAD agent lock (git-fixes)
- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes).
- idpf: fix offloads support for encapsulated packets (git-fixes).
- idpf: fix potential memory leak on kcalloc() failure (git-fixes).
- idpf: protect shutdown from reset (git-fixes).
- ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes).
- igc: fix lock order in igc_ptp_reset (git-fixes).
- iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes).
- iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes).
- iio: adc: ad7606_spi: fix reg write value mask (git-fixes).
- iio: filter: admv8818: fix band 4, state 15 (git-fixes).
- iio: filter: admv8818: fix integer overflow (git-fixes).
- iio: filter: admv8818: fix range calculation (git-fixes).
- iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes).
- iio: imu: inv_icm42600: Fix temperature calculation (git-fixes).
- ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes).
- inetpeer: remove create argument of inet_getpeer_v() (git-fixes).
- inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes).
- Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes).
- Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes).
- Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes).
- Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes).
- Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes).
- Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes).
- Input: xpad - add more controllers (stable-fixes).
- Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes).
- Input: xpad - fix Share button on Xbox One controllers (stable-fixes).
- intel_th: avoid using deprecated page->mapping, index fields (stable-fixes).
- ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes).
- ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes).
- ipv4: Fix incorrect source address in Record Route option (git-fixes).
- ipv4: fix source address selection with route leak (git-fixes).
- ipv4: give an IPv4 dev to blackhole_netdev (git-fixes).
- ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes).
- ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). Both spellings are actually used
- ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes).
- ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes).
- ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes).
- ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes).
- ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes).
- ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes).
- ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes).
- ipv4/route: avoid unused-but-set-variable warning (git-fixes).
- ipv6: Align behavior across nexthops during path selection (git-fixes).
- ipv6: Do not consider link down nexthops in path selection (git-fixes).
- ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes).
- ipv6: Start path selection from the first nexthop (git-fixes).
- jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes).
- jffs2: check that raw node were preallocated before writing summary (git-fixes).
- jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993).
- jiffies: Define secs_to_jiffies() (bsc#1242993).
- kABI workaround for hda_codec.beep_just_power_on flag (git-fixes).
- kernel-obs-qa: Use srchash for dependency as well
- KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes).
- KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes).
- KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes).
- KVM: arm64: Mark some header functions as inline (git-fixes).
- KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes).
- KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes).
- KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes).
- KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes).
- KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes).
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes).
- KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes).
- KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes).
- KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes).
- KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes).
- KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657).
- KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658).
- KVM: SVM: Allocate IR data using atomic allocation (git-fixes).
- KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes).
- KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes).
- KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes).
- KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes).
- KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes).
- KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes).
- KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes).
- KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes).
- KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes).
- KVM: x86: Make x2APIC ID 100% readonly (git-fixes).
- KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes).
- KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes).
- KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes).
- KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes).
- leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes).
- loop: Add sanity check for read/write_iter (git-fixes).
- loop: aio inherit the ioprio of original request (git-fixes).
- loop: do not require ->write_iter for writable files in loop_configure (git-fixes).
- mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes).
- md: add a new callback pers->bitmap_sector() (git-fixes).
- md: ensure resync is prioritized over recovery (git-fixes).
- md: fix mddev uaf while iterating all_mddevs list (git-fixes).
- md: preserve KABI in struct md_personality v2 (git-fixes).
- md/raid10: fix missing discard IO accounting (git-fixes).
- md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes).
- md/raid1: Add check for missing source disk in process_checks() (git-fixes).
- md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes).
- md/raid1,raid10: do not ignore IO flags (git-fixes).
- md/raid5: implement pers->bitmap_sector() (git-fixes).
- media: adv7180: Disable test-pattern control on adv7180 (stable-fixes).
- media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes).
- media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes).
- media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes).
- media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes).
- media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes).
- media: cx231xx: set device_caps for 417 (stable-fixes).
- media: cxusb: no longer judge rbuf when the write fails (git-fixes).
- media: davinci: vpif: Fix memory leak in probe error path (git-fixes).
- media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes).
- media: i2c: imx219: Correct the minimum vblanking value (stable-fixes).
- media: imx-jpeg: Cleanup after an allocation error (git-fixes).
- media: imx-jpeg: Drop the first error frames (git-fixes).
- media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes).
- media: imx-jpeg: Reset slot data pointers when freed (git-fixes).
- media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes).
- media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes).
- media: ov5675: suppress probe deferral errors (git-fixes).
- media: ov8856: suppress probe deferral errors (git-fixes).
- media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes).
- media: rkvdec: Fix frame size enumeration (git-fixes).
- media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes).
- media: test-drivers: vivid: do not call schedule in loop (stable-fixes).
- media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes).
- media: uvcvideo: Fix deferred probing error (git-fixes).
- media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes).
- media: uvcvideo: Return the number of processed controls (git-fixes).
- media: v4l2-dev: fix error handling in __video_register_device() (git-fixes).
- media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes).
- media: venus: Fix probe error handling (git-fixes).
- media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes).
- media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes).
- media: vidtv: Terminating the subsequent process of initialization failure (git-fixes).
- media: vivid: Change the siize of the composing (git-fixes).
- mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes).
- mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes).
- mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes).
- mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes).
- mmc: host: Wait for Vdd to settle on card power off (stable-fixes).
- mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes).
- mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes).
- mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes).
- mtd: phram: Add the kernel lock down check (bsc#1232649).
- mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes).
- neighbour: delete redundant judgment statements (git-fixes).
- net: Add non-RCU dev_getbyhwaddr() helper (git-fixes).
- net: Clear old fragment checksum value in napi_reuse_skb (git-fixes).
- netdev: fix repeated netlink messages in queue dump (git-fixes).
- netdev-genl: avoid empty messages in queue dump (git-fixes).
- net: do not dump stack on queue timeout (git-fixes).
- net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes).
- net: Handle napi_schedule() calls from non-interrupt (git-fixes).
- net/handshake: Fix handshake_req_destroy_test1 (git-fixes).
- net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes).
- net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes).
- net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes).
- net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes).
- net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes).
- net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes).
- netlink: annotate data-races around sk->sk_err (git-fixes).
- net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes).
- net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes).
- net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes).
- net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes).
- net: phy: clear phydev->devlink when the link is deleted (git-fixes).
- net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes).
- net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes).
- net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes).
- netpoll: Ensure clean state on setup failures (git-fixes).
- net: qede: Initialize qede_ll_ops with designated initializer (git-fixes).
- net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes).
- net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes).
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes).
- net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes).
- net: usb: aqc111: debug info before sanitation (git-fixes).
- net: usb: aqc111: fix error handling of usbnet read calls (git-fixes).
- net: wwan: t7xx: Fix napi rx poll issue (git-fixes).
- nfsd: add list_head nf_gc to struct nfsd_file (git-fixes).
- nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes).
- NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes).
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes).
- nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes).
- nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes).
- NFS: O_DIRECT writes must check and adjust the file length (git-fixes).
- NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes).
- NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes).
- nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes).
- nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes).
- nvme: Add 'partial_nid' quirk (bsc#1241148).
- nvme: Add warning when a partiually unique NID is detected (bsc#1241148).
- nvme: fixup scan failure for non-ANA multipath controllers (git-fixes).
- nvme: multipath: fix return value of nvme_available_path (git-fixes).
- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096).
- nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148).
- nvme-pci: fix queue unquiesce check on slot_reset (git-fixes).
- nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes).
- nvme: requeue namespace scan on missed AENs (git-fixes).
- nvme: re-read ANA log page after ns scan completes (git-fixes).
- nvme-tcp: fix premature queue removal and I/O failover (git-fixes).
- nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes).
- nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes).
- nvmet-fc: inline nvmet_fc_free_hostport (git-fixes).
- nvmet-fcloop: add ref counting to lport (git-fixes).
- nvmet-fcloop: Remove remote port from list when unlinking (git-fixes).
- nvmet-fcloop: replace kref with refcount (git-fixes).
- nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes).
- nvmet-fc: take tgtport reference only once (git-fixes).
- nvmet-fc: update tgtport ref per assoc (git-fixes).
- nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes).
- nvme: unblock ctrl state transition for firmware update (git-fixes).
- objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963).
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
- octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). 
- pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). 
- qibfs: fix _another_ leak (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - Refresh fixes for cBPF issue (bsc#1242778) - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: fix invalid memory access (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'drm/amd: Keep display off while going into S4' (git-fixes). - Revert 'drm/amd: Stop evicting resources on APUs in suspend' (stable-fixes). - Revert 'rndis_host: Flag RNDIS modems as WWAN devices' (git-fixes). - Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). 
- rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: Improve CDL control (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). 
- scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). 
- smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - spi: bcm63xx-hsspi: fix shared reset (git-fixes). 
- spi: bcm63xx-spi: fix shared reset (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - Squashfs: check return result of sb_min_blocksize (git-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). 
- usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes). - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). - watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). 
- wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). 
- wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). 
The following package changes have been done: - kernel-default-base-6.4.0-30.1.21.8 updated - container:SL-Micro-base-container-2.1.3-7.10 updated From sle-container-updates at lists.suse.com Mon Jun 16 07:08:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 16 Jun 2025 09:08:51 +0200 (CEST) Subject: SUSE-IU-2025:1579-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250616070851.8211BFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1579-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.51 , suse/sl-micro/6.1/base-os-container:latest Image Release : 4.51 Severity : important Type : security References : 1220112 1223096 1226498 1228557 1228854 1229491 1230581 1231016 1232649 1232882 1233192 1234154 1235149 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240593 1240823 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242012 1242035 1242044 1242163 1242203 1242343 1242414 1242417 1242501 1242502 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242849 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242944 1242945 1242948 1242949 1242951 1242953 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242990 
1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 1243076 1243077 1243082 1243090 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243539 1243540 1243541 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243782 1243805 1243963 1244145 1244261 CVE-2023-52888 CVE-2023-53146 CVE-2024-43869 CVE-2024-46713 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21919 CVE-2025-21997 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37743 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37800 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 
CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37842 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37989 CVE-2025-37990 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-40 Released: Sun Jun 15 15:06:50 2025 Summary: Security update for the Linux Kernel Type: security Severity: important
The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). - CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). 
- CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). - CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). 
- CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). - CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). - CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823).

The following non-security bugs were fixed:

- accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes). - ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes). - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - ACPI: PPTT: Fix processor subtable walk (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes).
- ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). 
- ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). 
- bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). - bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). - bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). 
- crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). 
- dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - dm-integrity: fix a warning on invalid table line (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). - Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - drm: Add valid clones check (stable-fixes). - drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). 
- drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). 
- drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - Drop AMDGPU patch that may cause regressions (bsc#1243782) - exfat: fix potential wrong error return from get_block (git-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - fbdev/efifb: Remove PM for parent device (bsc#1244261). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). 
- fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). - gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). - HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). 
- i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). - iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). 
- Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add more controllers (stable-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - intel_th: avoid using deprecated page->mapping, index fields (stable-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). - ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). Both spellings are actually used - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - jffs2: check that raw node were preallocated before writing summary (git-fixes). 
- jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - kernel-obs-qa: Use srchash for dependency as well - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). - KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). 
- KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). - md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). 
- media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: do not call schedule in loop (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). - media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: venus: Fix probe error handling (git-fixes). 
- media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - neighbour: delete redundant judgment statements (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). 
- net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net: phy: clear phydev->devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - net: usb: aqc111: debug info before sanitation (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). 
- NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). - nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). 
- octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). 
- pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). 
- qibfs: fix _another_ leak (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - Refresh fixes for cBPF issue (bsc#1242778) - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: fix invalid memory access (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'drm/amd: Keep display off while going into S4' (git-fixes). - Revert 'drm/amd: Stop evicting resources on APUs in suspend' (stable-fixes). - Revert 'rndis_host: Flag RNDIS modems as WWAN devices' (git-fixes). - Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). 
- rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: Improve CDL control (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). 
- scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). 
- smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - spi: bcm63xx-hsspi: fix shared reset (git-fixes). 
- spi: bcm63xx-spi: fix shared reset (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - Squashfs: check return result of sb_min_blocksize (git-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). 
- usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes). - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). - watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). 
- wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). 
- wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). 
The following package changes have been done: - kernel-default-6.4.0-30.1 updated From sle-container-updates at lists.suse.com Mon Jun 16 07:09:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 16 Jun 2025 09:09:25 +0200 (CEST) Subject: SUSE-IU-2025:1580-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250616070925.0A8B2FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1580-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.50 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 4.50 Severity : important Type : security References : 1220112 1223096 1226498 1228557 1228854 1229491 1230581 1231016 1232649 1232882 1233192 1234154 1235149 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240593 1240823 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242012 1242035 1242044 1242163 1242203 1242343 1242414 1242417 1242501 1242502 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242849 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242944 1242945 1242948 1242949 1242951 1242953 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 
1243076 1243077 1243082 1243090 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243539 1243540 1243541 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243782 1243805 1243963 1244145 1244261 CVE-2023-52888 CVE-2023-53146 CVE-2024-43869 CVE-2024-46713 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21919 CVE-2025-21997 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37743 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37800 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 
CVE-2025-37841 CVE-2025-37842 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37989 CVE-2025-37990 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-40 Released: Sun Jun 15 15:06:50 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: same bug and CVE identifiers as the References field of image advisory SUSE-IU-2025:1580-1 above
The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). - CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). 
- CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). - CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). 
- CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). - CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). - CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823).

The following non-security bugs were fixed:

- accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes). - ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes). - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - ACPI: PPTT: Fix processor subtable walk (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes).
- ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). 
- ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). 
- bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). - bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). - bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). 
- crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). 
- dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - dm-integrity: fix a warning on invalid table line (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). - Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - drm: Add valid clones check (stable-fixes). - drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). 
- drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). 
- drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - Drop AMDGPU patch that may cause regressions (bsc#1243782) - exfat: fix potential wrong error return from get_block (git-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - fbdev/efifb: Remove PM for parent device (bsc#1244261). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). 
- fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). - gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). - HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). 
- i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). - iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). 
- Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add more controllers (stable-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - intel_th: avoid using deprecated page->mapping, index fields (stable-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). - ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). Both spellings are actually used - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - jffs2: check that raw node were preallocated before writing summary (git-fixes). 
- jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - kernel-obs-qa: Use srchash for dependency as well - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). - KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). 
- KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). - md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). 
- media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: do not call schedule in loop (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). - media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: venus: Fix probe error handling (git-fixes). 
- media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - neighbour: delete redundant judgment statements (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). 
- net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net: phy: clear phydev->devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - net: usb: aqc111: debug info before sanitation (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). 
- NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). - nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). 
- octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). 
- pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). 
- qibfs: fix _another_ leak (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - Refresh fixes for cBPF issue (bsc#1242778) - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: fix invalid memory access (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'drm/amd: Keep display off while going into S4' (git-fixes). - Revert 'drm/amd: Stop evicting resources on APUs in suspend' (stable-fixes). - Revert 'rndis_host: Flag RNDIS modems as WWAN devices' (git-fixes). - Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). 
- rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: Improve CDL control (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). 
- scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). 
- smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - spi: bcm63xx-hsspi: fix shared reset (git-fixes). 
- spi: bcm63xx-spi: fix shared reset (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - Squashfs: check return result of sb_min_blocksize (git-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). 
- usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes). - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). - watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). 
- wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). 
- wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). 
The following package changes have been done: - kernel-default-base-6.4.0-30.1.21.8 updated - container:SL-Micro-base-container-2.2.0-4.51 updated From sle-container-updates at lists.suse.com Mon Jun 16 12:11:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 16 Jun 2025 14:11:31 +0200 (CEST) Subject: SUSE-CU-2025:4330-1: Security update of suse/kubectl Message-ID: <20250616121131.372BCFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/kubectl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4330-1 Container Tags : suse/kubectl:1.31 , suse/kubectl:1.31.9 , suse/kubectl:1.31.9-2.36.1 , suse/kubectl:oldstable , suse/kubectl:oldstable-2.36.1 Container Release : 36.1 Severity : moderate Type : security References : 1241781 CVE-2025-22872 ----------------------------------------------------------------- The container suse/kubectl was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-OU-2025:996-1 Released: Mon Mar 24 18:06:54 2025 Summary: Feature update for kubernetes-client Type: optional Severity: moderate References: This update for the kubernetes client fixes the following issues: This update ships the kubernetes 1.31.6 client. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1945-1 Released: Fri Jun 13 12:16:34 2025 Summary: Security update for kubernetes-old Type: security Severity: moderate References: 1241781,CVE-2025-22872 This update for kubernetes-old fixes the following issues: - CVE-2025-22872: Fixed golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction (bsc#1241781) This update to version 1.31.9 (jsc#PED-11105) * Find full changelog https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md#v1319 The following package changes have been done: - kubernetes1.31-client-1.31.9-150600.13.10.1 added - kubernetes1.31-client-common-1.31.9-150600.13.10.1 added - container:suse-sle15-15.6-9915f065a551ffb0d36733cc7815ef280d67263747176daae70f34a7daf3aeb2-0 updated - kubernetes1.29-client-1.29.14-150600.13.4.1 removed - kubernetes1.29-client-common-1.29.14-150600.13.4.1 removed From sle-container-updates at lists.suse.com Mon Jun 16 12:11:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Mon, 16 Jun 2025 14:11:37 +0200 (CEST) Subject: SUSE-CU-2025:4331-1: Recommended update of suse/kubectl Message-ID: <20250616121137.90E3CFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/kubectl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4331-1 Container Tags : suse/kubectl:1.33 , suse/kubectl:1.33.1 , suse/kubectl:1.33.1-1.36.1 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.36.1 Container Release : 36.1 Severity : moderate Type : recommended References : ----------------------------------------------------------------- The container suse/kubectl was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1947-1 Released: Fri Jun 13 12:17:32 2025 Summary: Recommended update for kubernetes client Type: recommended Severity: moderate References: This update for kubernetes fixes the following issues: kubernetes client version 1.33.1 (jsc#PED-11106) * Find full changelog https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.33.md#v1331 The following package changes have been done: - kubernetes1.33-client-1.33.1-150600.13.10.1 added - kubernetes1.33-client-common-1.33.1-150600.13.10.1 added - kubernetes1.31-client-1.31.9-150600.13.10.1 removed - kubernetes1.31-client-common-1.31.9-150600.13.10.1 removed From sle-container-updates at lists.suse.com Tue Jun 17 07:04:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 17 Jun 2025 09:04:38 +0200 (CEST) Subject: SUSE-IU-2025:1582-1: Security update of suse/sle-micro/rt-5.5 Message-ID: <20250617070438.1CF19FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1582-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.402 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.402 Severity : important Type : security References : 1184350 1193629 1204562 1204569 1204619 1204705 1205282 1206051 1206073 1206649 1206843 1206886 1206887 1207361 1208105 1208542 1209292 1209556 1209684 1209780 1209980 1210337 1210763 1210767 1211465 1213012 1213013 1213094 1213096 1213233 1213946 1214991 1218470 1222629 1223096 1225903 1232649 1234395 1234887 1235100 1235870 1240802 1241525 1242146 1242147 1242150 1242151 1242154 1242157 1242158 1242160 1242164 1242165 1242169 1242215 1242217 1242218 1242219 1242222 1242224 1242226 1242227 1242228 1242229 1242230 1242231 1242232 1242237
1242239 1242240 1242241 1242244 1242245 1242248 1242249 1242261 1242264 1242265 1242270 1242276 1242278 1242279 1242280 1242281 1242282 1242285 1242286 1242289 1242294 1242295 1242298 1242302 1242305 1242311 1242312 1242320 1242338 1242349 1242351 1242352 1242353 1242355 1242357 1242358 1242359 1242360 1242361 1242365 1242366 1242369 1242370 1242371 1242372 1242377 1242378 1242380 1242381 1242382 1242385 1242387 1242389 1242391 1242392 1242393 1242394 1242398 1242399 1242400 1242402 1242403 1242405 1242406 1242409 1242410 1242411 1242415 1242416 1242421 1242422 1242425 1242426 1242428 1242440 1242443 1242448 1242449 1242452 1242453 1242454 1242455 1242456 1242458 1242464 1242465 1242467 1242469 1242473 1242474 1242478 1242481 1242484 1242489 1242497 1242527 1242542 1242544 1242545 1242547 1242548 1242549 1242550 1242551 1242558 1242570 1242580 1242586 1242589 1242596 1242597 1242685 1242686 1242688 1242689 1242695 1242716 1242733 1242734 1242735 1242736 1242739 1242740 1242743 1242744 1242745 1242746 1242747 1242748 1242749 1242751 1242752 1242753 1242756 1242759 1242762 1242765 1242767 1242778 1242779 1242790 1242791 1243047 1243133 1243737 1243919 CVE-2022-3564 CVE-2022-3619 CVE-2022-3640 CVE-2022-49762 CVE-2022-49763 CVE-2022-49769 CVE-2022-49770 CVE-2022-49771 CVE-2022-49772 CVE-2022-49773 CVE-2022-49775 CVE-2022-49776 CVE-2022-49777 CVE-2022-49779 CVE-2022-49781 CVE-2022-49783 CVE-2022-49784 CVE-2022-49786 CVE-2022-49787 CVE-2022-49788 CVE-2022-49789 CVE-2022-49790 CVE-2022-49792 CVE-2022-49793 CVE-2022-49794 CVE-2022-49795 CVE-2022-49796 CVE-2022-49797 CVE-2022-49799 CVE-2022-49800 CVE-2022-49801 CVE-2022-49802 CVE-2022-49807 CVE-2022-49809 CVE-2022-49810 CVE-2022-49812 CVE-2022-49813 CVE-2022-49818 CVE-2022-49821 CVE-2022-49822 CVE-2022-49823 CVE-2022-49824 CVE-2022-49825 CVE-2022-49826 CVE-2022-49827 CVE-2022-49830 CVE-2022-49832 CVE-2022-49834 CVE-2022-49835 CVE-2022-49836 CVE-2022-49837 CVE-2022-49839 CVE-2022-49841 CVE-2022-49842 CVE-2022-49845 
CVE-2022-49846 CVE-2022-49850 CVE-2022-49853 CVE-2022-49858 CVE-2022-49860 CVE-2022-49861 CVE-2022-49863 CVE-2022-49864 CVE-2022-49865 CVE-2022-49868 CVE-2022-49869 CVE-2022-49870 CVE-2022-49871 CVE-2022-49874 CVE-2022-49879 CVE-2022-49880 CVE-2022-49881 CVE-2022-49885 CVE-2022-49886 CVE-2022-49887 CVE-2022-49888 CVE-2022-49889 CVE-2022-49890 CVE-2022-49891 CVE-2022-49892 CVE-2022-49900 CVE-2022-49901 CVE-2022-49902 CVE-2022-49905 CVE-2022-49906 CVE-2022-49908 CVE-2022-49909 CVE-2022-49910 CVE-2022-49915 CVE-2022-49916 CVE-2022-49917 CVE-2022-49918 CVE-2022-49921 CVE-2022-49922 CVE-2022-49923 CVE-2022-49924 CVE-2022-49925 CVE-2022-49927 CVE-2022-49928 CVE-2022-49929 CVE-2022-49931 CVE-2023-1990 CVE-2023-28866 CVE-2023-53035 CVE-2023-53036 CVE-2023-53038 CVE-2023-53039 CVE-2023-53040 CVE-2023-53041 CVE-2023-53042 CVE-2023-53044 CVE-2023-53045 CVE-2023-53049 CVE-2023-53052 CVE-2023-53054 CVE-2023-53056 CVE-2023-53057 CVE-2023-53058 CVE-2023-53059 CVE-2023-53060 CVE-2023-53062 CVE-2023-53064 CVE-2023-53065 CVE-2023-53066 CVE-2023-53068 CVE-2023-53070 CVE-2023-53071 CVE-2023-53073 CVE-2023-53074 CVE-2023-53075 CVE-2023-53077 CVE-2023-53078 CVE-2023-53079 CVE-2023-53081 CVE-2023-53082 CVE-2023-53084 CVE-2023-53087 CVE-2023-53089 CVE-2023-53090 CVE-2023-53091 CVE-2023-53092 CVE-2023-53093 CVE-2023-53095 CVE-2023-53096 CVE-2023-53098 CVE-2023-53099 CVE-2023-53100 CVE-2023-53101 CVE-2023-53102 CVE-2023-53105 CVE-2023-53106 CVE-2023-53108 CVE-2023-53109 CVE-2023-53111 CVE-2023-53112 CVE-2023-53114 CVE-2023-53116 CVE-2023-53118 CVE-2023-53119 CVE-2023-53123 CVE-2023-53124 CVE-2023-53125 CVE-2023-53128 CVE-2023-53131 CVE-2023-53134 CVE-2023-53137 CVE-2023-53139 CVE-2023-53140 CVE-2023-53142 CVE-2023-53143 CVE-2023-53145 CVE-2024-26804 CVE-2024-53168 CVE-2024-56558 CVE-2025-21999 CVE-2025-22056 CVE-2025-23145 CVE-2025-37789 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1966-1 Released: Mon Jun 16 16:55:48 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1184350,1193629,1204562,1204569,1204619,1204705,1205282,1206051,1206073,1206649,1206843,1206886,1206887,1207361,1208105,1208542,1209292,1209556,1209684,1209780,1209980,1210337,1210763,1210767,1211465,1213012,1213013,1213094,1213096,1213233,1213946,1214991,1218470,1222629,1223096,1225903,1232649,1234395,1234887,1235100,1235870,1240802,1241525,1242146,1242147,1242150,1242151,1242154,1242157,1242158,1242160,1242164,1242165,1242169,1242215,1242217,1242218,1242219,1242222,1242224,1242226,1242227,1242228,1242229,1242230,1242231,1242232,1242237,1242239,1242240,1242241,1242244,1242245,1242248,1242249,1242261,1242264,1242265,1242270,1242276,1242278,1242279,1242280,1242281,1242282,1242285,1242286,1242289,1242294,1242295,1242298,1242302,1242305,1242311,1242312,1242320,1242338,1242349,1242351,1242352,1242353,1242355,1242357,1242358,1242359,1242360,1242361,1242365,1242366,1242369,1242370,1242371,1242372,1242377,1242378,1242380,1242381,1242382,1242385,1242387,1242389,1242391,1242392,
1242393,1242394,1242398,1242399,1242400,1242402,1242403,1242405,1242406,1242409,1242410,1242411,1242415,1242416,1242421,1242422,1242425,1242426,1242428,1242440,1242443,1242448,1242449,1242452,1242453,1242454,1242455,1242456,1242458,1242464,1242465,1242467,1242469,1242473,1242474,1242478,1242481,1242484,1242489,1242497,1242527,1242542,1242544,1242545,1242547,1242548,1242549,1242550,1242551,1242558,1242570,1242580,1242586,1242589,1242596,1242597,1242685,1242686,1242688,1242689,1242695,1242716,1242733,1242734,1242735,1242736,1242739,1242740,1242743,1242744,1242745,1242746,1242747,1242748,1242749,1242751,1242752,1242753,1242756,1242759,1242762,1242765,1242767,1242778,1242779,1242790,1242791,1243047,1243133,1243737,1243919,CVE-2022-3564,CVE-2022-3619,CVE-2022-3640,CVE-2022-49762,CVE-2022-49763,CVE-2022-49769,CVE-2022-49770,CVE-2022-49771,CVE-2022-49772,CVE-2022-49773,CVE-2022-49775,CVE-2022-49776,CVE-2022-49777,CVE-2022-49779,CVE-2022-49781,CVE-2022-49783,CVE-2022-49784,CVE-2022-49786,CVE-2022-49787,CVE-2022-49788,CVE-2022-49789,CVE-2022-49790,CVE-2022-49792,CVE-2022-49793,CVE-2022-49794,CVE-2022-49795,CVE-2022-49796,CVE-2022-49797,CVE-2022-49799,CVE-2022-49800,CVE-2022-49801,CVE-2022-49802,CVE-2022-49807,CVE-2022-49809,CVE-2022-49810,CVE-2022-49812,CVE-2022-49813,CVE-2022-49818,CVE-2022-49821,CVE-2022-49822,CVE-2022-49823,CVE-2022-49824,CVE-2022-49825,CVE-2022-49826,CVE-2022-49827,CVE-2022-49830,CVE-2022-49832,CVE-2022-49834,CVE-2022-49835,CVE-2022-49836,CVE-2022-49837,CVE-2022-49839,CVE-2022-49841,CVE-2022-49842,CVE-2022-49845,CVE-2022-49846,CVE-2022-49850,CVE-2022-49853,CVE-2022-49858,CVE-2022-49860,CVE-2022-49861,CVE-2022-49863,CVE-2022-49864,CVE-2022-49865,CVE-2022-49868,CVE-2022-49869,CVE-2022-49870,CVE-2022-49871,CVE-2022-49874,CVE-2022-49879,CVE-2022-49880,CVE-2022-49881,CVE-2022-49885,CVE-2022-49886,CVE-2022-49887,CVE-2022-49888,CVE-2022-49889,CVE-2022-49890,CVE-2022-49891,CVE-2022-49892,CVE-2022-49900,CVE-2022-49901,CVE-2022-49902,CVE-2022-49905,
CVE-2022-49906,CVE-2022-49908,CVE-2022-49909,CVE-2022-49910,CVE-2022-49915,CVE-2022-49916,CVE-2022-49917,CVE-2022-49918,CVE-2022-49921,CVE-2022-49922,CVE-2022-49923,CVE-2022-49924,CVE-2022-49925,CVE-2022-49927,CVE-2022-49928,CVE-2022-49929,CVE-2022-49931,CVE-2023-1990,CVE-2023-28866,CVE-2023-53035,CVE-2023-53036,CVE-2023-53038,CVE-2023-53039,CVE-2023-53040,CVE-2023-53041,CVE-2023-53042,CVE-2023-53044,CVE-2023-53045,CVE-2023-53049,CVE-2023-53052,CVE-2023-53054,CVE-2023-53056,CVE-2023-53057,CVE-2023-53058,CVE-2023-53059,CVE-2023-53060,CVE-2023-53062,CVE-2023-53064,CVE-2023-53065,CVE-2023-53066,CVE-2023-53068,CVE-2023-53070,CVE-2023-53071,CVE-2023-53073,CVE-2023-53074,CVE-2023-53075,CVE-2023-53077,CVE-2023-53078,CVE-2023-53079,CVE-2023-53081,CVE-2023-53082,CVE-2023-53084,CVE-2023-53087,CVE-2023-53089,CVE-2023-53090,CVE-2023-53091,CVE-2023-53092,CVE-2023-53093,CVE-2023-53095,CVE-2023-53096,CVE-2023-53098,CVE-2023-53099,CVE-2023-53100,CVE-2023-53101,CVE-2023-53102,CVE-2023-53105,CVE-2023-53106,CVE-2023-53108,CVE-2023-53109,CVE-2023-53111,CVE-2023-53112,CVE-2023-53114,CVE-2023-53116,CVE-2023-53118,CVE-2023-53119,CVE-2023-53123,CVE-2023-53124,CVE-2023-53125,CVE-2023-53128,CVE-2023-53131,CVE-2023-53134,CVE-2023-53137,CVE-2023-53139,CVE-2023-53140,CVE-2023-53142,CVE-2023-53143,CVE-2023-53145,CVE-2024-26804,CVE-2024-53168,CVE-2024-56558,CVE-2025-21999,CVE-2025-22056,CVE-2025-23145,CVE-2025-37789 The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-49775: tcp: cdg: allow tcp_cdg_release() to be called multiple times (bsc#1242245). - CVE-2024-53168: net: make sock_inuse_add() available (bsc#1234887). - CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1235100). - CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).

The following non-security bugs were fixed:

- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (bsc#1243737).
- Remove debug flavor (bsc#1243919).
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778).
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778).
- arm64: insn: Add support for encoding DSB (bsc#1242778).
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778).
- arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778).
- arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737).
- hv_netvsc: Remove rmsg_pgcnt (bsc#1243737).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (bsc#1243737).
- mtd: phram: Add the kernel lock down check (bsc#1232649).
- net :mana :Add remaining GDMA stats for MANA to ethtool (bsc#1234395).
- net :mana :Request a V2 response version for MANA_QUERY_GF_STAT (bsc#1234395).
- net: mana: Add gdma stats to ethtool output for mana (bsc#1234395).
- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (bsc#1223096).
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
- powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531).
- scsi: core: Fix unremoved procfs host directory regression (git-fixes).
- tcp: Dump bound-only sockets in inet_diag (bsc#1204562).
- tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).

The following package changes have been done:

- kernel-rt-5.14.21-150500.13.97.1 updated

From sle-container-updates at lists.suse.com Tue Jun 17 07:05:47 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 17 Jun 2025 09:05:47 +0200 (CEST)
Subject: SUSE-IU-2025:1583-1: Security update of suse/sl-micro/6.0/rt-os-container
Message-ID: <20250617070547.E2DA0FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sl-micro/6.0/rt-os-container
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1583-1
Image Tags : suse/sl-micro/6.0/rt-os-container:2.1.3 , suse/sl-micro/6.0/rt-os-container:2.1.3-7.43 , suse/sl-micro/6.0/rt-os-container:latest
Image Release : 7.43
Severity : important
Type : security
References : 1215199 1220112 1223096 1226498 1228557 1228854 1229491 1230581 1231016 1232504 1232649 1232882 1233192 1234154 1235149 1235728 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240180 1240593 1240723 1240823 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241617 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242012 1242035 1242044 1242086 1242163 1242203 1242343 1242414 1242417 1242501 1242502 1242504 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242573 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242846 1242849 1242850 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242940 1242944 1242945 1242946
1242948 1242949 1242951 1242953 1242954 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242982 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 1243076 1243077 1243082 1243090 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243475 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243537 1243539 1243540 1243541 1243542 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243571 1243572 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243628 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243782 1243805 1243836 1243963 1244145 1244261 CVE-2023-52888 CVE-2023-53146 CVE-2024-43869 CVE-2024-46713 CVE-2024-49568 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21868 CVE-2025-21919 CVE-2025-21938 CVE-2025-21997 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22113 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23155 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37738 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37743 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37752 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 
CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37800 CVE-2025-37801 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37842 CVE-2025-37844 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37862 CVE-2025-37865 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37874 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37917 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37933 CVE-2025-37936 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37967 CVE-2025-37968 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37987 CVE-2025-37989 CVE-2025-37990 CVE-2025-37998 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 ----------------------------------------------------------------- The container suse/sl-micro/6.0/rt-os-container was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: kernel-42
Released: Mon Jun 16 17:33:59 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: identical to the References list of image advisory SUSE-IU-2025:1583-1 above

The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557).
- CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581).
- CVE-2024-49568: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (bsc#1235728).
- CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192).
- CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154).
- CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992).
- CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774).
- CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473).
- CVE-2025-21868: kABI workaround for adding an header (bsc#1240180).
- CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593).
- CVE-2025-21938: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr (bsc#1240723).
- CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823).
- CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282).
- CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376).
- CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
- CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533).
- CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351).
- CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305).
- CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448).
- CVE-2025-22113: ext4: define ext4_journal_destroy wrapper (bsc#1241617).
- CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763).
- CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513).
- CVE-2025-23155: net: stmmac: Fix accessing freed irq affinity_hint (bsc#1242573).
- CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507).
- CVE-2025-37738: ext4: ignore xattrs past end (bsc#1242846).
- CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163).
- CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523).
- CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859).
- CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510).
- CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504).
- CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506).
- CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502).
- CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786).
- CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585).
- CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509).
- CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417).
- CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849).
- CVE-2025-37801: spi: spi-imx: Add check for spi_imx_setupxfer() (bsc#1242850).
- CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852).
- CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854).
- CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856).
- CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866).
- CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
- CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867).
- CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875).
- CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860).
- CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861).
- CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868).
- CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951).
- CVE-2025-37844: cifs: avoid NULL pointer dereference in dbg call (bsc#1242946).
- CVE-2025-37862: HID: pidff: Fix null pointer dereference in pidff_find_fields (bsc#1242982).
- CVE-2025-37865: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported (bsc#1242954).
- CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056).
- CVE-2025-37874: net: ngbe: fix memory leak in ngbe_probe() error path (bsc#1242940).
- CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077).
- CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944).
- CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962).
- CVE-2025-37917: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (bsc#1243475).
- CVE-2025-37933: octeon_ep: Fix host hang issue during device reboot (bsc#1243628).
- CVE-2025-37936: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (bsc#1243537).
- CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541).
- CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664).
- CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513).
- CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539).
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519).
- CVE-2025-37967: usb: typec: ucsi: displayport: Fix deadlock (bsc#1243572).
- CVE-2025-37968: iio: light: opt3001: fix deadlock due to concurrent flag access (bsc#1243571).
- CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547).
- CVE-2025-37987: pds_core: Prevent possible adminq overflow/stuck condition (bsc#1243542).
- CVE-2025-37998: openvswitch: Fix unsafe attribute parsing in output_userspace() (bsc#1243836).
- CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627).
- CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657).

The following non-security bugs were fixed:

- ACPI: HED: Always initialize before evged (stable-fixes).
- ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes).
- ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes).
- ACPI: PPTT: Fix processor subtable walk (git-fixes).
- ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes).
- ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes).
- ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes).
- ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes).
- ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes).
- ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes).
- ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes).
- ALSA: seq: Fix delivery of UMP events to group ports (git-fixes).
- ALSA: seq: Improve data consistency at polling (stable-fixes).
- ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes).
- ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes).
- ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes).
- ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes).
- ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes).
- ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes).
- ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes).
- ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes).
- ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes).
- ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes).
- ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes).
- ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes).
- ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes).
- ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes).
- ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes).
- ASoC: ops: Enforce platform maximum on initial value (stable-fixes).
- ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes).
- ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes).
- ASoC: rt722-sdca: Add some missing readable registers (stable-fixes).
- ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes).
- ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes).
- ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes).
- ASoC: tas2764: Enable main IRQs (git-fixes).
- ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes).
- ASoC: tas2764: Power up/down amp on mute ops (stable-fixes).
- ASoC: tas2764: Reinit cache on part reset (git-fixes).
- ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes).
- Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes).
- Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes).
- Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes).
- Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes).
- Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes).
- Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes).
- Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes).
- Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes).
- Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes).
- Documentation: fix typo in root= kernel parameter description (git-fixes).
- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes).
- Drop AMDGPU patch that may cause regressions (bsc#1243782)
- Fix write to cloned skb in ipv6_hop_ioam() (git-fixes).
- HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes).
- HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes).
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes).
- HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes).
- IB/cm: use rwlock for MAD agent lock (git-fixes)
- Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes).
- Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes).
- Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes).
- Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes).
- Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes).
- Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes).
- Input: xpad - add more controllers (stable-fixes).
- Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes).
- Input: xpad - fix Share button on Xbox One controllers (stable-fixes).
- KVM: SVM: Allocate IR data using atomic allocation (git-fixes).
- KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes).
- KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes).
- KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes).
- KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes).
- KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes).
- KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes).
- KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes).
- KVM: arm64: Mark some header functions as inline (git-fixes).
- KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes).
- KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes).
- KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes).
- KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes).
- KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes).
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes).
- KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes).
- KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes).
- KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes).
- KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes).
- KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199).
- KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657).
- KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658).
- KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes).
- KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes).
- KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes).
- KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes).
- KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes).
- KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes).
- KVM: x86: Make x2APIC ID 100% readonly (git-fixes).
- KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes).
- KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes).
- KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes).
- Move upstreamed patches into sorted section
- Move upstreamed tpm patch into sorted section
- NFS: Do not allow waiting for exiting tasks (git-fixes).
- NFS: O_DIRECT writes must check and adjust the file length (git-fixes).
- NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes).
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes).
- NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes).
- NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes).
- NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes).
- NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes).
- PCI/DPC: Initialize aer_err_info before using it (git-fixes).
- PCI: Explicitly put devices into D0 when initializing (git-fixes).
- PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes).
- PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes).
- PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes).
- PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes).
- PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes).
- PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes).
- PCI: cadence: Fix runtime atomic count underflow (git-fixes).
- PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes).
- PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes).
- PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes).
- PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes).
- PM: sleep: Print PM debug messages during hibernation (git-fixes).
- PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes).
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes)
- RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes)
- RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes)
- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes)
- RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes)
- RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes)
- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes)
- Refresh fixes for cBPF issue (bsc#1242778)
- Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes).
- Revert 'drm/amd: Keep display off while going into S4' (git-fixes).
- Revert 'drm/amd: Stop evicting resources on APUs in suspend' (stable-fixes).
- Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes).
- Revert 'rndis_host: Flag RNDIS modems as WWAN devices' (git-fixes).
- Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes).
- SUNRPC: Do not allow waiting for exiting tasks (git-fixes).
- SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes).
- SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes).
- SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes).
- Squashfs: check return result of sb_min_blocksize (git-fixes).
- VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes).
- Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes).
- accel/qaic: Mask out SR-IOV PCI resources (stable-fixes).
- acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes).
- add bug reference for an existing hv_netvsc change (bsc#1243737).
- afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes).
- afs: Make it possible to find the volumes that are using a server (git-fixes).
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes)
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes)
- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes)
- arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes)
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes)
- arm64: insn: Add support for encoding DSB (git-fixes)
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes)
- arm64: proton-pack: Expose whether the branchy loop k value (git-fixes)
- arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes)
- arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes).
- backlight: pm8941: Add NULL check in wled_configure() (git-fixes).
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes).
- bnxt_en: Fix coredump logic to free allocated buffer (git-fixes).
- bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes).
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes).
- bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). - crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). 
- crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dm-integrity: fix a warning on invalid table line (git-fixes). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). - dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). 
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). - drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). 
- drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). - drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). 
- drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - drm: Add valid clones check (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - exfat: fix potential wrong error return from get_block (git-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev/efifb: Remove PM for parent device (bsc#1244261). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). 
- gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i2c: tegra: check msg length in SMBUS block read (bsc#1242086) - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). - i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). 
- iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - intel_th: avoid using deprecated page->mapping, index fields (stable-fixes). - iommu: Protect against overflow in iommu_pgsize() (git-fixes). - ip6mr: fix tables suspicious RCU usage (git-fixes). - ip_tunnel: annotate data-races around t->parms.link (git-fixes). - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes). - ipmr: fix tables suspicious RCU usage (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). - ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Convert ip_route_input() to dscp_t (git-fixes). - ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). 
- ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - ipv6: save dontfrag in cork (git-fixes). - ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes). - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - jffs2: check that raw node were preallocated before writing summary (git-fixes). - jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - kABI: ipv6: save dontfrag in cork (git-fixes). - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). - md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). 
- media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: do not call schedule in loop (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). 
- media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: venus: Fix probe error handling (git-fixes). - media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - neighbour: Do not let neigh_forced_gc() disable preemption for long (git-fixes). - neighbour: delete redundant judgment statements (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). - net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). 
- net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net/neighbor: clear error in case strict check is not set (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: add rcu safety to rtnl_prop_list_size() (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: fix udp gso skb_segment after pull from frag_list (git-fixes). - net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: ipv4: fix a memleak in ip_setup_cork (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - net: linkwatch: use system_unbound_wq (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net: page_pool: fix warning code (git-fixes). - net: phy: clear phydev->devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). - net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes). - net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes). - net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes). - net: sched: fix erspan_opt settings in cls_flower (git-fixes). 
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - net: usb: aqc111: debug info before sanitation (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504) - netdev-genl: Hold rcu_read_lock in napi_get (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes). - netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). 
- nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). - nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - orangefs: Do not truncate file size (git-fixes). - pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). 
- phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). - pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199). - pstore: Change kmsg_bytes storage size to u32 (git-fixes). 
- qibfs: fix _another_ leak (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - regulator: max20086: fix invalid memory access (git-fixes). - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). 
- s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - scsi: Improve CDL control (git-fixes). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). 
- scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). - smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). 
- smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - spi: bcm63xx-hsspi: fix shared reset (git-fixes). - spi: bcm63xx-spi: fix shared reset (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes). - tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes). 
- tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog (git-fixes). - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - udp: annotate data-races around up->pending (git-fixes). - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes). - udp: fix receiving fraglist GSO packets (git-fixes). - udp: preserve the connected status if only UDP cmsg (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). - usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes). - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). 
- watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). 
- wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). 
- x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). - xsk: always clear DMA mapping information when unmapping the pool (git-fixes). 
The following package changes have been done: - kernel-rt-6.4.0-33.1 updated From sle-container-updates at lists.suse.com Tue Jun 17 07:06:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 17 Jun 2025 09:06:26 +0200 (CEST) Subject: SUSE-IU-2025:1584-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20250617070626.797AEFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1584-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.0 , suse/sl-micro/6.1/rt-os-container:2.2.0-4.57 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 4.57 Severity : important Type : security References : 1215199 1220112 1223096 1226498 1228557 1228854 1229491 1230581 1231016 1232504 1232649 1232882 1233192 1234154 1235149 1235728 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240180 1240593 1240723 1240823 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241617 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242012 1242035 1242044 1242086 1242163 1242203 1242343 1242414 1242417 1242501 1242502 1242504 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242573 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242846 1242849 1242850 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242940 1242944 1242945 1242946 1242948 1242949 1242951 1242953 1242954 1242955 1242957 1242959 1242961 1242962 
1242973 1242974 1242977 1242982 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 1243076 1243077 1243082 1243090 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243475 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243537 1243539 1243540 1243541 1243542 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243571 1243572 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243628 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243782 1243805 1243836 1243963 1244145 1244261 CVE-2023-52888 CVE-2023-53146 CVE-2024-43869 CVE-2024-46713 CVE-2024-49568 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21868 CVE-2025-21919 CVE-2025-21938 CVE-2025-21997 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22113 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23155 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37738 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37743 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37752 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37800 
CVE-2025-37801 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37842 CVE-2025-37844 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37862 CVE-2025-37865 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37874 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37917 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37933 CVE-2025-37936 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37967 CVE-2025-37968 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37987 CVE-2025-37989 CVE-2025-37990 CVE-2025-37998 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: kernel-42 Released: Mon Jun 16 17:33:59 2025 Summary: Security update for the Linux Kernel Type: security Severity: important The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557).
- CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-49568: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (bsc#1235728). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). - CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21868: kABI workaround for adding an header (bsc#1240180). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-21938: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr (bsc#1240723). - CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-22113: ext4: define ext4_journal_destroy wrapper (bsc#1241617). 
- CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23155: net: stmmac: Fix accessing freed irq affinity_hint (bsc#1242573). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37738: ext4: ignore xattrs past end (bsc#1242846). - CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). - CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). - CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849). - CVE-2025-37801: spi: spi-imx: Add check for spi_imx_setupxfer() (bsc#1242850). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). 
- CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37844: cifs: avoid NULL pointer dereference in dbg call (bsc#1242946). - CVE-2025-37862: HID: pidff: Fix null pointer dereference in pidff_find_fields (bsc#1242982). - CVE-2025-37865: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported (bsc#1242954). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37874: net: ngbe: fix memory leak in ngbe_probe() error path (bsc#1242940). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37917: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (bsc#1243475). - CVE-2025-37933: octeon_ep: Fix host hang issue during device reboot (bsc#1243628). - CVE-2025-37936: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (bsc#1243537). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). - CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). 
- CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). - CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37967: usb: typec: ucsi: displayport: Fix deadlock (bsc#1243572). - CVE-2025-37968: iio: light: opt3001: fix deadlock due to concurrent flag access (bsc#1243571). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-37987: pds_core: Prevent possible adminq overflow/stuck condition (bsc#1243542). - CVE-2025-37998: openvswitch: Fix unsafe attribute parsing in output_userspace() (bsc#1243836). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). The following non-security bugs were fixed: - ACPI: HED: Always initialize before evged (stable-fixes). - ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - ACPI: PPTT: Fix processor subtable walk (git-fixes). - ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes). - ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes). - ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). 
- ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). 
- ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). - Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - Drop AMDGPU patch that may cause regressions (bsc#1243782) - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). - HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). 
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). - Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add more controllers (stable-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). - KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). 
- KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). - KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - Move upstreamed patches into sorted section - Move upstreamed tpm patch into sorted section - NFS: Do not allow waiting for exiting tasks (git-fixes). - NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). - NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). 
- PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - PM: sleep: Print PM debug messages during hibernation (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - Refresh fixes for cBPF issue (bsc#1242778) - Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes). - Revert 'drm/amd: Keep display off while going into S4' (git-fixes). - Revert 'drm/amd: Stop evicting resources on APUs in suspend' (stable-fixes). - Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes). - Revert 'rndis_host: Flag RNDIS modems as WWAN devices' (git-fixes). - Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes). 
- SUNRPC: Do not allow waiting for exiting tasks (git-fixes). - SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes). - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes). - SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes). - Squashfs: check return result of sb_min_blocksize (git-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). - bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). - bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). 
- bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). - crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). 
- crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dlm: mask sk_shutdown value (bsc#1228854). - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dm-integrity: fix a warning on invalid table line (git-fixes). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). - dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). 
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). - drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). 
- drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). - drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). 
- drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - drm: Add valid clones check (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - exfat: fix potential wrong error return from get_block (git-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev/efifb: Remove PM for parent device (bsc#1244261). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). 
- gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i2c: tegra: check msg length in SMBUS block read (bsc#1242086) - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). - i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). 
- iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - intel_th: avoid using deprecated page->mapping, index fields (stable-fixes). - iommu: Protect against overflow in iommu_pgsize() (git-fixes). - ip6mr: fix tables suspicious RCU usage (git-fixes). - ip_tunnel: annotate data-races around t->parms.link (git-fixes). - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes). - ipmr: fix tables suspicious RCU usage (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). - ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Convert ip_route_input() to dscp_t (git-fixes). - ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). Both spellings are actually used - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). 
- ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - ipv6: save dontfrag in cork (git-fixes). - ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes). - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - jffs2: check that raw node were preallocated before writing summary (git-fixes). - jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - kABI: ipv6: save dontfrag in cork (git-fixes). - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). - md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). 
- media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: do not call schedule in loop (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). 
- media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: venus: Fix probe error handling (git-fixes). - media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - neighbour: Do not let neigh_forced_gc() disable preemption for long (git-fixes). - neighbour: delete redundant judgment statements (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). - net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). 
- net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net/neighbor: clear error in case strict check is not set (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: add rcu safety to rtnl_prop_list_size() (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: fix udp gso skb_segment after pull from frag_list (git-fixes). - net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: ipv4: fix a memleak in ip_setup_cork (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - net: linkwatch: use system_unbound_wq (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net: page_pool: fix warning code (git-fixes). - net: phy: clear phydev->devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). - net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes). - net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes). - net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes). - net: sched: fix erspan_opt settings in cls_flower (git-fixes). 
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - net: usb: aqc111: debug info before sanitation (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504) - netdev-genl: Hold rcu_read_lock in napi_get (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes). - netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). 
- nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). - nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - orangefs: Do not truncate file size (git-fixes). - pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). 
- phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes). - pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199). - pstore: Change kmsg_bytes storage size to u32 (git-fixes). 
- qibfs: fix _another_ leak (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - regulator: ad5398: Add device tree support (stable-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - regulator: max20086: fix invalid memory access (git-fixes). - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - rtc: Fix offset calculation for .start_secs < 0 (git-fixes). - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - s390/pci: Serialize device addition and removal (bsc#1244145). - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). 
- s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - scsi: Improve CDL control (git-fixes). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). 
- scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). - smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). 
- smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - spi: bcm63xx-hsspi: fix shared reset (git-fixes). - spi: bcm63xx-spi: fix shared reset (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes). - tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes). 
- tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog (git-fixes). - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - udp: annotate data-races around up->pending (git-fixes). - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes). - udp: fix receiving fraglist GSO packets (git-fixes). - udp: preserve the connected status if only UDP cmsg (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). - usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes). - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). 
- watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). 
- wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). 
- x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). - xsk: always clear DMA mapping information when unmapping the pool (git-fixes). 
The following package changes have been done: - kernel-rt-6.4.0-33.1 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:15:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:15:53 +0200 (CEST) Subject: SUSE-CU-2025:4359-1: Security update of suse/kiosk/xorg Message-ID: <20250618071553.778F6F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kiosk/xorg ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4359-1 Container Tags : suse/kiosk/xorg:21 , suse/kiosk/xorg:21.1 , suse/kiosk/xorg:21.1-46.1 , suse/kiosk/xorg:notaskbar Container Release : 46.1 Severity : important Type : security References : 1244082 1244084 1244085 1244087 1244089 1244090 CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 ----------------------------------------------------------------- The container suse/kiosk/xorg was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1980-1 Released: Tue Jun 17 17:30:26 2025 Summary: Security update for xorg-x11-server Type: security Severity: important References: 1244082,1244084,1244085,1244087,1244089,1244090,CVE-2025-49175,CVE-2025-49176,CVE-2025-49177,CVE-2025-49178,CVE-2025-49179,CVE-2025-49180 This update for xorg-x11-server fixes the following issues: - CVE-2025-49175: Out-of-bounds access in X Rendering extension (Animated cursors) (bsc#1244082). - CVE-2025-49176: Integer overflow in Big Requests Extension (bsc#1244084). - CVE-2025-49177: Data leak in XFIXES Extension 6 (XFixesSetClientDisconnectMode) (bsc#1244085). - CVE-2025-49178: Unprocessed client request via bytes to ignore (bsc#1244087). - CVE-2025-49179: Integer overflow in X Record extension (bsc#1244089). - CVE-2025-49180: Integer overflow in RandR extension (RRChangeProviderProperty) (bsc#1244090). 
The following package changes have been done: - xorg-x11-server-Xvfb-21.1.11-150600.5.12.1 updated - xorg-x11-server-21.1.11-150600.5.12.1 updated - container:suse-sle15-15.6-9915f065a551ffb0d36733cc7815ef280d67263747176daae70f34a7daf3aeb2-0 updated - container:registry.suse.com-bci-bci-micro-15.6-7896824d92030b8aaeb301b0bf4ef37ab2d17e60882d32079d3f45e182f305dc-0 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:15:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:15:55 +0200 (CEST) Subject: SUSE-CU-2025:4361-1: Security update of suse/bind Message-ID: <20250618071555.F101BF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4361-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.9 , suse/bind:9.20.9-10.1 , suse/bind:latest Container Release : 10.1 Severity : important Type : security References : 1236177 1236596 1236597 1237496 1242060 1242938 1243259 1243361 CVE-2024-11187 CVE-2024-12705 CVE-2025-40775 ----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1787-1 Released: Fri May 30 19:15:14 2025 Summary: Security update for bind Type: security Severity: important References: 1236596,1236597,1243361,CVE-2024-11187,CVE-2024-12705,CVE-2025-40775 This update for bind fixes the following issues: Update to version 9.20.9. - Security issues fixed: * CVE-2025-40775: denial-of-service due to assertion failure caused by the processing of a NS message with an invalid TSIG (bsc#1243361). * CVE-2024-12705: CPU and memory exhaustion due to DNS-over-HTTPS issues that arise under heavy query load (bsc#1236597). * CVE-2024-11187: CPU exhaustion when processing queries that lead to responses containing several records in the Additional data section (bsc#1236596). - Changelog: - Feature changes: * Performance optimization for NSEC3 lookups introduced in BIND 9.20.2 was reverted to avoid risks associated with a complex code change. 
* The configuration clauses parental-agents and primaries are renamed to remote-servers. * Add none parameter to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries but allow listening to queries from clients on IPv4 or IPv6. * dnssec-ksr now supports KSK rollovers. * Print RFC 7314: EXPIRE option in transfer summary. * Emit more helpful log messages for exceeding max-records-per-type. * Harden key management when key files have become unavailable. - New Features: * Add support for EDE 20 (Not Authoritative). * Add support for EDE 7 and EDE 8. * `dig` can now display the received BADVERS message during negotiation. * Add an `rndc` command to reset some statistics counters. * Implement the min-transfer-rate-in configuration option. * Add HTTPS record query to host command line tool. * Implement sig0key-checks-limit and sig0message-checks-limit. * Adds support for EDE code 1 and 2. * Add an rndc command to toggle jemalloc profiling. * Add support for multiple extended DNS errors. * Print the expiration time of stale records. * Add Extended DNS Error Code 22 - No Reachable Authority. * Add a new option to configure the maximum number of outgoing queries per client request. * Use the Server Name Indication (SNI) extension for all outgoing TLS connections. * Update built-in bind.keys file with the new 2025 IANA root key. * Add an initial-ds entry to bind.keys for the new root key, ID 38696, which is scheduled for publication in January 2025. - Bug Fixes: * Restore NSEC3 closest-encloser lookup improvements. * Stop caching lack of EDNS support. * Fix resolver statistics counters for timed-out responses. * Nested DNS validation could cause an assertion failure. * Wait for memory reclamation to finish in `named-checkconf`. * Ensure `max-clients-per-query` is at least `clients-per-query`. * Fix write after free in validator code. * Don't enforce NOAUTH/NOCONF flags in DNSKEYs. * Fix several small DNSSEC timing issues. 
* Fix inconsistency in CNAME/DNAME handling during resolution. * Fix dual-stack-servers configuration option. * Fix a data race causing a permanent active client increase. * Fix deferred validation of unsigned DS and DNSKEY records. * Fix RPZ race condition during a reconfiguration. * 'CNAME and other data check' not applied to all types. * Relax private DNSKEY and RRSIG constraints. * Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse(). * Fix TTL issue with ANY queries processed through RPZ 'passthru'. * dnssec-signzone needs to check for a NULL key when setting offline. * Fix a bug in the statistics channel when querying zone transfer information. * Fix assertion failure when dumping recursing clients. * Dump the active resolver fetches from dns_resolver_dumpfetches(). * Recently expired records could be returned with a timestamp in future. * YAML string not terminated in negative response in delv. * Fix a bug in dnssec-signzone related to keys being offline. * Apply the memory limit only to ADB database items. * Avoid unnecessary locking in the zone/cache database. * Fix reporting of Extended DNS Error 22 (No Reachable Authority). * Fix nsupdate hang when processing a large update. * Fix possible assertion failure when reloading server while processing update policy rules. * Preserve cache across reconfig when using attach-cache. * Resolve the spurious drops in performance due to glue cache. * Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys. * Fix improper handling of unknown directives in resolv.conf. * Fix response policy zones and catalog zones with an $INCLUDE statement defined. * Use TLS for notifies if configured to do so. * Notifies configured to use TLS will now be sent over TLS, instead of plain text UDP or TCP. Also, failing to load the TLS configuration for notify now results in an error. * {&dns} is as valid as {?dns} in a SVCB's dohpath. 
* dig failed to parse a valid SVCB record with a dohpath URI template containing a {&dns}, like 'dohpath=/some/path?key=value{&dns}'. * Fix NSEC3 closest encloser lookup for names with empty non-terminals. * A previous performance optimization for finding the NSEC3 closest encloser when generating authoritative responses could cause servers to return incorrect NSEC3 records in some cases. This has been fixed. * recursive-clients statement with value 0 triggered an assertion failure. * BIND 9.20.0 broke recursive-clients 0;. This has now been fixed. * Parsing of hostnames in rndc.conf was broken. * When DSCP support was removed, parsing of hostnames in rndc.conf was accidentally broken, resulting in an assertion failure. This has been fixed. * `dig` options of the form [+-]option= failed to display the value on the printed command line. This has been fixed. * Provide more visibility into TLS configuration errors by logging SSL_CTX_use_certificate_chain_file() and SSL_CTX_use_PrivateKey_file() errors individually. * Fix a race condition when canceling ADB find which could cause an assertion failure. * SERVFAIL cache memory cleaning is now more aggressive; it no longer consumes a lot of memory if the server encounters many SERVFAILs at once. * Fix trying the next primary XoT server when the previous one was marked as unreachable. * In some cases named failed to try the next primary server in the primaries list when the previous one was marked as unreachable. This has been fixed. 
The following package changes have been done: - libsystemd0-254.24-150600.4.33.1 updated - krb5-1.20.1-150600.11.11.2 updated - bind-utils-9.20.9-150700.3.3.1 updated - bind-9.20.9-150700.3.3.1 updated - container:suse-sle15-15.7-626120961c7a8016733514e970276dec30ade811d4f93e3382a3caac36480ef4-0 updated - container:registry.suse.com-bci-bci-micro-15.7-82739925ba65b8810dadaa4c56431db9d1b9fa413470d2633c47c756a7ba40df-0 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:16:11 +0200 (CEST) Subject: SUSE-CU-2025:4385-1: Recommended update of bci/python Message-ID: <20250618071611.0F968F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4385-1 Container Tags : bci/python:3.13 , bci/python:3.13.0 , bci/python:3.13.0-11.1 , bci/python:latest Container Release : 11.1 Severity : important Type : recommended References : 1236177 1237496 1242938 1243259 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1730-1 Released: Wed May 28 16:30:19 2025 Summary: Recommended update for lifecycle-data-sle-module-python3 Type: recommended Severity: moderate References: This update for lifecycle-data-sle-module-python3 fixes the following issues: - document python312 and python313 lifecycle (jsc#PED-12726) - extend python311 lifecycle (jsc#PED-12726) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) The following package changes have been done: - lifecycle-data-sle-module-python3-1-150400.9.6.1 updated - libsystemd0-254.24-150600.4.33.1 updated - container:registry.suse.com-bci-bci-base-15.7-626120961c7a8016733514e970276dec30ade811d4f93e3382a3caac36480ef4-0 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:16:15 +0200 (CEST) Subject: SUSE-CU-2025:4391-1: Security update of bci/ruby Message-ID: <20250618071615.680D4F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4391-1 Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-10.1 , bci/ruby:latest Container Release : 10.1 Severity : important Type : security References : 1236177 1237496 1241020 1241078 1241189 1242938 1243259 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 ----------------------------------------------------------------- The container bci/ruby was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) The following package changes have been done: - libsqlite3-0-3.49.1-150000.3.27.1 updated - libsystemd0-254.24-150600.4.33.1 updated - glibc-devel-2.38-150600.14.32.1 updated - sqlite3-devel-3.49.1-150000.3.27.1 updated - container:registry.suse.com-bci-bci-base-15.7-626120961c7a8016733514e970276dec30ade811d4f93e3382a3caac36480ef4-0 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:16:27 +0200 (CEST) Subject: SUSE-CU-2025:4395-1: Security update of suse/manager/5.0/x86_64/proxy-httpd Message-ID: <20250618071627.03E97FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4395-1 Container Tags : suse/manager/5.0/x86_64/proxy-httpd:5.0.4 , suse/manager/5.0/x86_64/proxy-httpd:5.0.4.7.17.1 , suse/manager/5.0/x86_64/proxy-httpd:latest Container Release : 7.17.1 Severity : important Type : security References : 1189788 1216091 1216091 1220893 1220895 1220896 1222044 1225936 1225939 1225941 1225942 1227637 1228434 1229106 1230267 1230959 1231472 1231748 1232234 1232234 1232326 1232458 1234128 1234452 1234713 1234752 1235481 1235598 1235636 1235873 1236033 1236136 1236165 1236177 1236282 1236384 1236481 1236588 1236590 1236619 1236820 1236858 1236939 1236960 1236983 1237044 1237172 1237230 1237496 1237587 1237949 1238315 1239809 1239883 1239909 1240366 1240529 1240607 1240897 1241020 1241078 1241189 1241453 1241551 1241605 1241678 1242060 1242938 1243259 1243313 1243317 CVE-2024-10041 CVE-2024-10041 CVE-2024-13176 CVE-2025-0167 CVE-2025-0395 CVE-2025-0725 CVE-2025-24528 CVE-2025-2588 CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-32414 
CVE-2025-32415 CVE-2025-3277 CVE-2025-3360 CVE-2025-47273 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:358-1 Released: Wed Feb 5 10:06:22 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1235873 This update for permissions fixes the following issues: - Version update 20240826: * permissions: remove legacy and nonsensical entries. * permissions: remove traceroute entry. * permissions: remove outdated sudo directories. * permissions: remove legacy RPM directory entries. * permissions: remove some static /var/spool/* dirs. * permissions: remove unnecessary static dirs and devices (bsc#1235873). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:363-1 Released: Wed Feb 5 11:01:45 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1216091,1229106,1232458,1234752,1235636 This update for libzypp, zypper fixes the following issues: - Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458) - Fix missing UID checks in repomanager workflow - Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp - Fix 'zypper ps' when running in incus container. Should apply to lxc and lxd containers as well. (bsc#1229106) - Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - lr: show the repositories keep-packages flag (bsc#1232458) It is shown in the details view or by using -k,--keep-packages. In addition libzypp supports to enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there.
- Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752) An update repo may contain a prolonged GPG key for the GA repo. Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo. - Refresh: Restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:369-1 Released: Wed Feb 5 16:32:36 2025 Summary: Security update for curl Type: security Severity: moderate References: 1236588,1236590,CVE-2025-0167,CVE-2025-0725 This update for curl fixes the following issues: - CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590) - CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:401-1 Released: Mon Feb 10 10:38:28 2025 Summary: Security update for crypto-policies, krb5 Type: security Severity: moderate References: 1236619,CVE-2025-24528 This update for crypto-policies and krb5 fixes the following issues: Security issue fixed: - CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619). Feature addition: - Add crypto-policies support; (jsc#PED-12018) * The default krb5.conf has been updated to include config snippets in the krb5.conf.d directory, where crypto-policies drops its. - Allow to use KRB5KDF in FIPS mode; (jsc#PED-12018); * This key derivation function is used by AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 encryption types, used by Active directory. If these encryption types are allowed or not in FIPS mode is enforced now by the FIPS:AD-SUPPORT subpolicy. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:430-1 Released: Tue Feb 11 15:13:32 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:501-1 Released: Thu Feb 13 10:53:21 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1236960 This update for permissions fixes the following issues: - Version update 20240826. - Reintroduced nscd socket, this is a whitelisting for glibc (bsc#1236960). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:508-1 Released: Thu Feb 13 12:29:31 2025 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1231472 This update for findutils fixes the following issue: - fix crash when file system loop was encountered (bsc#1231472). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:582-1 Released: Tue Feb 18 15:55:29 2025 Summary: Security update for glibc Type: security Severity: low References: 1236282,CVE-2025-0395 This update for glibc fixes the following issues: - CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:626-1 Released: Fri Feb 21 12:18:09 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1236858 This update for crypto-policies fixes the following issue: - Remove dangling symlink for the libreswan config (bsc#1236858). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:680-1 Released: Mon Feb 24 12:01:16 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1228434,1236384,1236820,1236939,1236983 This update for libzypp, zypper fixes the following issues: - Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983) - Drop zypp-CheckAccessDeleted in favor of 'zypper ps' - Fix Repoverification plugin not being executed - Refresh: Fetch the master index file before key and signature (bsc#1236820) - Deprecate RepoReports we do not trigger - Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939) - New system-architecture command (bsc#1236384) - Change versioncmp command to return exit code according to the comparison result ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:837-1 Released: Tue Mar 11 13:10:41 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1189788,1216091,1236481,1237044 This update for libzypp, zypper fixes the following issues: - Disable zypp.conf:download.use_deltarpm by default Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. - Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2 an alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it. - Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) - Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16.
- Announce --root in commands not launching a Target (bsc#1237044) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:915-1 Released: Wed Mar 19 08:04:05 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1220893,1220895,1220896,1225936,1225939,1225941,1225942 This update for libgcrypt fixes the following issues: - FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939] - FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939] - FIPS: Disable setting the library in non-FIPS mode [bsc#1220893] - FIPS: Disallow rsa < 2048 [bsc#1225941] * Mark RSA operations with keysize < 2048 as non-approved in the SLI - FIPS: Service level indicator for libgcrypt [bsc#1225939] - FIPS: Consider deprecate sha1 [bsc#1225942] * In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will transition at the end of 2030. Mark SHA1 as non-approved in SLI. - FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936] * cipher: Do not run RSA encryption selftest by default - FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG for the whole length entropy buffer in FIPS mode. [bsc#1220893] - FIPS: Set the FSM into error state if Jitter RNG is returning an error code to the caller when a health test error occurs when random bytes are requested through the jent_read_entropy_safe() function. [bsc#1220895] - FIPS: Replace the built-in jitter rng with standalone version * Remove the internal jitterentropy copy [bsc#1220896] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:969-1 Released: Thu Mar 20 14:28:47 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1227637,1236165 This update for crypto-policies fixes the following issues: - Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637).
- tolerate fips dracut module presence w/o FIPS * Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode (bsc#1236165). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1198-1 Released: Fri Apr 11 09:46:09 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: 1234128,1234713,1239883 This update for glibc fixes the following issues: - Fix the lost wakeup from a bug in signal stealing (bsc#1234128) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1242-1 Released: Mon Apr 14 12:43:18 2025 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1235481,1236033 This update for aaa_base fixes the following issues: - SP6 logrotate and rcsyslog binary (bsc#1236033) - Update detection for systemd in rc.status - Mountpoint for cgroup changed with cgroup2 - If a user switches the login shell respect the already set PATH environment (bsc#1235481) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1334-1 Released: Thu Apr 17 09:03:05 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,CVE-2024-10041 This update for pam fixes the following issues: - CVE-2024-10041: sensitive data exposure while performing authentications. 
(bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1367-1 Released: Thu Apr 24 16:38:48 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1240897,CVE-2025-3360 This update for glib2 fixes the following issues: - CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601() (bsc#1240897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1375-1 Released: Fri Apr 25 17:40:36 2025 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1232234,1234452 This update for apparmor fixes the following issues: - Allow pam_unix to execute unix_chkpwd with abi/3.0 (bsc#1234452, bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1376-1 Released: Fri Apr 25 18:11:02 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1241605 This update for libgcrypt fixes the following issues: - FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1377-1 Released: Fri Apr 25 19:43:34 2025 Summary: Recommended update for patterns-base Type: recommended Severity: moderate References: This update for patterns-base fixes the following issues: - add bpftool to patterns enhanced base. 
jsc#PED-8375 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1394-1 Released: Mon Apr 28 16:15:21 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: This update for glibc fixes the following issues: - Add support for userspace livepatching for ppc64le (jsc#PED-11850) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1438-1 Released: Fri May 2 15:44:07 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551) - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. (bsc#1241453) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1511-1 Released: Wed May 7 21:35:57 2025 Summary: Security update for apparmor Type: security Severity: moderate References: 1241678,CVE-2024-10041 This update for apparmor fixes the following issues: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. 
(bsc#1241678) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1527-1 Released: Fri May 9 17:21:39 2025 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529 This update for libsolv, libzypp, zypper fixes the following issues: - Support the apk package and repository format (both v2 and v3) - New dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - XmlReader: Fix detection of bad input streams - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false) - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) - Add a transaction package preloader - Strip a mediahandler tag from baseUrl querystrings - Updated translations (bsc#1230267) - Do not double encode URL strings passed on the commandline (bsc#1237587) - info,search: add option to search and list Enhances (bsc#1237949) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1534-1 Released: Mon May 12 18:00:59 2025 Summary: Security update for augeas Type: security Severity: low References: 1239909,CVE-2025-2588 This update for augeas fixes the following issues: - CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. 
(bsc#1239909) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1648-1 Released: Wed May 21 22:43:46 2025 Summary: Recommended update for kbd Type: recommended Severity: moderate References: 1237230 This update for kbd fixes the following issues: - Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1721-1 Released: Tue May 27 17:59:31 2025 Summary: Recommended update for hwdata Type: recommended Severity: moderate References: This update for hwdata fixes the following issue: - Version update 0.394: * Update pci, usb and vendor ids * Fix usb.ids encoding and a couple of typos * Fix configure to honor --prefix ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. 
Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1863-1 Released: Tue Jun 10 14:33:20 2025 Summary: Recommended update for sles15-image Type: recommended Severity: moderate References: This update for sles15-image fixes the following issues: - add support EOL date for SP6 general support - fix use SOURCEURL_WITH for proper README url in all cases - do check rpm signatures The following package changes have been done: - crypto-policies-20230920.570ea89-150600.3.9.2 updated - glibc-2.38-150600.14.32.1 updated - liblzma5-5.4.1-150600.3.3.1 updated - libfa1-1.14.1-150600.3.3.1 updated - libxml2-2-2.10.3-150500.5.26.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - libglib-2_0-0-2.78.6-150600.4.11.1 updated - libaugeas0-1.14.1-150600.3.3.1 updated - libudev1-254.24-150600.4.33.1 updated - libopenssl3-3.1.4-150600.5.27.1 updated - libgcrypt20-1.10.3-150600.3.6.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated - krb5-1.20.1-150600.11.11.2 updated - patterns-base-fips-20200124-150600.32.6.1 updated - findutils-4.8.0-150300.3.3.2 updated - libcurl4-8.6.0-150600.4.21.1 
updated - permissions-20240826-150600.10.18.2 updated - pam-1.3.0-150000.6.76.1 updated - libsolv-tools-base-0.7.32-150600.8.10.1 updated - libzypp-17.36.7-150600.3.53.1 updated - zypper-1.14.89-150600.10.31.1 updated - aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 updated - curl-8.6.0-150600.4.21.1 updated - kbd-legacy-2.4.0-150400.5.9.1 updated - libapparmor1-3.1.7-150600.5.9.1 updated - libgmodule-2_0-0-2.78.6-150600.4.11.1 updated - libgobject-2_0-0-2.78.6-150600.4.11.1 updated - kbd-2.4.0-150400.5.9.1 updated - libsystemd0-254.24-150600.4.33.1 updated - hwdata-0.394-150000.3.77.2 updated - systemd-254.24-150600.4.33.1 updated - libgio-2_0-0-2.78.6-150600.4.11.1 updated - glib2-tools-2.78.6-150600.4.11.1 updated - python3-libxml2-2.10.3-150500.5.26.1 updated - python3-setuptools-44.1.1-150400.9.12.1 updated - container:sles15-image-15.6.0-47.21.1 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:16:32 +0200 (CEST) Subject: SUSE-CU-2025:4396-1: Security update of suse/manager/5.0/x86_64/proxy-salt-broker Message-ID: <20250618071632.7CDBBFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4396-1 Container Tags : suse/manager/5.0/x86_64/proxy-salt-broker:5.0.4 , suse/manager/5.0/x86_64/proxy-salt-broker:5.0.4.7.19.1 , suse/manager/5.0/x86_64/proxy-salt-broker:latest Container Release : 7.19.1 Severity : important Type : security References : 1189788 1216091 1216091 1220893 1220895 1220896 1222044 1225936 1225939 1225941 1225942 1227637 1228434 1229106 1229228 1230267 1230959 1231472 1231748 1232234 1232326 1232458 1233752 1234015 1234128 1234313 1234713 1234752 1234765 1234798 1235481 1235598 1235636 1235873 1236033 1236136 1236165 1236177 1236282 1236384 1236481 1236588 
1236590 1236619 1236643 1236820 1236858 1236878 1236886 1236939 1236960 1236983 1237044 1237172 1237363 1237370 1237418 1237496 1237587 1237949 1238315 1239809 1239883 1239909 1240009 1240343 1240343 1240366 1240414 1240529 1240607 1240897 1241020 1241078 1241189 1241453 1241551 1241605 1241624 1242060 1242938 1243259 1243317 CVE-2024-10041 CVE-2024-12133 CVE-2024-13176 CVE-2024-56171 CVE-2025-0167 CVE-2025-0395 CVE-2025-0725 CVE-2025-24528 CVE-2025-24928 CVE-2025-2588 CVE-2025-27113 CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-31115 CVE-2025-32414 CVE-2025-32415 CVE-2025-3277 CVE-2025-3360 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/proxy-salt-broker was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:358-1 Released: Wed Feb 5 10:06:22 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1235873 This update for permissions fixes the following issues: - Version update 20240826: * permissions: remove legacy and nonsensical entries. * permissions: remove traceroute entry. * permissions: remove outdated sudo directories. * permissions: remove legacy RPM directory entries. * permissions: remove some static /var/spool/* dirs. * permissions: remove unnecessary static dirs and devices (bsc#1235873). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:363-1 Released: Wed Feb 5 11:01:45 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1216091,1229106,1232458,1234752,1235636 This update for libzypp, zypper fixes the following issues: - Create '.keep_packages' in the package cache dir to enforce keeping downloaded packages of all repos cached there (bsc#1232458) - Fix missing UID checks in repomanager workflow - Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp - Fix 'zypper ps' when running in incus container. Should apply to lxc and lxd containers as well. (bsc#1229106) - Re-enable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - lr: show the repositories keep-packages flag (bsc#1232458) It is shown in the details view or by using -k,--keep-packages. In addition libzypp supports to enforce keeping downloaded packages of all repos within a package cache by creating a '.keep_packages' file there. - Try to refresh update repos first to have updated GPG keys on the fly (bsc#1234752) An update repo may contain a prolonged GPG key for the GA repo. Refreshing the update repo first updates a trusted key on the fly and avoids a 'key has expired' warning being issued when refreshing the GA repo.
- Refresh: Restore legacy behavior and suppress Exception reporting as non-root (bsc#1235636) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:369-1 Released: Wed Feb 5 16:32:36 2025 Summary: Security update for curl Type: security Severity: moderate References: 1236588,1236590,CVE-2025-0167,CVE-2025-0725 This update for curl fixes the following issues: - CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590) - CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:401-1 Released: Mon Feb 10 10:38:28 2025 Summary: Security update for crypto-policies, krb5 Type: security Severity: moderate References: 1236619,CVE-2025-24528 This update for crypto-policies and krb5 fixes the following issues: Security issue fixed: - CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619). Feature addition: - Add crypto-policies support; (jsc#PED-12018) * The default krb5.conf has been updated to include config snippets in the krb5.conf.d directory, where crypto-policies drops its. - Allow to use KRB5KDF in FIPS mode; (jsc#PED-12018); * This key derivation function is used by AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 encryption types, used by Active directory. If these encryption types are allowed or not in FIPS mode is enforced now by the FIPS:AD-SUPPORT subpolicy. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:430-1 Released: Tue Feb 11 15:13:32 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:501-1 Released: Thu Feb 13 10:53:21 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1236960 This update for permissions fixes the following issues: - Version update 20240826. - Reintroduced nscd socket, this is a whitelisting for glibc (bsc#1236960). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:508-1 Released: Thu Feb 13 12:29:31 2025 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1231472 This update for findutils fixes the following issue: - fix crash when file system loop was encountered (bsc#1231472). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:547-1 Released: Fri Feb 14 08:26:30 2025 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1229228,1233752,1234313,1234765 This update for systemd fixes the following issues: - Fix agetty failing to open credentials directory (bsc#1229228) - stdio-bridge: fix polled fds - hwdb: comment out the entry for Logitech MX Keys for Mac - core/unit-serialize: fix serialization of markers - locale-setup: do not load locale from environment when /etc/locale.conf is unchanged - core: fix assert when AddDependencyUnitFiles is called with invalid parameter - Fix systemd-network recommending libidn2-devel (bsc#1234765) - tpm2-util: also retry unsealing after policy_pcr returns PCR_CHANGED (bsc#1233752 bsc#1234313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:548-1 Released: Fri Feb 14 11:19:24 2025 Summary: Security update for libtasn1 Type: security Severity: important References: 1236878,CVE-2024-12133 This update for libtasn1 fixes the following issues: - CVE-2024-12133: the processing of input DER data containing a large number of SEQUENCE OF or SET OF elements takes
quadratic time to complete. (bsc#1236878) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:582-1 Released: Tue Feb 18 15:55:29 2025 Summary: Security update for glibc Type: security Severity: low References: 1236282,CVE-2025-0395 This update for glibc fixes the following issues: - CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:626-1 Released: Fri Feb 21 12:18:09 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1236858 This update for crypto-policies fixes the following issue: - Remove dangling symlink for the libreswan config (bsc#1236858). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:680-1 Released: Mon Feb 24 12:01:16 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1228434,1236384,1236820,1236939,1236983 This update for libzypp, zypper fixes the following issues: - Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983) - Drop zypp-CheckAccessDeleted in favor of 'zypper ps' - Fix Repoverification plugin not being executed - Refresh: Fetch the master index file before key and signature (bsc#1236820) - Deprecate RepoReports we do not trigger - Let zypper dup fail in case of (temporarily) unaccessible repos (bsc#1228434, bsc#1236939) - New system-architecture command (bsc#1236384) - Change versioncmp command to return exit code according to the comparison result ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:746-1 Released: Fri Feb 28 17:10:22 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1237363,1237370,1237418,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113 This update for libxml2 fixes the following issues: - CVE-2024-56171: use-after-free in 
xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c (bsc#1237363). - CVE-2025-24928: stack-based buffer overflow in xmlSnprintfElements in valid.c (bsc#1237370). - CVE-2025-27113: NULL pointer dereference in xmlPatMatch in pattern.c (bsc#1237418). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:832-1 Released: Tue Mar 11 09:56:30 2025 Summary: Recommended update for timezone Type: recommended Severity: moderate References: This update for timezone fixes the following issues: - Update to 2025a: * Paraguay adopts permanent -03 starting spring 2024 * Improve pre-1991 data for the Philippines * Etc/Unknown is now reserved * Improve historical data for Mexico, Mongolia, and Portugal * System V names are now obsolescent * The main data form now uses %z * The code now conforms to RFC 8536 for early timestamps * Support POSIX.1-2024, which removes asctime_r and ctime_r * Assume POSIX.2-1992 or later for shell scripts * SUPPORT_C89 now defaults to 1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:837-1 Released: Tue Mar 11 13:10:41 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1189788,1216091,1236481,1237044 This update for libzypp, zypper fixes the following issues: - Disable zypp.conf:download.use_deltarpm by default Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. - Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2 an alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it.
- Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) - Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16. - Announce --root in commands not launching a Target (bsc#1237044) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:915-1 Released: Wed Mar 19 08:04:05 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1220893,1220895,1220896,1225936,1225939,1225941,1225942 This update for libgcrypt fixes the following issues: - FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939] - FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939] - FIPS: Disable setting the library in non-FIPS mode [bsc#1220893] - FIPS: Disallow rsa < 2048 [bsc#1225941] * Mark RSA operations with keysize < 2048 as non-approved in the SLI - FIPS: Service level indicator for libgcrypt [bsc#1225939] - FIPS: Consider deprecate sha1 [bsc#1225942] * In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will transition at the end of 2030. Mark SHA1 as non-approved in SLI. - FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936] * cipher: Do not run RSA encryption selftest by default - FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG for the whole length entropy buffer in FIPS mode. [bsc#1220893] - FIPS: Set the FSM into error state if Jitter RNG is returning an error code to the caller when a health test error occurs when random bytes are requested through the jent_read_entropy_safe() function.
[bsc#1220895] - FIPS: Replace the built-in jitter rng with standalone version * Remove the internal jitterentropy copy [bsc#1220896] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:969-1 Released: Thu Mar 20 14:28:47 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1227637,1236165 This update for crypto-policies fixes the following issues: - Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637). - tolerate fips dracut module presence w/o FIPS * Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode (bsc#1236165). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1016-1 Released: Tue Mar 25 15:59:05 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1234015,1236643,1236886 This update for systemd fixes the following issues: - udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015) - journald: close runtime journals before their parent directory removed - journald: reset runtime seqnum data when flushing to system journal (bsc#1236886) - Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643) It is likely an oversight from when systemd-userdb was migrated from the experimental package to the main one. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1130-1 Released: Thu Apr 3 15:08:55 2025 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1234798,1240009,1240343 This update for ca-certificates-mozilla fixes the following issues: Update to 2.74 state of Mozilla SSL root CAs: - Removed: * SwissSign Silver CA - G2 - Added: * D-TRUST BR Root CA 2 2023 * D-TRUST EV Root CA 2 2023 Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798): - Removed: * SecureSign RootCA11 * Security Communication RootCA3 - Added: * TWCA CYBER Root CA * TWCA Global Root CA G2 * SecureSign Root CA12 * SecureSign Root CA14 * SecureSign Root CA15 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1137-1 Released: Thu Apr 3 17:11:02 2025 Summary: Security update for xz Type: security Severity: important References: 1240414,CVE-2025-31115 This update for xz fixes the following issues: - CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1198-1 Released: Fri Apr 11 09:46:09 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: 1234128,1234713,1239883 This update for glibc fixes the following issues: - Fix the lost wakeup from a bug in signal stealing (bsc#1234128) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1217-1 Released: Sun Apr 13 12:16:40 2025 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1240343 This update for ca-certificates-mozilla fixes the following issues: - Reenable the 
distrusted certs for now, as these only distrust 'new issued' certs starting after a certain date, while old certs should still work. (bsc#1240343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1242-1 Released: Mon Apr 14 12:43:18 2025 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1235481,1236033 This update for aaa_base fixes the following issues: - SP6 logrotate and rcsyslog binary (bsc#1236033) - Update detection for systemd in rc.status - Mountpoint for cgroup changed with cgroup2 - If a user switches the login shell respect the already set PATH environment (bsc#1235481) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1291-1 Released: Wed Apr 16 09:41:51 2025 Summary: Recommended update for timezone Type: recommended Severity: moderate References: This update for timezone fixes the following issues: - Version update 2025b * New zone for Aysen Region in Chile (America/Coyhaique) which moves from -04/-03 to -03 - Refresh patches for philippines historical data and china tzdata ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1334-1 Released: Thu Apr 17 09:03:05 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,CVE-2024-10041 This update for pam fixes the following issues: - CVE-2024-10041: sensitive data exposure while performing authentications.
(bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1367-1 Released: Thu Apr 24 16:38:48 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1240897,CVE-2025-3360 This update for glib2 fixes the following issues: - CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601() (bsc#1240897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1376-1 Released: Fri Apr 25 18:11:02 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1241605 This update for libgcrypt fixes the following issues: - FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1377-1 Released: Fri Apr 25 19:43:34 2025 Summary: Recommended update for patterns-base Type: recommended Severity: moderate References: This update for patterns-base fixes the following issues: - add bpftool to patterns enhanced base. jsc#PED-8375 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1394-1 Released: Mon Apr 28 16:15:21 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: This update for glibc fixes the following issues: - Add support for userspace livepatching for ppc64le (jsc#PED-11850) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1438-1 Released: Fri May 2 15:44:07 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. 
(bsc#1241551) - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. (bsc#1241453) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1527-1 Released: Fri May 9 17:21:39 2025 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529 This update for libsolv, libzypp, zypper fixes the following issues: - Support the apk package and repository format (both v2 and v3) - New dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - XmlReader: Fix detection of bad input streams - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false) - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) - Add a transaction package preloader - Strip a mediahandler tag from 
baseUrl querystrings - Updated translations (bsc#1230267) - Do not double encode URL strings passed on the commandline (bsc#1237587) - info,search: add option to search and list Enhances (bsc#1237949) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1534-1 Released: Mon May 12 18:00:59 2025 Summary: Security update for augeas Type: security Severity: low References: 1239909,CVE-2025-2588 This update for augeas fixes the following issues: - CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. (bsc#1239909) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1800-1 Released: Mon Jun 2 20:53:40 2025 Summary: Recommended update for python-pyzmq Type: recommended Severity: moderate References: 1241624 This update for python-pyzmq fixes the following issues: - Prevent open files leak by closing sockets on timeout (bsc#1241624) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1863-1 Released: Tue Jun 10 14:33:20 2025 Summary: Recommended update for sles15-image Type: recommended Severity: moderate References: This update for sles15-image fixes the following issues: - add support EOL date for SP6 general support - fix use SOURCEURL_WITH for proper README url in all cases - do check rpm signatures The following package changes have been done: - crypto-policies-20230920.570ea89-150600.3.9.2 updated - glibc-2.38-150600.14.32.1 updated - liblzma5-5.4.1-150600.3.3.1 updated - libfa1-1.14.1-150600.3.3.1 updated - libxml2-2-2.10.3-150500.5.26.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - libglib-2_0-0-2.78.6-150600.4.11.1 updated - libaugeas0-1.14.1-150600.3.3.1 updated - libudev1-254.24-150600.4.33.1 updated - libopenssl3-3.1.4-150600.5.27.1 updated - libgcrypt20-1.10.3-150600.3.6.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated - krb5-1.20.1-150600.11.11.2 updated - patterns-base-fips-20200124-150600.32.6.1 updated - findutils-4.8.0-150300.3.3.2 updated - libcurl4-8.6.0-150600.4.21.1 updated - permissions-20240826-150600.10.18.2 updated - pam-1.3.0-150000.6.76.1 updated - libsolv-tools-base-0.7.32-150600.8.10.1 updated - libzypp-17.36.7-150600.3.53.1 updated - zypper-1.14.89-150600.10.31.1 updated - 
aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 updated - libtasn1-6-4.13-150000.4.11.1 updated - libtasn1-4.13-150000.4.11.1 updated - curl-8.6.0-150600.4.21.1 updated - timezone-2025b-150600.91.6.2 updated - openssl-3-3.1.4-150600.5.27.1 updated - ca-certificates-mozilla-2.74-150200.41.1 updated - python3-pyzmq-17.1.2-150000.3.8.1 updated - container:sles15-image-15.6.0-47.21.1 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:16:37 +0200 (CEST) Subject: SUSE-CU-2025:4397-1: Security update of suse/manager/5.0/x86_64/proxy-squid Message-ID: <20250618071637.EDB87FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4397-1 Container Tags : suse/manager/5.0/x86_64/proxy-squid:5.0.4 , suse/manager/5.0/x86_64/proxy-squid:5.0.4.7.17.1 , suse/manager/5.0/x86_64/proxy-squid:latest Container Release : 7.17.1 Severity : important Type : security References : 1227637 1230959 1231748 1232234 1232326 1234128 1234713 1235873 1236136 1236165 1236282 1236619 1236858 1236960 1237363 1237370 1237418 1239883 1240366 1240414 1240607 1241020 1241078 1241189 1241453 1241551 1242060 1243317 CVE-2024-10041 CVE-2024-13176 CVE-2024-56171 CVE-2025-0395 CVE-2025-24528 CVE-2025-24928 CVE-2025-27113 CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-31115 CVE-2025-32414 CVE-2025-32415 CVE-2025-3277 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:358-1 Released: Wed Feb 5 10:06:22 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1235873 This update for permissions fixes the following issues: - Version update 20240826: * permissions: remove legacy and nonsensical entries. * permissions: remove traceroute entry. * permissions: remove outdated sudo directories. * permissions: remove legacy RPM directory entries. * permissions: remove some static /var/spool/* dirs. * permissions: remove unnecessary static dirs and devices (bsc#1235873). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:401-1 Released: Mon Feb 10 10:38:28 2025 Summary: Security update for crypto-policies, krb5 Type: security Severity: moderate References: 1236619,CVE-2025-24528 This update for crypto-policies and krb5 fixes the following issues: Security issue fixed: - CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619). Feature addition: - Add crypto-policies support; (jsc#PED-12018) * The default krb5.conf has been updated to include config snippets in the krb5.conf.d directory, where crypto-policies drops its. - Allow to use KRB5KDF in FIPS mode; (jsc#PED-12018); * This key derivation function is used by AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 encryption types, used by Active directory. If these encryption types are allowed or not in FIPS mode is enforced now by the FIPS:AD-SUPPORT subpolicy. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:430-1 Released: Tue Feb 11 15:13:32 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:501-1 Released: Thu Feb 13 10:53:21 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1236960 This update for permissions fixes the following issues: - Version update 20240826. - Reintroduced nscd socket, this is a whitelisting for glibc (bsc#1236960). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:582-1 Released: Tue Feb 18 15:55:29 2025 Summary: Security update for glibc Type: security Severity: low References: 1236282,CVE-2025-0395 This update for glibc fixes the following issues: - CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:626-1 Released: Fri Feb 21 12:18:09 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1236858 This update for crypto-policies fixes the following issue: - Remove dangling symlink for the libreswan config (bsc#1236858). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:746-1 Released: Fri Feb 28 17:10:22 2025 Summary: Security update for libxml2 Type: security Severity: important References: 1237363,1237370,1237418,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113 This update for libxml2 fixes the following issues: - CVE-2024-56171: use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c (bsc#1237363). 
- CVE-2025-24928: stack-based buffer overflow in xmlSnprintfElements in valid.c (bsc#1237370). - CVE-2025-27113: NULL pointer dereference in xmlPatMatch in pattern.c (bsc#1237418). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:969-1 Released: Thu Mar 20 14:28:47 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1227637,1236165 This update for crypto-policies fixes the following issues: - Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637). - tolerate fips dracut module presence w/o FIPS * Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode (bsc#1236165). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1137-1 Released: Thu Apr 3 17:11:02 2025 Summary: Security update for xz Type: security Severity: important References: 1240414,CVE-2025-31115 This update for xz fixes the following issues: - CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1198-1 Released: Fri Apr 11 09:46:09 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: 1234128,1234713,1239883 This update for glibc fixes the following issues: - Fix the lost wakeup from a bug in signal stealing (bsc#1234128) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1334-1 Released: Thu Apr 17 09:03:05 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,CVE-2024-10041 This update for pam fixes the following issues: - CVE-2024-10041: sensitive data exposure while performing authentications. 
(bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1377-1 Released: Fri Apr 25 19:43:34 2025 Summary: Recommended update for patterns-base Type: recommended Severity: moderate References: This update for patterns-base fixes the following issues: - add bpftool to patterns enhanced base. jsc#PED-8375 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1394-1 Released: Mon Apr 28 16:15:21 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: This update for glibc fixes the following issues: - Add support for userspace livepatching for ppc64le (jsc#PED-11850) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1438-1 Released: Fri May 2 15:44:07 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551) - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. 
(bsc#1241453) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1863-1 Released: Tue Jun 10 14:33:20 2025 Summary: Recommended update for sles15-image Type: recommended Severity: moderate References: This update for sles15-image fixes the following issues: - add support EOL date for SP6 general support - fix use SOURCEURL_WITH for proper README url in all cases - do check rpm signatures The following package changes have been done: - crypto-policies-20230920.570ea89-150600.3.9.2 updated - glibc-2.38-150600.14.32.1 updated - liblzma5-5.4.1-150600.3.3.1 updated - libxml2-2-2.10.3-150500.5.26.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - libopenssl3-3.1.4-150600.5.27.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated - krb5-1.20.1-150600.11.11.2 updated - patterns-base-fips-20200124-150600.32.6.1 updated - permissions-20240826-150600.10.18.2 updated - pam-1.3.0-150000.6.76.1 updated - container:sles15-image-15.6.0-47.21.1 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at 
lists.suse.com)
Date: Wed, 18 Jun 2025 09:16:43 +0200 (CEST)
Subject: SUSE-CU-2025:4398-1: Security update of suse/manager/5.0/x86_64/proxy-ssh
Message-ID: <20250618071643.5071FFD1A@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4398-1
Container Tags : suse/manager/5.0/x86_64/proxy-ssh:5.0.4 , suse/manager/5.0/x86_64/proxy-ssh:5.0.4.7.17.1 , suse/manager/5.0/x86_64/proxy-ssh:latest
Container Release : 7.17.1
Severity : important
Type : security
References : 1220893 1220895 1220896 1225936 1225939 1225941 1225942 1227637 1230959 1231472 1231748 1232234 1232326 1234128 1234713 1235873 1236136 1236165 1236177 1236282 1236619 1236826 1236858 1236960 1237496 1239671 1239883 1240366 1240414 1240607 1241012 1241020 1241078 1241189 1241605 1242060 1242938 1243259 1243317 CVE-2024-10041 CVE-2024-13176 CVE-2025-0395 CVE-2025-24528 CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-31115 CVE-2025-32728 CVE-2025-3277 CVE-2025-4802
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/proxy-ssh was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:358-1
Released: Wed Feb 5 10:06:22 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- Version update 20240826:
  * permissions: remove legacy and nonsensical entries.
  * permissions: remove traceroute entry.
  * permissions: remove outdated sudo directories.
  * permissions: remove legacy RPM directory entries.
  * permissions: remove some static /var/spool/* dirs.
  * permissions: remove unnecessary static dirs and devices (bsc#1235873).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:401-1
Released: Mon Feb 10 10:38:28 2025
Summary: Security update for crypto-policies, krb5
Type: security
Severity: moderate
References: 1236619,CVE-2025-24528

This update for crypto-policies and krb5 fixes the following issues:

Security issue fixed:

- CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619).

Feature addition:

- Add crypto-policies support; (jsc#PED-12018)
  * The default krb5.conf has been updated to include config snippets in the krb5.conf.d directory, where crypto-policies drops its.
- Allow to use KRB5KDF in FIPS mode; (jsc#PED-12018);
  * This key derivation function is used by AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 encryption types, used by Active directory. If these encryption types are allowed or not in FIPS mode is enforced now by the FIPS:AD-SUPPORT subpolicy.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:430-1
Released: Tue Feb 11 15:13:32 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176

This update for openssl-3 fixes the following issues:

- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:501-1
Released: Thu Feb 13 10:53:21 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1236960

This update for permissions fixes the following issues:

- Version update 20240826.
- Reintroduced nscd socket, this is a whitelisting for glibc (bsc#1236960).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:508-1
Released: Thu Feb 13 12:29:31 2025
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1231472

This update for findutils fixes the following issue:

- fix crash when file system loop was encountered (bsc#1231472).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:582-1
Released: Tue Feb 18 15:55:29 2025
Summary: Security update for glibc
Type: security
Severity: low
References: 1236282,CVE-2025-0395

This update for glibc fixes the following issues:

- CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:626-1
Released: Fri Feb 21 12:18:09 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1236858

This update for crypto-policies fixes the following issue:

- Remove dangling symlink for the libreswan config (bsc#1236858).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:915-1
Released: Wed Mar 19 08:04:05 2025
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1220893,1220895,1220896,1225936,1225939,1225941,1225942

This update for libgcrypt fixes the following issues:

- FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939]
- FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939]
- FIPS: Disable setting the library in non-FIPS mode [bsc#1220893]
- FIPS: Disallow rsa < 2048 [bsc#1225941]
  * Mark RSA operations with keysize < 2048 as non-approved in the SLI
- FIPS: Service level indicator for libgcrypt [bsc#1225939]
- FIPS: Consider deprecate sha1 [bsc#1225942]
  * In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will transition at the end of 2030. Mark SHA1 as non-approved in SLI.
- FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936]
  * cipher: Do not run RSA encryption selftest by default
- FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG for the whole length entropy buffer in FIPS mode. [bsc#1220893]
- FIPS: Set the FSM into error state if Jitter RNG is returning an error code to the caller when an health test error occurs when random bytes are requested through the jent_read_entropy_safe() function. [bsc#1220895]
- FIPS: Replace the built-in jitter rng with standalone version
  * Remove the internal jitterentropy copy [bsc#1220896]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:969-1
Released: Thu Mar 20 14:28:47 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1227637,1236165

This update for crypto-policies fixes the following issues:

- Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637).
- tolerate fips dracut module presence w/o FIPS
  * Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode (bsc#1236165).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1137-1
Released: Thu Apr 3 17:11:02 2025
Summary: Security update for xz
Type: security
Severity: important
References: 1240414,CVE-2025-31115

This update for xz fixes the following issues:

- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1198-1
Released: Fri Apr 11 09:46:09 2025
Summary: Recommended update for glibc
Type: recommended
Severity: important
References: 1234128,1234713,1239883

This update for glibc fixes the following issues:

- Fix the lost wakeup from a bug in signal stealing (bsc#1234128)
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
- Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1334-1
Released: Thu Apr 17 09:03:05 2025
Summary: Security update for pam
Type: security
Severity: moderate
References: 1232234,CVE-2024-10041

This update for pam fixes the following issues:

- CVE-2024-10041: sensitive data exposure while performing authentications. (bsc#1232234)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1376-1
Released: Fri Apr 25 18:11:02 2025
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1241605

This update for libgcrypt fixes the following issues:

- FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1377-1
Released: Fri Apr 25 19:43:34 2025
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References:

This update for patterns-base fixes the following issues:

- add bpftool to patterns enhanced base. jsc#PED-8375

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1394-1
Released: Mon Apr 28 16:15:21 2025
Summary: Recommended update for glibc
Type: recommended
Severity: important
References:

This update for glibc fixes the following issues:

- Add support for userspace livepatching for ppc64le (jsc#PED-11850)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1550-1
Released: Fri May 16 02:16:11 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587

This update for openssl-3 fixes the following issues:

Security:

- CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366).
- Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607).

FIPS:

- Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1638-1
Released: Wed May 21 12:48:35 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1236826,1239671,1241012,CVE-2025-32728

This update for openssh fixes the following issue:

Security fixes:

- CVE-2025-32728: Fixed logic error in DisableForwarding option (bsc#1241012)

Other fixes:

- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1
- Enable --with-logind to call the SetTTY dbus method in systemd. This allows 'wall' to print messages in ssh ttys (bsc#1239671)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1739-1
Released: Thu May 29 11:40:51 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1236177,1237496,1242938,1243259

This update for systemd fixes the following issues:

- Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259)
- umount: do not move busy network mounts (bsc#1236177)
- Apply coredump sysctl settings on systemd-coredump updates/removals.
- Fix the issue with journalctl not working for users in Container UID range (bsc#1242938)
  Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids.
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1863-1
Released: Tue Jun 10 14:33:20 2025
Summary: Recommended update for sles15-image
Type: recommended
Severity: moderate
References:

This update for sles15-image fixes the following issues:

- add support EOL date for SP6 general support
- fix use SOURCEURL_WITH for proper README url in all cases
- do check rpm signatures

The following package changes have been done:

- crypto-policies-20230920.570ea89-150600.3.9.2 updated
- glibc-2.38-150600.14.32.1 updated
- liblzma5-5.4.1-150600.3.3.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- libudev1-254.24-150600.4.33.1 updated
- libopenssl3-3.1.4-150600.5.27.1 updated
- libgcrypt20-1.10.3-150600.3.6.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- patterns-base-fips-20200124-150600.32.6.1 updated
- findutils-4.8.0-150300.3.3.2 updated
- permissions-20240826-150600.10.18.2 updated
- pam-1.3.0-150000.6.76.1 updated
- openssh-common-9.6p1-150600.6.26.1 updated
- libsystemd0-254.24-150600.4.33.1 updated
- openssh-fips-9.6p1-150600.6.26.1 updated
- openssh-clients-9.6p1-150600.6.26.1 updated
- openssh-server-9.6p1-150600.6.26.1 updated
- openssh-9.6p1-150600.6.26.1 updated
- container:sles15-image-15.6.0-47.21.1 updated

From sle-container-updates at lists.suse.com Wed Jun 18 07:16:50 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 18 Jun 2025 09:16:50 +0200 (CEST)
Subject: SUSE-CU-2025:4399-1: Security update of suse/manager/5.0/x86_64/proxy-tftpd
Message-ID: <20250618071650.8091CFD1A@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-tftpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4399-1
Container Tags : suse/manager/5.0/x86_64/proxy-tftpd:5.0.4 , suse/manager/5.0/x86_64/proxy-tftpd:5.0.4.7.17.1 , suse/manager/5.0/x86_64/proxy-tftpd:latest
Container Release : 7.17.1
Severity : important
Type : security
References : 1227637 1230959 1231472 1231748 1232326 1234128 1234713 1234798 1236136 1236165 1236282 1236619 1236858 1236878 1239883 1240009 1240343 1240343 1240366 1240414 1240607 1241020 1241078 1241189 1242060 1243313 1243317 CVE-2024-12133 CVE-2024-13176 CVE-2025-0395 CVE-2025-24528 CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-31115 CVE-2025-3277 CVE-2025-47273 CVE-2025-4802
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/proxy-tftpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:401-1
Released: Mon Feb 10 10:38:28 2025
Summary: Security update for crypto-policies, krb5
Type: security
Severity: moderate
References: 1236619,CVE-2025-24528

This update for crypto-policies and krb5 fixes the following issues:

Security issue fixed:

- CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619).

Feature addition:

- Add crypto-policies support; (jsc#PED-12018)
  * The default krb5.conf has been updated to include config snippets in the krb5.conf.d directory, where crypto-policies drops its.
- Allow to use KRB5KDF in FIPS mode; (jsc#PED-12018);
  * This key derivation function is used by AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 encryption types, used by Active directory. If these encryption types are allowed or not in FIPS mode is enforced now by the FIPS:AD-SUPPORT subpolicy.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:430-1
Released: Tue Feb 11 15:13:32 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1236136,CVE-2024-13176

This update for openssl-3 fixes the following issues:

- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:508-1
Released: Thu Feb 13 12:29:31 2025
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1231472

This update for findutils fixes the following issue:

- fix crash when file system loop was encountered (bsc#1231472).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:548-1
Released: Fri Feb 14 11:19:24 2025
Summary: Security update for libtasn1
Type: security
Severity: important
References: 1236878,CVE-2024-12133

This update for libtasn1 fixes the following issues:

- CVE-2024-12133: the processing of input DER data containing a large number of SEQUENCE OF or SET OF elements takes quadratic time to complete. (bsc#1236878)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:582-1
Released: Tue Feb 18 15:55:29 2025
Summary: Security update for glibc
Type: security
Severity: low
References: 1236282,CVE-2025-0395

This update for glibc fixes the following issues:

- CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:626-1
Released: Fri Feb 21 12:18:09 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1236858

This update for crypto-policies fixes the following issue:

- Remove dangling symlink for the libreswan config (bsc#1236858).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:969-1
Released: Thu Mar 20 14:28:47 2025
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1227637,1236165

This update for crypto-policies fixes the following issues:

- Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637).
- tolerate fips dracut module presence w/o FIPS
  * Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode (bsc#1236165).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1130-1
Released: Thu Apr 3 15:08:55 2025
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1234798,1240009,1240343

This update for ca-certificates-mozilla fixes the following issues:

Update to 2.74 state of Mozilla SSL root CAs:

- Removed:
  * SwissSign Silver CA - G2
- Added:
  * D-TRUST BR Root CA 2 2023
  * D-TRUST EV Root CA 2 2023

Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798):

- Removed:
  * SecureSign RootCA11
  * Security Communication RootCA3
- Added:
  * TWCA CYBER Root CA
  * TWCA Global Root CA G2
  * SecureSign Root CA12
  * SecureSign Root CA14
  * SecureSign Root CA15

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1137-1
Released: Thu Apr 3 17:11:02 2025
Summary: Security update for xz
Type: security
Severity: important
References: 1240414,CVE-2025-31115

This update for xz fixes the following issues:

- CVE-2025-31115: Fixed heap use after free and writing to an address based on the null pointer plus an offset (bsc#1240414)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1198-1
Released: Fri Apr 11 09:46:09 2025
Summary: Recommended update for glibc
Type: recommended
Severity: important
References: 1234128,1234713,1239883

This update for glibc fixes the following issues:

- Fix the lost wakeup from a bug in signal stealing (bsc#1234128)
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
- Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1217-1
Released: Sun Apr 13 12:16:40 2025
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1240343

This update for ca-certificates-mozilla fixes the following issues:

- Reenable the distrusted certs for now. as these only distrust 'new issued' certs starting after a certain date, while old certs should still work. (bsc#1240343)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1377-1
Released: Fri Apr 25 19:43:34 2025
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References:

This update for patterns-base fixes the following issues:

- add bpftool to patterns enhanced base. jsc#PED-8375

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1394-1
Released: Mon Apr 28 16:15:21 2025
Summary: Recommended update for glibc
Type: recommended
Severity: important
References:

This update for glibc fixes the following issues:

- Add support for userspace livepatching for ppc64le (jsc#PED-11850)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1550-1
Released: Fri May 16 02:16:11 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587

This update for openssl-3 fixes the following issues:

Security:

- CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366).
- Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607).

FIPS:

- Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1810-1
Released: Wed Jun 4 11:28:57 2025
Summary: Security update for python3-setuptools
Type: security
Severity: important
References: 1243313,CVE-2025-47273

This update for python3-setuptools fixes the following issues:

- CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1863-1
Released: Tue Jun 10 14:33:20 2025
Summary: Recommended update for sles15-image
Type: recommended
Severity: moderate
References:

This update for sles15-image fixes the following issues:

- add support EOL date for SP6 general support
- fix use SOURCEURL_WITH for proper README url in all cases
- do check rpm signatures

The following package changes have been done:

- crypto-policies-20230920.570ea89-150600.3.9.2 updated
- glibc-2.38-150600.14.32.1 updated
- liblzma5-5.4.1-150600.3.3.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- libopenssl3-3.1.4-150600.5.27.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- patterns-base-fips-20200124-150600.32.6.1 updated
- findutils-4.8.0-150300.3.3.2 updated
- libtasn1-6-4.13-150000.4.11.1 updated
- libtasn1-4.13-150000.4.11.1 updated
- openssl-3-3.1.4-150600.5.27.1 updated
- ca-certificates-mozilla-2.74-150200.41.1 updated
- python3-setuptools-44.1.1-150400.9.12.1 updated
- container:sles15-image-15.6.0-47.21.1 updated

From sle-container-updates at lists.suse.com Wed Jun 18 07:16:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 18 Jun 2025 09:16:55 +0200 (CEST)
Subject: SUSE-CU-2025:4400-1: Security update of suse/manager/5.0/x86_64/server-attestation
Message-ID: <20250618071655.AA8A0FD1A@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-attestation
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4400-1
Container Tags : suse/manager/5.0/x86_64/server-attestation:5.0.4 , suse/manager/5.0/x86_64/server-attestation:5.0.4.6.17.1 , suse/manager/5.0/x86_64/server-attestation:latest
Container Release : 6.17.1
Severity : important
Type : security
References : 1175825 1230959 1231748 1232326 1240366 1240607 1240897 1241020 1241078 1241189 1241274 1241275 1241276 1243317 CVE-2020-8927 CVE-2025-21587 CVE-2025-27587 CVE-2025-29087 CVE-2025-29088 CVE-2025-30691 CVE-2025-30698 CVE-2025-3277 CVE-2025-3360 CVE-2025-4802
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-attestation was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3942-1
Released: Mon Dec 6 14:46:05 2021
Summary: Security update for brotli
Type: security
Severity: moderate
References: 1175825,CVE-2020-8927

This update for brotli fixes the following issues:

- CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1367-1
Released: Thu Apr 24 16:38:48 2025
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1240897,CVE-2025-3360

This update for glib2 fixes the following issues:

- CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601() (bsc#1240897)

-----------------------------------------------------------------
Advisory ID: 38402
Released: Fri Apr 25 11:05:30 2025
Summary: Recommended update for freetype2
Type: recommended
Severity: important
References:

This update for freetype2 fixes the following issue:

- enable brotli support (jsc#PED-12258)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1377-1
Released: Fri Apr 25 19:43:34 2025
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References:

This update for patterns-base fixes the following issues:

- add bpftool to patterns enhanced base. jsc#PED-8375

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1394-1
Released: Mon Apr 28 16:15:21 2025
Summary: Recommended update for glibc
Type: recommended
Severity: important
References:

This update for glibc fixes the following issues:

- Add support for userspace livepatching for ppc64le (jsc#PED-11850)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1550-1
Released: Fri May 16 02:16:11 2025
Summary: Security update for openssl-3
Type: security
Severity: moderate
References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587

This update for openssl-3 fixes the following issues:

Security:

- CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366).
- Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607).

FIPS:

- Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1863-1
Released: Tue Jun 10 14:33:20 2025
Summary: Recommended update for sles15-image
Type: recommended
Severity: moderate
References:

This update for sles15-image fixes the following issues:

- add support EOL date for SP6 general support
- fix use SOURCEURL_WITH for proper README url in all cases
- do check rpm signatures

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1487-1
Released: Mon Jun 16 14:00:35 2025
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1241274,1241275,1241276,CVE-2025-21587,CVE-2025-30691,CVE-2025-30698

This update for java-11-openjdk fixes the following issues:

Upgrade to upstream tag jdk-11.0.27+6 (April 2025 CPU)

CVEs:

  + CVE-2025-21587: Fixed JSSE unauthorized access, deletion or modification of critical data (bsc#1241274)
  + CVE-2025-30691: Fixed Oracle Java SE Compiler Unauthorized Data Access (bsc#1241275)
  + CVE-2025-30698: Fixed Oracle Java 2D unauthorized data access and DoS (bsc#1241276)

Changes:

  + JDK-8195675: Call to insertText with single character from custom Input Method ignored
  + JDK-8202926: Test java/awt/Focus/ /WindowUpdateFocusabilityTest/ /WindowUpdateFocusabilityTest.html fails
  + JDK-8216539: tools/jar/modularJar/Basic.java timed out
  + JDK-8268364: jmethod clearing should be done during unloading
  + JDK-8273914: Indy string concat changes order of operations
  + JDK-8294316: SA core file support is broken on macosx-x64 starting with macOS 12.x
  + JDK-8306408: Fix the format of several tables in building.md
  + JDK-8309841: Jarsigner should print a warning if an entry is removed
  + JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved
  + JDK-8320916: jdk/jfr/event/gc/stacktrace/ /TestParallelMarkSweepAllocationPendingStackTrace.java failed with 'OutOfMemoryError: GC overhead limit exceeded'
  + JDK-8327650: Test java/nio/channels/DatagramChannel/ /StressNativeSignal.java timed out
  + JDK-8328242: Add a log area to the PassFailJFrame
  + JDK-8331863: DUIterator_Fast used before it is constructed
  + JDK-8336012: Fix usages of jtreg-reserved properties
  + JDK-8337494: Clarify JarInputStream behavior
  + JDK-8337692: Better TLS connection support
  + JDK-8338430: Improve compiler transformations
  + JDK-8339560: Unaddressed comments during code review of JDK-8337664
  + JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
  + JDK-8339931: Update problem list for WindowUpdateFocusabilityTest.java
  + JDK-8340387: Update OS detection code to recognize Windows Server 2025
  + JDK-8341424: GHA: Collect hs_errs from build time failures
  + JDK-8342562: Enhance Deflater operations
  + JDK-8342704: GHA: Report truncation is broken after JDK-8341424
  + JDK-8343007: Enhance Buffered Image handling
  + JDK-8343474: [updates] Customize README.md to specifics of update project
  + JDK-8343599: Kmem limit and max values swapped when printing container information
  + JDK-8343786: [11u] GHA: Bump macOS and Xcode versions to macos-13 and XCode 14.3.1
  + JDK-8344589: Update IANA Language Subtag Registry to Version 2024-11-19
  + JDK-8345509: Bump update version of OpenJDK: 11.0.27
  + JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
  + JDK-8347427: JTabbedPane/8134116/Bug8134116.java has no license header
  + JDK-8347847: Enhance jar file support
  + JDK-8347965: (tz) Update Timezone Data to 2025a
  + JDK-8349603: [21u, 17u, 11u] Update GHA JDKs after Jan/25 updates
  + JDK-8352097: (tz) zone.tab update missed in 2025a backport
  + JDK-8354087: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.27

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libbrotlicommon1-1.0.7-3.3.1 added
- libbrotlidec1-1.0.7-3.3.1 added
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- libglib-2_0-0-2.78.6-150600.4.11.1 updated
- libopenssl3-3.1.4-150600.5.27.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated
- patterns-base-fips-20200124-150600.32.6.1 updated
- openssl-3-3.1.4-150600.5.27.1 updated
- libfreetype6-2.10.4-150000.4.22.1 updated
- java-11-openjdk-headless-11.0.27.0-150000.3.125.1 updated
- container:sles15-image-15.6.0-47.21.1 updated

From sle-container-updates at lists.suse.com Wed Jun 18 07:17:02 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 18 Jun 2025 09:17:02 +0200 (CEST)
Subject: SUSE-CU-2025:4401-1: Security update of suse/manager/5.0/x86_64/server-hub-xmlrpc-api
Message-ID: <20250618071702.27E3CFD1A@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-hub-xmlrpc-api
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4401-1
Container Tags : suse/manager/5.0/x86_64/server-hub-xmlrpc-api:5.0.4 , suse/manager/5.0/x86_64/server-hub-xmlrpc-api:5.0.4.6.17.1 , suse/manager/5.0/x86_64/server-hub-xmlrpc-api:latest
Container Release : 6.17.1
Severity : important
Type : security
References : 1220893 1220895 1220896 1225936 1225939 1225941 1225942 1227637 1230959 1231472 1231748 1232234 1232234 1232326 1234128 1234452 1234713 1235481 1235873 1236033 1236136 1236165 1236177 1236282 1236588 1236590 1236619 1236858 1236960 1237230 1237496 1239883 1240366 1240607 1240897 1241605 1241678 1242060 1242842 1242938 1243259 1243317 CVE-2024-10041 CVE-2024-10041 CVE-2024-13176 CVE-2025-0167 CVE-2025-0395 CVE-2025-0725 CVE-2025-24528 CVE-2025-27587 CVE-2025-3360 CVE-2025-4802
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server-hub-xmlrpc-api was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:358-1
Released: Wed Feb 5 10:06:22 2025
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1235873

This update for permissions fixes the following issues:

- Version update 20240826:
  * permissions: remove legacy and nonsensical entries.
  * permissions: remove traceroute entry.
  * permissions: remove outdated sudo directories.
  * permissions: remove legacy RPM directory entries.
  * permissions: remove some static /var/spool/* dirs.
  * permissions: remove unnecessary static dirs and devices (bsc#1235873).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:369-1 Released: Wed Feb 5 16:32:36 2025 Summary: Security update for curl Type: security Severity: moderate References: 1236588,1236590,CVE-2025-0167,CVE-2025-0725 This update for curl fixes the following issues: - CVE-2025-0725: Fixed gzip integer overflow (bsc#1236590) - CVE-2025-0167: Fixed netrc and default credential leak (bsc#1236588) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:401-1 Released: Mon Feb 10 10:38:28 2025 Summary: Security update for crypto-policies, krb5 Type: security Severity: moderate References: 1236619,CVE-2025-24528 This update for crypto-policies and krb5 fixes the following issues: Security issue fixed: - CVE-2025-24528: Fixed out-of-bounds write caused by overflow when calculating ulog block size can lead to process crash (bsc#1236619). Feature addition: - Add crypto-policies support; (jsc#PED-12018) * The default krb5.conf has been updated to include config snippets in the krb5.conf.d directory, where crypto-policies drops its. - Allow to use KRB5KDF in FIPS mode; (jsc#PED-12018); * This key derivation function is used by AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 encryption types, used by Active directory. If these encryption types are allowed or not in FIPS mode is enforced now by the FIPS:AD-SUPPORT subpolicy. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:430-1 Released: Tue Feb 11 15:13:32 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1236136,CVE-2024-13176 This update for openssl-3 fixes the following issues: - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:501-1 Released: Thu Feb 13 10:53:21 2025 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1236960 This update for permissions fixes the following issues: - Version update 20240826. - Reintroduced nscd socket, this is a whitelisting for glibc (bsc#1236960). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:508-1 Released: Thu Feb 13 12:29:31 2025 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1231472 This update for findutils fixes the following issue: - fix crash when file system loop was encountered (bsc#1231472). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:582-1 Released: Tue Feb 18 15:55:29 2025 Summary: Security update for glibc Type: security Severity: low References: 1236282,CVE-2025-0395 This update for glibc fixes the following issues: - CVE-2025-0395: Fix underallocation of abort_msg_s struct (bsc#1236282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:626-1 Released: Fri Feb 21 12:18:09 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1236858 This update for crypto-policies fixes the following issue: - Remove dangling symlink for the libreswan config (bsc#1236858). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:915-1 Released: Wed Mar 19 08:04:05 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1220893,1220895,1220896,1225936,1225939,1225941,1225942 This update for libgcrypt fixes the following issues: - FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939] - FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939] - FIPS: Disable setting the library in non-FIPS mode [bsc#1220893] - FIPS: Disallow rsa < 2048 [bsc#1225941] * Mark RSA operations with keysize < 2048 as non-approved in the SLI - FIPS: Service level indicator for libgcrypt [bsc#1225939] - FIPS: Consider deprecate sha1 [bsc#1225942] * In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will transition at the end of 2030. Mark SHA1 as non-approved in SLI. - FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936] * cipher: Do not run RSA encryption selftest by default - FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG for the whole length entropy buffer in FIPS mode. [bsc#1220893] - FIPS: Set the FSM into error state if Jitter RNG is returning an error code to the caller when an health test error occurs when random bytes are requested through the jent_read_entropy_safe() function. [bsc#1220895] - FIPS: Replace the built-in jitter rng with standalone version * Remove the internal jitterentropy copy [bsc#1220896] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:969-1 Released: Thu Mar 20 14:28:47 2025 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1227637,1236165 This update for crypto-policies fixes the following issues: - Fix fips-mode-setup in EFI or Secure Boot mode (bsc#1227637). - tolerate fips dracut module presence w/o FIPS * Fixes the 'Inconsistent state detected' warning when disabling the FIPS mode (bsc#1236165). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1198-1 Released: Fri Apr 11 09:46:09 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: 1234128,1234713,1239883 This update for glibc fixes the following issues: - Fix the lost wakeup from a bug in signal stealing (bsc#1234128) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1242-1 Released: Mon Apr 14 12:43:18 2025 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1235481,1236033 This update for aaa_base fixes the following issues: - SP6 logrotate and rcsyslog binary (bsc#1236033) - Update detection for systemd in rc.status - Mountpoint for cgroup changed with cgroup2 - If a user switches the login shell respect the already set PATH environment (bsc#1235481) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1334-1 Released: Thu Apr 17 09:03:05 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,CVE-2024-10041 This update for pam fixes the following issues: - CVE-2024-10041: sensitive data exposure while performing authentications. 
(bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1367-1 Released: Thu Apr 24 16:38:48 2025 Summary: Security update for glib2 Type: security Severity: moderate References: 1240897,CVE-2025-3360 This update for glib2 fixes the following issues: - CVE-2025-3360: Fixed integer overflow and buffer underread when parsing a very long and invalid ISO 8601 timestamp with g_date_time_new_from_iso8601() (bsc#1240897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1375-1 Released: Fri Apr 25 17:40:36 2025 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1232234,1234452 This update for apparmor fixes the following issues: - Allow pam_unix to execute unix_chkpwd with abi/3.0 (bsc#1234452, bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1376-1 Released: Fri Apr 25 18:11:02 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1241605 This update for libgcrypt fixes the following issues: - FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1377-1 Released: Fri Apr 25 19:43:34 2025 Summary: Recommended update for patterns-base Type: recommended Severity: moderate References: This update for patterns-base fixes the following issues: - add bpftool to patterns enhanced base. 
jsc#PED-8375 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1394-1 Released: Mon Apr 28 16:15:21 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: This update for glibc fixes the following issues: - Add support for userspace livepatching for ppc64le (jsc#PED-11850) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1511-1 Released: Wed May 7 21:35:57 2025 Summary: Security update for apparmor Type: security Severity: moderate References: 1241678,CVE-2024-10041 This update for apparmor fixes the following issues: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. (bsc#1241678) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1606-1 Released: Tue May 20 15:53:14 2025 Summary: Recommended update for librdkafka Type: recommended Severity: moderate References: 1242842 This update for librdkafka fixes the following issues: - Avoid endless loops under certain circumstances (bsc#1242842) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1648-1 Released: Wed May 21 22:43:46 2025 Summary: Recommended update for kbd Type: recommended Severity: moderate References: 1237230 This update for kbd fixes the following issues: - Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1863-1 Released: Tue Jun 10 14:33:20 2025 Summary: Recommended update for sles15-image Type: recommended Severity: moderate References: This update for sles15-image fixes the following issues: - add support EOL date for SP6 general support - fix use SOURCEURL_WITH for proper README url in all cases - do check rpm signatures The following package changes have been done: - crypto-policies-20230920.570ea89-150600.3.9.2 updated - glibc-2.38-150600.14.32.1 updated - liblzma5-5.4.1-150600.3.3.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - libglib-2_0-0-2.78.6-150600.4.11.1 updated - libudev1-254.24-150600.4.33.1 updated - libopenssl3-3.1.4-150600.5.27.1 updated - libgcrypt20-1.10.3-150600.3.6.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated - krb5-1.20.1-150600.11.11.2 updated - patterns-base-fips-20200124-150600.32.6.1 updated - findutils-4.8.0-150300.3.3.2 updated - libcurl4-8.6.0-150600.4.21.1 updated - permissions-20240826-150600.10.18.2 updated - pam-1.3.0-150000.6.76.1 updated - aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 updated - kbd-legacy-2.4.0-150400.5.9.1 updated - libapparmor1-3.1.7-150600.5.9.1 updated - kbd-2.4.0-150400.5.9.1 updated - libsystemd0-254.24-150600.4.33.1 updated - librdkafka1-0.11.6-150600.16.3.1 updated - systemd-254.24-150600.4.33.1 updated - container:sles15-image-15.6.0-47.21.1 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:17:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:17:11 +0200 (CEST) Subject: SUSE-CU-2025:4402-1: Security update of suse/manager/5.0/x86_64/server Message-ID: 
<20250618071711.178B1FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4402-1 Container Tags : suse/manager/5.0/x86_64/server:5.0.4 , suse/manager/5.0/x86_64/server:5.0.4.7.24.1 , suse/manager/5.0/x86_64/server:latest Container Release : 7.24.1 Severity : important Type : security References : 1222044 1230267 1230959 1231748 1232326 1234210 1235598 1235958 1235971 1236177 1236516 1236826 1237172 1237230 1237496 1237587 1237949 1238315 1238686 1239651 1239671 1239809 1239909 1240366 1240529 1240607 1241012 1241624 1242060 1242300 1242842 1242931 1242931 1242938 1242971 1243259 1243313 1243317 1243793 CVE-2023-45288 CVE-2025-22870 CVE-2025-2588 CVE-2025-27587 CVE-2025-32728 CVE-2025-4207 CVE-2025-4207 CVE-2025-4382 CVE-2025-47268 CVE-2025-47273 CVE-2025-4802 CVE-2025-48734 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/server was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1527-1 Released: Fri May 9 17:21:39 2025 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529 This update for libsolv, libzypp, zypper fixes the following issues: - Support the apk package and repository format (both v2 and v3) - New dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - XmlReader: Fix detection of bad input streams - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false) - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) - Add a transaction package preloader - Strip a mediahandler tag from baseUrl querystrings - Updated translations (bsc#1230267) - Do not double encode URL strings passed on the commandline (bsc#1237587) - info,search: add option to search and list Enhances (bsc#1237949) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1534-1 Released: Mon May 12 18:00:59 2025 Summary: Security update for augeas Type: security Severity: low References: 1239909,CVE-2025-2588 This update for augeas fixes the following issues: - CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. 
(bsc#1239909) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1538-1 Released: Tue May 13 07:39:45 2025 Summary: Recommended update for samba Type: recommended Severity: important References: 1234210 This update for samba fixes the following issues: - Fix Samba printers reporting invalid sid during print jobs (bsc#1234210). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1606-1 Released: Tue May 20 15:53:14 2025 Summary: Recommended update for librdkafka Type: recommended Severity: moderate References: 1242842 This update for librdkafka fixes the following issues: - Avoid endless loops under certain circumstances (bsc#1242842) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1615-1 Released: Wed May 21 11:53:06 2025 Summary: Security update for grub2 Type: security Severity: moderate References: 1235958,1235971,1239651,1242971,CVE-2025-4382 This update for grub2 rebuilds the existing package with the new 4k RSA secure boot key for IBM Power and Z. Note: the signing key of x86 / x86_64 and aarch64 architectures are unchanged. 
Also, the following issues were fixed: - CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971) - Fix segmentation fault error in grub2-probe with target=hints_string (bsc#1235971) (bsc#1235958) (bsc#1239651) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1638-1 Released: Wed May 21 12:48:35 2025 Summary: Security update for openssh Type: security Severity: moderate References: 1236826,1239671,1241012,CVE-2025-32728 This update for openssh fixes the following issue: Security fixes: - CVE-2025-32728: Fixed logic error in DisableForwarding option (bsc#1241012) Other fixes: - Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1 - Enable --with-logind to call the SetTTY dbus method in systemd. This allows 'wall' to print messages in ssh ttys (bsc#1239671) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1644-1 Released: Wed May 21 16:35:14 2025 Summary: Security update for postgresql17 Type: security Severity: moderate References: 1242931,CVE-2025-4207 This update for postgresql17 fixes the following issues: Upgrade to 17.5: - CVE-2025-4207: Fixed PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation (bsc#1242931) Changelog: https://www.postgresql.org/docs/release/17.5/ ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1648-1 Released: Wed May 21 22:43:46 2025 Summary: Recommended update for kbd Type: recommended Severity: moderate References: 1237230 This update for kbd fixes the following issues: - Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1721-1 Released: Tue May 27 17:59:31 2025 Summary: Recommended update for hwdata Type: recommended Severity: moderate References: This update for hwdata fixes the following issue: - Version update 0.394: * Update pci, usb and vendor ids * Fix usb.ids encoding and a couple of typos * Fix configure to honor --prefix ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1766-1 Released: Fri May 30 09:45:37 2025 Summary: Security update for postgresql16 Type: security Severity: moderate References: 1242931,CVE-2025-4207 This update for postgresql16 fixes the following issues: Upgrade to 16.9: - CVE-2025-4207: Fixed PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation (bsc#1242931) Changelog: https://www.postgresql.org/docs/release/16.9/ ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1776-1 Released: Fri May 30 15:02:52 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1242300,CVE-2025-47268 This update for iputils fixes the following issues: - CVE-2025-47268: Fixed integer overflow in RTT calculation can lead to undefined behavior (bsc#1242300) ----------------------------------------------------------------- 
Advisory ID: SUSE-OU-2025:1793-1 Released: Mon Jun 2 10:01:39 2025 Summary: Optional update for java modules Type: optional Severity: low References: This update for java modules and related fixes the following issue: - Rebuild for consistency across products, no source changes: - Packages being rebuilt: apiguardian assertj-core byte-buddy dom4j hamcrest jaxen jdom jopt-simple junit junit5 objectweb-asm open-test-reporting saxpath xom fasterxml-oss-parent ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1800-1 Released: Mon Jun 2 20:53:40 2025 Summary: Recommended update for python-pyzmq Type: recommended Severity: moderate References: 1241624 This update for python-pyzmq fixes the following issues: - Prevent open files leak by closing sockets on timeout (bsc#1241624) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1810-1 Released: Wed Jun 4 11:28:57 2025 Summary: Security update for python3-setuptools Type: security Severity: important References: 1243313,CVE-2025-47273 This update for python3-setuptools fixes the following issues: - CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1815-1 Released: Wed Jun 4 19:01:24 2025 Summary: Security update for apache-commons-beanutils Type: security Severity: important References: 1243793,CVE-2025-48734 This update for apache-commons-beanutils fixes the following issues: Update to 1.11.0 - CVE-2025-48734: Fixed possible arbitrary code execution vulnerability (bsc#1243793) Full changelog: https://commons.apache.org/proper/commons-beanutils/changes.html#a1.11.0 ----------------------------------------------------------------- Advisory ID: SUSE-Manager-5.0-2025-1986 Released: Wed Jun 18 04:08:38 2025 Summary: Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server Type: recommended Severity: moderate References: Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server This is a codestream only update ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1988-1 Released: Wed Jun 18 04:10:06 2025 Summary: Security update for golang-github-prometheus-node_exporter Type: security Severity: moderate References: 1236516,1238686,CVE-2023-45288,CVE-2025-22870 This update for golang-github-prometheus-node_exporter fixes the following issues: golang-github-prometheus-node_exporter was updated to version 1.9.1: - Security issues fixed: * CVE-2025-22870: Bumped golang.org/x/net to version 0.37.0 (bsc#1238686) - Other bugs fixed: * pressure: Fixed missing IRQ on older kernels * Fix Darwin memory leak The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libfa1-1.14.1-150600.3.3.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - libaugeas0-1.14.1-150600.3.3.1 updated - iputils-20221126-150500.3.11.1 updated - libopenssl3-3.1.4-150600.5.27.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated - 
krb5-1.20.1-150600.11.11.2 updated - libsolv-tools-base-0.7.32-150600.8.10.1 updated - libzypp-17.36.7-150600.3.53.1 updated - zypper-1.14.89-150600.10.31.1 updated - openssl-3-3.1.4-150600.5.27.1 updated - kbd-legacy-2.4.0-150400.5.9.1 updated - kbd-2.4.0-150400.5.9.1 updated - libsystemd0-254.24-150600.4.33.1 updated - systemd-254.24-150600.4.33.1 updated - libudev1-254.24-150600.4.33.1 updated - glibc-locale-base-2.38-150600.14.32.1 updated - libpq5-17.5-150600.13.13.1 updated - librdkafka1-0.11.6-150600.16.3.1 updated - libsolv-tools-0.7.32-150600.8.10.1 updated - openssh-common-9.6p1-150600.6.26.1 updated - release-notes-susemanager-5.0.4.1-150600.11.34.1 updated - glibc-locale-2.38-150600.14.32.1 updated - postgresql16-16.9-150600.16.18.1 updated - glibc-devel-2.38-150600.14.32.1 updated - openssh-fips-9.6p1-150600.6.26.1 updated - spacewalk-java-lib-5.0.25-150600.3.28.4 updated - golang-github-prometheus-node_exporter-1.9.1-150100.3.35.2 updated - hwdata-0.394-150000.3.77.2 updated - openssh-server-9.6p1-150600.6.26.1 updated - openssh-clients-9.6p1-150600.6.26.1 updated - python3-solv-0.7.32-150600.8.10.1 updated - postgresql16-server-16.9-150600.16.18.1 updated - susemanager-sync-data-5.0.12-150600.3.19.1 updated - openssh-9.6p1-150600.6.26.1 updated - grub2-2.12-150600.8.27.1 updated - grub2-i386-pc-2.12-150600.8.27.1 updated - postgresql16-contrib-16.9-150600.16.18.1 updated - samba-client-libs-4.19.8+git.422.34307c5a3aa-150600.3.15.1 updated - grub2-x86_64-efi-2.12-150600.8.27.1 updated - grub2-powerpc-ieee1275-2.12-150600.8.27.1 updated - grub2-arm64-efi-2.12-150600.8.27.1 updated - python3-setuptools-44.1.1-150400.9.12.1 updated - python3-pyzmq-17.1.2-150000.3.8.1 updated - jdom-1.1.3-150200.12.10.1 updated - dom4j-2.1.4-150200.12.12.1 updated - spacewalk-base-minimal-5.0.19-150600.3.21.4 updated - objectweb-asm-9.7-150200.3.17.1 updated - spacewalk-base-minimal-config-5.0.19-150600.3.21.4 updated - apache-commons-beanutils-1.11.0-150200.3.9.1 updated 
- spacewalk-base-5.0.19-150600.3.21.4 updated - spacewalk-java-postgresql-5.0.25-150600.3.28.4 updated - spacewalk-java-config-5.0.25-150600.3.28.4 updated - spacewalk-html-5.0.19-150600.3.21.4 updated - spacewalk-taskomatic-5.0.25-150600.3.28.4 updated - spacewalk-java-5.0.25-150600.3.28.4 updated - container:suse-manager-5.0-init-5.0.4-5.0.4-7.15.5 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:17:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:17:17 +0200 (CEST) Subject: SUSE-CU-2025:4403-1: Security update of suse/manager/5.0/x86_64/server-migration-14-16 Message-ID: <20250618071717.35618FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-migration-14-16 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4403-1 Container Tags : suse/manager/5.0/x86_64/server-migration-14-16:5.0.4 , suse/manager/5.0/x86_64/server-migration-14-16:5.0.4.7.17.1 , suse/manager/5.0/x86_64/server-migration-14-16:latest Container Release : 7.17.1 Severity : important Type : security References : 1230959 1231748 1232234 1232326 1236177 1237496 1239618 1240366 1240607 1241453 1241551 1241605 1242060 1242931 1242931 1242931 1242938 1243259 1243317 CVE-2024-10041 CVE-2024-8176 CVE-2025-27587 CVE-2025-32414 CVE-2025-32415 CVE-2025-4207 CVE-2025-4207 CVE-2025-4207 CVE-2025-4802 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/server-migration-14-16 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1201-1 Released: Fri Apr 11 12:15:58 2025 Summary: Security update for expat Type: security Severity: important References: 1239618,CVE-2024-8176 This update for expat fixes the following issues: - CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused by stack overflow by resolving use of recursion (bsc#1239618) Other fixes: - version update to 2.7.1 (jsc#PED-12500) Bug fixes: #980 #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: #976 #977 Autotools: Integrate files 'fuzz/xml_lpm_fuzzer.{cpp,proto}' with Automake that were missing from 2.7.0 release tarballs #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close #986 Address compiler warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: #982 CI: Start running Perl XML::Parser integration tests #987 CI: Enforce Clang Static Analyzer clean code #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy #981 CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten #976 #977 CI: Protect against fuzzer files missing from future release archives - version update to 2.7.0 #935 #937 Autotools: Make generated CMake files look for libexpat. 
at SO_MAJOR@.dylib on macOS #925 Autotools: Sync CMake templates with CMake 3.29 #945 #962 #966 CMake: Drop support for CMake <3.13 #942 CMake: Small fuzzing related improvements #921 docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 #941 docs: Document need for C++11 compiler for use from C++ #959 tests/benchmark: Fix a (harmless) TOCTTOU #944 Windows: Fix installer target location of file xmlwf.xml for CMake #953 Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW #971 Address Cppcheck warnings #969 #970 Mass-migrate links from http:// to https:// #947 #958 .. #974 #975 Document changes since the previous release #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1291-1 Released: Wed Apr 16 09:41:51 2025 Summary: Recommended update for timezone Type: recommended Severity: moderate References: This update for timezone fixes the following issues: - Version update 2025b * New zone for Aysen Region in Chile (America/Coyhaique) which moves from -04/-03 to -03 - Refresh patches for philippines historical data and china tzdata ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1334-1 Released: Thu Apr 17 09:03:05 2025 Summary: Security update for pam Type: security Severity: moderate References: 1232234,CVE-2024-10041 This update for pam fixes the following issues: - CVE-2024-10041: sensitive data exposure while performing authentications. 
(bsc#1232234) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1376-1 Released: Fri Apr 25 18:11:02 2025 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1241605 This update for libgcrypt fixes the following issues: - FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1377-1 Released: Fri Apr 25 19:43:34 2025 Summary: Recommended update for patterns-base Type: recommended Severity: moderate References: This update for patterns-base fixes the following issues: - add bpftool to patterns enhanced base. jsc#PED-8375 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1394-1 Released: Mon Apr 28 16:15:21 2025 Summary: Recommended update for glibc Type: recommended Severity: important References: This update for glibc fixes the following issues: - Add support for userspace livepatching for ppc64le (jsc#PED-11850) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1438-1 Released: Fri May 2 15:44:07 2025 Summary: Security update for libxml2 Type: security Severity: moderate References: 1241453,1241551,CVE-2025-32414,CVE-2025-32415 This update for libxml2 fixes the following issues: - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551) - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. 
(bsc#1241453) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1550-1 Released: Fri May 16 02:16:11 2025 Summary: Security update for openssl-3 Type: security Severity: moderate References: 1230959,1231748,1232326,1240366,1240607,CVE-2025-27587 This update for openssl-3 fixes the following issues: Security: - CVE-2025-27587: Timing side channel vulnerability in the P-384 implementation when used with ECDSA in the PPC architecture (bsc#1240366). - Missing null pointer check before accessing handshake_func in ssl_lib.c (bsc#1240607). FIPS: - Disabling EMS in OpenSSL configuration prevents sshd from starting (bsc#1230959, bsc#1232326, bsc#1231748). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1644-1 Released: Wed May 21 16:35:14 2025 Summary: Security update for postgresql17 Type: security Severity: moderate References: 1242931,CVE-2025-4207 This update for postgresql17 fixes the following issues: Upgrade to 17.5: - CVE-2025-4207: Fixed PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation (bsc#1242931) Changelog: https://www.postgresql.org/docs/release/17.5/ ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1661-1 Released: Thu May 22 18:03:01 2025 Summary: Security update for postgresql14 Type: security Severity: moderate References: 1242931,CVE-2025-4207 This update for postgresql14 fixes the following issues: Upgrade to 14.18: - CVE-2025-4207: Fixed PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation (bsc#1242931) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: 
possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1766-1 Released: Fri May 30 09:45:37 2025 Summary: Security update for postgresql16 Type: security Severity: moderate References: 1242931,CVE-2025-4207 This update for postgresql16 fixes the following issues: Upgrade to 16.9: - CVE-2025-4207: Fixed PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation (bsc#1242931) Changelog: https://www.postgresql.org/docs/release/16.9/ The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libxml2-2-2.10.3-150500.5.26.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - libopenssl3-3.1.4-150600.5.27.1 updated - libgcrypt20-1.10.3-150600.3.6.1 updated - libopenssl-3-fips-provider-3.1.4-150600.5.27.1 updated - krb5-1.20.1-150600.11.11.2 updated - patterns-base-fips-20200124-150600.32.6.1 updated - pam-1.3.0-150000.6.76.1 updated - timezone-2025b-150600.91.6.2 updated - libexpat1-2.7.1-150400.3.28.1 updated - libsystemd0-254.24-150600.4.33.1 updated - glibc-locale-base-2.38-150600.14.32.1 updated - libpq5-17.5-150600.13.13.1 updated - glibc-locale-2.38-150600.14.32.1 updated - postgresql14-14.18-150600.16.17.1 updated - postgresql16-16.9-150600.16.18.1 updated - postgresql14-server-14.18-150600.16.17.1 updated - postgresql16-server-16.9-150600.16.18.1 updated - postgresql16-contrib-16.9-150600.16.18.1 updated - postgresql14-contrib-14.18-150600.16.17.1 updated - container:suse-manager-5.0-init-5.0.4-5.0.4-7.15.5 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:16:17 +0200 (CEST) Subject: SUSE-CU-2025:4393-1: Security update of 
bci/spack Message-ID: <20250618071617.4B93BF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4393-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.1 , bci/spack:latest Container Release : 13.1 Severity : important Type : security References : 1236177 1237496 1242938 1243259 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) The following package changes have been done: - libncurses6-6.1-150000.5.30.1 updated - libsystemd0-254.24-150600.4.33.1 updated - tack-6.1-150000.5.30.1 updated - ncurses-devel-6.1-150000.5.30.1 updated - glibc-devel-2.38-150600.14.32.1 updated - container:registry.suse.com-bci-bci-base-15.7-626120961c7a8016733514e970276dec30ade811d4f93e3382a3caac36480ef4-0 updated From sle-container-updates at lists.suse.com Wed Jun 18 07:16:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 09:16:18 +0200 (CEST) Subject: SUSE-CU-2025:4394-1: Security update of suse/valkey Message-ID: <20250618071618.83BFDFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4394-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.2 , suse/valkey:8.0.2-8.1 , suse/valkey:latest Container Release : 8.1 Severity : important Type : security References : 1236177 1237496 1241708 1242060 1242938 1243061 1243259 1243804 1243913 CVE-2025-21605 CVE-2025-27151 CVE-2025-49112 ----------------------------------------------------------------- The container suse/valkey was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1942-1 Released: Fri Jun 13 10:33:45 2025 Summary: Security update for valkey Type: security Severity: important References: 1241708,1243061,1243804,1243913,CVE-2025-21605,CVE-2025-27151,CVE-2025-49112 This update for valkey fixes the following issues: - CVE-2025-27151: Absence of filename size check may cause a stack overflow (bsc#1243804) - CVE-2025-49112: setDeferredReply integer underflow (bsc#1243913) - CVE-2025-21605: Output buffer denial of service (bsc#1241708) The following package changes have been done: - libsystemd0-254.24-150600.4.33.1 updated - krb5-1.20.1-150600.11.11.2 updated - valkey-8.0.2-150700.3.5.1 updated - container:suse-sle15-15.7-626120961c7a8016733514e970276dec30ade811d4f93e3382a3caac36480ef4-0 updated - container:registry.suse.com-bci-bci-micro-15.7-82739925ba65b8810dadaa4c56431db9d1b9fa413470d2633c47c756a7ba40df-0 updated From sle-container-updates at 
lists.suse.com Wed Jun 18 15:37:32 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 17:37:32 +0200 (CEST) Subject: SUSE-CU-2025:4426-1: Security update of bci/bci-init Message-ID: <20250618153732.D14D7F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4426-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.1 , bci/bci-init:latest Container Release : 41.1 Severity : important Type : security References : 1236177 1237230 1237496 1241678 1242938 1243259 CVE-2024-10041 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1511-1 Released: Wed May 7 21:35:57 2025 Summary: Security update for apparmor Type: security Severity: moderate References: 1241678,CVE-2024-10041 This update for apparmor fixes the following issues: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. (bsc#1241678) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. 
- Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1866-1 Released: Tue Jun 10 16:19:33 2025 Summary: Recommended update for kbd Type: recommended Severity: important References: 1237230 This update for kbd fixes the following issues: - Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230) The following package changes have been done: - kbd-2.4.0-150700.15.3.1 updated - libapparmor1-3.1.7-150600.5.9.1 updated - libsystemd0-254.24-150600.4.33.1 updated - systemd-254.24-150600.4.33.1 updated From sle-container-updates at lists.suse.com Wed Jun 18 15:38:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 17:38:51 +0200 (CEST) Subject: SUSE-CU-2025:4433-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20250618153851.1A350F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4433-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.15 , suse/manager/4.3/proxy-tftpd:4.3.15.9.53.26 , suse/manager/4.3/proxy-tftpd:latest Container Release : 9.53.26 Severity : moderate Type : security References : 1244039 CVE-2024-47081 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1998-1 Released: Wed Jun 18 10:42:20 2025 Summary: Security update for python-requests Type: security Severity: moderate References: 1244039,CVE-2024-47081 This update for python-requests fixes the following issues: - CVE-2024-47081: fixed netrc credential leak (bsc#1244039). The following package changes have been done: - python3-requests-2.25.1-150300.3.15.1 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:03:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:03:29 +0200 (CEST) Subject: SUSE-CU-2025:4434-1: Security update of containers/milvus Message-ID: <20250619070329.55296FCFE@maintenance.suse.de> SUSE Container Update Advisory: containers/milvus ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4434-1 Container Tags : containers/milvus:2.4 , containers/milvus:2.4.6 , containers/milvus:2.4.6-7.132 Container Release : 7.132 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container containers/milvus was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.6-9915f065a551ffb0d36733cc7815ef280d67263747176daae70f34a7daf3aeb2-0 updated - container:registry.suse.com-bci-bci-micro-15.6-a05744ce2c3f4696496bed0ea75f9e909b09a727f3d3407cd155bc24e1d01689-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:05:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:05:02 +0200 (CEST) Subject: SUSE-CU-2025:4435-1: Security update of containers/ollama Message-ID: <20250619070502.D2862FCFE@maintenance.suse.de> SUSE Container Update Advisory: containers/ollama ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4435-1 Container Tags : containers/ollama:0 , containers/ollama:0.6.8 , containers/ollama:0.6.8-10.23 Container Release : 10.23 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container containers/ollama was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated - container:registry.suse.com-bci-bci-micro-15.6-a05744ce2c3f4696496bed0ea75f9e909b09a727f3d3407cd155bc24e1d01689-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:06:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:06:44 +0200 (CEST) Subject: SUSE-CU-2025:4436-1: Security update of containers/open-webui Message-ID: <20250619070644.8F768FCFE@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4436-1 Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.15 Container Release : 10.15 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container containers/open-webui was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:08:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:08:22 +0200 (CEST) Subject: SUSE-IU-2025:1585-1: Recommended update of suse/sle-micro/base-5.5 Message-ID: <20250619070822.02D05FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1585-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.177 , suse/sle-micro/base-5.5:latest Image Release : 5.8.177 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2008-1 Released: Wed Jun 18 16:03:56 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
The following package changes have been done: - libzypp-17.37.5-150500.6.52.1 updated - zypper-1.14.90-150500.6.32.3 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:10:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:10:30 +0200 (CEST) Subject: SUSE-IU-2025:1588-1: Security update of suse/sle-micro/rt-5.5 Message-ID: <20250619071030.A5A86FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1588-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.406 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.406 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.308 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:19:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:19:52 +0200 (CEST) Subject: SUSE-CU-2025:4440-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250619071952.63A7CF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4440-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.4 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.4 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:21:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:21:22 +0200 (CEST) Subject: SUSE-CU-2025:4441-1: Recommended update of suse/sle-micro/5.5/toolbox Message-ID: <20250619072122.926CAF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4441-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.45 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.45 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2008-1 Released: Wed Jun 18 16:03:56 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
The following package changes have been done: - libzypp-17.37.5-150500.6.52.1 updated - zypper-1.14.90-150500.6.32.3 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:22:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:22:56 +0200 (CEST) Subject: SUSE-CU-2025:4443-1: Security update of suse/ltss/sle15.4/sle15 Message-ID: <20250619072256.D0F07F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4443-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.48 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.48 , suse/ltss/sle15.4/sle15:latest Container Release : 2.48 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:26:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:26:01 +0200 (CEST) Subject: SUSE-CU-2025:4444-1: Recommended update of suse/ltss/sle15.5/sle15 Message-ID: <20250619072601.C700BF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.5/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4444-1 Container Tags : suse/ltss/sle15.5/bci-base:15.5 , suse/ltss/sle15.5/bci-base:15.5-5.5 , suse/ltss/sle15.5/sle15:15.5 , suse/ltss/sle15.5/sle15:15.5-5.5 , suse/ltss/sle15.5/sle15:latest Container Release : 5.5 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/ltss/sle15.5/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2008-1 Released: Wed Jun 18 16:03:56 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
The following package changes have been done: - libzypp-17.37.5-150500.6.52.1 updated - zypper-1.14.90-150500.6.32.3 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:26:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:26:02 +0200 (CEST) Subject: SUSE-CU-2025:4445-1: Security update of suse/ltss/sle15.5/sle15 Message-ID: <20250619072602.A4899F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.5/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4445-1 Container Tags : suse/ltss/sle15.5/bci-base:15.5 , suse/ltss/sle15.5/bci-base:15.5-5.6 , suse/ltss/sle15.5/sle15:15.5 , suse/ltss/sle15.5/sle15:15.5-5.6 , suse/ltss/sle15.5/sle15:latest Container Release : 5.6 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/ltss/sle15.5/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:26:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:26:56 +0200 (CEST) Subject: SUSE-CU-2025:4446-1: Security update of bci/bci-init Message-ID: <20250619072656.69D53F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4446-1 Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.3 Container Release : 44.3 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:27:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:27:47 +0200 (CEST) Subject: SUSE-CU-2025:4447-1: Security update of bci/nodejs Message-ID: <20250619072747.2459AF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4447-1 Container Tags : bci/node:20 , bci/node:20.18.2 , bci/node:20.18.2-54.3 , bci/nodejs:20 , bci/nodejs:20.18.2 , bci/nodejs:20.18.2-54.3 Container Release : 54.3 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:29:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:29:51 +0200 (CEST) Subject: SUSE-CU-2025:4448-1: Security update of suse/sle15 Message-ID: <20250619072951.BE27CF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4448-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.4 , suse/sle15:15.6 , suse/sle15:15.6.47.23.4 Container Release : 47.23.4 Severity : important Type : security References : 1239012 1239543 1240132 1241463 1243226 1243887 1243901 1244105 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2007-1 Released: Wed Jun 18 16:03:17 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - libzypp-17.37.5-150600.3.60.1 updated - pam-1.3.0-150000.6.83.1 updated - zypper-1.14.90-150600.10.34.3 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:30:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:30:53 +0200 (CEST) Subject: SUSE-CU-2025:4449-1: Security update of bci/spack Message-ID: <20250619073053.980F4F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4449-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.3 Container Release : 11.3 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). 
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:30:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:30:57 +0200 (CEST) Subject: SUSE-CU-2025:4450-1: Security update of suse/389-ds Message-ID: <20250619073057.7DE93F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4450-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.3 , suse/389-ds:latest Container Release : 61.3 Severity : important Type : security References : 1241020 1241078 1241189 1243226 1243317 1244509 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). 
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:30:59 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:30:59 +0200 (CEST) Subject: SUSE-CU-2025:4451-1: Security update of bci/dotnet-aspnet Message-ID: <20250619073059.99602F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-aspnet ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4451-1 Container Tags : bci/dotnet-aspnet:8.0 , bci/dotnet-aspnet:8.0.16 , bci/dotnet-aspnet:8.0.16-61.2 Container Release : 61.2 Severity : important Type : security References : 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container bci/dotnet-aspnet was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - container:registry.suse.com-bci-bci-base-15.7-326ae997c362daa3b5b65be5c8d31f20bb0d8f24682614e3eb6ff9b79092c7e2-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:31:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:31:04 +0200 (CEST) Subject: SUSE-CU-2025:4453-1: Security update of bci/bci-base-fips Message-ID: <20250619073104.0CC0BF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-base-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4453-1 Container Tags : bci/bci-base-fips:15.7 , bci/bci-base-fips:15.7-5.3 , bci/bci-base-fips:latest Container Release : 5.3 Severity : important Type : security References : 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container bci/bci-base-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - container:registry.suse.com-bci-bci-base-15.7-326ae997c362daa3b5b65be5c8d31f20bb0d8f24682614e3eb6ff9b79092c7e2-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:31:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:31:06 +0200 (CEST) Subject: SUSE-CU-2025:4455-1: Security update of suse/bind Message-ID: <20250619073106.D8DFEF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4455-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.9 , suse/bind:9.20.9-61.4 , suse/bind:latest Container Release : 61.4 Severity : important Type : security References : 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 
----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - pam-1.3.0-150000.6.83.1 updated - container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated - container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:31:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:31:08 +0200 (CEST) Subject: SUSE-CU-2025:4456-1: Security update of suse/registry Message-ID: <20250619073108.77BAAF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4456-1 Container Tags : suse/registry:2.8 , suse/registry:2.8-5.3 , suse/registry:latest Container Release : 5.3 Severity : important Type : security References : 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/registry was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - pam-1.3.0-150000.6.83.1 updated - terminfo-base-6.1-150000.5.30.1 updated - container:bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:31:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:31:13 +0200 (CEST) Subject: SUSE-CU-2025:4457-1: Security update of bci/dotnet-sdk Message-ID: <20250619073113.4F15AF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/dotnet-sdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4457-1 Container Tags : bci/dotnet-sdk:8.0 , bci/dotnet-sdk:8.0.16 , bci/dotnet-sdk:8.0.16-61.3 Container Release : 61.3 Severity : important Type : security References : 1243317 CVE-2025-4802 
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:31:15 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:31:15 +0200 (CEST)
Subject: SUSE-CU-2025:4458-1: Security update of bci/dotnet-runtime
Message-ID: <20250619073115.5EC66F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4458-1
Container Tags : bci/dotnet-runtime:8.0 , bci/dotnet-runtime:8.0.16 , bci/dotnet-runtime:8.0.16-61.2
Container Release : 61.2
Severity : important
Type : security
References : 1243317 CVE-2025-4802
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- container:registry.suse.com-bci-bci-base-15.7-326ae997c362daa3b5b65be5c8d31f20bb0d8f24682614e3eb6ff9b79092c7e2-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:42:05 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:42:05 +0200 (CEST)
Subject: SUSE-CU-2025:4458-1: Security update of bci/dotnet-runtime
Message-ID: <20250619074205.83D1BF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4458-1
Container Tags : bci/dotnet-runtime:8.0 , bci/dotnet-runtime:8.0.16 , bci/dotnet-runtime:8.0.16-61.2
Container Release : 61.2
Severity : important
Type : security
References : 1243317 CVE-2025-4802
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- container:registry.suse.com-bci-bci-base-15.7-326ae997c362daa3b5b65be5c8d31f20bb0d8f24682614e3eb6ff9b79092c7e2-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:42:10 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:42:10 +0200 (CEST)
Subject: SUSE-CU-2025:4460-1: Recommended update of bci/gcc
Message-ID: <20250619074210.E8F72F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/gcc
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4460-1
Container Tags : bci/gcc:14 , bci/gcc:14.2 , bci/gcc:14.2-10.3 , bci/gcc:latest
Container Release : 10.3
Severity : moderate
Type : recommended
References : 1242060
-----------------------------------------------------------------

The container bci/gcc was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:42:14 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:42:14 +0200 (CEST)
Subject: SUSE-CU-2025:4462-1: Security update of suse/git
Message-ID: <20250619074214.95037F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4462-1
Container Tags : suse/git:2 , suse/git:2.43 , suse/git:2.43.0 , suse/git:2.43.0-61.5 , suse/git:latest
Container Release : 61.5
Severity : important
Type : security
References : 1243317 CVE-2025-4802
-----------------------------------------------------------------

The container suse/git was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:42:18 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:42:18 +0200 (CEST)
Subject: SUSE-CU-2025:4465-1: Security update of bci/kiwi
Message-ID: <20250619074218.9E3D3F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/kiwi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4465-1
Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.3
, bci/kiwi:latest
Container Release : 16.3
Severity : moderate
Type : security
References : 1244039 CVE-2024-47081
-----------------------------------------------------------------

The container bci/kiwi was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1998-1
Released: Wed Jun 18 10:42:20 2025
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1244039,CVE-2024-47081

This update for python-requests fixes the following issues:

- CVE-2024-47081: fixed netrc credential leak (bsc#1244039).

The following package changes have been done:

- python3-requests-2.25.1-150300.3.15.1 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:42:22 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:42:22 +0200 (CEST)
Subject: SUSE-CU-2025:4466-1: Security update of suse/kubectl
Message-ID: <20250619074222.7F08AF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4466-1
Container Tags : suse/kubectl:1.33 , suse/kubectl:1.33.1 , suse/kubectl:1.33.1-1.3.4 , suse/kubectl:latest , suse/kubectl:stable , suse/kubectl:stable-1.3.4
Container Release : 3.4
Severity : important
Type : security
References : 1243317 CVE-2025-4802
-----------------------------------------------------------------

The container suse/kubectl was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:42:24 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:42:24 +0200 (CEST)
Subject: SUSE-CU-2025:4467-1: Security update of bci/bci-micro
Message-ID: <20250619074224.3B843F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-micro
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4467-1
Container Tags : bci/bci-micro:15.7 , bci/bci-micro:15.7-42.1 , bci/bci-micro:latest
Container Release : 42.1
Severity : important
Type : security
References : 1243317
CVE-2025-4802
-----------------------------------------------------------------

The container bci/bci-micro was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:43:03 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:43:03 +0200 (CEST)
Subject: SUSE-CU-2025:4469-1: Security update of bci/openjdk-devel
Message-ID: <20250619074303.B90D8F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4469-1
Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-10.8 , bci/openjdk-devel:latest
Container Release : 10.8
Severity : important
Type : security
References : 1241020 1241078 1241189 1242060 1243226 1243317 1244509 CVE-2025-29087
CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- ncurses-utils-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- pam-1.3.0-150000.6.83.1 updated
- container:bci-openjdk-21-15.7.21-10.8 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:43:06 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:43:06 +0200 (CEST)
Subject: SUSE-CU-2025:4470-1: Security update of bci/php-apache
Message-ID: <20250619074306.9AFCBF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4470-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-10.3 , bci/php-apache:latest
Container Release : 10.3
Severity : important
Type : security
References : 1242060 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container bci/php-apache was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- pam-1.3.0-150000.6.83.1 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:43:09 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:43:09 +0200 (CEST)
Subject: SUSE-CU-2025:4471-1: Security update of bci/php-fpm
Message-ID: <20250619074309.B38F2F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4471-1
Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-10.3 , bci/php-fpm:latest
Container Release : 10.3
Severity : important
Type : security
References : 1242060 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container bci/php-fpm was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- pam-1.3.0-150000.6.83.1 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:43:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:43:12 +0200 (CEST)
Subject: SUSE-CU-2025:4472-1: Security update of bci/php
Message-ID: <20250619074312.C9DF3F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4472-1
Container Tags : bci/php:8 , bci/php:8.3.19 , bci/php:8.3.19-10.3 , bci/php:latest
Container Release : 10.3
Severity : important
Type : security
References : 1242060 1243317 CVE-2025-4802
-----------------------------------------------------------------

The container bci/php was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:43:17 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:43:17 +0200 (CEST)
Subject: SUSE-CU-2025:4475-1: Security update of bci/python
Message-ID: <20250619074317.BB7F0F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4475-1
Container Tags : bci/python:3.13 , bci/python:3.13.0 , bci/python:3.13.0-71.3 , bci/python:latest
Container Release : 71.3
Severity : important
Type : security
References : 1241020 1241078 1241189 1242060 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Thu Jun 19 07:43:21 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 19 Jun 2025 09:43:21 +0200 (CEST)
Subject: SUSE-CU-2025:4477-1: Security update of bci/python
Message-ID: <20250619074321.5942CF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4477-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-71.3
Container Release : 71.3
Severity : important
Type : security
References : 1241020 1241078 1241189 1242060 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802
-----------------------------------------------------------------

The container bci/python was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:25 +0200 (CEST) Subject: SUSE-CU-2025:4479-1: Security update of suse/mariadb Message-ID: <20250619074325.6851CF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4479-1 Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.4 , suse/mariadb:latest Container Release : 61.4 Severity : important Type : security References : 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - pam-1.3.0-150000.6.83.1 updated - container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated - container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:27 +0200 (CEST) Subject: SUSE-CU-2025:4480-1: Security update of suse/rmt-server Message-ID: <20250619074327.46AFBF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/rmt-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4480-1 Container Tags : suse/rmt-server:2 , suse/rmt-server:2.21 , suse/rmt-server:2.21-71.2 , 
suse/rmt-server:latest Container Release : 71.2 Severity : important Type : security References : 1236177 1237496 1241020 1241078 1241189 1242060 1242938 1243259 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 ----------------------------------------------------------------- The container suse/rmt-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. 
- man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - libudev1-254.24-150600.4.33.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-326ae997c362daa3b5b65be5c8d31f20bb0d8f24682614e3eb6ff9b79092c7e2-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:30 +0200 (CEST) Subject: SUSE-CU-2025:4481-1: Security update of suse/rmt-server Message-ID: <20250619074330.0A415F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/rmt-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4481-1 Container Tags : suse/rmt-server:2 , suse/rmt-server:2.21 , suse/rmt-server:2.21-71.3 , suse/rmt-server:latest Container Release : 71.3 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/rmt-server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). 
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:33 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:33 +0200 (CEST) Subject: SUSE-CU-2025:4482-1: Recommended update of bci/rust Message-ID: <20250619074333.B00F9F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4482-1 Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.2.8 , bci/rust:oldstable , bci/rust:oldstable-2.2.8 Container Release : 2.8 Severity : moderate Type : recommended References : 1242060 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:37 +0200 (CEST) Subject: SUSE-CU-2025:4483-1: Recommended update of bci/rust Message-ID: <20250619074337.2A040F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4483-1 Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.3.3 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.3 Container Release : 3.3 Severity : moderate Type : recommended References : 1242060 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:42 +0200 (CEST) Subject: SUSE-CU-2025:4485-1: Security update of suse/sle15 Message-ID: <20250619074342.2699FF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4485-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.3 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.3 , suse/sle15:latest Container Release : 5.8.3 Severity : important Type : security References : 1173375 1222044 1230267 1235598 1236177 1237172 1237496 1237587 1237949 1238315 1239012 1239543 1239809 1239909 1240132 1240529 1241020 1241078 1241189 1241463 1242060 1242938 1243259 1243317 1243360 1243887 1243901 1243960 1244105 CVE-2025-2588 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1527-1 Released: Fri May 9 17:21:39 2025 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529 This update for libsolv, libzypp, zypper fixes the following issues: - Support the apk package and repository format (both v2 and v3) - New dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - XmlReader: Fix detection of bad input streams - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false) - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) - Add a transaction package preloader - Strip a mediahandler tag from baseUrl querystrings - Updated translations (bsc#1230267) - Do 
not double encode URL strings passed on the commandline (bsc#1237587) - info,search: add option to search and list Enhances (bsc#1237949) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1534-1 Released: Mon May 12 18:00:59 2025 Summary: Security update for augeas Type: security Severity: low References: 1239909,CVE-2025-2588 This update for augeas fixes the following issues: - CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. (bsc#1239909) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1577-1 Released: Mon May 19 10:24:04 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1173375 This update for container-suseconnect fixes the following issues: - update to 2.5.1: * Bump github.com/mssola/capture from 1.0.0 to 1.1.0 * Log everything to stderr * Code formatting * Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 * Also allow optionally to pass down the system_token * Various golangci-lint v2.1x warnings fixed * Remove use of urfave/cli and replace it with flag - remove unnecessary packaging buildrequires ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1736-1 Released: Thu May 29 11:34:51 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243360 This update for container-suseconnect fixes the following issues: - Version update v2.5.3 (bsc#1243360): - only handle command line options for the default - parse and ignore the previously removed log-credentials-errors - Restore usage output on unhandled command line options - Switch to go stable and update mod to 1.24.0 - Various golangci-lint v2.1x warnings fixed - Also allow optionally to pass down the system_token - Log everything to stderr - Code formatting - remove unnecessary packaging buildrequires ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1739-1 Released: Thu May 29 11:40:51 2025 Summary: Recommended update for systemd Type: recommended Severity: important References: 1236177,1237496,1242938,1243259 This update for systemd fixes the following issues: - Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259) - umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl 
settings on systemd-coredump updates/removals. - Fix the issue with journalctl not working for users in Container UID range (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - man/pstore.conf: pstore.conf template is not always installed in /etc - man: coredump.conf template is not always installed in /etc (bsc#1237496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1943-1 Released: Fri Jun 13 10:33:55 2025 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1243960 This update for container-suseconnect fixes the following issues: - Fix the issue with retrieving the repository index file for service 'container-suseconnect-zypp' (bsc#1243960) - Switch to sha256 from md5 - use go's native fips module on tumbleweed ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2007-1 Released: Wed Jun 18 16:03:17 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist URL was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing, zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
The following package changes have been done: - container-suseconnect-2.5.4-150000.4.64.1 updated - glibc-2.38-150600.14.32.1 updated - krb5-1.20.1-150600.11.11.2 updated - libaugeas0-1.14.1-150600.3.3.1 updated - libfa1-1.14.1-150600.3.3.1 updated - libncurses6-6.1-150000.5.30.1 updated - libsolv-tools-base-0.7.32-150600.8.10.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libudev1-254.24-150600.4.33.1 updated - libzypp-17.37.5-150600.3.60.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - zypper-1.14.90-150600.10.34.3 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:43 +0200 (CEST) Subject: SUSE-CU-2025:4486-1: Security update of suse/sle15 Message-ID: <20250619074343.26869F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4486-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.4 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.4 , suse/sle15:latest Container Release : 5.8.4 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). 
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:43:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:47 +0200 (CEST) Subject: SUSE-CU-2025:4487-1: Security update of bci/spack Message-ID: <20250619074347.0CDB8F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4487-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.3 , bci/spack:latest Container Release : 13.3 Severity : important Type : security References : 1241020 1241078 1241189 1242060 1243226 1244509 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - terminfo-base-6.1-150000.5.30.1 updated - libudev1-254.24-150600.4.33.1 updated - krb5-1.20.1-150600.11.11.2 updated - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:59:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:59:55 +0200 (CEST) Subject: SUSE-CU-2025:4487-1: Security update of bci/spack Message-ID: <20250619075955.88151F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4487-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.3 , bci/spack:latest Container Release : 13.3 Severity : important Type : security References : 1241020 1241078 1241189 1242060 1243226 1244509 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/spack was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - terminfo-base-6.1-150000.5.30.1 updated - libudev1-254.24-150600.4.33.1 updated - krb5-1.20.1-150600.11.11.2 updated - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 07:59:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:59:58 +0200 (CEST) Subject: SUSE-CU-2025:4488-1: Security update of suse/stunnel Message-ID: <20250619075958.A29BCF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/stunnel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4488-1 Container Tags : suse/stunnel:5 , suse/stunnel:5.70 , suse/stunnel:5.70-61.4 , suse/stunnel:latest Container Release : 61.4 Severity : important Type : security References : 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/stunnel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - pam-1.3.0-150000.6.83.1 updated - container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated - container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Thu Jun 19 08:01:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 10:01:29 +0200 (CEST) Subject: SUSE-CU-2025:4489-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250619080129.433DAFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4489-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , 
suse/manager/4.3/proxy-httpd:4.3.15.9.63.36 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.36 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:sles15-ltss-image-15.4.0-2.48 updated From sle-container-updates at lists.suse.com Thu Jun 19 08:02:29 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 10:02:29 +0200 (CEST) Subject: SUSE-CU-2025:4490-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250619080229.06878F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4490-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.45 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.53.45 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container 
suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:sles15-ltss-image-15.4.0-2.48 updated From sle-container-updates at lists.suse.com Thu Jun 19 08:03:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 10:03:26 +0200 (CEST) Subject: SUSE-CU-2025:4491-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20250619080326.F409EF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4491-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.15 , suse/manager/4.3/proxy-squid:4.3.15.9.62.25 , suse/manager/4.3/proxy-squid:latest Container Release : 9.62.25 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:sles15-ltss-image-15.4.0-2.48 updated From sle-container-updates at lists.suse.com Thu Jun 19 08:04:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 10:04:28 +0200 (CEST) Subject: SUSE-CU-2025:4492-1: Security update of suse/manager/4.3/proxy-ssh Message-ID: <20250619080428.53B3AF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4492-1 Container Tags : suse/manager/4.3/proxy-ssh:4.3.15 , suse/manager/4.3/proxy-ssh:4.3.15.9.53.25 , suse/manager/4.3/proxy-ssh:latest Container Release : 9.53.25 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-ssh was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:sles15-ltss-image-15.4.0-2.48 updated From sle-container-updates at lists.suse.com Wed Jun 18 15:32:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 18 Jun 2025 17:32:49 +0200 (CEST) Subject: SUSE-CU-2025:4419-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250618153249.96EBCFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4419-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.59 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.59 Severity : important Type : security References : 1220112 1223096 1226498 1229491 1230581 1231016 1232649 1232882 1233192 1234154 1235149 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240593 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242006 1242012 1242035 1242044 1242203 1242343 1242414 1242417 1242501 
1242502 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242944 1242945 1242948 1242949 1242951 1242953 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 1243076 1243077 1243082 1243090 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243539 1243540 1243541 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243805 1243963 CVE-2023-53146 CVE-2024-28956 CVE-2024-43869 CVE-2024-46713 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21919 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37754 CVE-2025-37755 
CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37842 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37989 CVE-2025-37990 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2000-1 Released: Wed Jun 18 13:08:14 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1220112,1223096,1226498,1229491,1230581,1231016,1232649,1232882,1233192,1234154,1235149,1235968,1236142,1236208,1237312,1238212,1238473,1238774,1238992,1239691,1239925,1240593,1240866,1240966,1241148,1241282,1241305,1241340,1241351,1241376,1241448,1241457,1241492,1241519,1241525,1241533,1241538,1241576,1241590,1241595,1241596,1241597,1241625,1241627,1241635,1241638,1241644,1241654,1241657,1242006,1242012,1242035,1242044,1242203,1242343,1242414,1242417,1242501,1242502,1242506,1242507,1242509,1242510,1242512,1242513,1242514,1242520,1242523,1242524,1242529,1242530,1242531,1242532,1242559,1242563,1242564,1242565,1242566,1242567,1242568,1242569,1242574,1242575,1242578,1242584,1242585,1242587,1242591,1242709,1242727,1242758,1242760,1242761,1242762,1242763,1242764,1242766,1242770,1242778,1242781,1242782,1242785,1242786,1242792,1242852,1242854,1242856,1242859,1242860,1242861,1242866,1242867,1242868,1242871,1242873,1242875,1242906,1242908,1242924,1242930,1242944,1242945,1242948,1242949,1242951,1242953,1242955,1242957,1242959,1242961,1242962,1242973,1242974,1242977,1242990,1242993,1243000,1243006,1243011,1243015,1243044,1243049,1243056,1243074,1243076,1243077,1243082,1243090,1243330,1243342,1243456,1243469,1243470,1243471,1243472,1243473,1243476,1243509,1243511,1243513,1243515,1243516,1243517,1243519,1243522,1243524,1243528,1243529,1243530,1243534,1243536,1243539,1243540,1243541,1243543,1243545,1243547,1243559,1243560,1243562,1243567,1243573,1243574,1243575,1243589,1243621,1243624,1243625,1243626,1243627,1243649,1243657,1243658,1243659,1243660,1243664,1243737,1243805,1243963,CVE-2023-53146,CVE-2024-28956,CVE-2024-43869,CVE-2024-46713,CVE-2024-50106,CVE-2024-50223,CVE-2024-53135,CVE-2024-54458,CVE-2024-58098,CVE-2024-58099,CVE-2024-58100,CVE-2024-58237,CVE-2025-21629,CVE-2025-21648,CVE-2025-21702,CVE-2025-21787,CVE-2025-21814,CVE-2025-21919,CVE-2025-22005,CVE-2025-22021,CVE-2025-22030,CVE-2025-22056,CVE-2025-22057,CVE-2025-22063,CVE-2025-22066,CVE-2025-22070,CVE-2025-22089,CVE-2025-22095,CVE-2025-22103,CVE-2025-22119,CVE-2025-22124,CVE-2025-22125,CVE-2025-22126,CVE-2025-23140,CVE-2025-23141,CVE-2025-23142,CVE-2025-23144,CVE-2025-23146,CVE-2025-23147,CVE-2025-23148,CVE-2025-23149,CVE-2025-23150,CVE-2025-23151,CVE-2025-23156,CVE-2025-23157,CVE-2025-23158,CVE-2025-23159,CVE-2025-23160,CVE-2025-23161,CVE-2025-37740,CVE-2025-37741,CVE-2025-37742,CVE-2025-37747,CVE-2025-37748,CVE-2025-37749,CVE-2025-37750,CVE-2025-37754,CVE-2025-37755,CVE-2025-37758,CVE-2025-37765,CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37769,CVE-2025-37770,CVE-2025-37771,CVE-2025-37772,CVE-2025-37773,CVE-2025-37780,CVE-2025-37781,CVE-2025-37782,CVE-2025-37787,CVE-2025-37788,CVE-2025-37789,CVE-2025-37790,CVE-2025-37792,CVE-2025-37793,CVE-2025-37794,CVE-2025-37796,CVE-2025-37797,CVE-2025-37798,CVE-2025-37803,CVE-2025-37804,CVE-2025-37805,CVE-2025-37809,CVE-2025-37810,CVE-2025-37812,CVE-2025-37815,CVE-2025-37819,CVE-2025-37820,CVE-2025-37823,CVE-2025-37824,CVE-2025-37829,CVE-2025-37830,CVE-2025-37831,CVE-2025-37833,CVE-2025-37836,CVE-2025-37839,CVE-2025-37840,CVE-2025-37841,CVE-2025-37842,CVE-2025-37849,CVE-2025-37850,CVE-2025-37851,CVE-2025-37852,CVE-2025-37853,CVE-2025-37854,CVE-2025-37858,CVE-2025-37867,CVE-2025-37870,CVE-2025-37871,CVE-2025-37873,CVE-2025-37875,CVE-2025-37879,CVE-2025-37881,CVE-2025-37886,CVE-2025-37887,CVE-2025-37889,CVE-2025-37890,CVE-2025-37891,CVE-2025-37892,CVE-2025-37897,CVE-2025-37900,CVE-2025-37901,CVE-2025-37903,CVE-2025-37905,CVE-2025-37911,CVE-2025-37912,CVE-2025-37913,CVE-2025-37914,CVE-2025-37915,CVE-2025-37918,CVE-2025-37925,CVE-2025-37928,CVE-2025-37929,CVE-2025-37930,CVE-2025-37931,CVE-2025-37932,CVE-2025-37937,CVE-2025-37943,CVE-2025-37944,CVE-2025-37948,CVE-2025-37949,CVE-2025-37951,CVE-2025-37953,CVE-2025-37954,CVE-2025-37957,CVE-2025-37958,CVE-2025-37959,CVE-2025-37960,CVE-2025-37963,CVE-2025-37969,CVE-2025-37970,CVE-2025-37972,CVE-2025-37974,CVE-2025-37978,CVE-2025-37979,CVE-2025-37980,CVE-2025-37982,CVE-2025-37983,CVE-2025-37985,CVE-2025-37986,CVE-2025-37989,CVE-2025-37990,CVE-2025-38104,CVE-2025-38152,CVE-2025-38240,CVE-2025-38637,CVE-2025-39735,CVE-2025-40014,CVE-2025-40325
The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). - CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). 
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). - CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). 
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). The following non-security bugs were fixed: - ACPI: PPTT: Fix processor subtable walk (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() (stable-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoC: Use of_property_read_bool() (stable-fixes). - ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties (stable-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). 
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - Input: cyttsp5 - ensure minimum reset pulse width (git-fixes). - Input: mtk-pmic-keys - fix possible null pointer dereference (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). - Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - Input: xpad - fix two controller table values (git-fixes). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). 
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). - KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). 
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - Squashfs: check return result of sb_min_blocksize (git-fixes). - USB: usbtmc: use interruptible sleep in usbtmc_read (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). - bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). 
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). - bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - cBPF: Refresh fixes for cBPF issue (bsc#1242778) - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: gw: fix RCU/BH usage in cgw_create_job() (git-fixes). - can: mcan: m_can_class_unregister(): fix order of unregistration calls (git-fixes). - can: mcp251xfd: fix TDC setting for low data bit rates (git-fixes). - can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls (git-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dm-integrity: fix a warning on invalid table line (git-fixes). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). 
- dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp (stable-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Copy AUX read reply data whenever length > 0 (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display: Fix slab-use-after-free in hdcp (git-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Fix wrong handling for AUX_DEFER case (git-fixes). - drm/amd/display: Remove incorrect checking in dmub aux handler (git-fixes). - drm/amd/display: Shift DMUB AUX reply command if necessary (git-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). 
- drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/panel: simple: Update timings for AUO G101EVN010 (git-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - exfat: fix potential wrong error return from get_block (git-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: adxl367: fix setting odr for activity time update (git-fixes). - iio: adc: ad7606: fix serial register access (git-fixes). - iio: adis16201: Correct inclinometer channel resolution (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (git-fixes). - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer (git-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). 
- ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs (git-fixes). - jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kernel-obs-qa: Use srchash for dependency as well - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). 
- md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - neighbour: delete redundant judgment statements (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). - net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). 
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: Update patch nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch (git-fixes bsc#1235149). - nvme: Update patch nvme-re-read-ANA-log-page-after-ns-scan-completes.patch (git-fixes bsc#1235149). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). 
- nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie 14XA (GX4HRXL) (git-fixes). - platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles (stable-fixes). - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (git-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - qibfs: fix _another_ leak (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - regulator: max20086: fix invalid memory access (git-fixes). 
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - scsi: Improve CDL control (git-fixes). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). 
- scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). - smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). 
- spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (git-fixes). - staging: axis-fifo: Remove hardware resets for user errors (git-fixes). - staging: iio: adc: ad7816: Correct conditional logic for store mode (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version (git-fixes). - usb: gadget: Use get_status callback to set remote wakeup capability (git-fixes). - usb: gadget: f_ecm: Add get_status callback (git-fixes). - usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN (git-fixes). - usb: host: tegra: Prevent host controller crash when OTG port is used (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (git-fixes). - usb: typec: ucsi: displayport: Fix NULL pointer access (git-fixes). - usb: uhci-platform: Make the clock really optional (git-fixes). - usb: usbtmc: Fix erroneous generic_read ioctl return (git-fixes). - usb: usbtmc: Fix erroneous get_stb ioctl error returns (git-fixes). - usb: usbtmc: Fix erroneous wait_srq ioctl return (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation (git-fixes). 
- wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: Clean up stale comment on ERST_SIZE macro (stable-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes).
The following package changes have been done: - kernel-default-6.4.0-150600.23.53.1 updated
From sle-container-updates at lists.suse.com Thu Jun 19 07:43:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 19 Jun 2025 09:43:39 +0200 (CEST) Subject: SUSE-CU-2025:4484-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250619074339.D4F7BF78C@maintenance.suse.de>
SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4484-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.1 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.1 Severity : important Type : security References :
-----------------------------------------------------------------
The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802
This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1951-1 Released: Fri Jun 13 15:54:31 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References:
The SUSE Linux Enterprise 15 SP7 kernel was updated to receive various security bugfixes.
The following security bugs were fixed: - CVE-2023-52927: netfilter: allow exp not to be removed in nf_ct_find_expectation (bsc#1239644). - CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006). - CVE-2024-35840: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() (bsc#1224597). - CVE-2024-35910: tcp: properly terminate timers for kernel sockets (bsc#1224489). - CVE-2024-41005: netpoll: Fix race condition in netpoll_owner_active (bsc#1227858). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-46782: ila: call nf_unregister_net_hooks() sooner (bsc#1230769). - CVE-2024-47408: net/smc: check smcd_v2_ext_offset when receiving proposal msg (bsc#1235711). - CVE-2024-47794: kABI: bpf: Prevent tailcall infinite loop caused by freplace kABI workaround (bsc#1235712). - CVE-2024-49570: drm/xe/tracing: Fix a potential TP_printk UAF (bsc#1238782). - CVE-2024-49571: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg (bsc#1235733). - CVE-2024-50038: netfilter: xtables: fix typo causing some targets not to load on IPv6 (bsc#1231910). - CVE-2024-50056: usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c (bsc#1232389). - CVE-2024-50140: net: sched: use RCU read-side critical section in taprio_dump() (bsc#1233060).
- CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192).
- CVE-2024-53057: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT (bsc#1233551).
- CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc (bsc#1234074).
- CVE-2024-53139: sctp: fix possible UAF in sctp_v6_available() (bsc#1234157).
- CVE-2024-53140: netlink: terminate outstanding dump on socket close (bsc#1234222).
- CVE-2024-53680: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() (bsc#1235715).
- CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992).
- CVE-2024-54683: netfilter: IDLETIMER: Fix for possible ABBA deadlock (bsc#1235729).
- CVE-2024-56638: kABI fix for 'netfilter: nft_inner: incorrect percpu area handling under softirq' (bsc#1235524).
- CVE-2024-56640: net/smc: fix LGR and link use-after-free issue (bsc#1235436).
- CVE-2024-56703: ipv6: Fix soft lockups in fib6_select_path under high next hop churn (bsc#1235455).
- CVE-2024-56718: net/smc: protect link down work from execute after lgr freed (bsc#1235589).
- CVE-2024-56719: net: stmmac: fix TSO DMA API usage causing oops (bsc#1235591).
- CVE-2024-56751: ipv6: release nexthop on device removal (bsc#1234936).
- CVE-2024-56758: btrfs: check folio mapping after unlock in relocate_one_folio() (bsc#1235621).
- CVE-2024-56770: net/sched: netem: account for backlog updates from child qdisc (bsc#1235637).
- CVE-2024-57900: ila: serialize calls to nf_register_net_hooks() (bsc#1235973).
- CVE-2024-57924: fs: relax assertions on failure to encode file handles (bsc#1236086).
- CVE-2024-57947: netfilter: nf_set_pipapo: fix initial map fill (bsc#1236333).
- CVE-2024-57974: udp: Deal with race between UDP socket address change and rehash (bsc#1238532).
- CVE-2024-58018: nvkm: correctly calculate the available space of the GSP cmdq buffer (bsc#1238990).
- CVE-2024-58019: nvkm/gsp: correctly advance the read pointer of GSP message queue (bsc#1238997).
- CVE-2024-58068: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (bsc#1238961).
- CVE-2024-58070: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (bsc#1238983).
- CVE-2024-58071: team: prevent adding a device which is already a team device lower (bsc#1238970).
- CVE-2024-58074: drm/i915: Grab intel_display from the encoder to avoid potential (bsc#1238972).
- CVE-2024-58083: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (bsc#1239036).
- CVE-2024-58088: bpf: Fix deadlock when freeing cgroup storage (bsc#1239510).
- CVE-2024-58091: drm/fbdev-dma: Add shadow buffering for deferred I/O (bsc#1240174).
- CVE-2025-21635: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy (bsc#1236111).
- CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142).
- CVE-2025-21659: netdev: prevent accessing NAPI instances from another namespace (bsc#1236206).
- CVE-2025-21683: bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704).
- CVE-2025-21696: mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111).
- CVE-2025-21701: net: avoid race between device unregistration and ethnl ops (bsc#1237164).
- CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313).
- CVE-2025-21706: mptcp: pm: only set fullmesh for subflow endp (bsc#1238528).
- CVE-2025-21707: mptcp: consolidate suboption status (bsc#1238862).
- CVE-2025-21717: net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq (bsc#1238866).
- CVE-2025-21729: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (bsc#1237874).
- CVE-2025-21739: kABI: ufshcd: add ufshcd_dealloc_host back (bsc#1238506).
- CVE-2025-21753: btrfs: fix use-after-free when attempting to join an aborted transaction (bsc#1237875).
- CVE-2025-21755: vsock: Orphan socket after transport release (bsc#1237882).
- CVE-2025-21758: ipv6: mcast: add RCU protection to mld_newpack() (bsc#1238737).
- CVE-2025-21759: ipv6: mcast: extend RCU protection in igmp6_send() (bsc#1238738).
- CVE-2025-21760: ndisc: extend RCU protection in ndisc_send_skb() (bsc#1238763).
- CVE-2025-21761: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (bsc#1238775).
- CVE-2025-21762: arp: use RCU protection in arp_xmit() (bsc#1238780).
- CVE-2025-21763: neighbour: use RCU protection in __neigh_notify() (bsc#1237897).
- CVE-2025-21765: ipv6: use RCU protection in ip6_default_advmss() (bsc#1237906).
- CVE-2025-21766: ipv4: use RCU protection in __ip_rt_update_pmtu() (bsc#1238754).
- CVE-2025-21768: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels (bsc#1238714).
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774).
- CVE-2025-21792: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt (bsc#1238745).
- CVE-2025-21800: net/mlx5: HWS, fix definer's HWS_SET32 macro for negative offset (bsc#1238743).
- CVE-2025-21806: net: let net.core.dev_weight always be non-zero (bsc#1238746).
- CVE-2025-21808: net: xdp: Disallow attaching device-bound programs in generic mode (bsc#1238742).
- CVE-2025-21812: ax25: rcu protect dev->ax25_ptr (bsc#1238471).
- CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473).
- CVE-2025-21833: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (bsc#1239108).
- CVE-2025-21836: io_uring/kbuf: reallocate buf lists on upgrade (bsc#1239066).
- CVE-2025-21837: io_uring/uring_cmd: unconditionally copy SQEs at prep time (bsc#1239064).
- CVE-2025-21844: smb: client: Add check for next_buffer in receive_encrypted_standard() (bsc#1239512).
- CVE-2025-21848: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() (bsc#1239479).
- CVE-2025-21854: selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470).
- CVE-2025-21856: s390/ism: add release function for struct device (bsc#1239486).
- CVE-2025-21857: net/sched: cls_api: fix error handling causing NULL dereference (bsc#1239478).
- CVE-2025-21861: mm/migrate_device: do not add folio to be freed to LRU in migrate_device_finalize() (bsc#1239483).
- CVE-2025-21862: drop_monitor: fix incorrect initialization order (bsc#1239474).
- CVE-2025-21863: io_uring: prevent opcode speculation (bsc#1239475).
- CVE-2025-21864: kABI fix for tcp: drop secpath at the same time as we currently drop (bsc#1239482).
- CVE-2025-21865: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl() (bsc#1239481).
- CVE-2025-21867: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (bsc#1240181).
- CVE-2025-21870: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers (bsc#1240191).
- CVE-2025-21871: tee: optee: Fix supplicant wait loop (bsc#1240183).
- CVE-2025-21873: scsi: ufs: core: bsg: Fix crash when arpmb command fails (bsc#1240184).
- CVE-2025-21875: mptcp: always handle address removal under msk socket lock (bsc#1240168).
- CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode() (bsc#1240185).
- CVE-2025-21882: net/mlx5: Fix vport QoS cleanup on error (bsc#1240187).
- CVE-2025-21883: ice: Fix deinitializing VF in error path (bsc#1240189).
- CVE-2025-21884: net: better track kernel sockets lifetime (bsc#1240171).
- CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (bsc#1240176).
- CVE-2025-21889: perf/core: Add RCU read lock protection to perf_iterate_ctx() (bsc#1240167).
- CVE-2025-21890: idpf: fix checksums set in idpf_rx_rsc() (bsc#1240173).
- CVE-2025-21891: ipvlan: ensure network headers are in skb linear part (bsc#1240186).
- CVE-2025-21894: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (bsc#1240581).
- CVE-2025-21895: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585).
- CVE-2025-21904: caif_virtio: fix wrong pointer check in cfv_probe() (bsc#1240576).
- CVE-2025-21906: wifi: iwlwifi: mvm: clean up ROC on failure (bsc#1240587).
- CVE-2025-21908: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (bsc#1240600).
- CVE-2025-21913: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (bsc#1240591).
- CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593).
- CVE-2025-21922: ppp: Fix KMSAN uninit-value warning with bpf (bsc#1240639).
- CVE-2025-21924: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (bsc#1240720).
- CVE-2025-21925: llc: do not use skb_get() before dev_queue_xmit() (bsc#1240713).
- CVE-2025-21926: net: gso: fix ownership in __udp_gso_segment (bsc#1240712).
- CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio (bsc#1240709).
- CVE-2025-21957: scsi: qla1280: Fix kernel oops when debug level > 2 (bsc#1240742).
- CVE-2025-21960: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (bsc#1240815).
- CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case (bsc#1240816).
- CVE-2025-21962: cifs: Fix integer overflow while processing closetimeo mount option (bsc#1240655).
- CVE-2025-21963: cifs: Fix integer overflow while processing acdirmax mount option (bsc#1240717).
- CVE-2025-21964: cifs: Fix integer overflow while processing acregmax mount option (bsc#1240740).
- CVE-2025-21969: kABI workaround for l2cap_conn changes (bsc#1240784).
- CVE-2025-21970: net/mlx5: Bridge, fix the crash caused by LAG state check (bsc#1240819).
- CVE-2025-21972: net: mctp: unshare packets when reassembling (bsc#1240813).
- CVE-2025-21973: eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx} (bsc#1240803).
- CVE-2025-21974: eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc() (bsc#1240800).
- CVE-2025-21975: net/mlx5: handle errors in mlx5_chains_create_table() (bsc#1240812).
- CVE-2025-21980: sched: address a potential NULL pointer dereference in the GRED scheduler (bsc#1240809).
- CVE-2025-21981: ice: fix memory leak in aRFS after reset (bsc#1240612).
- CVE-2025-21985: drm/amd/display: Fix out-of-bound accesses (bsc#1240811).
- CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (bsc#1240795).
- CVE-2025-21993: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (bsc#1240797).
- CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
- CVE-2025-22015: mm/migrate: fix shmem xarray update during migration (bsc#1240944).
- CVE-2025-22016: dpll: fix xa_alloc_cyclic() error handling (bsc#1240934).
- CVE-2025-22017: devlink: fix xa_alloc_cyclic() error handling (bsc#1240936).
- CVE-2025-22018: atm: Fix NULL pointer dereference (bsc#1241266).
- CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282).
- CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376).
- CVE-2025-22036: exfat: fix random stack corruption after get_block (bsc#1241426).
- CVE-2025-22045: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (bsc#1241433).
- CVE-2025-22053: net: ibmveth: make veth_pool_store stop hanging (bsc#1241373).
- CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
- CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533).
- CVE-2025-22058: udp: Fix memory accounting leak (bsc#1241332).
- CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526).
- CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351).
- CVE-2025-22064: netfilter: nf_tables: do not unregister hook when table is dormant (bsc#1241413).
- CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305).
- CVE-2025-22080: fs/ntfs3: Prevent integer overflow in hdr_first_de() (bsc#1241416).
- CVE-2025-22090: mm: (un)track_pfn_copy() fix + doc improvements (bsc#1241537).
- CVE-2025-22094: powerpc/perf: Fix ref-counting on the PMU 'vpa_pmu' (bsc#1241512).
- CVE-2025-22102: Bluetooth: btnxpuart: Fix kernel panic during FW release (bsc#1241456).
- CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448).
- CVE-2025-22104: ibmvnic: Use kernel helpers for hex dumps (bsc#1241550).
- CVE-2025-22105, CVE-2025-37860: Add missing bugzilla references (bsc#1241452 bsc#1241548).
- CVE-2025-22107: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (bsc#1241575).
- CVE-2025-22109: ax25: Remove broken autobind (bsc#1241573).
- CVE-2025-22121: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (bsc#1241593).
- CVE-2025-2312: CIFS: New mount option for cifs.upcall namespace resolution (bsc#1239684).
- CVE-2025-23133: wifi: ath11k: update channel list in reg notifier instead reg worker (bsc#1241451).
- CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648).
- CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513).
- CVE-2025-23154: io_uring/net: fix io_req_post_cqe abuse by send bundle (bsc#1242533).
- CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507).
- CVE-2025-37747: kABI workaround for perf-Fix-hang-while-freeing-sigtrap-event (References: bsc#1242520).
- CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523).
- CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859).
- CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510).
- CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506).
- CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502).
- CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786).
- CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).
- CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585).
- CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509).
- CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417).
- CVE-2025-37798: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() (bsc#1242414).
- CVE-2025-37799: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (bsc#1242283).
- CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852).
- CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854).
- CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856).
- CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866).
- CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
- CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867).
- CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875).
- CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860).
- CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861).
- CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868).
- CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951).
- CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056).
- CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077).
- CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944).
- CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962).
- CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541).
- CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513).
- CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539).
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519).
- CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547).
- CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627).
- CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657).
- CVE-2025-39728: clk: samsung: Fix UBSAN panic in samsung_clk_init() (bsc#1241626).

The following non-security bugs were fixed:

- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls (stable-fixes).
- ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes).
- ACPI: PPTT: Fix processor subtable walk (git-fixes).
- ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid (bsc#1237530).
- ACPI: resource: IRQ override for Eluktronics MECH-17 (stable-fixes).
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes).
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes).
- ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes).
- ALSA: hda/realtek - Enable speaker for HP platform (git-fixes).
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes).
- ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx (stable-fixes).
- ALSA: hda/realtek: Add support for ASUS B3405 and B3605 Laptops using CS35L41 HDA (stable-fixes).
- ALSA: hda/realtek: Add support for ASUS B5405 and B5605 Laptops using CS35L41 HDA (stable-fixes).
- ALSA: hda/realtek: Add support for various HP Laptops using CS35L41 HDA (stable-fixes).
- ALSA: hda/realtek: Always honor no_shutup_pins (git-fixes).
- ALSA: hda/realtek: Bass speaker fixup for ASUS UM5606KA (stable-fixes).
- ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx (stable-fixes).
- ALSA: hda/realtek: Fix built-in mic assignment on ASUS VivoBook X515UA (git-fixes).
- ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes).
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models (git-fixes).
- ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx (stable-fixes).
- ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315 (stable-fixes).
- ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0 (stable-fixes).
- ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist (stable-fixes).
- ALSA: hda: intel: Fix Optimus when GPU has no sound (stable-fixes).
- ALSA: pcm: Drop superfluous NULL check in snd_pcm_format_set_silence() (git-fixes).
- ALSA: seq: Fix delivery of UMP events to group ports (git-fixes).
- ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes).
- ALSA: timer: Do not take register_mutex with copy_from/to_user() (git-fixes).
- ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes).
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion (bsc#1242044).
- ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names (stable-fixes).
- ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() (stable-fixes).
- ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes).
- ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset (stable-fixes).
- ALSA: usb-audio: Fix CME quirk for UF series keyboards (stable-fixes).
- ALSA: usb-audio: separate DJM-A9 cap lvl options (git-fixes).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() (git-fixes).
- ASoC: Intel: sof_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks() (git-fixes).
- ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module (stable-fixes).
- ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE (stable-fixes).
- ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes).
- ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes).
- ASoC: SOF: topology: Use krealloc_array() to replace krealloc() (stable-fixes).
- ASoC: Use of_property_read_bool() (stable-fixes).
- ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes).
- ASoC: amd: acp: Fix for enabling DMIC on acp platforms via _DSD entry (git-fixes).
- ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model (stable-fixes).
- ASoC: amd: yc: update quirk data for new Lenovo model (stable-fixes).
- ASoC: arizona/madera: use fsleep() in up/down DAPM event delays (stable-fixes).
- ASoC: codecs: rt5665: Fix some error handling paths in rt5665_probe() (git-fixes).
- ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes).
- ASoC: cs35l41: check the return value from spi_setup() (git-fixes).
- ASoC: cs42l43: Fix maximum ADC Volume (git-fixes).
- ASoC: cs42l43: Reset clamp override on jack removal (git-fixes).
- ASoC: dwc: always enable/disable i2s irqs (git-fixes).
- ASoC: fsl: fsl_qmc_audio: Reset audio data pointers on TRIGGER_START event (git-fixes).
- ASoC: fsl_audmix: register card device depends on 'dais' property (stable-fixes).
- ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes).
- ASoC: ops: Consistently treat platform_max as control value (git-fixes).
- ASoC: q6apm-dai: make use of q6apm_get_hw_pointer (git-fixes).
- ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs (git-fixes).
- ASoC: q6apm: add q6apm_get_hw_pointer helper (git-fixes).
- ASoC: qcom: Fix sc7280 lpass potential buffer overflow (git-fixes).
- ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes).
- ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes).
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes).
- ASoC: rt722-sdca: add missing readable registers (git-fixes).
- ASoC: simple-card-utils.c: add missing dlc->of_node (stable-fixes).
- ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction (git-fixes).
- ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties (stable-fixes).
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence (git-fixes).
- ASoC: tas2764: Fix power control mask (stable-fixes).
- ASoC: tas2764: Set the SDOUT polarity correctly (stable-fixes).
- ASoC: tas2770: Fix volume scale (stable-fixes).
- ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible (git-fixes).
- ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes).
- Bluetooth: Fix error code in chan_alloc_skb_cb() (git-fixes).
- Bluetooth: HCI: Add definition of hci_rp_remote_name_req_cancel (git-fixes).
- Bluetooth: Improve setsockopt() handling of malformed user input (git-fixes).
- Bluetooth: L2CAP: Fix corrupted list in hci_chan_del (git-fixes).
- Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes).
- Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd (stable-fixes).
- Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes).
- Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths (git-fixes).
- Bluetooth: btnxpuart: Fix kernel panic during FW release (git-fixes).
- Bluetooth: btrtl: Prevent potential NULL dereference (git-fixes).
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() (git-fixes).
- Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes).
- Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters (git-fixes).
- Bluetooth: hci_event: Fix enabling passive scanning (git-fixes).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (git-fixes).
- Bluetooth: hci_uart: Fix another race during initialization (git-fixes).
- Bluetooth: hci_uart: fix race during initialization (stable-fixes).
- Bluetooth: l2cap: Check encryption key size on incoming connection (git-fixes).
- Bluetooth: l2cap: Process valid commands in too long frame (stable-fixes).
- Bluetooth: qca: simplify WCN399x NVM loading (stable-fixes).
- Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes).
- Documentation: qat: fix auto_reset attribute details (git-fixes).
- Documentation: qat: fix auto_reset section (git-fixes).
- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes).
- Drivers: hv: vmbus: Do not release fb_mmio resource in vmbus_free_mmio() (git-fixes).
- EDAC/i10nm: Add Intel Clearwater Forest server support (jsc#PED-10190).
- Fix mismerge from SLE15-SP6 to SLE15-SP7 (bsc#1241591)
- Fix write to cloned skb in ipv6_hop_ioam() (git-fixes).
- HID: Enable playstation driver independently of sony driver (git-fixes).
- HID: apple: disable Fn key handling on the Omoton KB066 (git-fixes).
- HID: apple: fix up the F6 key on the Omoton KB066 keyboard (stable-fixes).
- HID: hid-apple: Apple Magic Keyboard a3203 USB-C support (stable-fixes).
- HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes).
- HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes).
- HID: ignore non-functional sensor in HP 5MP Camera (stable-fixes).
- HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() (git-fixes).
- HID: intel-ish-hid: Send clock sync message immediately after reset (stable-fixes).
- HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell (stable-fixes).
- HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER (git-fixes).
- HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes).
- HID: topre: Fix n-key rollover on Realforce R3S TKL boards (stable-fixes).
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes).
- IB/cm: use rwlock for MAD agent lock (git-fixes)
- IB/mad: Check available slots before posting receive WRs (git-fixes)
- Input: ads7846 - fix gpiod allocation (git-fixes).
- Input: cyttsp5 - ensure minimum reset pulse width (git-fixes).
- Input: cyttsp5 - fix power control issue on wakeup (git-fixes).
- Input: i8042 - add required quirks for missing old boardnames (stable-fixes).
- Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ (stable-fixes).
- Input: i8042 - swap old quirk combination with new quirk for more devices (stable-fixes).
- Input: i8042 - swap old quirk combination with new quirk for several devices (stable-fixes).
- Input: iqs7222 - add support for Azoteq IQS7222D (git-fixes).
- Input: iqs7222 - add support for IQS7222D v1.1 and v1.2 (git-fixes).
- Input: iqs7222 - preserve system status register (git-fixes).
- Input: mtk-pmic-keys - fix possible null pointer dereference (git-fixes).
- Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes).
- Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes).
- Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes).
- Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes).
- Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes).
- Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes).
- Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers (stable-fixes).
- Input: xpad - add multiple supported devices (stable-fixes).
- Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes).
- Input: xpad - add support for TECNO Pocket Go (stable-fixes).
- Input: xpad - add support for ZOTAC Gaming Zone (stable-fixes).
- Input: xpad - fix Share button on Xbox One controllers (stable-fixes).
- Input: xpad - fix two controller table values (git-fixes).
- Input: xpad - rename QH controller to Legion Go S (stable-fixes).
- KVM: PPC: Book3S HV: Fix IRQ map warnings with XICS on pSeries KVM Guest (bsc#1242205 ltc#212592).
- KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests (jsc#PED-10539 git-fixes).
- KVM: SVM: Allocate IR data using atomic allocation (git-fixes).
- KVM: SVM: Do not change target vCPU state on AP Creation VMGEXIT error (git-fixes).
- KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes).
- KVM: SVM: Refuse to attempt VRMUN if an SEV-ES+ guest had an invalid VMSA (git-fixes).
- KVM: SVM: Save host DR masks on CPUs with DebugSwap (jsc#PED-348).
- KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes).
- KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes).
- KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes).
- KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes).
- KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes).
- KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes).
- KVM: arm64: Mark some header functions as inline (git-fixes).
- KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes).
- KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes).
- KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes).
- KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes).
- KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes).
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes).
- KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes).
- KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes).
- KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes).
- KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes).
- KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657).
- KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658).
- KVM: update patch KVM-PPC-Enable-CAP_SPAPR_TCE_VFIO-on-pSeries-KVM-gue.patch (jsc#PED-10539 git-fixes bsc#1240419 ltc#212279).
- KVM: x86/mmu: Check and free obsolete roots in kvm_mmu_reload() (git-fixes).
- KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes).
- KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes).
- KVM: x86: Check that the high 32bits are clear in kvm_arch_vcpu_ioctl_run() (git-fixes).
- KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes).
- KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes).
- KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes).
- KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes).
- KVM: x86: Make x2APIC ID 100% readonly (git-fixes).
- KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes).
- KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes).
- KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes).
- KVM: x86: block KVM_CAP_SYNC_REGS if guest state is protected (git-fixes).
- NFS: O_DIRECT writes must check and adjust the file length (git-fixes).
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes).
- NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes).
- NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes).
- OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961)
- PCI/ACS: Fix 'pci=config_acs=' parameter (git-fixes).
- PCI/ASPM: Fix link state exit during switch upstream function removal (git-fixes).
- PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads (git-fixes).
- PCI/portdrv: Only disable pciehp interrupts early when needed (git-fixes).
- PCI: Avoid reset when disabled via sysfs (git-fixes).
- PCI: Drop patch that caused a regression (bsc#1241123).
- PCI: Fix BAR resizing when VF BARs are assigned (git-fixes).
- PCI: Fix reference leak in pci_alloc_child_bus() (git-fixes).
- PCI: Fix reference leak in pci_register_host_bridge() (git-fixes).
- PCI: Remove stray put_device() in pci_register_host_bridge() (git-fixes).
- PCI: brcmstb: Fix error path after a call to regulator_bulk_get() (git-fixes).
- PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() (git-fixes).
- PCI: brcmstb: Fix potential premature regulator disabling (git-fixes).
- PCI: brcmstb: Set generation limit before PCIe link up (git-fixes).
- PCI: brcmstb: Use internal register to change link capability (git-fixes).
- PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload (git-fixes).
- PCI: dwc: ep: Return -ENOMEM for allocation failures (git-fixes).
- PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes).
- PCI: pciehp: Do not enable HPIE when resuming in poll mode (git-fixes).
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type (stable-fixes).
- PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe (git-fixes).
- PM: sleep: Adjust check before setting power.must_resume (git-fixes).
- PM: sleep: Fix handling devices with direct_complete set on errors (git-fixes).
- RAS: Avoid build errors when CONFIG_DEBUG_FS=n (jsc#PED-7619).
- RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx (git-fixes)
- RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path (git-fixes)
- RDMA/bnxt_re: Fix allocation of QP table (git-fixes)
- RDMA/bnxt_re: Fix budget handling of notification queue (git-fixes)
- RDMA/bnxt_re: Fix reporting maximum SRQs on P7 chips (git-fixes)
- RDMA/bnxt_re: Remove unusable nq variable (git-fixes)
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes)
- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes)
- RDMA/core: Do not expose hw_counters outside of init net namespace (git-fixes)
- RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes)
- RDMA/core: Fix use-after-free when rename device name (git-fixes)
- RDMA/core: Silence oversized kvmalloc() warning (git-fixes)
- RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() (git-fixes)
- RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() (git-fixes)
- RDMA/hns: Fix invalid sq params not being blocked (git-fixes)
- RDMA/hns: Fix missing xa_destroy() (git-fixes)
- RDMA/hns: Fix soft lockup during bt pages loop (git-fixes)
- RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() (git-fixes)
- RDMA/hns: Fix wrong maximum DMA segment size (git-fixes)
- RDMA/hns: Fix wrong value of max_sge_rd (git-fixes)
- RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes)
- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes)
- RDMA/mana_ib: Ensure variable err is initialized (git-fixes).
- RDMA/mana_ib: Prefer struct_size over open coded arithmetic (bsc#1239016).
- RDMA/mlx5: Fix MR cache initialization error flow (git-fixes)
- RDMA/mlx5: Fix cache entry update on dereg error (git-fixes)
- RDMA/mlx5: Fix calculation of total invalidated pages (git-fixes)
- RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes)
- RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow (git-fixes)
- RDMA/mlx5: Fix page_size variable overflow (git-fixes)
- RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() (git-fixes)
- RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes)
- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes)
- RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests (git-fixes)
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes)
- RDMA: update patch RDMA-core-Don-t-expose-hw_counters-outside-of-init-n.patch (git-fixes bsc#1239925).
- Squashfs: check return result of sb_min_blocksize (git-fixes).
- UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() (git-fixes).
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) (stable-fixes).
- USB: VLI disk crashes if LPM is used (stable-fixes).
- USB: gadget: core: create sysfs link between udc and gadget (git-fixes).
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe (stable-fixes).
- USB: serial: ftdi_sio: add support for Altera USB Blaster 3 (stable-fixes).
- USB: serial: option: add Sierra Wireless EM9291 (stable-fixes).
- USB: serial: option: add Telit Cinterion FE990B compositions (stable-fixes).
- USB: serial: option: fix Telit Cinterion FE990A name (stable-fixes).
- USB: serial: option: match on interface class for Telit FN990B (stable-fixes).
- USB: serial: simple: add OWON HDS200 series oscilloscope support (stable-fixes).
- USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes).
- USB: usbtmc: use interruptible sleep in usbtmc_read (git-fixes).
- USB: wdm: add annotation (git-fixes).
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop (git-fixes).
- USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes).
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context (git-fixes).
- Update config. Enable HiSi accel VFIO PCI (jsc#PED-12622)
- Update config. Enable SPI DW mmio driver (jsc#PED-12622)
- Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes).
- accel/ivpu: Fix PM related deadlocks in MS IOCTLs (git-fixes).
- accel/ivpu: Fix deadlock in ivpu_ms_cleanup() (git-fixes).
- accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() (git-fixes).
- accel/ivpu: Increase DMA address range (PED-12367).
- accel/qaic: Fix integer overflow in qaic_validate_req() (git-fixes).
- accel/qaic: Fix possible data corruption in BOs > 2G (git-fixes).
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes).
- add bug reference for an existing hv_netvsc change (bsc#1243737).
- af_unix: Remove put_pid()/put_cred() in copy_peercred() (bsc#1240334).
- affs: do not write overlarge OFS data block size fields (git-fixes).
- affs: generate OFS sequence numbers starting at 1 (git-fixes).
- afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes).
- afs: Make it possible to find the volumes that are using a server (git-fixes).
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller (stable-fixes).
- arch_topology: Make register_cpu_capacity_sysctl() tolerant to late (bsc#1238052)
- arch_topology: init capacity_freq_ref to 0 (bsc#1238052)
- arm64/amu: Use capacity_ref_freq() to set AMU ratio (bsc#1238052)
- arm64: Do not call NULL in do_compat_alignment_fixup() (git-fixes)
- arm64: Provide an AMU-based version of arch_freq_get_on_cpu (bsc#1238052)
- arm64: Update AMU-based freq scale factor on entering idle (bsc#1238052)
- arm64: Utilize for_each_cpu_wrap for reference lookup (bsc#1238052)
- arm64: amu: Delay allocating cpumask for AMU FIE support (bsc#1238052)
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778).
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes)
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778).
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes)
- arm64: cputype: Add MIDR_CORTEX_A76AE (git-fixes)
- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes)
- arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to (git-fixes)
- arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply (git-fixes)
- arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes)
- arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi (git-fixes)
- arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board (git-fixes)
- arm64: dts: rockchip: Fix PWM pinctrl names (git-fixes)
- arm64: dts: rockchip: Remove bluetooth node from rock-3a (git-fixes)
- arm64: dts: rockchip: Remove undocumented sdmmc property from (git-fixes)
- arm64: dts: rockchip: add rs485 support on uart5 of (git-fixes)
- arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou (git-fixes)
- arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou (git-fixes)
- arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe (git-fixes)
- arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list (git-fixes)
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes)
- arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() (git-fixes)
- arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre (git-fixes)
- arm64: insn: Add support for encoding DSB (bsc#1242778).
- arm64: insn: Add support for encoding DSB (git-fixes)
- arm64: mm: Correct the update of max_pfn (git-fixes)
- arm64: mm: Populate vmemmap at the page level if not section aligned (git-fixes)
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778).
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes)
- arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778).
- arm64: proton-pack: Expose whether the branchy loop k value (git-fixes)
- arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes)
- arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778).
- arm64: tegra: Remove the Orin NX/Nano suspend key (git-fixes)
- arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes).
- asus-laptop: Fix an uninitialized variable (git-fixes).
- ata: ahci: Add mask_port_map module parameter (git-fixes).
- ata: libata-sata: Save all fields from sense data descriptor (git-fixes).
- ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf (git-fixes).
- ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type (git-fixes).
- ata: libata-scsi: Fix ata_msense_control_ata_feature() (git-fixes).
- ata: libata-scsi: Improve CDL control (git-fixes).
- ata: libata-scsi: Remove redundant sense_buffer memsets (git-fixes).
- ata: libata: Fix NCQ Non-Data log not supported print (git-fixes).
- ata: pata_parport: add custom version of wait_after_reset (git-fixes).
- ata: pata_parport: fit3: implement IDE command set registers (git-fixes).
- ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() (git-fixes).
- ata: pata_serverworks: Do not use the term blacklist (git-fixes).
- ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() (git-fixes).
- ata: sata_sil: Rename sil_blacklist to sil_quirks (git-fixes).
- ata: sata_sx4: Add error handling in pdc20621_i2c_read() (git-fixes).
- auxdisplay: hd44780: Convert to platform remove callback returning void (stable-fixes).
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes).
- auxdisplay: panel: Fix an API misuse in panel.c (git-fixes).
- backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() (git-fixes).
- badblocks: Fix error shitf ops (git-fixes).
- badblocks: fix merge issue when new badblocks align with pre+1 (git-fixes).
- badblocks: fix missing bad blocks on retry in _badblocks_check() (git-fixes).
- badblocks: fix the using of MAX_BADBLOCKS (git-fixes).
- badblocks: return error directly when setting badblocks exceeds 512 (git-fixes).
- badblocks: return error if any badblock set fails (git-fixes).
- batman-adv: Ignore own maximum aggregation size during RX (git-fixes).
- bitmap: Align documentation between bitmap_gather() and bitmap_scatter() (git-fixes).
- bitmap: introduce generic optimized bitmap_size() (git-fixes).
- blk-throttle: fix lower bps rate by throtl_trim_slice() (git-fixes).
- block: change blk_mq_add_to_batch() third argument type to bool (git-fixes).
- block: fix 'kmem_cache of name 'bio-108' already exists' (git-fixes).
- block: fix conversion of GPT partition name to 7-bit (git-fixes).
- block: fix resource leak in blk_register_queue() error path (git-fixes).
- block: integrity: Do not call set_page_dirty_lock() (git-fixes).
- block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone (git-fixes).
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes).
- bnxt_en: Fix coredump logic to free allocated buffer (git-fixes).
- bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes).
- bnxt_en: Fix ethtool selftest output in one of the failure cases (git-fixes).
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes).
- bnxt_en: Linearize TX SKB if the fragments exceed the max (git-fixes).
- bnxt_en: Mask the bd_cnt field in the TX BD properly (git-fixes).
- bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings() (git-fixes).
- bnxt_en: fix module unload sequence (git-fixes).
- bnxt_en: improve TX timestamping FIFO configuration (git-fixes).
- bonding: fix incorrect MAC address setting to receive NS messages (git-fixes).
- bpf: Add missed var_off setting in coerce_subreg_to_size_sx() (git-fixes).
- bpf: Add missed var_off setting in set_sext32_default_val() (git-fixes).
- bpf: Check size for BTF-based ctx access of pointer members (git-fixes).
- bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes).
- bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes).
- bpf: Scrub packet on bpf_redirect_peer (git-fixes).
- bpf: add find_containing_subprog() utility function (bsc#1241590).
- bpf: avoid holding freeze_mutex during mmap operation (git-fixes).
- bpf: check changes_pkt_data property for extension programs (bsc#1241590).
- bpf: consider that tail calls invalidate packet pointers (bsc#1241590).
- bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs (bsc#1241590).
- bpf: fix potential error return (git-fixes).
- bpf: refactor bpf_helper_changes_pkt_data to use helper number (bsc#1241590).
- bpf: track changes_pkt_data property for global functions (bsc#1241590).
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes).
- broadcom: fix supported flag check in periodic output function (git-fixes).
- btrfs: add and use helper to verify the calling task has locked the inode (bsc#1241204).
- btrfs: adjust subpage bit start based on sectorsize (bsc#1241492).
- btrfs: always fallback to buffered write if the inode requires checksum (bsc#1242831 bsc#1242710).
- btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342).
- btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208).
- btrfs: avoid monopolizing a core when activating a swap file (git-fixes).
- btrfs: check delayed refs when we're checking if a ref exists (bsc#1239605).
- btrfs: do not loop for nowait writes when checking for cross references (git-fixes).
- btrfs: do not use btrfs_bio_ctrl for extent buffer writing (bsc#1239045).
- btrfs: drop the backref cache during relocation if we commit (bsc#1239605).
- btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes).
- btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012).
- btrfs: fix hole expansion when writing at an offset beyond EOF (bsc#1241151).
- btrfs: fix missing snapshot drew unlock when root is dead during swap activation (bsc#1241204).
- btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes).
- btrfs: fix race with memory mapped writes when activating swap file (bsc#1241204).
- btrfs: fix swap file activation failure due to extents that used to be shared (bsc#1241204).
- btrfs: remove the mirror_num argument to btrfs_submit_compressed_read (bsc#1239045).
- btrfs: subpage: fix error handling in end_bio_subpage_eb_writepage (bsc#1239045).
- btrfs: use a separate end_io handler for extent_buffer writing (bsc#1239045).
- bus: mhi: host: Fix race between unprepare and queue_buf (git-fixes).
- bus: qcom-ssc-block-bus: Fix the error handling path of qcom_ssc_block_bus_probe() (git-fixes).
- bus: qcom-ssc-block-bus: Remove some duplicated iounmap() calls (git-fixes).
- can: bcm: add locking for bcm_op runtime updates (git-fixes).
- can: bcm: add missing rcu read protection for procfs content (git-fixes).
- can: flexcan: disable transceiver during system PM (git-fixes).
- can: flexcan: only change CAN state when link up in system PM (git-fixes).
- can: gw: fix RCU/BH usage in cgw_create_job() (git-fixes).
- can: mcan: m_can_class_unregister(): fix order of unregistration calls (git-fixes).
- can: mcp251xfd: fix TDC setting for low data bit rates (git-fixes).
- can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls (git-fixes).
- can: rcar_canfd: Fix page entries in the AFL list (git-fixes).
- can: slcan: allow reception of short error messages (git-fixes).
- can: ucan: fix out of bound read in strscpy() source (git-fixes).
- cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk (stable-fixes).
- cgroup/cpuset: Fix error handling in remote_partition_disable() (bsc#1241166).
- cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() (bsc#1241166).
- cgroup/cpuset: Fix spelling errors in file kernel/cgroup/cpuset.c (bsc#1241166).
- char: misc: register chrdev region with all possible minors (git-fixes).
- check-for-config-changes: Fix flag name typo
- cifs: Fix integer overflow while processing actimeo mount option (git-fixes).
- cifs: reduce warning log level for server not advertising interfaces (git-fixes).
- clockevents/drivers/i8253: Fix stop sequence for timer 0 (git-fixes).
- coredump: Fixes core_pipe_limit sysctl proc_handler (git-fixes).
- counter: fix privdata alignment (git-fixes).
- counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes).
- counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes).
- cpufreq/amd-pstate: Fix max_perf updation with schedutil (bsc#1239707).
- cpufreq/cppc: Set the frequency used for computing the capacity (bsc#1238052).
- cpufreq: Allow arch_freq_get_on_cpu to return an error (bsc#1238052).
- cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry (bsc#1238052).
- cpumask: add cpumask_weight_andnot() (bsc#1239015).
- cpumask: define cleanup function for cpumasks (bsc#1239015).
- crypto: algif_hash - fix double free in hash_accept (git-fixes).
- crypto: atmel-sha204a - Set hwrng quality to lowest possible (git-fixes).
- crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes).
- crypto: ccp - Add support for PCI device 0x1134 (stable-fixes).
- crypto: ccp - Fix check for the primary ASP device (git-fixes).
- crypto: ccp - Fix uAPI definitions of PSP errors (git-fixes).
- crypto: hisilicon/sec2 - fix for aead auth key length (git-fixes).
- crypto: hisilicon/sec2 - fix for aead authsize alignment (git-fixes).
- crypto: hisilicon/sec2 - fix for sec spec check (git-fixes).
- crypto: iaa - Add global_stats file and remove individual stat files (jsc#PED-12416).
- crypto: iaa - Change desc->priv to 0 (jsc#PED-12416).
- crypto: iaa - Change iaa statistics to atomic64_t (jsc#PED-12416).
- crypto: iaa - Fix comp/decomp delay statistics (jsc#PED-12416).
- crypto: iaa - Remove comp/decomp delay statistics (jsc#PED-12416).
- crypto: iaa - Remove header table code (jsc#PED-12416).
- crypto: iaa - Remove potential infinite loop in check_completion() (jsc#PED-12416).
- crypto: iaa - Remove unnecessary debugfs_create_dir() error check in iaa_crypto_debugfs_init() (jsc#PED-12416).
- crypto: iaa - Remove unneeded newline in update_max_adecomp_delay_ns() (jsc#PED-12416).
- crypto: iaa - Test the correct request flag (git-fixes).
- crypto: iaa - Use cpumask_weight() when rebalancing (jsc#PED-12416).
- crypto: iaa - Use kmemdup() instead of kzalloc() and memcpy() (jsc#PED-12416).
- crypto: iaa - fix decomp_bytes_in stats (jsc#PED-12416).
- crypto: iaa - fix the missing CRYPTO_ALG_ASYNC in cra_flags (jsc#PED-12416).
- crypto: iaa - remove unneeded semicolon (jsc#PED-12416).
- crypto: nx - Fix uninitialised hv_nxc on error (git-fixes).
- crypto: qat - Avoid -Wflex-array-member-not-at-end warnings (jsc#PED-12416).
- crypto: qat - Constify struct pm_status_row (jsc#PED-12416).
- crypto: qat - Fix missing destroy_workqueue in adf_init_aer() (jsc#PED-12416).
- crypto: qat - Fix spelling mistake 'Invalide' -> 'Invalid' (jsc#PED-12416).
- crypto: qat - Fix typo 'accelaration' (jsc#PED-12416).
- crypto: qat - Fix typo (jsc#PED-12416).
- crypto: qat - Remove trailing space after \n newline (jsc#PED-12416).
- crypto: qat - Use static_assert() to check struct sizes (jsc#PED-12416).
- crypto: qat - add admin msgs for telemetry (jsc#PED-12416).
- crypto: qat - add auto reset on error (jsc#PED-12416).
- crypto: qat - add bank save and restore flows (jsc#PED-12416).
- crypto: qat - add fatal error notification (jsc#PED-12416).
- crypto: qat - add fatal error notify method (jsc#PED-12416).
- crypto: qat - add heartbeat error simulator (jsc#PED-12416).
- crypto: qat - add interface for live migration (jsc#PED-12416).
- crypto: qat - add shutdown handler to qat_420xx (bsc#1239934).
- crypto: qat - add shutdown handler to qat_4xxx (bsc#1239934).
- crypto: qat - add shutdown handler to qat_c3xxx (bsc#1239934).
- crypto: qat - add shutdown handler to qat_c62x (bsc#1239934).
- crypto: qat - add shutdown handler to qat_dh895xcc (bsc#1239934).
- crypto: qat - add support for 420xx devices (jsc#PED-12416).
- crypto: qat - add support for device telemetry (jsc#PED-12416).
- crypto: qat - add support for ring pair level telemetry (jsc#PED-12416).
- crypto: qat - adf_get_etr_base() helper (jsc#PED-12416).
- crypto: qat - allow disabling SR-IOV VFs (jsc#PED-12416).
- crypto: qat - avoid memcpy() overflow warning (jsc#PED-12416).
- crypto: qat - change signature of uof_get_num_objs() (jsc#PED-12416).
- crypto: qat - disable arbitration before reset (jsc#PED-12416).
- crypto: qat - ensure correct order in VF restarting handler (jsc#PED-12416).
- crypto: qat - expand CSR operations for QAT GEN4 devices (jsc#PED-12416).
- crypto: qat - fix 'Full Going True' macro definition (jsc#PED-12416).
- crypto: qat - fix arbiter mapping generation algorithm for QAT 402xx (jsc#PED-12416).
- crypto: qat - fix comment structure (jsc#PED-12416).
- crypto: qat - fix linking errors when PCI_IOV is disabled (jsc#PED-12416).
- crypto: qat - fix recovery flow for VFs (jsc#PED-12416).
- crypto: qat - fix ring to service map for dcc in 420xx (jsc#PED-12416).
- crypto: qat - generate dynamically arbiter mappings (jsc#PED-12416).
- crypto: qat - implement dh fallback for primes > 4K (jsc#PED-12416).
- crypto: qat - implement interface for live migration (jsc#PED-12416).
- crypto: qat - improve aer error reset handling (jsc#PED-12416).
- crypto: qat - improve error message in adf_get_arbiter_mapping() (jsc#PED-12416).
- crypto: qat - include pci.h for GET_DEV() (jsc#PED-12416).
- crypto: qat - initialize user_input.lock for rate_limiting (jsc#PED-12416).
- crypto: qat - limit heartbeat notifications (jsc#PED-12416).
- crypto: qat - make adf_ctl_class constant (jsc#PED-12416).
- crypto: qat - make ring to service map common for QAT GEN4 (jsc#PED-12416).
- crypto: qat - move PFVF compat checker to a function (jsc#PED-12416).
- crypto: qat - move fw config related structures (jsc#PED-12416).
- crypto: qat - preserve ADF_GENERAL_SEC (jsc#PED-12416).
- crypto: qat - re-enable sriov after pf reset (jsc#PED-12416).
- crypto: qat - relocate CSR access code (jsc#PED-12416).
- crypto: qat - relocate and rename 4xxx PF2VM definitions (jsc#PED-12416).
- crypto: qat - relocate portions of qat_4xxx code (jsc#PED-12416).
- crypto: qat - remove access to parity register for QAT GEN4 (git-fixes).
- crypto: qat - remove redundant prototypes in qat_c3xxx (bsc#1239934).
- crypto: qat - remove redundant prototypes in qat_c62x (bsc#1239934).
- crypto: qat - remove redundant prototypes in qat_dh895xcc (bsc#1239934).
- crypto: qat - remove unnecessary description from comment (jsc#PED-12416).
- crypto: qat - remove unused adf_devmgr_get_first (jsc#PED-12416).
- crypto: qat - rename get_sla_arr_of_type() (jsc#PED-12416).
- crypto: qat - set parity error mask for qat_420xx (git-fixes).
- crypto: qat - uninitialized variable in adf_hb_error_inject_write() (jsc#PED-12416).
- crypto: qat - update PFVF protocol for recovery (jsc#PED-12416).
- crypto: qat - use kcalloc_node() instead of kzalloc_node() (jsc#PED-12416).
- crypto: qat - validate slices count returned by FW (jsc#PED-12416).
- crypto: qat/qat_420xx - fix off by one in uof_get_name() (jsc#PED-12416).
- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path (git-fixes).
- cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports (bsc#1242125).
- devlink: fix port new reply cmd type (git-fixes).
- dlm: prevent NPD when writing a positive value to event_done (git-fixes).
- dm array: fix cursor index when skipping across block boundaries (git-fixes).
- dm array: fix unreleased btree blocks on closing a faulty array cursor (git-fixes).
- dm init: Handle minors larger than 255 (git-fixes).
- dm integrity: fix out-of-range warning (git-fixes).
- dm persistent data: fix memory allocation failure (git-fixes).
- dm resume: do not return EINVAL when signalled (git-fixes).
- dm suspend: return -ERESTARTSYS instead of -EINTR (git-fixes).
- dm thin: Add missing destroy_work_on_stack() (git-fixes).
- dm-bufio: do not schedule in atomic context (git-fixes).
- dm-crypt: do not update io->sector after kcryptd_crypt_write_io_submit() (git-fixes).
- dm-crypt: track tag_offset in convert_context (git-fixes).
- dm-delay: fix hung task introduced by kthread mode (git-fixes).
- dm-delay: fix max_delay calculations (git-fixes).
- dm-delay: fix workqueue delay_timer race (git-fixes).
- dm-ebs: do not set the flag DM_TARGET_PASSES_INTEGRITY (git-fixes).
- dm-ebs: fix prefetch-vs-suspend race (git-fixes).
- dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature (git-fixes).
- dm-integrity: align the outgoing bio in integrity_recheck (git-fixes).
- dm-integrity: fix a race condition when accessing recalc_sector (git-fixes).
- dm-integrity: fix a warning on invalid table line (git-fixes).
- dm-integrity: set ti->error on memory allocation failure (git-fixes).
- dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume (git-fixes).
- dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow (git-fixes).
- dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) (git-fixes).
- dm-verity: fix prefetch-vs-suspend race (git-fixes).
- dm: Fix typo in error message (git-fixes).
- dm: add missing unlock on in dm_keyslot_evict() (git-fixes).
- dm: always update the array size in realloc_argv on success (git-fixes).
- dm: fix copying after src array boundaries (git-fixes).
- dma-buf/sw_sync: Decrement refcount on error in sw_sync_ioctl_get_deadline() (git-fixes).
- dma-buf: insert memory barrier before updating num_fences (git-fixes).
- dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes).
- dmaengine: dmatest: Fix dmatest waiting less when interrupted (stable-fixes).
- dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes).
- dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes).
- dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes).
- dmaengine: idxd: Fix ->poll() return value (git-fixes).
- dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes).
- dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes).
- dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes).
- dmaengine: mediatek: drop unused variable (git-fixes).
- dmaengine: ti: k3-udma: Add missing locking (git-fixes).
- dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes).
- docs: perf: Fix build warning of hisi-pcie-pmu.rst (bsc#1237704)
- docs: perf: Update usage for target filter of hisi-pcie-pmu (bsc#1237704)
- docs: thermal: sync hardware protection doc with code (git-fixes).
- driver core: Remove needless return in void API device_remove_group() (git-fixes).
- drivers/perf: hisi_pcie: Add more events for counting TLP bandwidth (bsc#1237704)
- drivers/perf: hisi_pcie: Check the target filter properly (bsc#1237704)
- drivers/perf: hisi_pcie: Fix incorrect counting under metric mode (bsc#1237704)
- drivers/perf: hisi_pcie: Introduce hisi_pcie_pmu_get_event_ctrl_val() (bsc#1237704)
- drivers/perf: hisi_pcie: Merge find_related_event() and (bsc#1237704)
- drivers/perf: hisi_pcie: Relax the check on related events (bsc#1237704)
- drivers/perf: hisi_pcie: Rename hisi_pcie_pmu_{config,clear}_filter() (bsc#1237704)
- drivers: base: devres: Allow to release group on device release (stable-fixes).
- drm/amd/amdkfd: Evict all queues even HWS remove queue failed (stable-fixes).
- drm/amd/display/dml2: use vzalloc rather than kzalloc (bsc#1241568).
- drm/amd/display: Actually do immediate vblank disable (git-fixes).
- drm/amd/display: Add HP Elitebook 645 to the quirk list for eDP on DP1 (stable-fixes).
- drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1 (stable-fixes).
- drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp (stable-fixes).
- drm/amd/display: Assign normalized_pix_clk when color depth = 14 (stable-fixes).
- drm/amd/display: Avoid flooding unnecessary info messages (git-fixes).
- drm/amd/display: Copy AUX read reply data whenever length > 0 (git-fixes).
- drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display: Disable unneeded hpd interrupts during dm_init (stable-fixes). - drm/amd/display: Do not enable Replay and PSR while VRR is on in amdgpu_dm_commit_planes() (git-fixes). - drm/amd/display: Do not write DP_MSTM_CTRL after LT (stable-fixes). - drm/amd/display: Enable urgent latency adjustment on DCN35 (stable-fixes). - drm/amd/display: Exit idle optimizations before accessing PHY (git-fixes). - drm/amd/display: Fix gpu reset in multidisplay config (git-fixes). - drm/amd/display: Fix invalid context error in dml helper (git-fixes). - drm/amd/display: Fix message for support_edp0_on_dp1 (git-fixes). - drm/amd/display: Fix out-of-bound accesses (stable-fixes). - drm/amd/display: Fix slab-use-after-free in hdcp (git-fixes). - drm/amd/display: Fix slab-use-after-free on hdcp_work (git-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Fix wrong handling for AUX_DEFER case (git-fixes). - drm/amd/display: Force full update in gpu reset (stable-fixes). - drm/amd/display: Increase vblank offdelay for PSR panels (git-fixes). - drm/amd/display: Protect FPU in dml21_copy() (git-fixes). - drm/amd/display: Protect FPU in dml2_init()/dml21_init() (git-fixes). - drm/amd/display: Protect FPU in dml2_validate()/dml21_validate() (git-fixes). - drm/amd/display: Remove incorrect checking in dmub aux handler (git-fixes). - drm/amd/display: Restore correct backlight brightness after a GPU reset (stable-fixes). - drm/amd/display: Shift DMUB AUX reply command if necessary (git-fixes). - drm/amd/display: Temporarily disable hostvm on DCN31 (stable-fixes). - drm/amd/display: Update Cursor request mode to the beginning prefetch always (stable-fixes). - drm/amd/display: Use HW lock mgr for PSR1 when only one eDP (git-fixes). - drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes). 
- drm/amd/display: avoid NPD when ASIC does not support DMUB (git-fixes). - drm/amd/display: fix an indent issue in DML21 (git-fixes). - drm/amd/display: fix default brightness (git-fixes). - drm/amd/display: fix missing .is_two_pixels_per_container (git-fixes). - drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() (git-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). - drm/amd/display: prevent hang on link training fail (stable-fixes). - drm/amd/display: stop DML2 from removing pipes based on planes (stable-fixes). - drm/amd/pm/smu11: Prevent division by zero (git-fixes). - drm/amd/pm: Prevent division by zero (git-fixes). - drm/amd/pm: add unique_id for gfx12 (stable-fixes). - drm/amd/pm: always allow ih interrupt from fw (stable-fixes). - drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amd: Handle being compiled without SI or CIK support better (stable-fixes). - drm/amd: Keep display off while going into S4 (stable-fixes). - drm/amdgpu/display: Allow DCC for video formats on GFX12 (stable-fixes). - drm/amdgpu/dma_buf: fix page_link check (git-fixes). - drm/amdgpu/gfx11: fix num_mec (git-fixes). - drm/amdgpu/gfx12: correct cleanup of 'me' field with gfx_v12_0_me_fini() (git-fixes). - drm/amdgpu/gfx12: fix num_mec (git-fixes). - drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu/mes11: optimize MES pipe FW version fetching (git-fixes). - drm/amdgpu/mes12: optimize MES pipe FW version fetching (git-fixes). - drm/amdgpu/pm: Handle SCLK offset correctly in overdrive for smu 14.0.2 (stable-fixes). 
- drm/amdgpu/pm: wire up hwmon fan speed for smu 14.0.2 (stable-fixes). - drm/amdgpu/umsch: declare umsch firmware (git-fixes). - drm/amdgpu/umsch: fix ucode check (git-fixes). - drm/amdgpu/vcn: using separate VCN1_AON_SOC offset (stable-fixes). - drm/amdgpu: Add back JPEG to video caps for carrizo and newer (git-fixes). - drm/amdgpu: Check extended configuration space register when system uses large bar (stable-fixes). - drm/amdgpu: Fix JPEG video caps max size for navi1x and raven (stable-fixes). - drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size (stable-fixes). - drm/amdgpu: Fix offset for HDP remap in nbio v7.11 (stable-fixes). - drm/amdgpu: Increase KIQ invalidate_tlbs timeout (stable-fixes). - drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags (git-fixes). - drm/amdgpu: Prefer shadow rom when available (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: Remove JPEG from vega and carrizo video caps (stable-fixes). - drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV (git-fixes). - drm/amdgpu: Restore uncached behaviour on GFX12 (stable-fixes). - drm/amdgpu: Unlocked unmap only clear page table leaves (stable-fixes). - drm/amdgpu: Use the right function for hdp flush (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: fix warning of drm_mm_clean (git-fixes). - drm/amdgpu: grab an additional reference on the gang fence v2 (stable-fixes). - drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() (stable-fixes). - drm/amdgpu: immediately use GTT for new allocations (git-fixes). - drm/amdgpu: refine smu send msg debug log format (git-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/amdgpu: use a dummy owner for sysfs triggered cleaner shaders v4 (stable-fixes). 
- drm/amdkfd: Fix Circular Locking Dependency in 'svm_range_cpu_invalidate_pagetables' (git-fixes). - drm/amdkfd: Fix mode1 reset crash issue (stable-fixes). - drm/amdkfd: Fix pqm_destroy_queue race with GPU reset (stable-fixes). - drm/amdkfd: Fix user queue validation on Gfx7/8 (git-fixes). - drm/amdkfd: clamp queue size to minimum (stable-fixes). - drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes). - drm/ast: Fix ast_dp connection status (git-fixes). - drm/atomic: Filter out redundant DPMS calls (stable-fixes). - drm/bridge: Fix spelling mistake 'gettin' -> 'getting' (git-fixes). - drm/bridge: it6505: fix HDCP V match check is not performed correctly (git-fixes). - drm/bridge: panel: forbid initializing a panel with unknown connector type (stable-fixes). - drm/bridge: ti-sn65dsi86: Fix multiple instances (git-fixes). - drm/debugfs: fix printk format for bridge index (stable-fixes). - drm/dp_mst: Add a helper to queue a topology probe (stable-fixes). - drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes). - drm/dp_mst: Fix drm RAD print (git-fixes). - drm/dp_mst: Fix locking when skipping CSN before topology probing (git-fixes). - drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/fdinfo: Protect against driver unbind (git-fixes). - drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() (git-fixes). - drm/hyperv: Fix address space leak when Hyper-V DRM device is removed (git-fixes). - drm/i915/cdclk: Do cdclk post plane programming later (stable-fixes). - drm/i915/color: Extract intel_color_modeset() (stable-fixes). - drm/i915/ddi: Fix HDMI port width programming in DDI_BUF_CTL (git-fixes). - drm/i915/dg2: wait for HuC load completion before running selftests (stable-fixes). - drm/i915/dsi: Use TRANS_DDI_FUNC_CTL's own port width macro (git-fixes). - drm/i915/dsi: convert to struct intel_display (stable-fixes). - drm/i915/gvt: fix unterminated-string-initialization warning (stable-fixes). 
- drm/i915/huc: Fix fence not released on early probe errors (git-fixes). - drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' (git-fixes). - drm/i915/vrr: Add vrr.vsync_{start, end} in vrr_params_changed (git-fixes). - drm/i915/xe2lpd: Move D2D enable/disable (stable-fixes). - drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ (stable-fixes). - drm/i915: Disable RPG during live selftest (git-fixes). - drm/i915: Increase I915_PARAM_MMAP_GTT_VERSION version to indicate support for partial mmaps (git-fixes). - drm/i915: Plumb 'dsb' all way to the plane hooks (stable-fixes). - drm/imagination: fix firmware memory leaks (git-fixes). - drm/imagination: take paired job reference (git-fixes). - drm/mediatek: Fix config_updating flag never false when no mbox channel (git-fixes). - drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr (git-fixes). - drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() (git-fixes). - drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off (stable-fixes). - drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data (stable-fixes). - drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member (git-fixes). - drm/mediatek: mtk_hdmi: Unregister audio platform device on failure (git-fixes). - drm/mgag200: Fix value in <VBLKSTR> register (git-fixes). - drm/mipi-dbi: Fix blanking for non-16 bit formats (git-fixes). - drm/msm/a6xx+: Do not let IB_SIZE overflow (git-fixes). - drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump (git-fixes). - drm/msm/a6xx: Fix stale rpmh votes from GPU (git-fixes). - drm/msm/dpu: do not set crtc_state->mode_changed from atomic_check() (git-fixes). - drm/msm/dpu: do not use active in atomic_check() (git-fixes). - drm/msm/dsi/phy: Program clock inverters in correct register (git-fixes). - drm/msm/dsi: Add check for devm_kstrdup() (git-fixes). - drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host (git-fixes). 
- drm/msm/dsi: Use existing per-interface slice count in DSC timing (git-fixes). - drm/nouveau: Do not override forced connector status (stable-fixes). - drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (git-fixes). - drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes). - drm/panel: ilitek-ili9882t: fix GPIO name in error message (git-fixes). - drm/panel: simple: Update timings for AUO G101EVN010 (git-fixes). - drm/panic: fix overindented list items in documentation (git-fixes). - drm/panic: use `div_ceil` to clean Clippy warning (git-fixes). - drm/panthor: Update CS_STATUS_ defines to correct values (git-fixes). - drm/radeon/ci_dpm: Remove needless NULL checks of dpm tables (git-fixes). - drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M (stable-fixes). - drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() (git-fixes). - drm/repaper: fix integer overflows in repeat functions (git-fixes). - drm/sched: Fix fence reference count leak (git-fixes). - drm/ssd130x: Set SPI .id_table to prevent an SPI core warning (git-fixes). - drm/ssd130x: ensure ssd132x pitch is correct (git-fixes). - drm/ssd130x: fix ssd132x encoding (git-fixes). - drm/sti: remove duplicate object names (git-fixes). - drm/tests: Add helper to create mock crtc (stable-fixes). - drm/tests: Add helper to create mock plane (stable-fixes). - drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled (git-fixes). - drm/tests: cmdline: Fix drm_display_mode memory leak (git-fixes). - drm/tests: hdmi: Remove redundant assignments (stable-fixes). - drm/tests: helpers: Add atomic helpers (stable-fixes). - drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() (stable-fixes). - drm/tests: helpers: Create kunit helper to destroy a drm_display_mode (stable-fixes). - drm/tests: helpers: Fix compiler warning (git-fixes). - drm/tests: modes: Fix drm_display_mode memory leak (git-fixes). 
- drm/tests: modeset: Fix drm_display_mode memory leak (git-fixes). - drm/tests: probe-helper: Fix drm_display_mode memory leak (git-fixes). - drm/tests: shmem: Fix memleak (git-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - drm/v3d: Do not run jobs that have errors flagged in its fence (git-fixes). - drm/vkms: Fix use after free and double free on init error (git-fixes). - drm/vkms: Round fixp2int conversion in lerp_u16 (stable-fixes). - drm/vmwgfx: Use VMware hypercall API (jsc#PED-11518). - drm/xe/dma_buf: stop relying on placement in unmap (git-fixes). - drm/xe/hw_engine: define sysfs_ops on all directories (git-fixes). - drm/xe/pm: Temporarily disable D3Cold on BMG (git-fixes). - drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs (git-fixes). - drm/xe/tests/mocs: Update xe_force_wake_get() return handling (stable-fixes). - drm/xe/userptr: Fix an incorrect assert (git-fixes). - drm/xe/userptr: fix notifier vs folio deadlock (git-fixes). - drm/xe/vf: Do not try to trigger a full GT reset if VF (stable-fixes). - drm/xe/xe3lpg: Apply Wa_14022293748, Wa_22019794406 (stable-fixes). - drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds (stable-fixes). - drm/xe: Add page queue multiplier (git-fixes). - drm/xe: Fix GT 'for each engine' workarounds (stable-fixes). - drm/xe: Fix an out-of-bounds shift when invalidating TLB (git-fixes). - drm/xe: Fix exporting xe buffers multiple times (git-fixes). - drm/xe: Release guc ids before cancelling work (git-fixes). - drm/xe: Remove double pageflip (git-fixes). - drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value (git-fixes). - drm/xe: Set LRC addresses before guc load (git-fixes). - drm/xe: Use local fence in error path of xe_migrate_clear (git-fixes). - drm/xe: remove redundant check in xe_vm_create_ioctl() (git-fixes). - drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS (git-fixes). 
- drm: allow encoder mode_set even when connectors change for crtc (stable-fixes). - drm: panel-orientation-quirks: Add new quirk for GPD Win 2 (stable-fixes). - drm: panel-orientation-quirks: Add quirk for AYA NEO Slide (stable-fixes). - drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) (stable-fixes). - drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB (stable-fixes). - drm: panel-orientation-quirks: Add support for AYANEO 2S (stable-fixes). - drm: panel: jd9365da: fix reset signal polarity in unprepare (git-fixes). - drm: xlnx: zynqmp: Fix max dma segment size (git-fixes). - dummycon: fix default rows/cols (git-fixes). - e1000e: change k1 configuration on MTP and later platforms (git-fixes). - efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32 (bsc#1239349). - eth: bnxt: do not use BNXT_VNIC_NTUPLE unconditionally in queue restart logic (git-fixes). - eth: bnxt: fix memory leak in queue reset (git-fixes). - eth: bnxt: fix missing ring index trim on error path (git-fixes). - eth: bnxt: fix out-of-range access of vnic_info array (git-fixes). - ethtool: Fix context creation with no parameters (git-fixes). - ethtool: Fix set RXNFC command with symmetric RSS hash (git-fixes). - ethtool: Fix wrong mod state in case of verbose and no_mask bitset (git-fixes). - ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() (git-fixes). - ethtool: do not propagate EOPNOTSUPP from dumps (git-fixes). - ethtool: fix setting key and resetting indir at once (git-fixes). - ethtool: netlink: Add missing ethnl_ops_begin/complete (git-fixes). - ethtool: netlink: do not return SQI value if link is down (git-fixes). - ethtool: ntuple: fix rss + ring_cookie check (git-fixes). - ethtool: plca: fix plca enable data type while parsing the value (git-fixes). - ethtool: rss: echo the context number back (git-fixes). - ethtool: rss: fix hiding unsupported fields in dumps (git-fixes). - exfat: do not fallback to buffered write (git-fixes). 
- exfat: drop ->i_size_ondisk (git-fixes). - exfat: fix potential wrong error return from get_block (git-fixes). - exfat: fix soft lockup in exfat_clear_bitmap (git-fixes). - exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes). - exfat: short-circuit zero-byte writes in exfat_file_write_iter (git-fixes). - ext4: add missing brelse() for bh2 in ext4_dx_add_entry() (bsc#1242342). - ext4: correct encrypted dentry name hash when not casefolded (bsc#1242540). - ext4: do not over-report free space or inodes in statvfs (bsc#1242345). - ext4: do not treat fhandle lookup of ea_inode as FS corruption (bsc#1242347). - ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557). - ext4: goto right label 'out_mmap_sem' in ext4_setattr() (bsc#1242556). - ext4: make block validity check resistent to sb bh corruption (bsc#1242348). - ext4: partial zero eof block on unaligned inode size extension (bsc#1242336). - ext4: protect ext4_release_dquot against freezing (bsc#1242335). - ext4: replace the traditional ternary conditional operator with with max()/min() (bsc#1242536). - ext4: treat end of range as exclusive in ext4_zero_range() (bsc#1242539). - ext4: unify the type of flexbg_size to unsigned int (bsc#1242538). - fbdev: au1100fb: Move a variable assignment behind a null pointer check (git-fixes). - fbdev: omapfb: Add 'plane' value check (stable-fixes). - fbdev: pxafb: Fix possible use after free in pxafb_task() (stable-fixes). - fbdev: sm501fb: Add some geometry checks (git-fixes). - firmware: arm_ffa: Explicitly cast return value from FFA_VERSION before comparison (git-fixes). - firmware: arm_ffa: Skip Rx buffer ownership release if not acquired (git-fixes). - firmware: arm_scmi: Balance device refcount when destroying devices (git-fixes). - firmware: arm_scmi: use ioread64() instead of ioread64_hi_lo() (git-fixes). - firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes). - firmware: imx-scu: fix OF node leak in .probe() (git-fixes). 
- flow_dissector: use RCU protection to fetch dev_net() (bsc#1239994). - fs/jfs: Prevent integer overflow in AG size calculation (git-fixes). - fs/jfs: cast inactags to s64 to prevent potential overflow (git-fixes). - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() (bsc#1241250). - fs: better handle deep ancestor chains in is_subdir() (bsc#1242528). - fs: consistently deref the files table with rcu_dereference_raw() (bsc#1242535). - fs: do not allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT (bsc#1242526). - fs: support relative paths with FSCONFIG_SET_STRING (git-fixes). - gpio: rcar: Use raw_spinlock to protect register access (stable-fixes). - gpio: tegra186: fix resource handling in ACPI probe path (git-fixes). - gpio: zynq: Fix wakeup source leaks on device unbind (stable-fixes). - gpu: cdns-mhdp8546: fix call balance of mhdp->clk handling routines (git-fixes). - gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU (git-fixes). - gve: handle overflow when reporting TX consumed descriptors (git-fixes). - gve: set xdp redirect target only when it is available (git-fixes). - gve: unlink old napi only if page pool exists (git-fixes). - gve: unlink old napi when stopping a queue using queue API (git-fixes). - hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key (git-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes). - i2c: ali1535: Fix an error handling path in ali1535_probe() (git-fixes). - i2c: ali15x3: Fix an error handling path in ali15x3_probe() (git-fixes). - i2c: amd-mp2: drop free_irq() of devm_request_irq() allocated irq (git-fixes). - i2c: atr: Fix wrong include (git-fixes). - i2c: cros-ec-tunnel: defer probe if parent EC is not present (git-fixes). 
- i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes). - i2c: omap: fix IRQ storms (git-fixes). - i2c: sis630: Fix an error handling path in sis630_probe() (git-fixes). - i3c: Add NULL pointer check in i3c_master_queue_ibi() (git-fixes). - i3c: master: svc: Fix missing the IBI rules (git-fixes). - i3c: master: svc: Use readsb helper for reading MDB (git-fixes). - ice: Add check for devm_kzalloc() (git-fixes). - ice: Avoid setting default Rx VSI twice in switchdev setup (git-fixes). - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - ice: Fix switchdev slow-path in LAG (git-fixes). - ice: Remove and readd netdev during devlink reload (bsc#1230497 bsc#1239518). - ice: do not configure destination override for switchdev (git-fixes). - ice: ensure periodic output start time is in the future (git-fixes). - ice: fix ice_parser_rt::bst_key array size (git-fixes). - ice: fix input validation for virtchnl BW (git-fixes). - ice: fix reservation of resources for RDMA when disabled (git-fixes). - ice: remove invalid parameter of equalizer (git-fixes). - ice: stop truncating queue ids when checking (git-fixes). - idpf: Acquire the lock before accessing the xn->salt (git-fixes). - idpf: check error for register_netdev() on init (git-fixes). - idpf: fix adapter NULL pointer dereference on reboot (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: fix transaction timeouts on reset (git-fixes). - idpf: protect shutdown from reset (git-fixes). - idpf: record rx queue in skb for RSC packets (git-fixes). - igb: reject invalid external timestamp requests for 82580-based HW (git-fixes). - igc: add lock preventing multiple simultaneous PTM transactions (git-fixes). - igc: cleanup PTP module if probe fails (git-fixes). - igc: fix PTM cycle trigger logic (git-fixes). 
- igc: fix lock order in igc_ptp_reset (git-fixes). - igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes). - igc: increase wait time before retrying PTM (git-fixes). - igc: move ktime snapshot into PTM retry loop (git-fixes). - iio: accel: adxl367: fix setting odr for activity time update (git-fixes). - iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio (git-fixes). - iio: accel: msa311: Fix failure to release runtime pm if direct mode claim fails (git-fixes). - iio: adc: ad4130: Fix comparison of channel setups (git-fixes). - iio: adc: ad7124: Fix comparison of channel configs (git-fixes). - iio: adc: ad7606: fix serial register access (git-fixes). - iio: adc: ad7768-1: Fix conversion result sign (git-fixes). - iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check (stable-fixes). - iio: adis16201: Correct inclinometer channel resolution (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (git-fixes). - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer (git-fixes). - include/linux/mmzone.h: clean up watermark accessors (bsc#1239600). - include: net: add static inline dst_dev_overhead() to dst.h (git-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - init: add initramfs_internal.h (bsc#1232848). - initramfs: allocate heap buffers together (bsc#1232848). - initramfs: fix hardlink hash leak without TRAILER (bsc#1232848). - input/vmmouse: Use VMware hypercall API (jsc#PED-11518). - intel_idle: Add ibrs_off module parameter to force-disable IBRS (git-fixes). - intel_idle: Use __update_spec_ctrl() in intel_idle_ibrs() (git-fixes). - intel_th: pci: Add Arrow Lake support (stable-fixes). - intel_th: pci: Add Panther Lake-H support (stable-fixes). 
- intel_th: pci: Add Panther Lake-P/U support (stable-fixes). - io_uring/sqpoll: Increase task_work submission batch size (bsc#1238585). - ioam6: improve checks on user data (git-fixes). - iommu/arm-smmu-v3: Fix pgsize_bit for sva domains (bsc#1243341) - iommu/vt-d: Assign owner to the static identity domain (bsc#1241193). - iommu/vt-d: Fix suspicious RCU usage (git-fixes). - iommu/vt-d: Remove device comparison in context_setup_pass_through_cb (git-fixes). - iommu: Allow attaching static domains in iommu_attach_device_pasid() (bsc#1241193). - iommu: Fix two issues in iommu_copy_struct_from_user() (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). - ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: add RCU protection to ip4_dst_hoplimit() (bsc#1239994). - ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv4: use RCU protection in inet_select_addr() (bsc#1239994). - ipv4: use RCU protection in ip_dst_mtu_maybe_forward() (bsc#1239994). 
- ipv4: use RCU protection in ipv4_default_advmss() (bsc#1239994). - ipv4: use RCU protection in rt_is_expired() (bsc#1239994). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: Ensure natural alignment of const ipv6 loopback and router addresses (git-fixes). - ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw() (git-fixes). - ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create() (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - ipv6: Use RCU in ip6_input() (bsc#1239994). - ipv6: annotate data-races around cnf.disable_ipv6 (git-fixes). - ipv6: avoid atomic fragment on GSO packets (git-fixes). - ipv6: fib6_rules: flush route cache when rule is changed (git-fixes). - ipv6: fib: hide unused 'pn' variable (git-fixes). - ipv6: fix ndisc_is_useropt() handling for PIO (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - ipv6: fix potential NULL deref in fib6_add() (git-fixes). - ipv6: icmp: convert to dev_net_rcu() (bsc#1239994). - ipv6: introduce dst_rt6_info() helper (git-fixes). - ipv6: ioam: block BH from ioam6_output() (git-fixes). - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid (git-fixes). - ipv6: remove hard coded limitation on ipv6_pinfo (git-fixes). - ipv6: sr: add missing seg6_local_exit (git-fixes). - ipv6: sr: block BH in seg6_output_core() and seg6_input_core() (git-fixes). - ipv6: take care of scope when choosing the src addr (git-fixes). - irqchip/davinci: Remove leftover header (git-fixes). - irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (git-fixes). - irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs (git-fixes). - isofs: fix KMSAN uninit-value bug in do_isofs_readdir() (bsc#1242307). - iwlwifi: correct modinfo firmware ucode (bsc#1243020). 
- ixgbe: fix media type detection for E610 device (git-fixes). - jbd2: add a missing data flush during file and fs synchronization (bsc#1242346). - jbd2: fix off-by-one while erasing journal (bsc#1242344). - jbd2: flush filesystem device before updating tail sequence (bsc#1242333). - jbd2: increase IO priority for writing revoke records (bsc#1242332). - jbd2: increase the journal IO's priority (bsc#1242537). - jbd2: remove wrong sb->s_sequence check (bsc#1242343). - jfs: Fix uninit-value access of imap allocated in the diMount() function (git-fixes). - jfs: Prevent copying of nlink with value 0 from disk inode (git-fixes). - jfs: add check read-only before truncation in jfs_truncate_nolock() (git-fixes). - jfs: add check read-only before txBeginAnon() call (git-fixes). - jfs: add index corruption check to DT_GETPAGE() (git-fixes). - jfs: add sanity check for agwidth in dbMount (git-fixes). - jfs: fix slab-out-of-bounds read in ea_get() (git-fixes). - jfs: reject on-disk inodes of an unsupported type (git-fixes). - jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kABI fix for RDMA/core: Do not expose hw_counters outside (git-fixes) - kABI fix for ipv6: remove hard coded limitation on ipv6_pinfo (git-fixes). - kABI fix for net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX (git-fixes). - kABI fix for netlink: terminate outstanding dump on socket close (git-fixes). - kABI fix for sctp: detect and prevent references to a freed transport in sendmsg (git-fixes). - kABI fix for tcp: fix cookie_init_timestamp() overflows (git-fixes). - kABI fix for tcp: replace tcp_time_stamp_raw() (git-fixes). - kABI workaround for hci_core changes (git-fixes). - kABI workaround for intel-ish-hid (git-fixes). - kABI workaround for l2cap_conn changes (git-fixes). - kABI workaround for powercap update (bsc#1241010). - kABI workaround for soc_mixer_control changes (git-fixes). 
- kbuild: hdrcheck: fix cross build with clang (git-fixes). - kernel-binary: Support livepatch_rt with merged RT branch - kernel-obs-qa: Use srchash for dependency as well - kernel: Bad page map in process stress-ng-vm Revert commit (bsc#1241051) - kernel: Remove debug flavor (bsc#1243919). - keys: Fix UAF in key_put() (git-fixes). - ktest: Fix Test Failures Due to Missing LOG_FILE Directories (stable-fixes). - kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes). - kunit: qemu_configs: sparc: use Zilog console (git-fixes). - leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs (git-fixes). - leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs (git-fixes). - lib: 842: Improve error handling in sw842_compress() (git-fixes). - lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes). - libperf cpumap: Be tolerant of newline at the end of a cpumask (bsc#1234698 jsc#PED-12309). - libperf cpumap: Ensure empty cpumap is NULL from alloc (bsc#1234698 jsc#PED-12309). - libperf cpumap: Grow array of read CPUs in smaller increments (bsc#1234698 jsc#PED-12309). - libperf cpumap: Hide/reduce scope of MAX_NR_CPUS (bsc#1234698 jsc#PED-12309). - libperf cpumap: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__default_new() to perf_cpu_map__new_online_cpus() and prefer sysfs (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__dummy_new() to perf_cpu_map__new_any_cpu() (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__empty() to perf_cpu_map__has_any_cpu_or_is_empty() (bsc#1234698 jsc#PED-12309). - lockdep: Do not disable interrupts on RT in disable_irq_nosync_lockdep.*() (git-fixes). - loop: Add sanity check for read/write_iter (git-fixes). - loop: LOOP_SET_FD: send uevents for partitions (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). 
- loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - loop: properly send KOBJ_CHANGED uevent for disk device (git-fixes). - loop: stop using vfs_iter_{read,write} for buffered I/O (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). - md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - mdacon: rework dependency list (git-fixes). - media: chips-media: wave5: Fix a hang after seeking (git-fixes). - media: i2c: adv748x: Fix test pattern selection mask (git-fixes). - media: i2c: ccs: Set the device's runtime PM status correctly in probe (git-fixes). - media: i2c: ccs: Set the device's runtime PM status correctly in remove (git-fixes). - media: i2c: imx214: Rectify probe error handling related to runtime PM (git-fixes). - media: i2c: imx219: Rectify runtime PM handling in probe and remove (git-fixes). - media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO (git-fixes). - media: i2c: ov7251: Set enable GPIO low in probe (git-fixes). - media: intel/ipu6: set the dev_parent of video device to pdev (git-fixes). - media: omap3isp: Handle ARM dma_iommu_mapping (git-fixes). - media: platform: allgro-dvt: unregister v4l2_device on the error path (git-fixes). - media: platform: stm32: Add check for clk_enable() (git-fixes). - media: siano: Fix error handling in smsdvb_module_init() (git-fixes). 
- media: streamzap: fix race between device disconnection and urb callback (git-fixes). - media: streamzap: prevent processing IR data on URB failure (git-fixes). - media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes). - media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() (git-fixes). - media: venus: hfi: add a check to handle OOB in sfr region (git-fixes). - media: venus: hfi: add check to handle incorrect queue size (git-fixes). - media: venus: hfi_parser: add check to avoid out of bound access (git-fixes). - media: venus: hfi_parser: refactor hfi packet parsing logic (git-fixes). - media: verisilicon: HEVC: Initialize start_bit field (git-fixes). - media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - media: vim2m: print device name after registering device (git-fixes). - media: visl: Fix ERANGE error when setting enum controls (git-fixes). - mei: me: add panther lake H DID (stable-fixes). - mei: me: add panther lake P DID (stable-fixes). - mei: vsc: Fix fortify-panic caused by invalid counted_by() use (git-fixes). - memblock tests: fix warning: '__ALIGN_KERNEL' redefined (git-fixes). - memory: mtk-smi: Add ostd setting for mt8192 (git-fixes). - memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (git-fixes). - mfd: ene-kb3930: Fix a potential NULL pointer dereference (git-fixes). - mfd: sm501: Switch to BIT() to mitigate integer overflows (git-fixes). - mfd: syscon: Add of_syscon_register_regmap() API (stable-fixes). - mfd: syscon: Fix race in device_node_get_regmap() (git-fixes). - mfd: syscon: Remove extern from function prototypes (stable-fixes). - mfd: syscon: Use scoped variables with memory allocators to simplify error paths (stable-fixes). - misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration (git-fixes). - misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack (git-fixes). 
- mm/page_alloc: fix memory accept before watermarks gets initialized (bsc#1239600). - mm/readahead: fix large folio support in async readahead (bsc#1242321). - mm: accept to promo watermark (bsc#1239600). - mm: create promo_wmark_pages and clean up open-coded sites (bsc#1239600). - mm: fix endless reclaim on machines with unaccepted memory (bsc#1239600). - mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT (bsc#1242326). - mm: fix filemap_get_folios_contig returning batches of identical folios (bsc#1242327). - mm: fix oops when filemap_map_pmd() without prealloc_pte (bsc#1242546). - mm: zswap: move allocations during CPU init outside the lock (git-fixes). - mmc: atmel-mci: Add missing clk_disable_unprepare() (git-fixes). - mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves (stable-fixes). - mmc: omap: Fix memory leak in mmc_omap_new_slot (git-fixes). - mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe (git-fixes). - mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops (git-fixes). - mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD (git-fixes). - mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes). - mptcp: fix rcv buffer auto-tuning (bsc#1220419 bsc#1222656 bsc#1236394). - mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN (git-fixes). - mptcp: refine opt_mp_capable determination (git-fixes). - mptcp: relax check on MPC passive fallback (git-fixes). - mptcp: strict validation before using mp_opt->hmac (git-fixes). - mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() (git-fixes). - mtd: Add check for devm_kcalloc() (git-fixes). - mtd: Replace kcalloc() with devm_kcalloc() (git-fixes). - mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes). - mtd: nand: Fix a kdoc comment (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - mtd: rawnand: Add status chack in r852_ready() (git-fixes). - mtd: rawnand: brcmnand: fix PM resume warning (git-fixes). 
- ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() (bsc#1239994). - ndisc: use RCU protection in ndisc_alloc_skb() (bsc#1239994). - neighbour: delete redundant judgment statements (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). - net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5: Fill out devlink dev info only for PFs (git-fixes). - net/mlx5: Fix incorrect IRQ pool usage when releasing IRQs (git-fixes). - net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() (git-fixes). - net/mlx5: HWS, Rightsize bwc matcher priority (git-fixes). - net/mlx5: IRQ, Fix null string in debug print (git-fixes). - net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch (git-fixes). - net/mlx5: Move ttc allocation after switch case to prevent leaks (git-fixes). - net/mlx5: Restore missing trace event when enabling vport QoS (git-fixes). - net/mlx5: Start health poll after enable hca (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context (git-fixes). - net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover (git-fixes). - net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices (git-fixes). - net/mlx5e: SHAMPO, Make reserved size independent of page size (git-fixes). - net/mlx5e: TC, Continue the attr process even if encap entry is invalid (git-fixes). - net/mlx5e: Use custom tunnel header for vxlan gbp (git-fixes). 
- net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers (git-fixes). - net/sched: act_api: rely on rcu in tcf_idr_check_alloc (git-fixes). - net/sched: adjust device watchdog timer to detect stopped queue at right time (git-fixes). - net/sched: cbs: Fix integer overflow in cbs_set_port_rate() (git-fixes). - net/sched: cls_u32: replace int refcounts with proper refcounts (git-fixes). - net/sched: flower: Add lock protection when remove filter handle (git-fixes). - net/sched: taprio: make q->picos_per_byte available to fill_sched_entry() (git-fixes). - net/sched: tbf: correct backlog statistic for GSO packets (git-fixes). - net/tcp: refactor tcp_inet6_sk() (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: add dev_net_rcu() helper (bsc#1239994). - net: annotate data-races around sk->sk_dst_pending_confirm (git-fixes). - net: annotate data-races around sk->sk_tx_queue_mapping (git-fixes). - net: blackhole_dev: fix build warning for ethh set but not used (git-fixes). - net: constify sk_dst_get() and __sk_dst_get() argument (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: ethtool: Do not call .cleanup_data when prepare_data fails (git-fixes). - net: ethtool: Fix RSS setting (git-fixes). - net: free_netdev: exit earlier if dummy (bsc#1243215). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes). - net: ipv6: fix dst ref loop in ila lwtunnel (git-fixes). - net: ipv6: fix dst ref loop on input in rpl lwt (git-fixes). - net: ipv6: fix dst ref loop on input in seg6 lwt (git-fixes). 
- net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels (git-fixes). - net: ipv6: fix missing dst ref drop in ila lwtunnel (git-fixes). - net: ipv6: fix wrong start position when receive hop-by-hop fragment (git-fixes). - net: ipv6: ioam6: code alignment (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - net: ipv6: ioam6: new feature tunsrc (git-fixes). - net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue (git-fixes). - net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input (git-fixes). - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() (git-fixes). - net: ipv6: rpl_iptunnel: mitigate 2-realloc issue (git-fixes). - net: ipv6: seg6_iptunnel: mitigate 2-realloc issue (git-fixes). - net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL (git-fixes). - net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net: mana: Add flex array to struct mana_cfg_rx_steer_req_v2 (bsc#1239016). - net: mana: Allow variable size indirection table (bsc#1239016). - net: mana: Assigning IRQ affinity on HT cores (bsc#1239015). - net: mana: Avoid open coded arithmetic (bsc#1239016). - net: mana: Fix irq_contexts memory leak in mana_gd_setup_irqs (bsc#1239015). - net: mana: Fix memory leak in mana_gd_setup_irqs (bsc#1239015). - net: mana: Support holes in device list reply msg (git-fixes). - net: mana: Switch to page pool for jumbo frames (git-fixes). - net: mana: add a function to spread IRQs per CPUs (bsc#1239015). - net: mana: cleanup mana struct after debugfs_remove() (git-fixes). - net: mark racy access on sk->sk_rcvbuf (git-fixes). - net: phy: leds: fix memory leak (git-fixes). - net: phy: microchip: force IRQ polling mode for lan88xx (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). 
- net: sctp: fix skb leak in sctp_inq_free() (git-fixes). - net: set SOCK_RCU_FREE before inserting socket into hashtable (git-fixes). - net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes). - net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes). - net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes). - net: usb: usbnet: restore usb%d name exception for local mac addresses (bsc#1234480). - net: use unrcu_pointer() helper (git-fixes). - net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors (stable-fixes). - net_sched: Prevent creation of classes with TC_H_ROOT (git-fixes). - net_sched: drr: Fix double list add in class with netem as child qdisc (git-fixes). - net_sched: ets: Fix double list add in class with netem as child qdisc (git-fixes). - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (git-fixes). - net_sched: qfq: Fix double list add in class with netem as child qdisc (git-fixes). - net_sched: sch_sfq: annotate data-races around q->perturb_period (git-fixes). - net_sched: sch_sfq: handle bigger packets (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - netlink: specs: rt-link: add an attr layer around alt-ifname (git-fixes). - netlink: specs: rt-link: adjust mctp attribute naming (git-fixes). - netlink: specs: rtnetlink: attribute naming corrections (git-fixes). - netlink: specs: tc: all actions are indexed arrays (git-fixes). - netlink: specs: tc: fix a couple of attribute names (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - netpoll: Use rcu_access_pointer() in netpoll_poll_lock (git-fixes). 
- nfs: add missing selections of CONFIG_CRC32 (git-fixes). - nfs: clear SB_RDONLY before getting superblock (bsc#1238565). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). - nfs: ignore SB_RDONLY when remounting nfs (bsc#1238565). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nfsd: decrease sc_count directly if fail to queue dl_recall (git-fixes). - nfsd: put dl_stid if fail to queue dl_recall (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - ntb: Force physically contiguous allocation of rx ring buffers (git-fixes). - ntb: intel: Fix using link status DB's (git-fixes). - ntb: reduce stack usage in idt_scan_mws (stable-fixes). - ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes). - ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes). - ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes). - ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes). - ntb_perf: Fix printk format (git-fixes). - nvme-fc: do not ignore connectivity loss during connecting (git-fixes bsc#1222649). - nvme-fc: go straight to connecting state when initializing (git-fixes bsc#1222649). - nvme-fc: rely on state transitions to handle connectivity loss (git-fixes bsc#1222649). - nvme-ioctl: fix leaked requests on mapping error (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: clean up CMBMSC when registering CMB fails (git-fixes). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme-pci: quirk Acer FA100 for non-uniqueue identifiers (git-fixes). 
- nvme-pci: remove stale comment (git-fixes). - nvme-pci: skip CMB blocks incompatible with PCI P2P DMA (git-fixes). - nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes). - nvme-tcp: Fix a C2HTermReq error message (git-fixes). - nvme-tcp: add basic support for the C2HTermReq PDU (git-fixes). - nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes). - nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: fix signedness bug in nvme_tcp_init_connection() (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvme/ioctl: do not warn on vectorized uring_cmd with fixed buffer (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: introduce nvme_disk_is_ns_head helper (git-fixes). - nvme: move error logging from nvme_end_req() to __nvme_end_req() (git-fixes). - nvme: move passthrough logging attribute to head (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme: only allow entering LIVE from CONNECTING state (git-fixes bsc#1222649). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - nvme: update patch nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch (git-fixes bsc#1235149). - nvmet-fc: Remove unused functions (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). - nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). 
- nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-fcloop: swap list_add_tail arguments (git-fixes). - nvmet-rdma: recheck queue state is LIVE in state lock in recv done (git-fixes). - nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - nvmet: remove old function prototype (git-fixes). - objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes). - objtool: Fix segfault in ignore_unreachable_insn() (git-fixes). - ocfs2: check dir i_size in ocfs2_find_entry (git-fixes). - ocfs2: fix deadlock in ocfs2_get_system_file_inode (git-fixes). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - ocfs2: handle a symlink read error correctly (git-fixes). - ocfs2: mark dquot as inactive if failed to start trans while releasing dquot (git-fixes). - ocfs2: update seq_file index in ocfs2_dlm_seq_next (git-fixes). - octeontx2-pf: Do not reallocate all ntuple filters (git-fixes). - octeontx2-pf: Fix ethtool support for SDP representors (git-fixes). - octeontx2-pf: handle otx2_mbox_get_rsp errors (git-fixes). - octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - perf cpumap: Reduce transitive dependencies on libperf MAX_NR_CPUS (bsc#1234698 jsc#PED-12309). - perf pmu: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309). - perf tools: annotate asm_pure_loop.S (bsc#1239906). - perf: Increase MAX_NR_CPUS to 4096 (bsc#1234698 jsc#PED-12309). 
- perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172) - perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172) - perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172) - perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172) - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: freescale: imx8m-pcie: assert phy reset and perst in power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - pinctrl: bcm281xx: Fix incorrect regmap max_registers value (git-fixes). - pinctrl: intel: Fix wrong bypass assignment in intel_pinctrl_probe_pwm() (git-fixes). - pinctrl: qcom: Clear latched interrupt status when changing IRQ type (git-fixes). - pinctrl: renesas: rza2: Fix missing of_node_put() call (git-fixes). - pinctrl: renesas: rza2: Fix potential NULL pointer dereference (stable-fixes). - pinctrl: renesas: rzv2m: Fix missing of_node_put() call (git-fixes). - pinctrl: tegra: Set SFIO mode to Mux Register (git-fixes). - platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie 14XA (GX4HRXL) (git-fixes). - platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles (stable-fixes). - platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug (git-fixes). - platform/x86/intel/ifs: Add Clearwater Forest to CPU support list (jsc#PED-10213). - platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes). - platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() (stable-fixes). - platform/x86: ISST: Correct command storage data length (git-fixes). - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (git-fixes). - platform/x86: dell-ddv: Fix temperature calculation (git-fixes). 
- platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes). - platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e (stable-fixes). - platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e (stable-fixes). - platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles (stable-fixes). - pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes). - power: supply: max77693: Fix wrong conversion of charge input threshold value (git-fixes). - powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powercap: intel_rapl: Introduce APIs for PMU support (bsc#1241010). - powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010). - powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes). - powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes). - powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes). - powerpc/boot: Check for ld-option support (bsc#1215199). - powerpc/boot: Fix dash warning (bsc#1215199). - powerpc/pseries/eeh: Fix pseries_eeh_err_inject (bsc#1239573). - powerpc/pseries/eeh: move pseries_eeh_err_inject() outside CONFIG_DEBUG_FS block (bsc#1239573). - powerpc/pseries/iommu: Fix kmemleak in TCE table userspace view (jsc#PED-10539 git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - powerpc: Do not use --- in kernel logs (git-fixes). - powerpc: Stop using no_llseek (bsc#1239573). - ptp/vmware: Use VMware hypercall API (jsc#PED-11518). - pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes). - pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() (git-fixes). - pwm: rcar: Improve register calculation (git-fixes). 
- qibfs: fix _another_ leak (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - regulator: check that dummy regulator has been probed before using it (stable-fixes). - regulator: core: Fix deadlock in create_regulator() (git-fixes). - regulator: dummy: force synchronous probing (git-fixes). - regulator: max20086: fix invalid memory access (git-fixes). - rndis_host: Flag RNDIS modems as WWAN devices (git-fixes). - rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038). - rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf sle_version was obsoleted for SLE16. It has to be combined with suse_version check (bsc#1239986). - rpm/package-descriptions: Add rt and rt_debug descriptions - rpm/release-projects: Update the ALP projects again (bsc#1231293). - rtc: pcf85063: do a SW reset if POR failed (stable-fixes). - rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013). - s390/ap: Fix CCA crypto card behavior within protected execution environment (git-fixes bsc#1243817 LTC#213623). - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - s390/cio: Fix CHPID 'configure' attribute caching (git-fixes bsc#1240979). - s390/cpumf: Update CPU Measurement facility extended counter set support (bsc#1243115). - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes). - s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978). - s390/stackleak: Use exrl instead of ex in __stackleak_poison() (git-fixes bsc#1239594). - s390/traps: Fix test_monitor_call() inline assembly (git-fixes bsc#1239595). - s390: Add z17 elf platform (bsc#1243116). - sched/fair: Fix CPU bandwidth limit bypass during CPU hotplug (BSC#1241319). 
- sched/fair: Fix CPU bandwidth limit bypass during CPU hotplug (bsc#1241319). - sched/topology: Add a new arch_scale_freq_ref() method (bsc#1238052) - sched/topology: Refinement to topology_span_sane speedup (bsc#1242119). - sched/topology: improve topology_span_sane speed (bsc#1242119). - sched: Add deprecation warning for users of RT_GROUP_SCHED (jsc#PED-11761 jsc#PED-12405). - scsi: Improve CDL control (git-fixes). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: core: Use GFP_NOIO to avoid circular locking dependency (git-fixes). - scsi: fnic: Fix indentation and remove unnecessary parenthesis (git-fixes). - scsi: fnic: Remove unnecessary debug print (git-fixes). - scsi: fnic: Remove unnecessary spinlock locking and unlocking (git-fixes). - scsi: fnic: Replace fnic->lock_flags with local flags (git-fixes). - scsi: fnic: Replace use of sizeof with standard usage (git-fixes). - scsi: hisi_sas: Check whether debugfs is enabled before removing or (bsc#1237546) - scsi: hisi_sas: Enable force phy when SATA disk directly connected (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: hisi_sas: Remove hisi_hba->timer for v3 hw (bsc#1237545) - scsi: iscsi: Fix missing scsi_host_put() in error path (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). 
- scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag (git-fixes). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (bsc#1241388 jsc#PED-11258). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: megaraid_sas: Driver version update to 07.734.00.00-rc1 (bsc#1241388 jsc#PED-11258). - scsi: megaraid_sas: Make most module parameters static (bsc#1241388 jsc#PED-11258). - scsi: mpi3mr: Add level check to control event logging (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Avoid reply queue full condition (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Check admin reply queue from Watchdog (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Fix locking in an error path (git-fixes). - scsi: mpi3mr: Fix pending I/O counter (git-fixes). - scsi: mpi3mr: Fix spelling mistake 'skiping' -> 'skipping' (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Handling of fault code for insufficient power (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Reset the pending interrupt flag (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Support for Segmented Hardware Trace buffer (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Synchronize access to ioctl data buffer (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Task Abort EH Support (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Update MPI Headers to revision 35 (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Update driver version to 8.12.0.3.50 (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Update driver version to 8.12.1.0.50 (bsc#1241388 jsc#PED-12372). - scsi: mpi3mr: Update driver version to 8.13.0.5.50 (bsc#1241388 jsc#PED-12372). 
- scsi: mpi3mr: Update timestamp only for supervisor IOCs (bsc#1241388 jsc#PED-12372). - scsi: mpt3sas: Add details to EEDPTagMode error message (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: Add support for MCTP Passthrough commands (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: Fix a locking bug in an error path (git-fixes). - scsi: mpt3sas: Fix buffer overflow in mpt3sas_send_mctp_passthru_req() (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: Fix spelling mistake 'receveid' -> 'received' (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: Reduce log level of ignore_delay_remove message to KERN_INFO (git-fixes). - scsi: mpt3sas: Remove unused config functions (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: Report driver capability as part of IOCINFO command (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: Send a diag reset if target reset fails (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: Update MPI headers to 02.00.62 version (bsc#1241388 jsc#PED-11253). - scsi: mpt3sas: update driver version to 52.100.00.00 (bsc#1241388 jsc#PED-11253). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes). - scsi: smartpqi: Use is_kdump_kernel() to check for kdump (git-fixes). 
- sctp: Fix undefined behavior in left shift operation (git-fixes). - sctp: add mutual exclusion in proc_sctp_do_udp_port() (git-fixes). - sctp: detect and prevent references to a freed transport in sendmsg (git-fixes). - sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start (git-fixes). - sctp: fix association labeling in the duplicate COOKIE-ECHO case (git-fixes). - sctp: fix busy polling (git-fixes). - sctp: prefer struct_size over open coded arithmetic (git-fixes). - sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes). - security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375). - selftests/bpf: Add a few tests to cover (git-fixes). - selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes). - selftests/bpf: extend changes_pkt_data with cases w/o subprograms (bsc#1241590). - selftests/bpf: freplace tests for tracking of changes_packet_data (bsc#1241590). - selftests/bpf: test for changing packet data from global functions (bsc#1241590). - selftests/bpf: validate that tail call invalidates packet pointers (bsc#1241590). - selftests/futex: futex_waitv wouldblock test should fail (git-fixes). - selftests/mm/cow: fix the incorrect error handling (git-fixes). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - selftests/mm: generate a temporary mountpoint for cgroup filesystem (git-fixes). - selftests/x86/syscall: Fix coccinelle WARNING recommending the use of ARRAY_SIZE() (git-fixes). - selftests: mptcp: close fd_in before returning in main_loop (git-fixes). - selftests: mptcp: fix incorrect fd checks in main_loop (git-fixes). - selinux: Implement mptcp_add_subflow hook (bsc#1240375). - seq_file: add helper macro to define attribute for rw file (jsc#PED-12416). - serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes). - serial: msm: Configure correct working mode before starting earlycon (git-fixes). 
- serial: sifive: lock port in startup()/shutdown() callbacks (git-fixes). - series.conf: temporarily disable patches.suse/md-md-bitmap-fix-writing-non-bitmap-pages-ab99.patch (bsc#1238212) - smb: client: destroy cfid_put_wq on module exit (git-fixes). - smb: client: fix folio leaks and perf improvements (bsc#1239997, bsc1241265). - smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616). - soc: imx8m: Remove global soc_uid (stable-fixes). - soc: imx8m: Unregister cpufreq and soc dev in cleanup path (git-fixes). - soc: imx8m: Use devm_* to simplify probe failure handling (stable-fixes). - soc: mediatek: mt8167-mmsys: Fix missing regval in all entries (git-fixes). - soc: mediatek: mt8365-mmsys: Fix routing table masks and values (git-fixes). - soc: qcom: pdr: Fix the potential deadlock (git-fixes). - soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() (git-fixes). - sound/virtio: Fix cancel_sync warnings on uninitialized work_structs (stable-fixes). - soundwire: bus: Fix race on the creation of the IRQ domain (git-fixes). - soundwire: slave: fix an OF node reference leak in soundwire slave device (git-fixes). - spi: cadence-qspi: Fix probe on AM62A LP SK (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). - spi: microchip-core: Clean up redundant dev_err_probe() (git-fixes). - spi: microchip-core: Use helper function devm_clk_get_enabled() (git-fixes). - spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: tegra114: Do not fail set_cs_timing when delays are zero (git-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - spi: tegra210-quad: add rate limiting and simplify timeout error message (stable-fixes). 
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts (stable-fixes).
- splice: do not checksum AF_UNIX sockets (bsc#1240333).
- splice: remove duplicate noinline from pipe_clear_nowait (bsc#1242328).
- sqpoll: increase tw batch size (bsc#1238585).
- staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (git-fixes).
- staging: axis-fifo: Remove hardware resets for user errors (git-fixes).
- staging: iio: adc: ad7816: Correct conditional logic for store mode (git-fixes).
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes).
- string: Add load_unaligned_zeropad() code path to sized_strscpy() (git-fixes).
- supported.conf: Mark HiSi DMA controller as supported (jsc#PED-12622)
- supported.conf: Mark HiSi PMU drivers as supported (jsc#PED-12622)
- supported.conf: Mark HiSi TRNG v2 as supported (jsc#PED-12622)
- supported.conf: add now-included qat_420xx (external, intel)
- tcp: Add memory barrier to tcp_push() (git-fixes).
- tcp: Adjust clamping window for applications specifying SO_RCVBUF (bsc#1220419 bsc#1222656 bsc#1236394).
- tcp: Adjust clamping window for applications specifying SO_RCVBUF (git-fixes).
- tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset (git-fixes).
- tcp: Defer ts_recent changes until req is owned (git-fixes).
- tcp: Do not drop SYN+ACK for simultaneous connect() (git-fixes).
- tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() (git-fixes).
- tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses (git-fixes).
- tcp: Update window clamping condition (bsc#1220419 bsc#1222656 bsc#1236394).
- tcp: Update window clamping condition (git-fixes).
- tcp: add tcp_done_with_error() helper (git-fixes).
- tcp: adjust rcvq_space after updating scaling ratio (bsc#1220419 bsc#1222656 bsc#1236394).
- tcp: adjust rcvq_space after updating scaling ratio (git-fixes).
- tcp: annotate data-races around tp->window_clamp (bsc#1220419 bsc#1222656 bsc#1236394).
- tcp: annotate data-races around tp->window_clamp (git-fixes).
- tcp: avoid premature drops in tcp_add_backlog() (git-fixes).
- tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process (git-fixes).
- tcp: check mptcp-level constraints for backlog coalescing (git-fixes).
- tcp: check space before adding MPTCP SYN options (git-fixes).
- tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() (git-fixes).
- tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB (git-fixes).
- tcp: define initial scaling factor value as a macro (bsc#1220419 bsc#1222656 bsc#1236394).
- tcp: define initial scaling factor value as a macro (git-fixes).
- tcp: derive delack_max from rto_min (git-fixes).
- tcp: fix TFO SYN_RECV to not zero retrans_stamp with retransmits out (git-fixes).
- tcp: fix cookie_init_timestamp() overflows (git-fixes).
- tcp: fix forever orphan socket caused by tcp_abort (git-fixes).
- tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function (git-fixes).
- tcp: fix incorrect undo caused by DSACK of TLP retransmit (git-fixes).
- tcp: fix mid stream window clamp (git-fixes).
- tcp: fix mptcp DSS corruption due to large pmtu xmit (git-fixes).
- tcp: fix race in tcp_v6_syn_recv_sock() (git-fixes).
- tcp: fix race in tcp_write_err() (git-fixes).
- tcp: fix races in tcp_abort() (git-fixes).
- tcp: fix races in tcp_v_err() (git-fixes).
- tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe (git-fixes).
- tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO (git-fixes).
- tcp: fix to allow timestamp undo if no retransmits were sent (git-fixes).
- tcp: get rid of sysctl_tcp_adv_win_scale (bsc#1220419 bsc#1222656 bsc#1236394).
- tcp: increase the default TCP scaling ratio (bsc#1220419 bsc#1222656 bsc#1236394).
- tcp: increase the default TCP scaling ratio (git-fixes).
- tcp: introduce tcp_clock_ms() (git-fixes).
- tcp: process the 3rd ACK with sk_socket for TFO/MPTCP (git-fixes).
- tcp: reduce accepted window in NEW_SYN_RECV state (git-fixes).
- tcp: remove 64 KByte limit for initial tp->rcv_wnd value (git-fixes).
- tcp: replace tcp_time_stamp_raw() (git-fixes).
- tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes).
- tcp_cubic: fix incorrect HyStart round start detection (git-fixes).
- thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold (git-fixes).
- thermal/drivers/mediatek/lvts: Disable monitor mode during suspend (git-fixes).
- thermal/drivers/rockchip: Add missing rk3328 mapping entry (git-fixes).
- thermal: int340x: Add NULL check for adev (git-fixes).
- thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes).
- thunderbolt: Scan retimers after device router has been enumerated (stable-fixes).
- tools/hv: update route parsing in kvp daemon (git-fixes).
- tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192 (bsc#1241175).
- tools/power turbostat: report CoreThr per measurement interval (git-fixes).
- tools: move alignment-related macros to new <linux/align.h> (git-fixes).
- topology: Set capacity_freq_ref in all cases (bsc#1238052)
- tpm, tpm_tis: Fix timeout handling when waiting for TPM status (git-fixes).
- tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
- tpm: do not start chip while suspended (git-fixes).
- tpm: send_data: Wait longer for the TPM to become ready (bsc#1235870).
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- tpm_tis: Move CRC check to generic send routine (bsc#1235870).
- tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870).
- tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT (git-fixes).
- tty: n_tty: use uint for space returned by tty_write_room() (git-fixes).
- tty: serial: 8250: Add Brainboxes XC devices (stable-fixes).
- tty: serial: 8250: Add some more device IDs (stable-fixes).
- tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes).
- tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes).
- ubi: Add a check for ubi_num (git-fixes).
- ubi: block: Fix use-after-free in ubiblock_cleanup (git-fixes).
- ubi: block: fix null-pointer-dereference in ubiblock_create() (git-fixes).
- ubi: correct the calculation of fastmap size (stable-fixes).
- ubi: eba: properly rollback inside self_check_eba (git-fixes).
- ubi: fastmap: Fix missed ec updating after erasing old fastmap data block (git-fixes).
- ubi: fastmap: may_reserve_for_fm: Do not reserve PEB if fm_anchor exists (git-fixes).
- ubi: fastmap: wl: Schedule fm_work if wear-leveling pool is empty (git-fixes).
- ubi: wl: Put source PEB into correct list if trying locking LEB failed (git-fixes).
- ublk: set_params: properly check if parameters can be applied (git-fixes).
- ucsi_ccg: Do not show failed to get FW build information error (git-fixes).
- udf: Fix inode_getblk() return value (bsc#1242313).
- udf: Skip parent dir link count update if corrupted (bsc#1242315).
- udf: Verify inode link counts before performing rename (bsc#1242314).
- usb: cdns3: Fix deadlock when using NCM gadget (git-fixes).
- usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version (git-fixes).
- usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines (git-fixes).
- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (git-fixes).
- usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes).
- usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield (stable-fixes).
- usb: dwc3: gadget: Refactor loop to avoid NULL endpoints (stable-fixes).
- usb: dwc3: gadget: check that event count does not exceed event buffer length (git-fixes).
- usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes).
- usb: gadget: Use get_status callback to set remote wakeup capability (git-fixes).
- usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() (stable-fixes).
- usb: gadget: f_ecm: Add get_status callback (git-fixes).
- usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN (git-fixes).
- usb: host: max3421-hcd: Add missing spi_device_id table (stable-fixes).
- usb: host: tegra: Prevent host controller crash when OTG port is used (git-fixes).
- usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func (stable-fixes).
- usb: phy: generic: Use proper helper for property detection (stable-fixes).
- usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader (stable-fixes).
- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive (stable-fixes).
- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive (stable-fixes).
- usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes).
- usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (git-fixes).
- usb: typec: ucsi: displayport: Fix NULL pointer access (git-fixes).
- usb: uhci-platform: Make the clock really optional (git-fixes).
- usb: usbtmc: Fix erroneous generic_read ioctl return (git-fixes).
- usb: usbtmc: Fix erroneous get_stb ioctl error returns (git-fixes).
- usb: usbtmc: Fix erroneous wait_srq ioctl return (git-fixes).
- usb: xHCI: add XHCI_RESET_ON_RESUME quirk for Phytium xHCI host (git-fixes).
- usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running (stable-fixes).
- usb: xhci: Do not skip on Stopped - Length Invalid (git-fixes).
- usb: xhci: Enable the TRB overfetch quirk on VIA VL805 (git-fixes).
- usb: xhci: Enable the TRB overfetch quirk on VIA VL805 (stable-fixes).
- usb: xhci: Fix invalid pointer dereference in Etron workaround (git-fixes).
- usb: xhci: correct debug message page size calculation (git-fixes).
- usb: xhci: remove 'retval' from xhci_pci_resume() (git-fixes).
- usbnet:fix NPE during rx_complete (git-fixes).
- vboxsf: fix building with GCC 15 (stable-fixes).
- vdpa/mlx5: Fix oversized null mkey longer than 32bit (git-fixes).
- vfs: do not mod negative dentry count when on shrinker list (bsc#1242534).
- vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes).
- video: screen_info: Update framebuffers behind PCI bridges (bsc#1240696).
- virtchnl: make proto and filter action count unsigned (git-fixes).
- virtio_console: fix missing byte order handling for cols and rows (git-fixes).
- vmxnet3: Fix tx queue race condition with XDP (bsc#1241394).
- vmxnet3: unregister xdp rxq info in the reset path (bsc#1241394).
- wifi: at76c50x: fix use after free access in at76_disconnect (git-fixes).
- wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path (git-fixes).
- wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode (git-fixes).
- wifi: ath11k: choose default PM policy for hibernation (bsc#1207948).
- wifi: ath11k: determine PM policy based on machine model (bsc#1207948).
- wifi: ath11k: fix RCU stall while reaping monitor destination ring (git-fixes).
- wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes).
- wifi: ath11k: fix wrong overriding for VHT Beamformee STS Capability (git-fixes).
- wifi: ath11k: introduce ath11k_core_continue_suspend_resume() (bsc#1207948).
- wifi: ath11k: refactor ath11k_core_suspend/_resume() (bsc#1207948).
- wifi: ath11k: support non-WoWLAN mode suspend as well (bsc#1207948).
- wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path (git-fixes).
- wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi (stable-fixes).
- wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process (stable-fixes).
- wifi: ath12k: encode max Tx power in scan channel list command (git-fixes).
- wifi: ath9k: do not submit zero bytes to the entropy pool (git-fixes).
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (git-fixes).
- wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes).
- wifi: cfg80211: cancel wiphy_work before freeing wiphy (git-fixes).
- wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation (git-fixes).
- wifi: cfg80211: init wiphy_work before allocating rfkill fails (git-fixes).
- wifi: iwlwifi: do not warn if the NIC is gone in resume (git-fixes).
- wifi: iwlwifi: fix the check for the SCRATCH register upon resume (git-fixes).
- wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes).
- wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms (git-fixes).
- wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes).
- wifi: iwlwifi: pcie: Fix TSO preparation (git-fixes).
- wifi: iwlwifi: support BIOS override for 5G9 in CA also in LARI version 8 (stable-fixes).
- wifi: mac80211, cfg80211: miscellaneous spelling fixes (git-fixes).
- wifi: mac80211: Cleanup sta TXQs on flush (stable-fixes).
- wifi: mac80211: Fix sparse warning for monitor_sdata (git-fixes).
- wifi: mac80211: Purge vif txq in ieee80211_do_stop() (git-fixes).
- wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes).
- wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (git-fixes).
- wifi: mac80211: check basic rates validity in sta_link_apply_parameters (git-fixes).
- wifi: mac80211: do not queue sdata::work for a non-running sdata (git-fixes).
- wifi: mac80211: ensure sdata->work is canceled before initialized (stable-fixes).
- wifi: mac80211: fix SA Query processing in MLO (stable-fixes).
- wifi: mac80211: fix integer overflow in hwmp_route_info_get() (git-fixes).
- wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes).
- wifi: mac80211: remove debugfs dir for virtual monitor (stable-fixes).
- wifi: mt76: Add check for devm_kstrdup() (git-fixes).
- wifi: mt76: disable napi on driver removal (git-fixes).
- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table (stable-fixes).
- wifi: mt76: mt7915: fix possible integer overflows in mt7915_muru_stats_show() (git-fixes).
- wifi: mt76: mt7925: ensure wow pattern command align fw format (git-fixes).
- wifi: mt76: mt7925: fix country count limitation for CLC (git-fixes).
- wifi: mt76: mt7925: remove unused acpi function for clc (git-fixes).
- wifi: mwifiex: Fix premature release of RF calibration data (git-fixes).
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release (git-fixes).
- wifi: rtl8xxxu: Perform update_beacon_work when beaconing is enabled (git-fixes).
- wifi: rtw89: fw: correct debug message format in rtw89_build_txpwr_trk_tbl_from_elm() (git-fixes).
- wifi: rtw89: pci: correct ISR RDU bit for 8922AE (git-fixes).
- wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes).
- x86/apic: Provide apic_force_nmi_on_cpu() (git-fixes).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/boot/32: De-uglify the 2/3 level paging difference in mk_early_pgtbl_32() (git-fixes).
- x86/boot/32: Disable stackprotector and tracing for mk_early_pgtbl_32() (git-fixes).
- x86/boot/32: Restructure mk_early_pgtbl_32() (git-fixes).
- x86/boot/32: Temporarily map initrd for microcode loading (git-fixes).
- x86/boot: Use __pa_nodebug() in mk_early_pgtbl_32() (git-fixes).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).
- x86/bugs: Add RSB mitigation document (git-fixes).
- x86/bugs: Do not fill RSB on VMEXIT with eIBRS+retpoline (git-fixes).
- x86/bugs: Do not fill RSB on context switch with eIBRS (git-fixes).
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes).
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- x86/coco: Replace 'static const cc_mask' with the newly introduced cc_get_mask() function (git-fixes).
- x86/cpu/amd: Fix workaround for erratum 1054 (git-fixes).
- x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers (git-fixes).
- x86/cpu: Allow reducing x86_phys_bits during early_identify_cpu() (git-fixes).
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment (git-fixes).
- x86/entry: Add __init to ia32_emulation_override_cmdline() (git-fixes).
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- x86/fpu: Fix guest FPU state buffer allocation size (git-fixes).
- x86/hyperv/vtl: Stop kernel from probing VTL0 low memory (git-fixes).
- x86/hyperv: Fix check of return value from snp_set_vmsa() (git-fixes).
- x86/hyperv: Fix output argument to hypercall that changes page visibility (git-fixes).
- x86/idle: Disable IBRS when CPU is offline to improve single-threaded performance (git-fixes).
- x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes).
- x86/microcode/32: Move early loading after paging enable (git-fixes).
- x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes).
- x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes).
- x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes).
- x86/microcode/AMD: Split load_microcode_amd() (git-fixes).
- x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (git-fixes).
- x86/microcode/amd: Cache builtin microcode too (git-fixes).
- x86/microcode/amd: Cache builtin/initrd microcode early (git-fixes).
- x86/microcode/amd: Use cached microcode for AP load (git-fixes).
- x86/microcode/amd: Use correct per CPU ucode_cpu_info (git-fixes).
- x86/microcode/intel: Add a minimum required revision for late loading (git-fixes).
- x86/microcode/intel: Cleanup code further (git-fixes).
- x86/microcode/intel: Move microcode functions out of cpu/intel.c (git-fixes).
- x86/microcode/intel: Remove debug code (git-fixes).
- x86/microcode/intel: Remove pointless mutex (git-fixes).
- x86/microcode/intel: Rename get_datasize() since its used externally (git-fixes).
- x86/microcode/intel: Reuse intel_cpu_collect_info() (git-fixes).
- x86/microcode/intel: Rework intel_cpu_collect_info() (git-fixes).
- x86/microcode/intel: Rework intel_find_matching_signature() (git-fixes).
- x86/microcode/intel: Rip out mixed stepping support for Intel CPUs (git-fixes).
- x86/microcode/intel: Save the microcode only after a successful late-load (git-fixes).
- x86/microcode/intel: Set new revision only after a successful update (git-fixes).
- x86/microcode/intel: Simplify and rename generic_load_microcode() (git-fixes).
- x86/microcode/intel: Simplify early loading (git-fixes).
- x86/microcode/intel: Simplify scan_microcode() (git-fixes).
- x86/microcode/intel: Switch to kvmalloc() (git-fixes).
- x86/microcode/intel: Unify microcode apply() functions (git-fixes).
- x86/microcode: Add per CPU control field (git-fixes).
- x86/microcode: Add per CPU result state (git-fixes).
- x86/microcode: Clarify the late load logic (git-fixes).
- x86/microcode: Clean up mc_cpu_down_prep() (git-fixes).
- x86/microcode: Get rid of the schedule work indirection (git-fixes).
- x86/microcode: Handle 'nosmt' correctly (git-fixes).
- x86/microcode: Handle 'offline' CPUs correctly (git-fixes).
- x86/microcode: Hide the config knob (git-fixes).
- x86/microcode: Include vendor headers into microcode.h (git-fixes).
- x86/microcode: Make reload_early_microcode() static (git-fixes).
- x86/microcode: Mop up early loading leftovers (git-fixes).
- x86/microcode: Move core specific defines to local header (git-fixes).
- x86/microcode: Prepare for minimal revision check (git-fixes).
- x86/microcode: Protect against instrumentation (git-fixes).
- x86/microcode: Provide CONFIG_MICROCODE_INITRD32 (git-fixes).
- x86/microcode: Provide new control functions (git-fixes).
- x86/microcode: Remove microcode_mutex (git-fixes).
- x86/microcode: Remove pointless apply() invocation (git-fixes).
- x86/microcode: Remove the driver announcement and version (git-fixes).
- x86/microcode: Rendezvous and load in NMI (git-fixes).
- x86/microcode: Replace the all-in-one rendevous handler (git-fixes).
- x86/microcode: Rework early revisions reporting (git-fixes).
- x86/microcode: Sanitize __wait_for_cpus() (git-fixes).
- x86/mm: Remove unused microcode.h include (git-fixes).
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- x86/platform/olpc: Remove unused variable 'len' in olpc_dt_compatible_match() (git-fixes).
- x86/sev: Move sev_setup_arch() to mem_encrypt.c (bsc#1239314).
- x86/speculation: Add __update_spec_ctrl() helper (git-fixes).
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- x86/uaccess: Improve performance by aligning writes to 8 bytes in copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes).
- x86/usercopy: Fix kernel-doc func param name in clean_cache_range()'s description (git-fixes).
- x86/vmware: Add TDX hypercall support (jsc#PED-11518).
- x86/vmware: Correct macro names (jsc#PED-11518).
- x86/vmware: Introduce VMware hypercall API (jsc#PED-11518).
- x86/vmware: Remove legacy VMWARE_HYPERCALL* macros (jsc#PED-11518).
- x86/vmware: Use VMware hypercall API (jsc#PED-11518).
- x86/xen: move xen_reserve_extra_memory() (git-fixes).
- xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes).
- xen: Change xen-acpi-processor dom0 dependency (git-fixes).
- xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes).
- xfs: flush inodegc before swapon (git-fixes).
- xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes).
- xhci: Apply XHCI_RESET_TO_DEFAULT quirk to TGL (git-fixes).
- xhci: Clean up stale comment on ERST_SIZE macro (stable-fixes).
- xhci: Cleanup Candence controller PCI device and vendor ID usage (git-fixes).
- xhci: Combine two if statements for Etron xHCI host (jsc#PED-10701).
- xhci: Do not issue Reset Device command to Etron xHCI host (jsc#PED-10701).
- xhci: Do not perform Soft Retry for Etron xHCI host (git-fixes).
- xhci: Fix null pointer dereference during S4 resume when resetting ep0 (bsc#1235550).
- xhci: Limit time spent with xHC interrupts disabled during bus resume (stable-fixes).
- xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (bsc#1235550).
- xhci: dbc: Check for errors first in xhci_dbc_stop() (git-fixes).
- xhci: dbc: Convert to use sysfs_streq() (git-fixes).
- xhci: dbc: Drop duplicate checks for dma_free_coherent() (git-fixes).
- xhci: dbc: Fix STALL transfer event handling (git-fixes).
- xhci: dbc: Replace custom return value with proper Linux error code (git-fixes).
- xhci: dbc: Use ATTRIBUTE_GROUPS() (git-fixes).
- xhci: dbc: Use sysfs_emit() to instead of scnprintf() (git-fixes).
- xhci: fix possible null pointer deref during xhci urb enqueue (bsc#1235550).
- xhci: pci: Fix indentation in the PCI device ID definitions (stable-fixes).
- xhci: pci: Group out Thunderbolt xHCI IDs (git-fixes).
- xhci: pci: Use PCI_VENDOR_ID_RENESAS (git-fixes).
- xhci: pci: Use full names in PCI IDs for Intel platforms (git-fixes).
- xhci: pci: Use standard pattern for device IDs (git-fixes).
- xhci: split free interrupter into separate remove and free parts (git-fixes).
- xsk: Add truesize to skb_add_rx_frag() (git-fixes).
- xsk: Do not assume metadata is always requested in TX completion (git-fixes).
- zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING (bsc#1241167).

The following package changes have been done:

- glibc-locale-base-2.38-150600.14.32.1 updated
- kernel-macros-6.4.0-150700.53.3.1 updated
- zstd-1.5.7-150700.1.2 added
- glibc-locale-2.38-150600.14.32.1 updated
- kernel-devel-6.4.0-150700.53.3.1 updated
- glibc-devel-2.38-150600.14.32.1 updated
- kernel-default-devel-6.4.0-150700.53.3.1 updated
- kernel-syms-6.4.0-150700.53.3.1 updated

From sle-container-updates at lists.suse.com Fri Jun 20 07:04:21 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 09:04:21 +0200 (CEST)
Subject: SUSE-CU-2025:4496-1: Security update of containers/open-webui-pipelines
Message-ID: <20250620070421.53497FCFE@maintenance.suse.de>

SUSE Container Update Advisory: containers/open-webui-pipelines
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4496-1
Container Tags : containers/open-webui-pipelines:0 , containers/open-webui-pipelines:0.20250329.151219 , containers/open-webui-pipelines:0.20250329.151219-5.8
Container Release : 5.8
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container containers/open-webui-pipelines was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).

The following package changes have been done:

- perl-base-5.26.1-150300.17.20.1 updated
- perl-5.26.1-150300.17.20.1 updated
- python-open-webui-pipelines-0.20250329.151219-150600.3.6 updated
- container:registry.suse.com-bci-bci-base-15.6.47.5.6-dd1dec4b73d1042fac372d3d2f5128aaf4822e29a26ee947fbcef64270f309a1-0 updated
- container:registry.suse.com-bci-bci-micro-15.6-a05744ce2c3f4696496bed0ea75f9e909b09a727f3d3407cd155bc24e1d01689-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 07:05:51 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 09:05:51 +0200 (CEST)
Subject: SUSE-IU-2025:1601-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20250620070551.5D61DFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1601-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.178 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.178
Severity : important
Type : security
References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- pam-1.3.0-150000.6.83.1 updated

From sle-container-updates at lists.suse.com Fri Jun 20 07:05:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 09:05:52 +0200 (CEST)
Subject: SUSE-IU-2025:1602-1: Security update of suse/sle-micro/base-5.5
Message-ID: <20250620070552.547B4FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/base-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1602-1
Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.179 , suse/sle-micro/base-5.5:latest
Image Release : 5.8.179
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).

The following package changes have been done:

- perl-base-5.26.1-150300.17.20.1 updated

From sle-container-updates at lists.suse.com Fri Jun 20 07:06:40 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 09:06:40 +0200 (CEST)
Subject: SUSE-IU-2025:1603-1: Security update of suse/sle-micro/kvm-5.5
Message-ID: <20250620070640.7CCA7FCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/kvm-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1603-1
Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.340 , suse/sle-micro/kvm-5.5:latest
Image Release : 3.5.340
Severity : important
Type : security
References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- pam-1.3.0-150000.6.83.1 updated
- container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.178 updated

From sle-container-updates at lists.suse.com Fri Jun 20 07:07:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 09:07:52 +0200 (CEST)
Subject: SUSE-IU-2025:1604-1: Security update of suse/sle-micro/rt-5.5
Message-ID: <20250620070752.ABCBEFCFE@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/rt-5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1604-1
Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.409 , suse/sle-micro/rt-5.5:latest
Image Release : 4.5.409
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).

The following package changes have been done:

- perl-base-5.26.1-150300.17.20.1 updated
- perl-5.26.1-150300.17.20.1 updated
- container:suse-sle-micro-5.5-latest-2.0.4-5.5.310 updated

From sle-container-updates at lists.suse.com Fri Jun 20 07:09:04 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 09:09:04 +0200 (CEST)
Subject: SUSE-IU-2025:1606-1: Security update of suse/sle-micro/5.5
Message-ID: <20250620070904.34106FD1A@maintenance.suse.de>

SUSE Image Update Advisory: suse/sle-micro/5.5
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1606-1
Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.310 , suse/sle-micro/5.5:latest
Image Release : 5.5.310
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container suse/sle-micro/5.5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.179 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:09:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:09:03 +0200 (CEST) Subject: SUSE-IU-2025:1605-1: Security update of suse/sle-micro/5.5 Message-ID: <20250620070903.6DCCCFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1605-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.308 , suse/sle-micro/5.5:latest Image Release : 5.5.308 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.178 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:15:53 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:15:53 +0200 (CEST) Subject: SUSE-CU-2025:4503-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250620071553.0B6ECF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4503-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.142 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.142 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:15:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:15:55 +0200 (CEST) Subject: SUSE-CU-2025:4504-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250620071555.8DA35F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4504-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.144 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.144 Severity : moderate Type : security References : 1239012 1239543 1240132 1241463 1243887 1243901 1244079 1244105 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2022-1 Released: Thu Jun 19 15:14:37 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - libzypp-17.37.5-150400.3.126.1 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - zypper-1.14.90-150400.3.85.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:18:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:18:34 +0200 (CEST) Subject: SUSE-CU-2025:4505-1: Recommended update of suse/sle-micro-rancher/5.4 Message-ID: <20250620071834.A8663F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4505-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.5 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.5 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2022-1 Released: Thu Jun 19 15:14:37 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. 
- Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. The following package changes have been done: - libzypp-17.37.5-150400.3.126.1 updated - zypper-1.14.90-150400.3.85.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:18:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:18:35 +0200 (CEST) Subject: SUSE-CU-2025:4506-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250620071835.8CF14F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4506-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.6 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.6 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:20:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:20:16 +0200 (CEST) Subject: SUSE-CU-2025:4507-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250620072016.38F92F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4507-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.142 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.142 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). 
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:20:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:20:17 +0200 (CEST) Subject: SUSE-CU-2025:4508-1: Recommended update of suse/sle-micro/5.4/toolbox Message-ID: <20250620072017.1F9CBFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4508-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.143 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.143 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2022-1 Released: Thu Jun 19 15:14:37 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. 
(bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. 
- man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. The following package changes have been done: - libzypp-17.37.5-150400.3.126.1 updated - zypper-1.14.90-150400.3.85.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:20:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:20:19 +0200 (CEST) Subject: SUSE-CU-2025:4509-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250620072019.A3773F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4509-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.144 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.144 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:21:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:21:43 +0200 (CEST) Subject: SUSE-CU-2025:4510-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250620072143.48AD2F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4510-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.46 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.46 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:21:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:21:44 +0200 (CEST) Subject: SUSE-CU-2025:4511-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250620072144.1C380F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4511-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.47 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.47 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:22:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:22:23 +0200 (CEST) Subject: SUSE-IU-2025:1607-1: Security update of suse/sl-micro/6.0/base-os-container Message-ID: <20250620072223.55BC3F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1607-1 Image Tags : suse/sl-micro/6.0/base-os-container:2.1.3 , suse/sl-micro/6.0/base-os-container:2.1.3-7.11 , suse/sl-micro/6.0/base-os-container:latest Image Release : 7.11 Severity : important Type : security References : 1244509 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.0/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 361 Released: Thu Jun 19 10:49:31 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. 
(bsc#1244509) The following package changes have been done: - pam-1.6.0-5.1 updated - container:suse-toolbox-image-1.0.0-9.5 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:23:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:23:04 +0200 (CEST) Subject: SUSE-IU-2025:1608-1: Security update of suse/sl-micro/6.0/kvm-os-container Message-ID: <20250620072304.3B5DBF78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.0/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1608-1 Image Tags : suse/sl-micro/6.0/kvm-os-container:2.1.3 , suse/sl-micro/6.0/kvm-os-container:2.1.3-6.38 , suse/sl-micro/6.0/kvm-os-container:latest Image Release : 6.38 Severity : important Type : security References : 1244509 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.0/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 361 Released: Thu Jun 19 10:49:31 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. 
(bsc#1244509) The following package changes have been done: - pam-1.6.0-5.1 updated - container:SL-Micro-base-container-2.1.3-7.11 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:24:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:24:19 +0200 (CEST) Subject: SUSE-CU-2025:4514-1: Security update of suse/sl-micro/6.0/toolbox Message-ID: <20250620072419.64DF9F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sl-micro/6.0/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4514-1 Container Tags : suse/sl-micro/6.0/toolbox:13.2 , suse/sl-micro/6.0/toolbox:13.2-9.5 , suse/sl-micro/6.0/toolbox:latest Container Release : 9.5 Severity : important Type : security References : 1244509 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.0/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 361 Released: Thu Jun 19 10:49:31 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. 
(bsc#1244509) The following package changes have been done: - pam-1.6.0-5.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:24:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:24:48 +0200 (CEST) Subject: SUSE-IU-2025:1609-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250620072448.A91C0F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1609-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.53 , suse/sl-micro/6.1/base-os-container:latest Image Release : 4.53 Severity : important Type : security References : 1244509 CVE-2024-10220 CVE-2024-36620 CVE-2024-36621 CVE-2024-36623 CVE-2024-37820 CVE-2024-43784 CVE-2024-45719 CVE-2024-50948 CVE-2024-52003 CVE-2024-52280 CVE-2024-52282 CVE-2024-52309 CVE-2024-52529 CVE-2024-52801 CVE-2024-53259 CVE-2024-53264 CVE-2024-53858 CVE-2024-53862 CVE-2024-54131 CVE-2024-54132 CVE-2024-6156 CVE-2024-6219 CVE-2024-6538 CVE-2024-8676 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 151 Released: Thu Jun 19 10:45:49 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2024-10220,CVE-2024-36620,CVE-2024-36621,CVE-2024-36623,CVE-2024-37820,CVE-2024-43784,CVE-2024-45719,CVE-2024-50948,CVE-2024-52003,CVE-2024-52280,CVE-2024-52282,CVE-2024-52309,CVE-2024-52529,CVE-2024-52801,CVE-2024-53259,CVE-2024-53264,CVE-2024-53858,CVE-2024-53862,CVE-2024-54131,CVE-2024-54132,CVE-2024-6156,CVE-2024-6219,CVE-2024-6538,CVE-2024-8676,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. (bsc#1244509) The following package changes have been done: - pam-1.6.1-slfo.1.1_3.1 updated - container:suse-toolbox-image-1.0.0-4.44 updated From sle-container-updates at lists.suse.com Fri Jun 20 07:25:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 09:25:18 +0200 (CEST) Subject: SUSE-IU-2025:1610-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250620072518.7CB30F78C@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1610-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.52 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 4.52 Severity : important Type : security References : 1244509 CVE-2024-10220 CVE-2024-36620 CVE-2024-36621 CVE-2024-36623 CVE-2024-37820 CVE-2024-43784 CVE-2024-45719 CVE-2024-50948 CVE-2024-52003 CVE-2024-52280 CVE-2024-52282 CVE-2024-52309 CVE-2024-52529 
CVE-2024-52801 CVE-2024-53259 CVE-2024-53264 CVE-2024-53858 CVE-2024-53862 CVE-2024-54131 CVE-2024-54132 CVE-2024-6156 CVE-2024-6219 CVE-2024-6538 CVE-2024-8676 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 151 Released: Thu Jun 19 10:45:49 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2024-10220,CVE-2024-36620,CVE-2024-36621,CVE-2024-36623,CVE-2024-37820,CVE-2024-43784,CVE-2024-45719,CVE-2024-50948,CVE-2024-52003,CVE-2024-52280,CVE-2024-52282,CVE-2024-52309,CVE-2024-52529,CVE-2024-52801,CVE-2024-53259,CVE-2024-53264,CVE-2024-53858,CVE-2024-53862,CVE-2024-54131,CVE-2024-54132,CVE-2024-6156,CVE-2024-6219,CVE-2024-6538,CVE-2024-8676,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. 
(bsc#1244509) The following package changes have been done: - pam-1.6.1-slfo.1.1_3.1 updated - container:SL-Micro-base-container-2.2.0-4.53 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:43:03 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:43:03 +0200 (CEST) Subject: SUSE-IU-2025:1610-1: Security update of suse/sl-micro/6.1/kvm-os-container Message-ID: <20250620124303.342E6FD12@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/kvm-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1610-1 Image Tags : suse/sl-micro/6.1/kvm-os-container:2.2.0 , suse/sl-micro/6.1/kvm-os-container:2.2.0-4.52 , suse/sl-micro/6.1/kvm-os-container:latest Image Release : 4.52 Severity : important Type : security References : 1244509 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.1/kvm-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 151 Released: Thu Jun 19 10:45:49 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure. 
(bsc#1244509) The following package changes have been done: - pam-1.6.1-slfo.1.1_3.1 updated - container:SL-Micro-base-container-2.2.0-4.53 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:43:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:43:37 +0200 (CEST) Subject: SUSE-IU-2025:1611-1: Security update of suse/sl-micro/6.1/rt-os-container Message-ID: <20250620124337.A8DD0FD12@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/rt-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1611-1 Image Tags : suse/sl-micro/6.1/rt-os-container:2.2.0 , suse/sl-micro/6.1/rt-os-container:2.2.0-4.58 , suse/sl-micro/6.1/rt-os-container:latest Image Release : 4.58 Severity : important Type : security References : 1244509 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sl-micro/6.1/rt-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 151 Released: Thu Jun 19 10:45:49 2025 Summary: Security update for pam Type: security Severity: important References: 1244509,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path. And keep the bind-mount protection from protect_mount() as a defense in depth measure.
(bsc#1244509) The following package changes have been done: - pam-1.6.1-slfo.1.1_3.1 updated - container:SL-Micro-container-2.2.0-5.18 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:45:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:45:57 +0200 (CEST) Subject: SUSE-CU-2025:4519-1: Security update of suse/ltss/sle12.5/sles12sp5 Message-ID: <20250620124557.73F6AFD12@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4519-1 Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.94 , suse/ltss/sle12.5/sles12sp5:latest Container Release : 8.5.94 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 ----------------------------------------------------------------- The container suse/ltss/sle12.5/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2001-1 Released: Wed Jun 18 13:21:25 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.1.8-24.71.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:47:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:47:37 +0200 (CEST) Subject: SUSE-CU-2025:4524-1: Security update of suse/ltss/sle15.3/sle15 Message-ID: <20250620124737.C1D71FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4524-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.92 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.92 , suse/ltss/sle15.3/sle15:latest Container Release : 2.92 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:47:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:47:38 +0200 (CEST) Subject: SUSE-CU-2025:4525-1: Security update of suse/ltss/sle15.3/sle15 Message-ID: <20250620124738.C8272FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4525-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.93 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.93 , suse/ltss/sle15.3/sle15:latest Container Release : 2.93 Severity : important Type : security References : 1205000 1208958 1211576 1211725 1215241 1243935 CVE-2022-4415 CVE-2023-26604 CVE-2025-4598 ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2019-1 Released: Thu Jun 19 09:57:43 2025 Summary: Security update for systemd Type: security Severity: important References: 1205000,1208958,1211576,1211725,1215241,1243935,CVE-2022-4415,CVE-2023-26604,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). - CVE-2023-26604: Privilege escalation via the less pager (bsc#1208958). - CVE-2022-4415: systemd-coredump was not respecting fs.suid_dumpable kernel setting (bsc#1205000). 
Other bugfixes: - clarify passno and noauto combination in /etc/fstab (bsc#1211725) - handle -EINTR return from bus_poll() (bsc#1215241) - /usr/ should never be unmounted regardless of HAVE_SPLIT_USR or not (bsc#1211576) The following package changes have been done: - libsystemd0-246.16-150300.7.60.1 updated - libudev1-246.16-150300.7.60.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:47:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:47:40 +0200 (CEST) Subject: SUSE-CU-2025:4527-1: Security update of suse/ltss/sle15.3/sle15 Message-ID: <20250620124740.E7120FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4527-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.95 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.95 , suse/ltss/sle15.3/sle15:latest Container Release : 2.95 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:47:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:47:39 +0200 (CEST) Subject: SUSE-CU-2025:4526-1: Recommended update of suse/ltss/sle15.3/sle15 Message-ID: <20250620124739.D8048FD12@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.3/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4526-1 Container Tags : suse/ltss/sle15.3/bci-base:15.3 , suse/ltss/sle15.3/bci-base:15.3.2.94 , suse/ltss/sle15.3/bci-base:latest , suse/ltss/sle15.3/sle15:15.3 , suse/ltss/sle15.3/sle15:15.3.2.94 , suse/ltss/sle15.3/sle15:latest Container Release : 2.94 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/ltss/sle15.3/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2023-1 Released: Thu Jun 19 15:15:22 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
The following package changes have been done: - libzypp-17.37.5-150200.160.1 updated - zypper-1.14.90-150200.114.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:49:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:49:22 +0200 (CEST) Subject: SUSE-CU-2025:4531-1: Security update of suse/ltss/sle15.4/sle15 Message-ID: <20250620124922.4C387FD21@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4531-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.50 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.50 , suse/ltss/sle15.4/sle15:latest Container Release : 2.50 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:49:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:49:21 +0200 (CEST) Subject: SUSE-CU-2025:4530-1: Recommended update of suse/ltss/sle15.4/sle15 Message-ID: <20250620124921.75A97FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.4/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4530-1 Container Tags : suse/ltss/sle15.4/bci-base:15.4 , suse/ltss/sle15.4/bci-base:15.4.2.49 , suse/ltss/sle15.4/bci-base:latest , suse/ltss/sle15.4/sle15:15.4 , suse/ltss/sle15.4/sle15:15.4.2.49 , suse/ltss/sle15.4/sle15:latest Container Release : 2.49 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/ltss/sle15.4/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2022-1 Released: Thu Jun 19 15:14:37 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
The following package changes have been done: - libzypp-17.37.5-150400.3.126.1 updated - zypper-1.14.90-150400.3.85.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:53:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:53:54 +0200 (CEST) Subject: SUSE-CU-2025:4533-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250620125354.9EA85FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4533-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.61 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.61 Severity : important Type : security References : 1239012 1239543 1240132 1241463 1243226 1243887 1243901 1244105 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2007-1 Released: Wed Jun 18 16:03:17 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. 
- Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - libzypp-17.37.5-150600.3.60.1 updated - pam-1.3.0-150000.6.83.1 updated - zypper-1.14.90-150600.10.34.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:53:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:53:55 +0200 (CEST) Subject: SUSE-CU-2025:4534-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250620125355.73D45FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4534-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.62 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.62 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:54:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:54:20 +0200 (CEST) Subject: SUSE-CU-2025:4536-1: Security update of bci/bci-minimal Message-ID: <20250620125420.06AE3FD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-minimal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4536-1 Container Tags : bci/bci-minimal:15.6 , bci/bci-minimal:15.6.37.2 Container Release : 37.2 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container bci/bci-minimal was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:55:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:55:38 +0200 (CEST) Subject: SUSE-CU-2025:4538-1: Security update of suse/mariadb-client Message-ID: <20250620125538.D23D3FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4538-1 Container Tags : suse/mariadb-client:10.11 , suse/mariadb-client:10.11.11 , suse/mariadb-client:10.11.11-60.4 Container Release : 60.4 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/mariadb-client was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:suse-sle15-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated - container:registry.suse.com-bci-bci-micro-15.6-a05744ce2c3f4696496bed0ea75f9e909b09a727f3d3407cd155bc24e1d01689-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:56:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:56:14 +0200 (CEST) Subject: SUSE-CU-2025:4540-1: Security update of suse/mariadb Message-ID: <20250620125614.BA535FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4540-1 Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.11 , suse/mariadb:10.11.11-67.4 Container Release : 67.4 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - container:suse-sle15-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated - container:registry.suse.com-bci-bci-micro-15.6-a05744ce2c3f4696496bed0ea75f9e909b09a727f3d3407cd155bc24e1d01689-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:56:16 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:56:16 +0200 (CEST) Subject: SUSE-CU-2025:4542-1: Security update of suse/mariadb Message-ID: <20250620125616.197B4FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4542-1 Container Tags : suse/mariadb:10.11 , suse/mariadb:10.11.11 , suse/mariadb:10.11.11-68.2 Container Release : 68.2 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:59:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:59:31 +0200 (CEST) Subject: SUSE-CU-2025:4544-1: Security update of bci/spack Message-ID: <20250620125931.BEF4FFD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/spack ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4544-1 Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-11.4 Container Release : 11.4 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container bci/spack was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:59:42 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:59:42 +0200 (CEST) Subject: SUSE-CU-2025:4551-1: Security update of suse/bind Message-ID: <20250620125942.713C0FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4551-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.9 , suse/bind:9.20.9-61.5 , suse/bind:latest Container Release : 61.5 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:59:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:59:43 +0200 (CEST) Subject: SUSE-CU-2025:4552-1: Security update of suse/cosign Message-ID: <20250620125943.E16B8FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/cosign ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4552-1 Container Tags : suse/cosign:2 , suse/cosign:2.5 , suse/cosign:2.5.0 , suse/cosign:2.5.0-11.4 , suse/cosign:latest Container Release : 11.4 Severity : important Type : security References : 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/cosign was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated - container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:59:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:59:54 +0200 (CEST) Subject: SUSE-CU-2025:4562-1: Recommended update of bci/golang Message-ID: <20250620125954.88C74FD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4562-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.10 , bci/golang:1.23.10-2.71.3 , bci/golang:oldstable , bci/golang:oldstable-2.71.3 Container Release : 71.3 Severity : moderate Type : recommended References : 1242060 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:59:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:59:56 +0200 (CEST) Subject: SUSE-CU-2025:4564-1: Recommended update of bci/golang Message-ID: <20250620125956.65B06FD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4564-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.3 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.3 Container Release : 71.3 Severity : moderate Type : recommended References : 1242060 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:19 +0200 (CEST) Subject: SUSE-CU-2025:4565-1: Security update of suse/389-ds Message-ID: <20250620134019.79179F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4565-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.7 , suse/389-ds:latest Container Release : 61.7 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/389-ds was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:registry.suse.com-bci-bci-base-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:22 +0200 (CEST) Subject: SUSE-CU-2025:4566-1: Security update of suse/git Message-ID: <20250620134022.1C4DBF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/git ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4566-1 Container Tags : suse/git:2 , suse/git:2.43 , suse/git:2.43.0 , suse/git:2.43.0-61.7 , suse/git:latest Container Release : 61.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/git was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). 
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:23 +0200 (CEST) Subject: SUSE-CU-2025:4564-1: Recommended update of bci/golang Message-ID: <20250620134023.91CF4F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4564-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.3 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.3 Container Release : 71.3 Severity : moderate Type : recommended References : 1242060 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:25 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:25 +0200 (CEST) Subject: SUSE-CU-2025:4568-1: Security update of bci/golang Message-ID: <20250620134025.41701F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4568-1 Container Tags : bci/golang:1.23-openssl , bci/golang:1.23.2-openssl , bci/golang:1.23.2-openssl-71.5 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-71.5 Container Release : 71.5 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 
----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl-3-devel-3.2.3-150700.5.5.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:27 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:27 +0200 (CEST) Subject: SUSE-CU-2025:4569-1: Recommended update of bci/golang Message-ID: <20250620134027.D10C9F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4569-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.71.3 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.3 Container Release : 71.3 Severity : moderate Type : recommended References : 1242060 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:30 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:30 +0200 (CEST) Subject: SUSE-CU-2025:4570-1: Recommended update of bci/golang Message-ID: <20250620134030.5FB24F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4570-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.3 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.3 Container Release : 71.3 Severity : moderate Type : recommended References : 1242060 ----------------------------------------------------------------- The container bci/golang 
was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:34 +0200 (CEST) Subject: SUSE-CU-2025:4572-1: Security update of suse/helm Message-ID: <20250620134034.1463AF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/helm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4572-1 Container Tags : suse/helm:3 , suse/helm:3.17 , suse/helm:3.17.3 , suse/helm:3.17.3-61.4 , suse/helm:latest Container Release : 61.4 Severity : important Type : security References : 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/helm was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated - container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:35 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:35 +0200 (CEST) Subject: SUSE-CU-2025:4573-1: Security update of suse/helm Message-ID: <20250620134035.2C19FF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/helm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4573-1 Container Tags : suse/helm:3 , suse/helm:3.17 , suse/helm:3.17.3 , suse/helm:3.17.3-61.6 , suse/helm:latest Container Release : 61.6 Severity : important Type : security References : 
1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/helm was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - openssl-3-3.2.3-150700.5.5.1 updated - container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:38 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:38 +0200 (CEST) Subject: SUSE-CU-2025:4574-1: Security update of bci/bci-init Message-ID: <20250620134038.7FD14F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4574-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.3 , bci/bci-init:latest Container Release : 41.3 Severity : important Type : security References : 1242060 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/bci-init was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:39 +0200 (CEST) Subject: SUSE-CU-2025:4575-1: Security update of bci/bci-init Message-ID: <20250620134039.AB7F8F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4575-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.6 , bci/bci-init:latest Container Release : 41.6 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:registry.suse.com-bci-bci-base-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:43 +0200 (CEST) Subject: SUSE-CU-2025:4577-1: Security update of bci/kiwi Message-ID: <20250620134043.2EF89F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4577-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.6 , bci/kiwi:latest Container Release : 16.6 Severity : important Type : security References : 1222044 1230267 1235598 1237172 1237587 1237949 1238315 1239012 1239543 1239809 1239909 1240132 1240529 1241020 1241078 1241189 1241463 1242060 1242269 1243226 1243887 1243901 1244105 1244509 CVE-2025-2588 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-46802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/kiwi was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1527-1 Released: Fri May 9 17:21:39 2025 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1222044,1230267,1235598,1237172,1237587,1237949,1238315,1239809,1240529 This update for libsolv, libzypp, zypper fixes the following issues: - Support the apk package and repository format (both v2 and v3) - New dataiterator_final_{repo,solvable} functions - Provide a symbol specific for the ruby-version so yast does not break across updates (bsc#1235598) - XmlReader: Fix detection of bad input streams - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more related attributes a service may set - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false) - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - Fix computation of RepStatus if Repo URLs change - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) - Add a transaction package preloader - Strip a mediahandler tag from baseUrl querystrings - Updated translations (bsc#1230267) - Do 
not double encode URL strings passed on the commandline (bsc#1237587) - info,search: add option to search and list Enhances (bsc#1237949) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1534-1 Released: Mon May 12 18:00:59 2025 Summary: Security update for augeas Type: security Severity: low References: 1239909,CVE-2025-2588 This update for augeas fixes the following issues: - CVE-2025-2588: Check for NULL pointers when calling re_case_expand in function fa_expand_nocase. (bsc#1239909) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2007-1 Released: Wed Jun 18 16:03:17 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed.
For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2016-1 Released: Thu Jun 19 09:14:28 2025 Summary: Security update for screen Type: security Severity: moderate References: 1242269,CVE-2025-46802 This update for screen fixes the following issues: Security issues fixed: - CVE-2025-46802: temporary `chmod` of a user's TTY to mode 0666 when attempting to attach to a multi-user session allows for TTY hijacking (bsc#1242269). Other issues fixed: - Use TTY file descriptor passing after a suspend (`MSG_CONT`). - Fix resume after suspend in multi-user mode. 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libfa1-1.14.1-150600.3.3.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - terminfo-base-6.1-150000.5.30.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - libudev1-254.24-150600.4.33.1 updated - libaugeas0-1.14.1-150600.3.3.1 updated - krb5-1.20.1-150600.11.11.2 updated - libsolv-tools-base-0.7.32-150600.8.10.1 updated - libzypp-17.37.5-150600.3.60.1 updated - zypper-1.14.90-150600.10.34.3 updated - pam-1.3.0-150000.6.83.1 updated - screen-4.6.2-150000.5.8.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:44 +0200 (CEST) Subject: SUSE-CU-2025:4578-1: Security update of bci/kiwi Message-ID: <20250620134044.5A034F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4578-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.8 , bci/kiwi:latest Container Release : 16.8 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:registry.suse.com-bci-bci-base-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:46 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:46 +0200 (CEST) Subject: SUSE-CU-2025:4579-1: Security update of suse/kubectl Message-ID: <20250620134046.CFAB3F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/kubectl ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4579-1 Container Tags : suse/kubectl:1.31 , suse/kubectl:1.31.9 , suse/kubectl:1.31.9-2.61.4 , suse/kubectl:oldstable , suse/kubectl:oldstable-2.61.4 Container Release : 61.4 Severity : important Type : security References : 1243317 CVE-2025-4802 ----------------------------------------------------------------- The container suse/kubectl was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated - container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:51 +0200 (CEST) Subject: SUSE-CU-2025:4581-1: Security update of bci/bci-minimal Message-ID: <20250620134051.E91ABF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-minimal ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4581-1 Container Tags : bci/bci-minimal:15.7 , bci/bci-minimal:15.7-9.3 , bci/bci-minimal:latest Container Release : 9.3 Severity : important Type : security References : 1243317 1244079 CVE-2025-40909 CVE-2025-4802 ----------------------------------------------------------------- The container bci/bci-minimal was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - perl-base-5.26.1-150300.17.20.1 updated - terminfo-base-6.1-150000.5.30.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:54 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:54 +0200 (CEST) Subject: SUSE-CU-2025:4582-1: Security update of suse/nginx Message-ID: <20250620134054.5E8CAF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4582-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-9.3 , suse/nginx:latest Container Release : 9.3 Severity : important Type : security References : 1242060 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:56 +0200 (CEST) Subject: SUSE-CU-2025:4584-1: Security update of suse/nginx Message-ID: <20250620134056.389ECF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/nginx ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4584-1 Container Tags : suse/nginx:1.21 , suse/nginx:1.21-61.2 , suse/nginx:latest Container Release : 61.2 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/nginx was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:40:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:40:58 +0200 (CEST) Subject: SUSE-CU-2025:4586-1: Security update of bci/nodejs Message-ID: <20250620134058.AB611F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4586-1 Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.3 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.3 , bci/nodejs:latest Container Release : 9.3 Severity : important Type : security References : 1242060 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - pam-1.3.0-150000.6.83.1 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:41:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:41:01 +0200 (CEST) Subject: SUSE-CU-2025:4588-1: Security update of bci/openjdk-devel Message-ID: <20250620134101.32BC8F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4588-1 Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.15.0 , bci/openjdk-devel:17.0.15.0-7.11 Container Release : 7.11 Severity : important Type : security References : 1241020 1241078 1241189 1242060 1243226 1243317 1244079 1244509 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-40909 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - perl-base-5.26.1-150300.17.20.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - ncurses-utils-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - pam-1.3.0-150000.6.83.1 updated - container:bci-openjdk-17-15.7.17-7.10 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:41:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:41:02 +0200 (CEST) Subject: SUSE-CU-2025:4589-1: Security update of bci/openjdk Message-ID: <20250620134102.AF1F4F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4589-1 Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.8 Container Release : 7.8 Severity : important Type : security 
References : 1241020 1241078 1241189 1242060 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:41:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:41:05 +0200 (CEST) Subject: SUSE-CU-2025:4591-1: Security update of bci/openjdk-devel Message-ID: <20250620134105.AD4A3F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4591-1 Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-10.10 , bci/openjdk-devel:latest Container Release : 10.10 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:bci-openjdk-21-15.7.21-10.9 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:41:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:41:07 +0200 (CEST) Subject: SUSE-CU-2025:4592-1: Security update of bci/openjdk Message-ID: <20250620134107.53A77F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4592-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.8 , bci/openjdk:latest Container Release : 10.8 Severity : important Type : security References : 1241020 1241078 1241189 1242060 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:58:28 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:58:28 +0200 (CEST) Subject: SUSE-CU-2025:4592-1: Security update of bci/openjdk Message-ID: <20250620135828.075FBF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4592-1 Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.8 , bci/openjdk:latest Container Release : 10.8 Severity : important Type : security References : 1241020 1241078 1241189 1242060 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1456-1 Released: Wed May 7 17:13:32 2025 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277 This update for sqlite3 fixes the following issues: - CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). 
The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libsqlite3-0-3.49.1-150000.3.27.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - krb5-1.20.1-150600.11.11.2 updated - container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:58:31 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:58:31 +0200 (CEST) Subject: SUSE-CU-2025:4595-1: Security update of suse/pcp Message-ID: <20250620135831.CB794F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4595-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.4 , suse/pcp:latest Container Release : 61.4 Severity : important Type : security References : 1242060 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1733-1 Released: Wed May 28 17:59:52 2025 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1242060 This update for krb5 fixes the following issue: - Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- ncurses-utils-6.1-150000.5.30.1 updated
- libudev1-254.24-150600.4.33.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- pam-1.3.0-150000.6.83.1 updated
- container:bci-bci-init-15.7-52236df3833867a7199e51a82ceea64e28c4879ff6d1d16b6effb834ccc37456-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:58:30 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:58:30 +0200 (CEST)
Subject: SUSE-CU-2025:4594-1: Security update of suse/pcp
Message-ID: <20250620135830.EB3FEF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4594-1
Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.3 , suse/pcp:latest
Container Release : 61.3
Severity : important
Type : security
References : 1236177 1237230 1237496 1241678 1242938 1243259 CVE-2024-10041
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1511-1
Released: Wed May 7 21:35:57 2025
Summary: Security update for apparmor
Type: security
Severity: moderate
References: 1241678,CVE-2024-10041

This update for apparmor fixes the following issues:

- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM.
  (bsc#1241678)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1739-1
Released: Thu May 29 11:40:51 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1236177,1237496,1242938,1243259

This update for systemd fixes the following issues:

- Add missing 'systemd-journal-remote' package to 15-SP7 (bsc#1243259)
- umount: do not move busy network mounts (bsc#1236177)
- Apply coredump sysctl settings on systemd-coredump updates/removals.
- Fix the issue with journalctl not working for users in Container UID range (bsc#1242938)
  Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids.
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1866-1
Released: Tue Jun 10 16:19:33 2025
Summary: Recommended update for kbd
Type: recommended
Severity: important
References: 1237230

This update for kbd fixes the following issues:

- Don't search for resources in the current directory.
  It can cause unwanted side effects or even infinite loop (bsc#1237230)

The following package changes have been done:

- kbd-2.4.0-150700.15.3.1 updated
- libapparmor1-3.1.7-150600.5.9.1 updated
- libsystemd0-254.24-150600.4.33.1 updated
- systemd-254.24-150600.4.33.1 updated
- container:bci-bci-init-15.7-e24769b1cac69fbbfec9b56d8571092c0c77c32bdb9439bc21d1c950d4d06c5b-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:58:32 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:58:32 +0200 (CEST)
Subject: SUSE-CU-2025:4596-1: Security update of suse/pcp
Message-ID: <20250620135833.40C3EF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4596-1
Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.5 , suse/pcp:latest
Container Release : 61.5
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done:

- perl-5.26.1-150300.17.20.1 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:58:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:58:41 +0200 (CEST)
Subject: SUSE-CU-2025:4601-1: Security update of suse/postgres
Message-ID: <20250620135841.7751DF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4601-1
Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-61.4
Container Release : 61.4
Severity : important
Type : security
References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).
The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- pam-1.3.0-150000.6.83.1 updated
- container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:58:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:58:43 +0200 (CEST)
Subject: SUSE-CU-2025:4602-1: Security update of suse/postgres
Message-ID: <20250620135843.863B5F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4602-1
Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-61.4 , suse/postgres:latest
Container Release : 61.4
Severity : important
Type : security
References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container suse/postgres was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).
The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- pam-1.3.0-150000.6.83.1 updated
- container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:58:45 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:58:45 +0200 (CEST)
Subject: SUSE-CU-2025:4603-1: Security update of bci/python
Message-ID: <20250620135845.BACC8F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4603-1
Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.11 , bci/python:3.11.11-71.3
Container Release : 71.3
Severity : important
Type : security
References : 1241020 1241078 1241189 1242060 1243317 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-4802
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).
The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:58:53 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:58:53 +0200 (CEST)
Subject: SUSE-CU-2025:4607-1: Security update of suse/mariadb-client
Message-ID: <20250620135853.0796EF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4607-1
Container Tags : suse/mariadb-client:11.4 , suse/mariadb-client:11.4.5 , suse/mariadb-client:11.4.5-61.4 , suse/mariadb-client:latest
Container Release : 61.4
Severity : important
Type : security
References : 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container suse/mariadb-client was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802

This update for glibc fixes the following issues:

- CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- pam-1.3.0-150000.6.83.1 updated
- container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:58:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:58:55 +0200 (CEST)
Subject: SUSE-CU-2025:4608-1: Security update of suse/mariadb
Message-ID: <20250620135855.1D5E3F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/mariadb
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4608-1
Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.6 ,
suse/mariadb:latest
Container Release : 61.6
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container suse/mariadb was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).

The following package changes have been done:

- perl-base-5.26.1-150300.17.20.1 updated
- perl-5.26.1-150300.17.20.1 updated
- container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:00 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:00 +0200 (CEST)
Subject: SUSE-CU-2025:4610-1: Security update of bci/ruby
Message-ID: <20250620135900.256C0F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4610-1
Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-11.3
Container Release : 11.3
Severity : important
Type : security
References : 1242060 1243226 1244509 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container bci/ruby was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).
The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- pam-1.3.0-150000.6.83.1 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:02 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:02 +0200 (CEST)
Subject: SUSE-CU-2025:4612-1: Security update of bci/ruby
Message-ID: <20250620135902.CAD82F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4612-1
Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-10.3 , bci/ruby:latest
Container Release : 10.3
Severity : important
Type : security
References : 1242060 1243226 1244509 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- pam-1.3.0-150000.6.83.1 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:08 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:08 +0200 (CEST)
Subject: SUSE-CU-2025:4615-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250620135908.8697EF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4615-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.3 , bci/bci-sle15-kernel-module-devel:latest
Container Release : 41.3
Severity : important
Type : security
References : 1241020 1241078 1241189 1242060 1243226 1244509 CVE-2025-29087 CVE-2025-29088 CVE-2025-3277 CVE-2025-6018 CVE-2025-6020
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1456-1
Released: Wed May 7 17:13:32 2025
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1241020,1241078,1241189,CVE-2025-29087,CVE-2025-29088,CVE-2025-3277

This update for sqlite3 fixes the following issues:

- CVE-2025-29087,CVE-2025-3277: Fixed integer overflow in sqlite concat function (bsc#1241020)
- CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078)

Other fixes:

- Updated to version 3.49.1 from Factory (jsc#SLE-16032)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:

This update for ncurses fixes the following issues:

- Backport sclp terminfo description entry if for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060

This update for krb5 fixes the following issue:

- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2013-1
Released: Wed Jun 18 20:05:07 2025
Summary: Security update for pam
Type: security
Severity: important
References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020

This update for pam fixes the following issues:

- CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226).
- CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509).

The following package changes have been done:

- glibc-2.38-150600.14.32.1 updated
- libsqlite3-0-3.49.1-150000.3.27.1 updated
- libncurses6-6.1-150000.5.30.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- pam-1.3.0-150000.6.83.1 updated
- container:registry.suse.com-bci-bci-base-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:09 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:09 +0200 (CEST)
Subject: SUSE-CU-2025:4616-1: Security update of bci/bci-sle15-kernel-module-devel
Message-ID: <20250620135909.7B69DF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4616-1
Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.5 , bci/bci-sle15-kernel-module-devel:latest
Container Release : 41.5
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done:

- perl-base-5.26.1-150300.17.20.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:12 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:12 +0200 (CEST)
Subject: SUSE-CU-2025:4617-1: Security update of suse/sle15
Message-ID: <20250620135912.B1C69F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4617-1
Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.5 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.5 , suse/sle15:latest
Container Release : 5.8.5
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done:

- perl-base-5.26.1-150300.17.20.1 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:14 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:14 +0200 (CEST)
Subject: SUSE-CU-2025:4618-1: Security update of bci/spack
Message-ID: <20250620135914.EEF41F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4618-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.4 , bci/spack:latest
Container Release : 13.4
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container bci/spack was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done:

- perl-5.26.1-150300.17.20.1 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:18 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:18 +0200 (CEST)
Subject: SUSE-CU-2025:4620-1: Security update of bci/spack
Message-ID: <20250620135918.9538CF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/spack
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4620-1
Container Tags : bci/spack:0.23 , bci/spack:0.23.1 , bci/spack:0.23.1-13.6 , bci/spack:latest
Container Release : 13.6
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/spack was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl-3-devel-3.2.3-150700.5.5.1 updated

From sle-container-updates at lists.suse.com Fri Jun 20 13:59:20 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 20 Jun 2025 15:59:20 +0200 (CEST)
Subject: SUSE-CU-2025:4621-1: Security update of suse/stunnel
Message-ID: <20250620135920.A7D5AF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/stunnel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4621-1
Container Tags : suse/stunnel:5 , suse/stunnel:5.70 , suse/stunnel:5.70-61.6 , suse/stunnel:latest
Container Release : 61.6
Severity : moderate
Type : security
References : 1244079 CVE-2025-40909
-----------------------------------------------------------------

The container suse/stunnel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2027-1
Released: Thu Jun 19 17:15:41 2025
Summary: Security update for perl
Type: security
Severity: moderate
References: 1244079,CVE-2025-40909

This update for perl fixes the following issues:

- CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 13:59:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 15:59:23 +0200 (CEST) Subject: SUSE-CU-2025:4622-1: Security update of suse/valkey Message-ID: <20250620135923.51913F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4622-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.2 , suse/valkey:8.0.2-61.4 , suse/valkey:latest Container Release : 61.4 Severity : important Type : security References : 1243226 1243317 1244509 CVE-2025-4802 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/valkey was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1702-1 Released: Sat May 24 11:50:53 2025 Summary: Security update for glibc Type: security Severity: important References: 1243317,CVE-2025-4802 This update for glibc fixes the following issues: - CVE-2025-4802: possible execution of attacker controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:1714-1 Released: Tue May 27 13:23:20 2025 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: This update for ncurses fixes the following issues: - Backport sclp terminfo description entry if for s390 sclp terminal lines - Add a further sclp entry for qemu s390 based systems - Make use of dumb ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). The following package changes have been done: - glibc-2.38-150600.14.32.1 updated - libncurses6-6.1-150000.5.30.1 updated - terminfo-base-6.1-150000.5.30.1 updated - pam-1.3.0-150000.6.83.1 updated - container:suse-sle15-15.7-04113e63d8b21a6587df36873c0cfa792cda3b832bf43939774fdf420ef97fc3-0 updated - container:registry.suse.com-bci-bci-micro-15.7-682126fbb8603c66bc615024220d2f4fa79e146fba005a14d926e8cf9c4eae15-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:01:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:01:01 +0200 (CEST) Subject: SUSE-CU-2025:4623-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250620140101.BC2A6FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4623-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , 
suse/manager/4.3/proxy-httpd:4.3.15.9.63.39 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.39 Severity : moderate Type : security References : 1239012 1239543 1240132 1241463 1243887 1243901 1244079 1244105 CVE-2025-40909 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2022-1 Released: Thu Jun 19 15:14:37 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys.
When refreshing, zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079).
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - libzypp-17.37.5-150400.3.126.1 updated - zypper-1.14.90-150400.3.85.3 updated - container:sles15-ltss-image-15.4.0-2.50 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:02:06 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:02:06 +0200 (CEST) Subject: SUSE-CU-2025:4624-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20250620140206.C03B8FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4624-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.15 , suse/manager/4.3/proxy-salt-broker:4.3.15.9.53.48 , suse/manager/4.3/proxy-salt-broker:latest Container Release : 9.53.48 Severity : moderate Type : security References : 1239012 1239543 1240132 1241463 1243887 1243901 1244079 1244105 CVE-2025-40909 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2022-1 Released: Thu Jun 19 15:14:37 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. 
(bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing, zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files.
- man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - libzypp-17.37.5-150400.3.126.1 updated - zypper-1.14.90-150400.3.85.3 updated - container:sles15-ltss-image-15.4.0-2.50 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:03:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:03:08 +0200 (CEST) Subject: SUSE-CU-2025:4625-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20250620140308.D5533FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4625-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.15 , suse/manager/4.3/proxy-squid:4.3.15.9.62.28 , suse/manager/4.3/proxy-squid:latest Container Release : 9.62.28 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:sles15-ltss-image-15.4.0-2.50 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:13:13 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:13:13 +0200 (CEST) Subject: SUSE-CU-2025:4626-1: Security update of suse/bind Message-ID: <20250620141313.6815AFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/bind ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4626-1 Container Tags : suse/bind:9 , suse/bind:9.20 , suse/bind:9.20.9 , suse/bind:9.20.9-61.7 , suse/bind:latest Container Release : 61.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/bind was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). 
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:13:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:13:15 +0200 (CEST) Subject: SUSE-CU-2025:4627-1: Security update of suse/registry Message-ID: <20250620141315.2521AFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4627-1 Container Tags : suse/registry:2.8 , suse/registry:2.8-5.5 , suse/registry:latest Container Release : 5.5 Severity : important Type : security References : 1236136 1236599 1243459 1244079 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 CVE-2025-40909 ----------------------------------------------------------------- The container suse/registry was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - openssl-3-3.2.3-150700.5.5.1 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:13:17 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:13:17 +0200 (CEST) Subject: SUSE-CU-2025:4628-1: Security update of suse/postgres Message-ID: <20250620141317.9599DFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4628-1 Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-61.6 Container Release : 61.6 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:13:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:13:20 +0200 (CEST) Subject: SUSE-CU-2025:4629-1: Security update of suse/mariadb-client Message-ID: <20250620141320.0E198FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb-client ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4629-1 Container Tags : suse/mariadb-client:11.4 , suse/mariadb-client:11.4.5 , suse/mariadb-client:11.4.5-61.6 , suse/mariadb-client:latest Container Release : 61.6 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/mariadb-client was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:13:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:13:22 +0200 (CEST) Subject: SUSE-CU-2025:4630-1: Security update of suse/stunnel Message-ID: <20250620141322.46B3DFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/stunnel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4630-1 Container Tags : suse/stunnel:5 , suse/stunnel:5.70 , suse/stunnel:5.70-61.7 , suse/stunnel:latest Container Release : 61.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/stunnel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:13:24 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:13:24 +0200 (CEST) Subject: SUSE-CU-2025:4631-1: Security update of suse/valkey Message-ID: <20250620141324.995D2FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/valkey ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4631-1 Container Tags : suse/valkey:8 , suse/valkey:8.0 , suse/valkey:8.0.2 , suse/valkey:8.0.2-61.6 , suse/valkey:latest Container Release : 61.6 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/valkey was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - container:suse-sle15-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:14:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:14:09 +0200 (CEST) Subject: SUSE-CU-2025:4625-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20250620141409.CF5CAFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4625-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.15 , suse/manager/4.3/proxy-squid:4.3.15.9.62.28 , suse/manager/4.3/proxy-squid:latest Container Release : 9.62.28 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:sles15-ltss-image-15.4.0-2.50 updated From sle-container-updates at lists.suse.com Fri Jun 20 12:58:37 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 14:58:37 +0200 (CEST) Subject: SUSE-CU-2025:4543-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250620125837.B08C4FD1A@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4543-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.4 Container Release : 44.4 Severity : important Type : security References : 1220112 1223096 1226498 1229491 1230581 1231016 1232649 1232882 1233192 1234154 1235149 1235968 1236142 1236208 1237312 1238212 1238473 1238774 1238992 1239691 1239925 1240593 1240866 1240966 1241148 1241282 1241305 1241340 1241351 1241376 1241448 1241457 1241492 1241519 1241525 1241533 1241538 1241576 1241590 1241595 1241596 1241597 1241625 1241627 1241635 1241638 1241644 1241654 1241657 1242006 1242012 1242035 1242044 1242203 1242343 1242414 1242417 1242501 1242502 1242506 1242507 1242509 1242510 1242512 1242513 1242514 1242520 1242523 1242524 1242529 1242530 1242531 1242532 1242559 1242563 1242564 1242565 1242566 1242567 1242568 1242569 1242574 1242575 1242578 1242584 1242585 1242587 1242591 1242709 
1242727 1242758 1242760 1242761 1242762 1242763 1242764 1242766 1242770 1242778 1242781 1242782 1242785 1242786 1242792 1242852 1242854 1242856 1242859 1242860 1242861 1242866 1242867 1242868 1242871 1242873 1242875 1242906 1242908 1242924 1242930 1242944 1242945 1242948 1242949 1242951 1242953 1242955 1242957 1242959 1242961 1242962 1242973 1242974 1242977 1242990 1242993 1243000 1243006 1243011 1243015 1243044 1243049 1243056 1243074 1243076 1243077 1243082 1243090 1243226 1243330 1243342 1243456 1243469 1243470 1243471 1243472 1243473 1243476 1243509 1243511 1243513 1243515 1243516 1243517 1243519 1243522 1243524 1243528 1243529 1243530 1243534 1243536 1243539 1243540 1243541 1243543 1243545 1243547 1243559 1243560 1243562 1243567 1243573 1243574 1243575 1243589 1243621 1243624 1243625 1243626 1243627 1243649 1243657 1243658 1243659 1243660 1243664 1243737 1243805 1243963 1244509 CVE-2023-53146 CVE-2024-28956 CVE-2024-43869 CVE-2024-46713 CVE-2024-50106 CVE-2024-50223 CVE-2024-53135 CVE-2024-54458 CVE-2024-58098 CVE-2024-58099 CVE-2024-58100 CVE-2024-58237 CVE-2025-21629 CVE-2025-21648 CVE-2025-21702 CVE-2025-21787 CVE-2025-21814 CVE-2025-21919 CVE-2025-22005 CVE-2025-22021 CVE-2025-22030 CVE-2025-22056 CVE-2025-22057 CVE-2025-22063 CVE-2025-22066 CVE-2025-22070 CVE-2025-22089 CVE-2025-22095 CVE-2025-22103 CVE-2025-22119 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23140 CVE-2025-23141 CVE-2025-23142 CVE-2025-23144 CVE-2025-23146 CVE-2025-23147 CVE-2025-23148 CVE-2025-23149 CVE-2025-23150 CVE-2025-23151 CVE-2025-23156 CVE-2025-23157 CVE-2025-23158 CVE-2025-23159 CVE-2025-23160 CVE-2025-23161 CVE-2025-37740 CVE-2025-37741 CVE-2025-37742 CVE-2025-37747 CVE-2025-37748 CVE-2025-37749 CVE-2025-37750 CVE-2025-37754 CVE-2025-37755 CVE-2025-37758 CVE-2025-37765 CVE-2025-37766 CVE-2025-37767 CVE-2025-37768 CVE-2025-37769 CVE-2025-37770 CVE-2025-37771 CVE-2025-37772 CVE-2025-37773 CVE-2025-37780 CVE-2025-37781 CVE-2025-37782 CVE-2025-37787 CVE-2025-37788 
CVE-2025-37789 CVE-2025-37790 CVE-2025-37792 CVE-2025-37793 CVE-2025-37794 CVE-2025-37796 CVE-2025-37797 CVE-2025-37798 CVE-2025-37803 CVE-2025-37804 CVE-2025-37805 CVE-2025-37809 CVE-2025-37810 CVE-2025-37812 CVE-2025-37815 CVE-2025-37819 CVE-2025-37820 CVE-2025-37823 CVE-2025-37824 CVE-2025-37829 CVE-2025-37830 CVE-2025-37831 CVE-2025-37833 CVE-2025-37836 CVE-2025-37839 CVE-2025-37840 CVE-2025-37841 CVE-2025-37842 CVE-2025-37849 CVE-2025-37850 CVE-2025-37851 CVE-2025-37852 CVE-2025-37853 CVE-2025-37854 CVE-2025-37858 CVE-2025-37867 CVE-2025-37870 CVE-2025-37871 CVE-2025-37873 CVE-2025-37875 CVE-2025-37879 CVE-2025-37881 CVE-2025-37886 CVE-2025-37887 CVE-2025-37889 CVE-2025-37890 CVE-2025-37891 CVE-2025-37892 CVE-2025-37897 CVE-2025-37900 CVE-2025-37901 CVE-2025-37903 CVE-2025-37905 CVE-2025-37911 CVE-2025-37912 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37918 CVE-2025-37925 CVE-2025-37928 CVE-2025-37929 CVE-2025-37930 CVE-2025-37931 CVE-2025-37932 CVE-2025-37937 CVE-2025-37943 CVE-2025-37944 CVE-2025-37948 CVE-2025-37949 CVE-2025-37951 CVE-2025-37953 CVE-2025-37954 CVE-2025-37957 CVE-2025-37958 CVE-2025-37959 CVE-2025-37960 CVE-2025-37963 CVE-2025-37969 CVE-2025-37970 CVE-2025-37972 CVE-2025-37974 CVE-2025-37978 CVE-2025-37979 CVE-2025-37980 CVE-2025-37982 CVE-2025-37983 CVE-2025-37985 CVE-2025-37986 CVE-2025-37989 CVE-2025-37990 CVE-2025-38104 CVE-2025-38152 CVE-2025-38240 CVE-2025-38637 CVE-2025-39735 CVE-2025-40014 CVE-2025-40325 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2000-1 Released: Wed Jun 18 13:08:14 2025 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1220112,1223096,1226498,1229491,1230581,1231016,1232649,1232882,1233192,1234154,1235149,1235968,1236142,1236208,1237312,1238212,1238473,1238774,1238992,1239691,1239925,1240593,1240866,1240966,1241148,1241282,1241305,1241340,1241351,1241376,1241448,1241457,1241492,1241519,1241525,1241533,1241538,1241576,1241590,1241595,1241596,1241597,1241625,1241627,1241635,1241638,1241644,1241654,1241657,1242006,1242012,1242035,1242044,1242203,1242343,1242414,1242417,1242501,1242502,1242506,1242507,1242509,1242510,1242512,1242513,1242514,1242520,1242523,1242524,1242529,1242530,1242531,1242532,1242559,1242563,1242564,1242565,1242566,1242567,1242568,1242569,1242574,1242575,1242578,1242584,1242585,1242587,1242591,1242709,1242727,1242758,1242760,1242761,1242762,1242763,1242764,1242766,1242770,1242778,1242781,1242782,1242785,1242786,1242792,1242852,1242854,1242856,1242859,1242860,1242861,1242866,1242867,1242868,1242871,1242873,1242875,1242906,1242908,1242924,1242930,1242944,1242945,1242948,1242949,1242951,1242953,1242955,1242957,1242959,1242961,1242962,1242973,1242974,1242977,1242990,1242993,1243000,1243006,1243011,1243015,1243044,1243049,1243056,1243074,1243076,1243077,1243082,1243090,1243330,1243342,1243456,1243469,1243470,1243471,1243472,1243473,1243476,1243509,1243511,1243513,1243515,1243516,1243517,1243519,1243522,1243524,1243528,1243529,1243530,1243534,1243536,1243539,1243540,1243541,1243543,1243545,1243547,1243559,1243560,1243562,1243567,1243573,1243574,1243575,1243589,1243621,1243624,1243625,1243626,1243627,1243649,1243657,1243658,1243659,1243660,1243664,1243737,1243805,1243963,CVE-2023-53146,CVE-2024-28956,CVE-2024-43869,CVE-2024-46713,CVE-2024-50106,CVE-2024-50223,CVE-2024-53135,CVE-2024-54458,CVE-2024-58098,CVE-2024-58099,CVE-2024-58100,CVE-2024-58237,CVE-2025-21629,CVE-2025-21648,CVE-2025-21702,CVE-2025-21787,CVE-2025-21814,CVE-2025-21919,CVE-2025-22005,CVE-2025-22021,CVE-2025-22030,CVE-2025-22056,CVE-2025-22057,CVE-2025-22063,CVE-2025-22066,CVE-2025-22070,CVE-2025-22089,CVE-2025-22095,CVE-2025-22103,CVE-2025-22119,CVE-2025-22124,CVE-2025-22125,CVE-2025-22126,CVE-2025-23140,CVE-2025-23141,CVE-2025-23142,CVE-2025-23144,CVE-2025-23146,CVE-2025-23147,CVE-2025-23148,CVE-2025-23149,CVE-2025-23150,CVE-2025-23151,CVE-2025-23156,CVE-2025-23157,CVE-2025-23158,CVE-2025-23159,CVE-2025-23160,CVE-2025-23161,CVE-2025-37740,CVE-2025-37741,CVE-2025-37742,CVE-2025-37747,CVE-2025-37748,CVE-2025-37749,CVE-2025-37750,CVE-2025-37754,CVE-2025-37755,CVE-2025-37758,CVE-2025-37765,CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37769,CVE-2025-37770,CVE-2025-37771,CVE-2025-37772,CVE-2025-37773,CVE-2025-37780,CVE-2025-37781,CVE-2025-37782,CVE-2025-37787,CVE-2025-37788,CVE-2025-37789,CVE-2025-37790,CVE-2025-37792,CVE-2025-37793,CVE-2025-37794,CVE-2025-37796,CVE-2025-37797,CVE-2025-37798,CVE-2025-37803,CVE-2025-37804,CVE-2025-37805,CVE-2025-37809,CVE-2025-37810,CVE-2025-37812,CVE-2025-37815,CVE-2025-37819,CVE-2025-37820,CVE-2025-37823,CVE-2025-37824,CVE-2025-37829,CVE-2025-37830,CVE-2025-37831,CVE-2025-37833,CVE-2025-37836,CVE-2025-37839,CVE-2025-37840,CVE-2025-37841,CVE-2025-37842,CVE-2025-37849,CVE-2025-37850,CVE-2025-37851,CVE-2025-37852,CVE-2025-37853,CVE-2025-37854,CVE-2025-37858,CVE-2025-37867,CVE-2025-37870,CVE-2025-37871,CVE-2025-37873,CVE-2025-37875,CVE-2025-37879,CVE-2025-37881,CVE-2025-37886,CVE-2025-37887,CVE-2025-37889,CVE-2025-37890,CVE-2025-37891,CVE-2025-37892,CVE-2025-37897,CVE-2025-37900,CVE-2025-37901,CVE-2025-37903,CVE-2025-37905,CVE-2025-37911,CVE-2025-37912,CVE-2025-37913,CVE-2025-37914,CVE-2025-37915,CVE-2025-37918,CVE-2025-37925,CVE-2025-37928,CVE-2025-37929,CVE-2025-37930,CVE-2025-37931,CVE-2025-37932,CVE-2025-37937,CVE-2025-37943,CVE-2025-37944,CVE-2025-37948,CVE-2025-37949,CVE-2025-37951,CVE-2025-37953,CVE-2025-37954,CVE-2025-37957,CVE-2025-37958,CVE-2025-37959,CVE-2025-37960,CVE-2025-37963,CVE-2025-37969,CVE-2025-37970,CVE-2025-37972,CVE-2025-37974,CVE-2025-37978,CVE-2025-37979,CVE-2025-37980,CVE-2025-37982,CVE-2025-37983,CVE-2025-37985,CVE-2025-37986,CVE-2025-37989,CVE-2025-37990,CVE-2025-38104,CVE-2025-38152,CVE-2025-38240,CVE-2025-38637,CVE-2025-39735,CVE-2025-40014,CVE-2025-40325
The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006). - CVE-2024-46713: kabi fix for perf/aux: Fix AUX buffer serialization (bsc#1230581). - CVE-2024-50223: sched/numa: Fix the potential null pointer dereference in (bsc#1233192). - CVE-2024-53135: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (bsc#1234154). - CVE-2024-54458: scsi: ufs: bsg: Set bsg_queue to NULL after removal (bsc#1238992). - CVE-2025-21648: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (bsc#1236142). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
- CVE-2025-21787: team: better TEAM_OPTION_TYPE_STRING validation (bsc#1238774). - CVE-2025-21814: ptp: Ensure info->enable callback is always set (bsc#1238473). - CVE-2025-21919: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (bsc#1240593). - CVE-2025-22021: netfilter: socket: Lookup orig tuple for IPv6 SNAT (bsc#1241282). - CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() (bsc#1241376). - CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525). - CVE-2025-22057: net: decrease cached dst counters in dst_release (bsc#1241533). - CVE-2025-22063: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (bsc#1241351). - CVE-2025-22070: fs/9p: fix NULL pointer dereference on mkdir (bsc#1241305). - CVE-2025-22103: net: fix NULL pointer dereference in l3mdev_l3_rcv (bsc#1241448). - CVE-2025-23140: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (bsc#1242763). - CVE-2025-23150: ext4: fix off-by-one error in do_split (bsc#1242513). - CVE-2025-23160: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (bsc#1242507). - CVE-2025-37748: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group (bsc#1242523). - CVE-2025-37749: net: ppp: Add bound checking for skb data on ppp_sync_txmung (bsc#1242859). - CVE-2025-37750: smb: client: fix UAF in decryption with multichannel (bsc#1242510). - CVE-2025-37755: net: libwx: handle page_pool_dev_alloc_pages error (bsc#1242506). - CVE-2025-37773: virtiofs: add filesystem context source name check (bsc#1242502). - CVE-2025-37780: isofs: Prevent the use of too small fid (bsc#1242786). - CVE-2025-37787: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (bsc#1242585). - CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762). 
- CVE-2025-37790: net: mctp: Set SOCK_RCU_FREE (bsc#1242509). - CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417). - CVE-2025-37803: udmabuf: fix a buf size overflow issue during udmabuf creation (bsc#1242852). - CVE-2025-37804: io_uring: always do atomic put from iowq (bsc#1242854). - CVE-2025-37809: usb: typec: class: Unlocked on error in typec_register_partner() (bsc#1242856). - CVE-2025-37820: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (bsc#1242866). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37824: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (bsc#1242867). - CVE-2025-37829: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (bsc#1242875). - CVE-2025-37830: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (bsc#1242860). - CVE-2025-37831: cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate() (bsc#1242861). - CVE-2025-37833: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads (bsc#1242868). - CVE-2025-37842: spi: fsl-qspi: Fix double cleanup in probe error path (bsc#1242951). - CVE-2025-37870: drm/amd/display: prevent hang on link training fail (bsc#1243056). - CVE-2025-37879: 9p/net: fix improper handling of bogus negative read/write replies (bsc#1243077). - CVE-2025-37886: pds_core: make wait_context part of q_info (bsc#1242944). - CVE-2025-37887: pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result (bsc#1242962). - CVE-2025-37949: xenbus: Use kref to track req lifetime (bsc#1243541). - CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664). - CVE-2025-37957: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (bsc#1243513). - CVE-2025-37958: mm/huge_memory: fix dereferencing invalid pmd migration entry (bsc#1243539). 
- CVE-2025-37960: memblock: Accept allocated memory before use in memblock_double_array() (bsc#1243519). - CVE-2025-37974: s390/pci: Fix missing check for zpci_create_device() error return (bsc#1243547). - CVE-2025-38152: remoteproc: core: Clear table_sz when rproc_shutdown (bsc#1241627). - CVE-2025-38637: net_sched: skbprio: Remove overly strict queue assertions (bsc#1241657). The following non-security bugs were fixed: - ACPI: PPTT: Fix processor subtable walk (git-fixes). - ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (git-fixes). - ALSA: seq: Fix delivery of UMP events to group ports (git-fixes). - ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes). - ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info (git-fixes). - ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() (stable-fixes). - ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (stable-fixes). - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset (stable-fixes). - ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext (git-fixes). - ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction (git-fixes). - ASoC: Use of_property_read_bool() (stable-fixes). - ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties (stable-fixes). - ASoc: SOF: topology: connect DAI to a single DAI link (git-fixes). - Bluetooth: L2CAP: Fix not checking l2cap_chan security level (git-fixes). - Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags (git-fixes). - Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling (git-fixes). - Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes). - Fix write to cloned skb in ipv6_hop_ioam() (git-fixes). - HID: thrustmaster: fix memory leak in thrustmaster_interrupts() (git-fixes). 
- HID: uclogic: Add NULL check in uclogic_input_configured() (git-fixes). - IB/cm: use rwlock for MAD agent lock (git-fixes) - Input: cyttsp5 - ensure minimum reset pulse width (git-fixes). - Input: mtk-pmic-keys - fix possible null pointer dereference (git-fixes). - Input: synaptics - enable InterTouch on Dell Precision M3800 (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30-D (stable-fixes). - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (stable-fixes). - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (stable-fixes). - Input: synaptics - enable SMBus for HP Elitebook 850 G1 (stable-fixes). - Input: synaptics-rmi - fix crash with unsupported versions of F34 (git-fixes). - Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller (stable-fixes). - Input: xpad - fix Share button on Xbox One controllers (stable-fixes). - Input: xpad - fix two controller table values (git-fixes). - KVM: SVM: Allocate IR data using atomic allocation (git-fixes). - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value (git-fixes). - KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes). - KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields (git-fixes). - KVM: VMX: Do not modify guest XFD_ERR if CR0.TS=1 (git-fixes). - KVM: arm64: Change kvm_handle_mmio_return() return polarity (git-fixes). - KVM: arm64: Fix RAS trapping in pKVM for protected VMs (git-fixes). - KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status (git-fixes). - KVM: arm64: Mark some header functions as inline (git-fixes). - KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes). - KVM: arm64: timer: Always evaluate the need for a soft timer (git-fixes). - KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* (git-fixes). - KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device (git-fixes). - KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE (git-fixes). 
- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI not found (git-fixes). - KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs (git-fixes). - KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation (git-fixes). - KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes). - KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation (git-fixes). - KVM: s390: Do not use %pK through debug printing (git-fixes bsc#1243657). - KVM: s390: Do not use %pK through tracepoints (git-fixes bsc#1243658). - KVM: x86/xen: Use guest's copy of pvclock when starting timer (git-fixes). - KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (git-fixes). - KVM: x86: Do not take kvm->lock when iterating over vCPUs in suspend notifier (git-fixes). - KVM: x86: Explicitly treat routing entry type changes as changes (git-fixes). - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM (git-fixes). - KVM: x86: Explicitly zero-initialize on-stack CPUID unions (git-fixes). - KVM: x86: Make x2APIC ID 100% readonly (git-fixes). - KVM: x86: Reject disabling of MWAIT/HLT interception when not allowed (git-fixes). - KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (git-fixes). - KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found (git-fixes). - NFS: O_DIRECT writes must check and adjust the file length (git-fixes). - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up (git-fixes). - NFSv4/pnfs: Reset the layout state after a layoutreturn (git-fixes). - NFSv4: Do not trigger uneccessary scans for return-on-close delegations (git-fixes). 
- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes) - RDMA/core: Fix 'KASAN: slab-use-after-free Read in ib_register_device' problem (git-fixes) - RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes) - RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes) - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes) - RDMA/rxe: Fix 'trying to register non-static key in rxe_qp_do_cleanup' bug (git-fixes) - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes) - Squashfs: check return result of sb_min_blocksize (git-fixes). - USB: usbtmc: use interruptible sleep in usbtmc_read (git-fixes). - Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes). - add bug reference for an existing hv_netvsc change (bsc#1243737). - afs: Fix the server_list to unuse a displaced server rather than putting it (git-fixes). - afs: Make it possible to find the volumes that are using a server (git-fixes). - arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes) - arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes) - arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes) - arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes) - arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes) - arm64: insn: Add support for encoding DSB (git-fixes) - arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes) - arm64: proton-pack: Expose whether the branchy loop k value (git-fixes) - arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes) - arp: switch to dev_getbyhwaddr() in arp_req_set_public() (git-fixes). - bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() (git-fixes). - bnxt_en: Fix coredump logic to free allocated buffer (git-fixes). - bnxt_en: Fix ethtool -d byte order for 32-bit values (git-fixes). 
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (git-fixes). - bpf: Fix mismatched RCU unlock flavour in bpf_out_neigh_v6 (git-fixes). - bpf: Scrub packet on bpf_redirect_peer (git-fixes). - btrfs: adjust subpage bit start based on sectorsize (bsc#1241492). - btrfs: avoid NULL pointer dereference if no valid csum tree (bsc#1243342). - btrfs: avoid NULL pointer dereference if no valid extent tree (bsc#1236208). - btrfs: avoid monopolizing a core when activating a swap file (git-fixes). - btrfs: do not loop for nowait writes when checking for cross references (git-fixes). - btrfs: fix a leaked chunk map issue in read_one_chunk() (git-fixes). - btrfs: fix discard worker infinite loop after disabling discard (bsc#1242012). - btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers (git-fixes). - cBPF: Refresh fixes for cBPF issue (bsc#1242778) - can: bcm: add locking for bcm_op runtime updates (git-fixes). - can: bcm: add missing rcu read protection for procfs content (git-fixes). - can: gw: fix RCU/BH usage in cgw_create_job() (git-fixes). - can: mcan: m_can_class_unregister(): fix order of unregistration calls (git-fixes). - can: mcp251xfd: fix TDC setting for low data bit rates (git-fixes). - can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls (git-fixes). - can: slcan: allow reception of short error messages (git-fixes). - check-for-config-changes: Fix flag name typo - cifs: change tcon status when need_reconnect is set on it (git-fixes). - cifs: reduce warning log level for server not advertising interfaces (git-fixes). - crypto: algif_hash - fix double free in hash_accept (git-fixes). - devlink: fix port new reply cmd type (git-fixes). - dm-integrity: fix a warning on invalid table line (git-fixes). - dma-buf: insert memory barrier before updating num_fences (git-fixes). - dmaengine: Revert 'dmaengine: dmatest: Fix dmatest waiting less when interrupted' (git-fixes). 
- dmaengine: idxd: Add missing cleanup for early error out in idxd_setup_internals (git-fixes). - dmaengine: idxd: Add missing cleanups in cleanup internals (git-fixes). - dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove call (git-fixes). - dmaengine: idxd: Fix ->poll() return value (git-fixes). - dmaengine: idxd: Fix allowing write() from different address spaces (git-fixes). - dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_pci_probe (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (git-fixes). - dmaengine: idxd: fix memory leak in error handling path of idxd_setup_wqs (git-fixes). - dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() (git-fixes). - dmaengine: mediatek: drop unused variable (git-fixes). - dmaengine: ti: k3-udma: Add missing locking (git-fixes). - dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (git-fixes). - drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp (stable-fixes). - drm/amd/display: Avoid flooding unnecessary info messages (git-fixes). - drm/amd/display: Copy AUX read reply data whenever length > 0 (git-fixes). - drm/amd/display: Correct the reply value when AUX write incomplete (git-fixes). - drm/amd/display: Fix slab-use-after-free in hdcp (git-fixes). - drm/amd/display: Fix the checking condition in dmub aux handling (stable-fixes). - drm/amd/display: Fix wrong handling for AUX_DEFER case (git-fixes). - drm/amd/display: Remove incorrect checking in dmub aux handler (git-fixes). - drm/amd/display: Shift DMUB AUX reply command if necessary (git-fixes). - drm/amd/display: more liberal vmin/vmax update for freesync (stable-fixes). 
- drm/amd: Add Suspend/Hibernate notification callback support (stable-fixes). - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush (git-fixes). - drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes). - drm/amdgpu: fix pm notifier handling (git-fixes). - drm/amdgpu: trigger flr_work if reading pf2vf data failed (stable-fixes). - drm/edid: fixed the bug that hdr metadata was not reset (git-fixes). - drm/panel: simple: Update timings for AUO G101EVN010 (git-fixes). - drm/v3d: Add job to pending list if the reset was skipped (stable-fixes). - exfat: fix potential wrong error return from get_block (git-fixes). - hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes). - hv_netvsc: Remove rmsg_pgcnt (git-fixes). - hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes). - i2c: designware: Fix an error handling path in i2c_dw_pci_probe() (git-fixes). - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() (git-fixes). - idpf: fix offloads support for encapsulated packets (git-fixes). - idpf: fix potential memory leak on kcalloc() failure (git-fixes). - idpf: protect shutdown from reset (git-fixes). - igc: fix lock order in igc_ptp_reset (git-fixes). - iio: accel: adxl367: fix setting odr for activity time update (git-fixes). - iio: adc: ad7606: fix serial register access (git-fixes). - iio: adis16201: Correct inclinometer channel resolution (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (git-fixes). - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (git-fixes). - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer (git-fixes). - inetpeer: remove create argument of inet_getpeer_v() (git-fixes). - inetpeer: update inetpeer timestamp in inet_getpeer() (git-fixes). - ipv4/route: avoid unused-but-set-variable warning (git-fixes). - ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) (git-fixes). 
- ipv4: Convert icmp_route_lookup() to dscp_t (git-fixes). - ipv4: Fix incorrect source address in Record Route option (git-fixes). - ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family (git-fixes). - ipv4: fix source address selection with route leak (git-fixes). - ipv4: give an IPv4 dev to blackhole_netdev (git-fixes). - ipv4: icmp: Pass full DS field to ip_route_input() (git-fixes). - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() (git-fixes). - ipv4: ip_gre: Fix drops of small packets in ipgre_xmit (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() (git-fixes). - ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() (git-fixes). - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid (git-fixes). - ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels (git-fixes). - ipv6: Align behavior across nexthops during path selection (git-fixes). - ipv6: Do not consider link down nexthops in path selection (git-fixes). - ipv6: Start path selection from the first nexthop (git-fixes). - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS (git-fixes). - irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs (git-fixes). - jiffies: Cast to unsigned long in secs_to_jiffies() conversion (bsc#1242993). - jiffies: Define secs_to_jiffies() (bsc#1242993). - kernel-obs-qa: Use srchash for dependency as well - loop: Add sanity check for read/write_iter (git-fixes). - loop: aio inherit the ioprio of original request (git-fixes). - loop: do not require ->write_iter for writable files in loop_configure (git-fixes). - md/raid1,raid10: do not ignore IO flags (git-fixes). - md/raid10: fix missing discard IO accounting (git-fixes). - md/raid10: wait barrier before returning discard request with REQ_NOWAIT (git-fixes). - md/raid1: Add check for missing source disk in process_checks() (git-fixes). 
- md/raid1: fix memory leak in raid1_run() if no active rdev (git-fixes). - md/raid5: implement pers->bitmap_sector() (git-fixes). - md: add a new callback pers->bitmap_sector() (git-fixes). - md: ensure resync is prioritized over recovery (git-fixes). - md: fix mddev uaf while iterating all_mddevs list (git-fixes). - md: preserve KABI in struct md_personality v2 (git-fixes). - media: videobuf2: Add missing doc comment for waiting_in_dqbuf (git-fixes). - mtd: phram: Add the kernel lock down check (bsc#1232649). - neighbour: delete redundant judgment statements (git-fixes). - net/handshake: Fix handshake_req_destroy_test1 (git-fixes). - net/handshake: Fix memory leak in __sock_create() and sock_alloc_file() (git-fixes). - net/ipv6: Fix route deleting failure when metric equals 0 (git-fixes). - net/ipv6: Fix the RT cache flush via sysctl using a previous delay (git-fixes). - net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged (git-fixes). - net/mlx5: E-Switch, Initialize MAC Address for Default GID (git-fixes). - net/mlx5: E-switch, Fix error handling for enabling roce (git-fixes). - net/mlx5e: Disable MACsec offload for uplink representor profile (git-fixes). - net: Add non-RCU dev_getbyhwaddr() helper (git-fixes). - net: Clear old fragment checksum value in napi_reuse_skb (git-fixes). - net: Handle napi_schedule() calls from non-interrupt (git-fixes). - net: Implement missing SO_TIMESTAMPING_NEW cmsg support (git-fixes). - net: Remove acked SYN flag from packet in the transmit queue correctly (git-fixes). - net: do not dump stack on queue timeout (git-fixes). - net: gro: parse ipv6 ext headers without frag0 invalidation (git-fixes). - net: ipv6: ioam6: fix lwtunnel_output() loop (git-fixes). - net: loopback: Avoid sending IP packets without an Ethernet header (git-fixes). - net: qede: Initialize qede_ll_ops with designated initializer (git-fixes). - net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets (git-fixes). 
- net: set the minimum for net_hotdata.netdev_budget_usecs (git-fixes). - net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension (git-fixes). - netdev-genl: avoid empty messages in queue dump (git-fixes). - netdev: fix repeated netlink messages in queue dump (git-fixes). - netlink: annotate data-races around sk->sk_err (git-fixes). - netpoll: Ensure clean state on setup failures (git-fixes). - nfs: handle failure of nfs_get_lock_context in unlock path (git-fixes). - nfsd: add list_head nf_gc to struct nfsd_file (git-fixes). - nilfs2: add pointer check for nilfs_direct_propagate() (git-fixes). - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() (git-fixes). - nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (git-fixes bsc#1223096). - nvme-pci: add quirk for Samsung PM173x/PM173xa disk (bsc#1241148). - nvme-pci: fix queue unquiesce check on slot_reset (git-fixes). - nvme-pci: make nvme_pci_npages_prp() __always_inline (git-fixes). - nvme-tcp: fix premature queue removal and I/O failover (git-fixes). - nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS (git-fixes). - nvme: Add 'partial_nid' quirk (bsc#1241148). - nvme: Add warning when a partiually unique NID is detected (bsc#1241148). - nvme: Update patch nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch (git-fixes bsc#1235149). - nvme: Update patch nvme-re-read-ANA-log-page-after-ns-scan-completes.patch (git-fixes bsc#1235149). - nvme: fixup scan failure for non-ANA multipath controllers (git-fixes). - nvme: multipath: fix return value of nvme_available_path (git-fixes). - nvme: re-read ANA log page after ns scan completes (git-fixes). - nvme: requeue namespace scan on missed AENs (git-fixes). - nvme: unblock ctrl state transition for firmware update (git-fixes). - nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes). - nvmet-fc: inline nvmet_fc_free_hostport (git-fixes). - nvmet-fc: put ref when assoc->del_work is already scheduled (git-fixes). 
- nvmet-fc: take tgtport reference only once (git-fixes). - nvmet-fc: update tgtport ref per assoc (git-fixes). - nvmet-fcloop: Remove remote port from list when unlinking (git-fixes). - nvmet-fcloop: add ref counting to lport (git-fixes). - nvmet-fcloop: replace kref with refcount (git-fixes). - nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS (git-fixes). - objtool, panic: Disable SMAP in __stack_chk_fail() (bsc#1243963). - ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes). - octeontx2-pf: qos: fix VF root node parent queue index (git-fixes). - padata: do not leak refcount in reorder_work (git-fixes). - phy: Fix error handling in tegra_xusb_port_init (git-fixes). - phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind (git-fixes). - phy: renesas: rcar-gen3-usb2: Set timing registers only once (git-fixes). - phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking (git-fixes). - phy: tegra: xusb: remove a stray unlock (git-fixes). - platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie 14XA (GX4HRXL) (git-fixes). - platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles (stable-fixes). - platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (git-fixes). - platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() (git-fixes). - powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes). - powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits (bsc#1239691 bsc#1243044 ltc#212555). - qibfs: fix _another_ leak (git-fixes) - rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes) - rcu/tasks: Handle new PF_IDLE semantics (git-fixes) - rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes) - rcu: Introduce rcu_cpu_online() (git-fixes) - regulator: max20086: fix invalid memory access (git-fixes). 
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - s390/bpf: Store backchain even for leaf progs (git-fixes bsc#1243805). - scsi: Improve CDL control (git-fixes). - scsi: core: Clear flags for scsi_cmnd that did not complete (git-fixes). - scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes). - scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk (bsc#1242993). - scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: lpfc: Copyright updates for 14.4.0.9 patches (bsc#1242993). - scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993). - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands (bsc#1242993). - scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology' (bsc#1242993). - scsi: lpfc: Notify FC transport of rport disappearance during PCI fcn reset (bsc#1242993). - scsi: lpfc: Prevent failure to reregister with NVMe transport after PRLI retry (bsc#1242993). - scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still unset (bsc#1242993). - scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993). - scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966). - scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993). - scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes). - scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes). - scsi: qla2xxx: Fix typos in a comment (bsc#1243090). - scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090). - scsi: qla2xxx: Remove duplicate struct crb_addr_pair (bsc#1243090). - scsi: qla2xxx: Remove unused module parameters (bsc#1243090). - scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090). - scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_pci_region_offset() (bsc#1243090). - scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_83xx_iospace_config() (bsc#1243090). 
- scsi: qla2xxx: Remove unused qlt_fc_port_deleted() (bsc#1243090). - scsi: qla2xxx: Remove unused qlt_free_qfull_cmds() (bsc#1243090). - selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test (bsc#1242203). - smb3: fix Open files on server counter going negative (git-fixes). - smb: client: Use str_yes_no() helper function (git-fixes). - smb: client: allow more DFS referrals to be cached (git-fixes). - smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes). - smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes). - smb: client: do not retry DFS targets on server shutdown (git-fixes). - smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes). - smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes). - smb: client: fix DFS interlink failover (git-fixes). - smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes). - smb: client: fix hang in wait_for_response() for negproto (bsc#1242709). - smb: client: fix potential race in cifs_put_tcon() (git-fixes). - smb: client: fix return value of parse_dfs_referrals() (git-fixes). - smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes). - smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes). - smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes). - smb: client: improve purging of cached referrals (git-fixes). - smb: client: introduce av_for_each_entry() helper (git-fixes). - smb: client: optimize referral walk on failed link targets (git-fixes). - smb: client: parse DNS domain name from domain= option (git-fixes). - smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes). - smb: client: provide dns_resolve_{unc,name} helpers (git-fixes). - smb: client: refresh referral without acquiring refpath_lock (git-fixes). - smb: client: remove unnecessary checks in open_cached_dir() (git-fixes). - spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes). 
- spi: spi-fsl-dspi: Halt the module after a new message transfer (git-fixes). - spi: spi-fsl-dspi: Reset SR flags before sending a new message (git-fixes). - spi: spi-fsl-dspi: restrict register range for regmap access (git-fixes). - spi: tegra114: Use value to check for invalid delays (git-fixes). - staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (git-fixes). - staging: axis-fifo: Remove hardware resets for user errors (git-fixes). - staging: iio: adc: ad7816: Correct conditional logic for store mode (git-fixes). - tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress() (git-fixes). - tcp_cubic: fix incorrect HyStart round start detection (git-fixes). - thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature (git-fixes). - usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version (git-fixes). - usb: gadget: Use get_status callback to set remote wakeup capability (git-fixes). - usb: gadget: f_ecm: Add get_status callback (git-fixes). - usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN (git-fixes). - usb: host: tegra: Prevent host controller crash when OTG port is used (git-fixes). - usb: typec: class: Invalidate USB device pointers on partner unregistration (git-fixes). - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (git-fixes). - usb: typec: ucsi: displayport: Fix NULL pointer access (git-fixes). - usb: uhci-platform: Make the clock really optional (git-fixes). - usb: usbtmc: Fix erroneous generic_read ioctl return (git-fixes). - usb: usbtmc: Fix erroneous get_stb ioctl error returns (git-fixes). - usb: usbtmc: Fix erroneous wait_srq ioctl return (git-fixes). - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint (git-fixes). - virtio_console: fix missing byte order handling for cols and rows (git-fixes). - wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation (git-fixes). 
- wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request (git-fixes). - wifi: mt76: disable napi on driver removal (git-fixes). - x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes). - x86/xen: move xen_reserve_extra_memory() (git-fixes). - xen/mcelog: Add __nonstring annotations for unterminated strings (git-fixes). - xen: Change xen-acpi-processor dom0 dependency (git-fixes). - xenfs/xensyms: respect hypervisor's 'next' indication (git-fixes). - xhci: Add helper to set an interrupters interrupt moderation interval (git-fixes). - xhci: Clean up stale comment on ERST_SIZE macro (stable-fixes). - xhci: split free interrupter into separate remove and free parts (git-fixes). - xsk: Add truesize to skb_add_rx_frag() (git-fixes). - xsk: Do not assume metadata is always requested in TX completion (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - kernel-macros-6.4.0-150600.23.53.1 updated - kernel-devel-6.4.0-150600.23.53.1 updated - kernel-default-devel-6.4.0-150600.23.53.1 updated - kernel-syms-6.4.0-150600.23.53.1 updated - container:registry.suse.com-bci-bci-base-15.6-dbdc31a07ebfb930fa5997578ce6f6c51fcac74f6ff64205846b8f6f7b30b679-0 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:17:56 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:17:56 +0200 (CEST) Subject: SUSE-CU-2025:4636-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250620141756.61956FD1A@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4636-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.134 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.134 Severity : important Type : security References : 1205000 1208958 1211576 1211725 1215241 1243935 CVE-2022-4415 CVE-2023-26604 CVE-2025-4598 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2019-1 Released: Thu Jun 19 09:57:43 2025 Summary: Security update for systemd Type: security Severity: important References: 1205000,1208958,1211576,1211725,1215241,1243935,CVE-2022-4415,CVE-2023-26604,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). - CVE-2023-26604: Privilege escalation via the less pager (bsc#1208958). 
- CVE-2022-4415: systemd-coredump was not respecting fs.suid_dumpable kernel setting (bsc#1205000). Other bugfixes: - clarify passno and noauto combination in /etc/fstab (bsc#1211725) - handle -EINTR return from bus_poll() (bsc#1215241) - /usr/ should never be unmounted regardless of HAVE_SPLIT_USR or not (bsc#1211576) The following package changes have been done: - libsystemd0-246.16-150300.7.60.1 updated - libudev1-246.16-150300.7.60.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:17:55 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:17:55 +0200 (CEST) Subject: SUSE-CU-2025:4635-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250620141755.7CD96FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4635-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.133 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.133 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:17:57 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:17:57 +0200 (CEST) Subject: SUSE-CU-2025:4637-1: Recommended update of suse/sle-micro/5.1/toolbox Message-ID: <20250620141757.3EB35FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4637-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.135 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.135 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2023-1 Released: Thu Jun 19 15:15:22 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. 
This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. 
The following package changes have been done: - libzypp-17.37.5-150200.160.1 updated - zypper-1.14.90-150200.114.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:17:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:17:58 +0200 (CEST) Subject: SUSE-CU-2025:4638-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250620141758.278F5FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4638-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.136 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.136 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:22:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:22:50 +0200 (CEST) Subject: SUSE-CU-2025:4642-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250620142250.24146FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4642-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.135 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.135 Severity : important Type : security References : 1243226 1244509 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:22:50 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:22:50 +0200 (CEST) Subject: SUSE-CU-2025:4643-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250620142250.E3526FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4643-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.136 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.136 Severity : important Type : security References : 1205000 1208958 1211576 1211725 1215241 1243935 CVE-2022-4415 CVE-2023-26604 CVE-2025-4598 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2019-1 Released: Thu Jun 19 09:57:43 2025 Summary: Security update for systemd Type: security Severity: important References: 1205000,1208958,1211576,1211725,1215241,1243935,CVE-2022-4415,CVE-2023-26604,CVE-2025-4598 This update for systemd fixes the following issues: - CVE-2025-4598: Race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump (bsc#1243935). - CVE-2023-26604: Privilege escalation via the less pager (bsc#1208958). - CVE-2022-4415: systemd-coredump was not respecting fs.suid_dumpable kernel setting (bsc#1205000). 
Other bugfixes: - clarify passno and noauto combination in /etc/fstab (bsc#1211725) - handle -EINTR return from bus_poll() (bsc#1215241) - /usr/ should never be unmounted regardless of HAVE_SPLIT_USR or not (bsc#1211576) The following package changes have been done: - libsystemd0-246.16-150300.7.60.1 updated - libudev1-246.16-150300.7.60.1 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:22:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:22:51 +0200 (CEST) Subject: SUSE-CU-2025:4644-1: Recommended update of suse/sle-micro/5.2/toolbox Message-ID: <20250620142251.C9FDEFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4644-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.137 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.137 Severity : moderate Type : recommended References : 1239012 1239543 1240132 1241463 1243887 1243901 1244105 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2023-1 Released: Thu Jun 19 15:15:22 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. 
(bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend. - Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. 
- man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. The following package changes have been done: - libzypp-17.37.5-150200.160.1 updated - zypper-1.14.90-150200.114.3 updated From sle-container-updates at lists.suse.com Fri Jun 20 14:22:52 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 20 Jun 2025 16:22:52 +0200 (CEST) Subject: SUSE-CU-2025:4645-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250620142252.B3D4BFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4645-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.138 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.138 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Sat Jun 21 07:04:21 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 21 Jun 2025 09:04:21 +0200 (CEST) Subject: SUSE-IU-2025:1632-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250621070421.59A89FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1632-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.54 , suse/sl-micro/6.1/base-os-container:latest Image Release : 4.54 Severity : moderate Type : security References : 1242300 1243284 1243772 CVE-2025-47268 CVE-2025-48964 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 153 Released: Fri Jun 20 16:28:11 2025 Summary: Security update for iputils Type: security Severity: moderate References: 1242300,1243284,1243772,CVE-2025-47268,CVE-2025-48964 This update for iputils fixes the following issues: - CVE-2025-48964: Fixed integer overflow in ping statistics via zero timestamp (bsc#1243772) - Fix ping on s390x printing invalid ttl (bsc#1243284) - CVE-2025-47268: Fixed integer overflow in RTT calculation can lead to undefined behavior (bsc#1242300) The following package changes have been done: - iputils-20221126-slfo.1.1_2.1 updated - container:suse-toolbox-image-1.0.0-4.45 updated From sle-container-updates at lists.suse.com Sat Jun 21 07:07:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 21 Jun 2025 09:07:44 +0200 (CEST) Subject: SUSE-CU-2025:4650-1: Security update of suse/ltss/sle12.5/sles12sp5 Message-ID: <20250621070744.57148FCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4650-1 Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.95 , suse/ltss/sle12.5/sles12sp5:latest Container Release : 8.5.95 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/ltss/sle12.5/sles12sp5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2051-1 Released: Fri Jun 20 14:42:25 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: do not change the current directory when cloning an open directory handle (bsc#1244079) The following package changes have been done: - perl-base-5.18.2-12.29.1 updated From sle-container-updates at lists.suse.com Sat Jun 21 07:11:49 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 21 Jun 2025 09:11:49 +0200 (CEST) Subject: SUSE-CU-2025:4651-1: Security update of bci/python Message-ID: <20250621071149.B23B5FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4651-1 Container Tags : bci/python:3 , bci/python:3.12 , bci/python:3.12.11 , bci/python:3.12.11-69.3 Container Release : 69.3 Severity : important Type : security References : 1243273 1244032 1244056 1244059 1244060 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4516 CVE-2025-4517 ----------------------------------------------------------------- The container bci/python was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2048-1 Released: Fri Jun 20 14:40:37 2025 Summary: Security update for python312 Type: security Severity: important References: 1243273,1244032,1244056,1244059,1244060,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4516,CVE-2025-4517 This update for python312 fixes the following issues: python312 was updated from version 3.12.9 to 3.12.11: - Security issues fixed: * CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS (bsc#1243273) * CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517: Fixed multiple issues that allowed tarfile extraction filters to be bypassed using crafted symlinks and hard links (bsc#1244056, bsc#1244059, bsc#1244060, bsc#1244032) - Other changes and bugs fixed: * Added --single-process option to the Python test runner (regrtest). * Added support for text/x-rst MIME type. * Corrected issues in various modules. * Fixed bugs in the folding of rfc2047 encoded-words and in the folding of quoted strings when flattening an email message using a modern email policy. * Fixed f-string handling of lambda expressions with non-ASCII characters. * Fixed ipaddress.IPv6Address.reverse_pointer output according to RFC 3596. * Fixed parsing long IPv6 addresses with embedded IPv4 address. * Fixed resource leaks in gzip and multiprocessing Resource Tracker. * Improved IDLE's documentation display. * Improved the textual representation of IPv4-mapped IPv6 addresses in ipaddress. * ipaddress: fixed hash collisions for IPv4Network and IPv6Network objects * Made from __future__ import barry_as_FLUFL work in more contexts. * Resolved potential crashes in contextvars, xml.etree.ElementTree, sqlite3, and the sys module. * Scheduled deprecation of the check_home argument in sysconfig.is_python_build() for Python 3.15. 
* Stop the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. * Undeprecated functional API for importlib.resources and added Anchor. * Updated bundled libexpat to 2.7.1 * Updated bundled pip to version 25.0.1. * Updated documentation for generic classes, wheel tags, and the C API. The following package changes have been done: - libpython3_12-1_0-3.12.11-150600.3.30.1 updated - python312-base-3.12.11-150600.3.30.1 updated - python312-3.12.11-150600.3.30.1 updated - python312-devel-3.12.11-150600.3.30.1 updated From sle-container-updates at lists.suse.com Sat Jun 21 07:13:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 21 Jun 2025 09:13:18 +0200 (CEST) Subject: SUSE-CU-2025:4653-1: Security update of bci/golang Message-ID: <20250621071318.0742EF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4653-1 Container Tags : bci/golang:1.24-openssl , bci/golang:1.24.3-openssl , bci/golang:1.24.3-openssl-71.5 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-71.5 Container Release : 71.5 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/golang was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl-3-devel-3.2.3-150700.5.5.1 updated From sle-container-updates at lists.suse.com Sat Jun 21 07:13:19 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sat, 21 Jun 2025 09:13:19 +0200 (CEST) Subject: SUSE-CU-2025:4654-1: Security update of bci/bci-micro-fips Message-ID: <20250621071319.6420CF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-micro-fips ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4654-1 Container Tags : bci/bci-micro-fips:15.7 , bci/bci-micro-fips:15.7-5.7 , bci/bci-micro-fips:latest Container Release : 5.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/bci-micro-fips was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. (bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:bci-bci-base-15.7-f5d1895861c7077c6d86dd4ced9bf4c68924c11836e300749f173176c6b454ba-0 updated From sle-container-updates at lists.suse.com Sun Jun 22 07:04:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 22 Jun 2025 09:04:04 +0200 (CEST) Subject: SUSE-CU-2025:4655-1: Security update of containers/open-webui Message-ID: <20250622070404.03DA5FD12@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4655-1 Container Tags : containers/open-webui:0 , containers/open-webui:0.6.9 , containers/open-webui:0.6.9-10.19 Container Release : 10.19 Severity : important Type : security References : 1239949 1241067 1243217 1243218 1243220 1243273 1244032 1244056 1244059 1244060 CVE-2024-12718 CVE-2025-23165 CVE-2025-23166 CVE-2025-23167 CVE-2025-4138 CVE-2025-4330 CVE-2025-4516 CVE-2025-4517 ----------------------------------------------------------------- The container containers/open-webui was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2045-1 Released: Fri Jun 20 13:03:59 2025 Summary: Security update for nodejs20 Type: security Severity: important References: 1239949,1243217,1243218,1243220,CVE-2025-23165,CVE-2025-23166,CVE-2025-23167 This update for nodejs20 fixes the following issues: Update to 20.19.2: - CVE-2025-23166: improper error handling in async cryptographic operations crashes process (bsc#1243218). - CVE-2025-23167: improper HTTP header block termination in llhttp (bsc#1243220). - CVE-2025-23165: add missing call to uv_fs_req_cleanup (bsc#1243217). Other bugfixes: - Build with PIE (bsc#1239949) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2057-1 Released: Sat Jun 21 11:04:24 2025 Summary: Security update for python311 Type: security Severity: important References: 1241067,1243273,1244032,1244056,1244059,1244060,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4516,CVE-2025-4517 This update for python311 fixes the following issues: python311 was updated from version 3.11.10 to 3.11.13: - Security issues fixed: * CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS (bsc#1243273). * CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517: Fixed multiple issues that allowed tarfile extraction filters to be bypassed using crafted symlinks and hard links (bsc#1244056, bsc#1244059, bsc#1244060, bsc#1244032) - Other changes and bugs fixed: * Improved handling of system call failures that OpenSSL reports (bsc#1241067) * Disable GC during thread operations to prevent deadlocks. * Fixed a potential denial of service vulnerability in the imaplib module. * Fixed bugs in the folding of rfc2047 encoded-words and in the folding of quoted strings when flattening an email message using a modern email policy. 
* Fixed parsing long IPv6 addresses with embedded IPv4 address. * Fixed ipaddress.IPv6Address.reverse_pointer output according to RFC 3596 * Improved the textual representation of IPv4-mapped IPv6 addresses in ipaddress. * ipaddress: fixed hash collisions for IPv4Network and IPv6Network objects * os.path.realpath() now accepts a strict keyword-only argument. * Stop the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. * Updated bundled libexpat to 2.7.1 * Writers of CPython documentation can now use next as the version for the versionchanged, versionadded, deprecated directives. The following package changes have been done: - libpython3_11-1_0-3.11.13-150600.3.30.1 updated - python311-base-3.11.13-150600.3.30.1 updated - python311-3.11.13-150600.3.30.1 updated - python311-pymongo-4.6.3-150600.1.16 updated - python311-psycopg2-2.9.9-150600.1.22 updated - python311-protobuf-5.29.3-150600.3.2 updated - python311-propcache-0.2.0-150600.1.6 updated - python311-peewee-3.17.9-150600.1.2 updated - python311-mmh3-4.1.0-150600.1.18 updated - python311-greenlet-3.1.0-150600.1.20 updated - python311-devel-3.11.13-150600.3.30.1 updated - python311-certifi-2024.7.4-150600.1.42 updated - python311-cchardet-2.1.19-150600.1.38 updated - python311-PyYAML-6.0.2-150600.1.2 updated - nodejs20-20.19.2-150600.3.12.1 updated - python311-cffi-1.17.0-150600.1.15 updated - python311-Pillow-11.1.0-150600.1.2 updated - python311-yarl-1.18.3-150600.1.6 updated - python311-SQLAlchemy-2.0.40-150600.1.2 updated - python311-lxml-5.3.2-150600.1.2 updated - python311-grpcio-1.69.0-150600.1.8 updated - python311-marshmallow-3.20.2-150600.1.10 updated - python311-aiohttp-3.11.11-150600.1.9 updated - python311-grpcio-tools-1.68.1-150600.1.10 updated - python311-ctranslate2-4.4.0-150600.1.15 updated - python311-numpy1-1.26.4-150600.1.45 updated - python311-scipy-1.14.1-150600.1.46 updated - python311-pandas-2.2.3-150600.1.47 
updated - python311-chroma-hnswlib-0.7.6-150600.2.14 updated - python311-Shapely-2.0.6-150600.1.16 updated - python311-pyarrow-17.0.0-150600.2.41 updated - python311-scikit-learn-1.5.1-150600.1.48 updated - python311-av-11.0.0-150600.1.20 updated - python311-open-webui-0.6.9-150600.2.4 updated From sle-container-updates at lists.suse.com Sun Jun 22 07:04:07 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 22 Jun 2025 09:04:07 +0200 (CEST) Subject: SUSE-CU-2025:4656-1: Security update of containers/open-webui-pipelines Message-ID: <20250622070407.B4DBFFD12@maintenance.suse.de> SUSE Container Update Advisory: containers/open-webui-pipelines ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4656-1 Container Tags : containers/open-webui-pipelines:0 , containers/open-webui-pipelines:0.20250329.151219 , containers/open-webui-pipelines:0.20250329.151219-5.9 Container Release : 5.9 Severity : important Type : security References : 1241067 1243273 1244032 1244056 1244059 1244060 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4516 CVE-2025-4517 ----------------------------------------------------------------- The container containers/open-webui-pipelines was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2057-1 Released: Sat Jun 21 11:04:24 2025 Summary: Security update for python311 Type: security Severity: important References: 1241067,1243273,1244032,1244056,1244059,1244060,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4516,CVE-2025-4517 This update for python311 fixes the following issues: python311 was updated from version 3.11.10 to 3.11.13: - Security issues fixed: * CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS (bsc#1243273). 
* CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517: Fixed multiple issues that allowed tarfile extraction filters to be bypassed using crafted symlinks and hard links (bsc#1244056, bsc#1244059, bsc#1244060, bsc#1244032) - Other changes and bugs fixed: * Improved handling of system call failures that OpenSSL reports (bsc#1241067) * Disable GC during thread operations to prevent deadlocks. * Fixed a potential denial of service vulnerability in the imaplib module. * Fixed bugs in the folding of rfc2047 encoded-words and in the folding of quoted strings when flattening an email message using a modern email policy. * Fixed parsing long IPv6 addresses with embedded IPv4 address. * Fixed ipaddress.IPv6Address.reverse_pointer output according to RFC 3596 * Improved the textual representation of IPv4-mapped IPv6 addresses in ipaddress. * ipaddress: fixed hash collisions for IPv4Network and IPv6Network objects * os.path.realpath() now accepts a strict keyword-only argument. * Stop the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. * Updated bundled libexpat to 2.7.1 * Writers of CPython documentation can now use next as the version for the versionchanged, versionadded, deprecated directives. 
The following package changes have been done: - libpython3_11-1_0-3.11.13-150600.3.30.1 updated - python311-base-3.11.13-150600.3.30.1 updated - python-open-webui-pipelines-0.20250329.151219-150600.3.7 updated From sle-container-updates at lists.suse.com Sun Jun 22 07:04:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 22 Jun 2025 09:04:15 +0200 (CEST) Subject: SUSE-CU-2025:4657-1: Security update of containers/pytorch Message-ID: <20250622070415.2401BFD12@maintenance.suse.de> SUSE Container Update Advisory: containers/pytorch ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4657-1 Container Tags : containers/pytorch:2-nvidia , containers/pytorch:2.7.0-nvidia , containers/pytorch:2.7.0-nvidia-2.21 Container Release : 2.21 Severity : important Type : security References : 1241067 1243273 1244032 1244056 1244059 1244060 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4516 CVE-2025-4517 ----------------------------------------------------------------- The container containers/pytorch was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2057-1 Released: Sat Jun 21 11:04:24 2025 Summary: Security update for python311 Type: security Severity: important References: 1241067,1243273,1244032,1244056,1244059,1244060,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4516,CVE-2025-4517 This update for python311 fixes the following issues: python311 was updated from version 3.11.10 to 3.11.13: - Security issues fixed: * CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS (bsc#1243273). 
* CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517: Fixed multiple issues that allowed tarfile extraction filters to be bypassed using crafted symlinks and hard links (bsc#1244056, bsc#1244059, bsc#1244060, bsc#1244032) - Other changes and bugs fixed: * Improved handling of system call failures that OpenSSL reports (bsc#1241067) * Disable GC during thread operations to prevent deadlocks. * Fixed a potential denial of service vulnerability in the imaplib module. * Fixed bugs in the folding of rfc2047 encoded-words and in the folding of quoted strings when flattening an email message using a modern email policy. * Fixed parsing long IPv6 addresses with embedded IPv4 address. * Fixed ipaddress.IPv6Address.reverse_pointer output according to RFC 3596 * Improved the textual representation of IPv4-mapped IPv6 addresses in ipaddress. * ipaddress: fixed hash collisions for IPv4Network and IPv6Network objects * os.path.realpath() now accepts a strict keyword-only argument. * Stop the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. * Updated bundled libexpat to 2.7.1 * Writers of CPython documentation can now use next as the version for the versionchanged, versionadded, deprecated directives. 
The following package changes have been done: - libpython3_11-1_0-3.11.13-150600.3.30.1 updated - python311-base-3.11.13-150600.3.30.1 updated - python311-3.11.13-150600.3.30.1 updated - python311-protobuf-5.29.3-150600.3.2 updated - python311-numpy-2.1.1-150600.1.45 updated - python311-devel-3.11.13-150600.3.30.1 updated - python311-torch-cuda-2.7.0-150600.2.9 updated From sle-container-updates at lists.suse.com Sun Jun 22 07:08:26 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 22 Jun 2025 09:08:26 +0200 (CEST) Subject: SUSE-CU-2025:4658-1: Security update of bci/python Message-ID: <20250622070826.718A2FD12@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4658-1 Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-71.7 Container Release : 71.7 Severity : important Type : security References : 1241067 1243273 1244032 1244056 1244059 1244060 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4516 CVE-2025-4517 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2057-1 Released: Sat Jun 21 11:04:24 2025 Summary: Security update for python311 Type: security Severity: important References: 1241067,1243273,1244032,1244056,1244059,1244060,CVE-2024-12718,CVE-2025-4138,CVE-2025-4330,CVE-2025-4516,CVE-2025-4517 This update for python311 fixes the following issues: python311 was updated from version 3.11.10 to 3.11.13: - Security issues fixed: * CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS (bsc#1243273). 
* CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517: Fixed multiple issues that allowed tarfile extraction filters to be bypassed using crafted symlinks and hard links (bsc#1244056, bsc#1244059, bsc#1244060, bsc#1244032) - Other changes and bugs fixed: * Improved handling of system call failures that OpenSSL reports (bsc#1241067) * Disable GC during thread operations to prevent deadlocks. * Fixed a potential denial of service vulnerability in the imaplib module. * Fixed bugs in the folding of rfc2047 encoded-words and in the folding of quoted strings when flattening an email message using a modern email policy. * Fixed parsing long IPv6 addresses with embedded IPv4 address. * Fixed ipaddress.IPv6Address.reverse_pointer output according to RFC 3596 * Improved the textual representation of IPv4-mapped IPv6 addresses in ipaddress. * ipaddress: fixed hash collisions for IPv4Network and IPv6Network objects * os.path.realpath() now accepts a strict keyword-only argument. * Stop the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. * Updated bundled libexpat to 2.7.1 * Writers of CPython documentation can now use next as the version for the versionchanged, versionadded, deprecated directives. 
The following package changes have been done: - libpython3_11-1_0-3.11.13-150600.3.30.1 updated - python311-base-3.11.13-150600.3.30.1 updated - python311-3.11.13-150600.3.30.1 updated - python311-devel-3.11.13-150600.3.30.1 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:05:39 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:05:39 +0200 (CEST) Subject: SUSE-IU-2025:1641-1: Security update of suse/sl-micro/6.1/base-os-container Message-ID: <20250624070539.7ABC6FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sl-micro/6.1/base-os-container ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1641-1 Image Tags : suse/sl-micro/6.1/base-os-container:2.2.0 , suse/sl-micro/6.1/base-os-container:2.2.0-4.55 , suse/sl-micro/6.1/base-os-container:latest Image Release : 4.55 Severity : moderate Type : security References : 1239119 CVE-2025-30258 ----------------------------------------------------------------- The container suse/sl-micro/6.1/base-os-container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: 156 Released: Mon Jun 23 15:34:00 2025 Summary: Security update for gpg2 Type: security Severity: moderate References: 1239119,CVE-2025-30258 This update for gpg2 fixes the following issues: - CVE-2025-30258: Fixed a verification DoS due to a malicious subkey in the keyring. 
(bsc#1239119) The following package changes have been done: - SL-Micro-release-6.1-slfo.1.11.38 updated - gpg2-2.4.4-slfo.1.1_2.1 updated - container:suse-toolbox-image-1.0.0-4.46 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:10:23 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:10:23 +0200 (CEST) Subject: SUSE-CU-2025:4669-1: Security update of suse/ltss/sle15.5/sle15 Message-ID: <20250624071023.3BBBAFCFE@maintenance.suse.de> SUSE Container Update Advisory: suse/ltss/sle15.5/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4669-1 Container Tags : suse/ltss/sle15.5/bci-base:15.5 , suse/ltss/sle15.5/bci-base:15.5-5.7 , suse/ltss/sle15.5/sle15:15.5 , suse/ltss/sle15.5/sle15:15.5-5.7 , suse/ltss/sle15.5/sle15:latest Container Release : 5.7 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/ltss/sle15.5/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:11:41 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:11:41 +0200 (CEST) Subject: SUSE-CU-2025:4671-1: Security update of bci/bci-init Message-ID: <20250624071141.2C375FCFE@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4671-1 Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.6 Container Release : 44.6 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:registry.suse.com-bci-bci-base-15.6-7f1a9a6fc65c96293ea124e432d476840e77b5afceecce79e19e67ab2153d3c1-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:12:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:12:20 +0200 (CEST) Subject: SUSE-CU-2025:4672-1: Security update of bci/nodejs Message-ID: <20250624071220.F2B3BF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4672-1 Container Tags : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-54.6 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-54.6 Container Release : 54.6 Severity : important Type : security References : 1239949 1243217 1243218 1243220 CVE-2025-23165 CVE-2025-23166 CVE-2025-23167 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2045-1 Released: Fri Jun 20 13:03:59 2025 Summary: Security update for nodejs20 Type: security Severity: important References: 1239949,1243217,1243218,1243220,CVE-2025-23165,CVE-2025-23166,CVE-2025-23167 This update for nodejs20 fixes the following issues: Update to 20.19.2: - CVE-2025-23166: improper error handling in async cryptographic operations crashes process (bsc#1243218). - CVE-2025-23167: improper HTTP header block termination in llhttp (bsc#1243220). - CVE-2025-23165: add missing call to uv_fs_req_cleanup (bsc#1243217). 
Other bugfixes: - Build with PIE (bsc#1239949) The following package changes have been done: - nodejs20-20.19.2-150600.3.12.1 updated - npm20-20.19.2-150600.3.12.1 updated - container:registry.suse.com-bci-bci-base-15.6-7f1a9a6fc65c96293ea124e432d476840e77b5afceecce79e19e67ab2153d3c1-0 updated - libcares2-1.19.1-150000.3.26.1 removed - netcfg-11.6-150000.3.6.1 removed From sle-container-updates at lists.suse.com Tue Jun 24 07:15:12 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:15:12 +0200 (CEST) Subject: SUSE-CU-2025:4674-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250624071512.C57F0F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4674-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.6 , bci/bci-sle15-kernel-module-devel:15.6.44.7 Container Release : 44.7 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - container:registry.suse.com-bci-bci-base-15.6-7f1a9a6fc65c96293ea124e432d476840e77b5afceecce79e19e67ab2153d3c1-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:15:48 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:15:48 +0200 (CEST) Subject: SUSE-CU-2025:4675-1: Security update of suse/sle15 Message-ID: <20250624071548.F1F55F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4675-1 Container Tags : bci/bci-base:15.6 , bci/bci-base:15.6.47.23.5 , suse/sle15:15.6 , suse/sle15:15.6.47.23.5 Container Release : 47.23.5 Severity : moderate Type : security References : 1244079 CVE-2025-40909 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:16:40 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:16:40 +0200 (CEST) Subject: SUSE-CU-2025:4677-1: Security update of suse/389-ds Message-ID: <20250624071640.58507F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4677-1 Container Tags : suse/389-ds:2.5 , suse/389-ds:2.5.3 , suse/389-ds:2.5.3-61.9 , suse/389-ds:latest Container Release : 61.9 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/389-ds was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - openssl-3-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:16:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:16:58 +0200 (CEST) Subject: SUSE-CU-2025:4685-1: Security update of bci/gcc Message-ID: <20250624071658.4F58DF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/gcc ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4685-1 Container Tags : bci/gcc:14 , bci/gcc:14.2 , bci/gcc:14.2-10.7 , bci/gcc:latest Container Release : 10.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/gcc was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:17:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:17:00 +0200 (CEST) Subject: SUSE-CU-2025:4686-1: Security update of bci/golang Message-ID: <20250624071700.ECEDEF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4686-1 Container Tags : bci/golang:1.23 , bci/golang:1.23.10 , bci/golang:1.23.10-2.71.7 , bci/golang:oldstable , bci/golang:oldstable-2.71.7 Container Release : 71.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:17:05 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:17:05 +0200 (CEST) Subject: SUSE-CU-2025:4688-1: Security update of bci/golang Message-ID: <20250624071705.DD0F3F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4688-1 Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.71.7 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.7 Container Release : 71.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:17:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:17:11 +0200 (CEST) Subject: SUSE-CU-2025:4690-1: Security update of bci/bci-init Message-ID: <20250624071711.8F285F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4690-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.9 , bci/bci-init:latest Container Release : 41.9 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:17:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:17:14 +0200 (CEST) Subject: SUSE-CU-2025:4691-1: Security update of bci/kiwi Message-ID: <20250624071714.52AF8F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4691-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.12 , bci/kiwi:latest Container Release : 16.12 Severity : important Type : security References : 1236136 1236329 1236599 1240157 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:2063-1
Released: Mon Jun 23 12:02:06 2025
Summary: Recommended update for qemu
Type: recommended
Severity: moderate
References: 1236329,1240157

This update for qemu fixes the following issues:

- Fix the *-video-gpu-ccw package not being present in products:
  * [openSUSE] rpm/spec: go back to only Recommending -video-gpu-ccw for s390x
- Update to version 9.2.4:
  * target/hppa: Fix FPE exceptions
  * linux-user/hppa: Send proper si_code on SIGFPE exception
  * target/hppa: Copy instruction code into fr1 on FPU assist fault
  * migration: Allow caps to be set when preempt or multifd cap enabled
  * qapi/misc-target: Fix the doc to distinguish query-sgx and query-sgx-capabilities
  * hw/pci-host: Remove unused pci_host_data_be_ops
  * hw/pci-host/gt64120: Fix endianness handling
  * target/riscv/kvm: add kvm_csr_cfgs[]
  * target/riscv/kvm: turn kvm_riscv_reg_id_ulong() into a macro
  * target/riscv/kvm: turn u32/u64 reg functions into macros
  * target/riscv/kvm: fix leak in kvm_riscv_init_multiext_cfg()
  * target/riscv: Fix vslidedown with rvv_ta_all_1s
  * target/riscv: Fix the rvv reserved encoding of unmasked instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vector indexed load/store instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vector narrow/widen instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vector integer extension instructions(OPMVV)
  * target/riscv: rvv: Apply vext_check_input_eew to vector slide instructions(OPIVI/OPIVX)
  * target/riscv: rvv: Apply vext_check_input_eew to OPIVV/OPFVV(vext_check_sss) instructions
  * target/riscv: rvv: Apply vext_check_input_eew to OPIVI/OPIVX/OPFVF(vext_check_ss) instructions
  * target/riscv: rvv: Apply vext_check_input_eew to vrgather instructions to check mismatched input EEWs encoding constraint
  * target/riscv: rvv: Add CHECK arg to GEN_OPFVF_WIDEN_TRANS
  * target/riscv: rvv: Source vector registers cannot overlap mask register
  * common-user/host/riscv: use tail pseudoinstruction for calling tail
  * target/riscv: fix endless translation loop on big endian systems
  * target/riscv: pmp: move Smepmp operation conversion into a function
  * virtio: Call set_features during reset
  * s390x: Fix leak in machine_set_loadparm
  * 9pfs: fix FD leak and reduce latency of v9fs_reclaim_fd()
  * 9pfs: fix concurrent v9fs_reclaim_fd() calls
- all glib2 versions are recent enough to use pcre2:
  * qemu-linux-user: drop pcre (by Andreas Stieger)
- Correct wrong bug mentioned in changelog (bsc#1236329)
- Update to latest stable release (9.2.3) Fixes: bsc#1236329
  * hw/intc/aspeed: Fix IRQ handler mask check
  * hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
  * target/riscv: fix handling of nop for vstart >= vl in some vector instruction
  * target/riscv: refactor VSTART_CHECK_EARLY_EXIT() to accept vl as a parameter
  * Makefile: 'make dist' generates a .xz, not .bz2
  * target/ppc: Fix e200 duplicate SPRs
  * target/ppc: Fix facility interrupt checks for VSX
  * ppc/spapr: fix default cpu for pre-9.0 machines.
  * host/include/loongarch64: Fix inline assembly compatibility with Clang
  * linux-user/riscv: Fix handling of cpu mask in riscv_hwprobe syscall
  * target/riscv: fixes a bug against `ssamoswap` behavior in M-mode
  * target/riscv: fix access permission checks for CSR_SSP
  * docs/about/emulation: Fix broken link
  * vdpa: Allow vDPA to work on big-endian machine
  * vdpa: Fix endian bugs in shadow virtqueue
  * target/loongarch: Fix vldi inst
  * target/arm: Simplify pstate_sm check in sve_access_check
  * target/arm: Make DisasContext.{fp, sve}_access_checked tristate
  * util/cacheflush: Make first DSB unconditional on aarch64
  * docs: Rename default-configs to configs
  * block: Zero block driver state before reopening
  * hw/xen/hvm: Fix Aarch64 typo
  * hw/net/smc91c111: Don't allow data register access to overrun buffer
  * hw/net/smc91c111: Sanitize packet length on tx
  * hw/net/smc91c111: Sanitize packet numbers
  * ppc/pnv/occ: Fix common area sensor offsets
  * xen: No need to flush the mapcache for grants (bsc#1236329)
  * net: move backend cleanup to NIC cleanup
  * net: parameterize the removing client from nc list
  * util/qemu-timer.c: Don't warp timer from timerlist_rearm()
  * target/arm: Correct STRD atomicity
  * target/arm: Correct LDRD atomicity and fault behaviour
  * hw/arm: enable secure EL2 timers for sbsa machine
  * hw/arm: enable secure EL2 timers for virt machine
  * target/arm: Implement SEL2 physical and virtual timers
- [openSUSE][RPM] spec: Require ipxe and virtio-gpu packages for more arch-es (bsc#1240157)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- qemu-vmsr-helper-9.2.4-150700.3.5.1 updated
- qemu-pr-helper-9.2.4-150700.3.5.1 updated
- qemu-img-9.2.4-150700.3.5.1 updated
- qemu-tools-9.2.4-150700.3.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:17 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:17 +0200 (CEST)
Subject: SUSE-CU-2025:4692-1: Security update of suse/nginx
Message-ID: <20250624071717.A9DFCF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4692-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-61.7 , suse/nginx:latest
Container Release : 61.7
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/nginx was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:19 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:19 +0200 (CEST)
Subject: SUSE-CU-2025:4693-1: Security update of bci/nodejs
Message-ID: <20250624071719.AE386F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4693-1
Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-9.7 , bci/node:latest , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-9.7 , bci/nodejs:latest
Container Release : 9.7
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:21 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:21 +0200 (CEST)
Subject: SUSE-CU-2025:4694-1: Security update of bci/openjdk-devel
Message-ID: <20250624071721.75159F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4694-1
Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17.0.15.0 , bci/openjdk-devel:17.0.15.0-7.14
Container Release : 7.14
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- container:bci-openjdk-17-15.7.17-7.13 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:23 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:23 +0200 (CEST)
Subject: SUSE-CU-2025:4695-1: Security update of bci/openjdk
Message-ID: <20250624071723.9DD7BF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4695-1
Container Tags : bci/openjdk:17 , bci/openjdk:17.0.15.0 , bci/openjdk:17.0.15.0-7.13
Container Release : 7.13
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:27 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:27 +0200 (CEST)
Subject: SUSE-CU-2025:4697-1: Security update of bci/openjdk
Message-ID: <20250624071727.E22D8FCFE@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4697-1
Container Tags : bci/openjdk:21 , bci/openjdk:21.0.7.0 , bci/openjdk:21.0.7.0-10.12 , bci/openjdk:latest
Container Release : 10.12
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:31 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:31 +0200 (CEST)
Subject: SUSE-CU-2025:4698-1: Security update of suse/pcp
Message-ID: <20250624071731.5E38EFCFE@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4698-1
Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.10 , suse/pcp:latest
Container Release : 61.10
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:bci-bci-init-15.7-dd98290f2c7a4cd2108fcb6d2cd1f600910e5dfcbc9235fc428221650e4bb8d6-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:33 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:33 +0200 (CEST)
Subject: SUSE-CU-2025:4699-1: Security update of bci/php-apache
Message-ID: <20250624071733.6EDD3FCFE@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4699-1
Container Tags : bci/php-apache:8 , bci/php-apache:8.3.19 , bci/php-apache:8.3.19-10.8 , bci/php-apache:latest
Container Release : 10.8
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:35 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:35 +0200 (CEST)
Subject: SUSE-CU-2025:4700-1: Security update of bci/php-fpm
Message-ID: <20250624071735.60F67FCFE@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4700-1
Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-10.8 , bci/php-fpm:latest
Container Release : 10.8
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/php-fpm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:17:25 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:17:25 +0200 (CEST)
Subject: SUSE-CU-2025:4696-1: Security update of bci/openjdk-devel
Message-ID: <20250624071725.EDFE2F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4696-1
Container Tags : bci/openjdk-devel:21 , bci/openjdk-devel:21.0.7.0 , bci/openjdk-devel:21.0.7.0-10.13 , bci/openjdk-devel:latest
Container Release : 10.13
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- container:bci-openjdk-21-15.7.21-10.12 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:58:41 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:58:41 +0200 (CEST)
Subject: SUSE-CU-2025:4700-1: Security update of bci/php-fpm
Message-ID: <20250624075841.87364F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4700-1
Container Tags : bci/php-fpm:8 , bci/php-fpm:8.3.19 , bci/php-fpm:8.3.19-10.8 , bci/php-fpm:latest
Container Release : 10.8
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/php-fpm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:58:43 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:58:43 +0200 (CEST)
Subject: SUSE-CU-2025:4701-1: Security update of bci/php
Message-ID: <20250624075843.46538F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/php
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4701-1
Container Tags : bci/php:8 , bci/php:8.3.19 , bci/php:8.3.19-10.8 , bci/php:latest
Container Release : 10.8
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/php was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:58:44 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:58:44 +0200 (CEST)
Subject: SUSE-CU-2025:4702-1: Security update of suse/postgres
Message-ID: <20250624075844.D8F12F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4702-1
Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-61.7 , suse/postgres:latest
Container Release : 61.7
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- container:suse-sle15-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:58:47 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:58:47 +0200 (CEST)
Subject: SUSE-CU-2025:4703-1: Security update of bci/python
Message-ID: <20250624075847.94F2DF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4703-1
Container Tags : bci/python:3 , bci/python:3.11 , bci/python:3.11.13 , bci/python:3.11.13-71.9
Container Release : 71.9
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:58:50 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:58:50 +0200 (CEST)
Subject: SUSE-CU-2025:4704-1: Security update of bci/python
Message-ID: <20250624075850.5B6B5F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4704-1
Container Tags : bci/python:3.13 , bci/python:3.13.0 , bci/python:3.13.0-71.8 , bci/python:latest
Container Release : 71.8
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:58:52 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:58:52 +0200 (CEST)
Subject: SUSE-CU-2025:4705-1: Security update of bci/python
Message-ID: <20250624075852.BEA9DF78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4705-1
Container Tags : bci/python:3 , bci/python:3.6 , bci/python:3.6.15 , bci/python:3.6.15-71.8
Container Release : 71.8
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- openssl-3-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:58:55 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:58:55 +0200 (CEST)
Subject: SUSE-CU-2025:4706-1: Security update of suse/rmt-server
Message-ID: <20250624075855.AAF54F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4706-1
Container Tags : suse/rmt-server:2 , suse/rmt-server:2.21 , suse/rmt-server:2.21-71.8 , suse/rmt-server:latest
Container Release : 71.8
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container suse/rmt-server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
  (bsc#1236599)
- CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136)

The following package changes have been done:

- libopenssl3-3.2.3-150700.5.5.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated
- container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated

From sle-container-updates at lists.suse.com Tue Jun 24 07:59:00 2025
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 24 Jun 2025 09:59:00 +0200 (CEST)
Subject: SUSE-CU-2025:4708-1: Security update of bci/ruby
Message-ID: <20250624075900.AE809F78C@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4708-1
Container Tags : bci/ruby:3 , bci/ruby:3.4 , bci/ruby:3.4-10.7 , bci/ruby:latest
Container Release : 10.7
Severity : important
Type : security
References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2042-1
Released: Fri Jun 20 12:38:43 2025
Summary: Security update for openssl-3
Type: security
Severity: important
References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587

This update for openssl-3 fixes the following issues:

- CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459).
- CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected.
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:58:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:58:58 +0200 (CEST) Subject: SUSE-CU-2025:4707-1: Security update of bci/ruby Message-ID: <20250624075858.2A204F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/ruby ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4707-1 Container Tags : bci/ruby:2 , bci/ruby:2.5 , bci/ruby:2.5-11.7 Container Release : 11.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/ruby was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:59:02 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:59:02 +0200 (CEST) Subject: SUSE-CU-2025:4709-1: Security update of bci/rust Message-ID: <20250624075902.B404AF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4709-1 Container Tags : bci/rust:1.86 , bci/rust:1.86.0 , bci/rust:1.86.0-2.2.12 , bci/rust:oldstable , bci/rust:oldstable-2.2.12 Container Release : 2.12 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:59:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:59:04 +0200 (CEST) Subject: SUSE-CU-2025:4711-1: Security update of bci/rust Message-ID: <20250624075904.C5794F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/rust ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4711-1 Container Tags : bci/rust:1.87 , bci/rust:1.87.0 , bci/rust:1.87.0-1.3.7 , bci/rust:latest , bci/rust:stable , bci/rust:stable-1.3.7 Container Release : 3.7 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/rust was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:59:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:59:08 +0200 (CEST) Subject: SUSE-CU-2025:4712-1: Security update of bci/bci-sle15-kernel-module-devel Message-ID: <20250624075908.32F4DF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-sle15-kernel-module-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4712-1 Container Tags : bci/bci-sle15-kernel-module-devel:15.7 , bci/bci-sle15-kernel-module-devel:15.7-41.8 , bci/bci-sle15-kernel-module-devel:latest Container Release : 41.8 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container bci/bci-sle15-kernel-module-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - openssl-3-3.2.3-150700.5.5.1 updated - container:registry.suse.com-bci-bci-base-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:59:10 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:59:10 +0200 (CEST) Subject: SUSE-CU-2025:4713-1: Security update of suse/sle15 Message-ID: <20250624075910.A9466F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4713-1 Container Tags : bci/bci-base:15.7 , bci/bci-base:15.7-5.8.6 , bci/bci-base:latest , suse/sle15:15.7 , suse/sle15:15.7-5.8.6 , suse/sle15:latest Container Release : 5.8.6 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl-3-fips-provider-3.2.3-150700.5.5.1 updated - libopenssl3-3.2.3-150700.5.5.1 updated - openssl-3-3.2.3-150700.5.5.1 updated From sle-container-updates at lists.suse.com Tue Jun 24 07:59:47 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 09:59:47 +0200 (CEST) Subject: SUSE-CU-2025:4723-1: Security update of suse/manager/5.0/x86_64/proxy-tftpd Message-ID: <20250624075947.3FB2EF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4723-1 Container Tags : suse/manager/5.0/x86_64/proxy-tftpd:5.0.4.1 , suse/manager/5.0/x86_64/proxy-tftpd:5.0.4.1.7.20.1 , suse/manager/5.0/x86_64/proxy-tftpd:latest Container Release : 7.20.1 Severity : moderate Type : security References : 1244039 CVE-2024-47081 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/proxy-tftpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1998-1 Released: Wed Jun 18 10:42:20 2025 Summary: Security update for python-requests Type: security Severity: moderate References: 1244039,CVE-2024-47081 This update for python-requests fixes the following issues: - CVE-2024-47081: fixed netrc credential leak (bsc#1244039). 
The following package changes have been done: - python3-requests-2.25.1-150300.3.15.1 updated From sle-container-updates at lists.suse.com Tue Jun 24 08:00:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 10:00:04 +0200 (CEST) Subject: SUSE-CU-2025:4726-1: Security update of suse/manager/5.0/x86_64/server Message-ID: <20250624080004.03249F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4726-1 Container Tags : suse/manager/5.0/x86_64/server:5.0.4.1 , suse/manager/5.0/x86_64/server:5.0.4.1.7.27.2 , suse/manager/5.0/x86_64/server:latest Container Release : 7.27.2 Severity : important Type : security References : 1239012 1239543 1240132 1241463 1243226 1243887 1243901 1244039 1244079 1244105 1244509 CVE-2024-47081 CVE-2025-40909 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:1998-1 Released: Wed Jun 18 10:42:20 2025 Summary: Security update for python-requests Type: security Severity: moderate References: 1244039,CVE-2024-47081 This update for python-requests fixes the following issues: - CVE-2024-47081: fixed netrc credential leak (bsc#1244039). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2007-1 Released: Wed Jun 18 16:03:17 2025 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1239012,1239543,1240132,1241463,1243887,1243901,1244105 This update for libzypp, zypper fixes the following issues: - Fix credential handling in HEAD requests (bsc#1244105) - RepoInfo: use pathNameSetTrailingSlash - Fix wrong userdata parameter type when running zypp with debug verbosity (bsc#1239012) - Do not warn about no mirrors if mirrorlist was switched on automatically. (bsc#1243901) - Relax permission of cached packages to 0644 & ~umask (bsc#1243887) - Add a note to service maintained .repo file entries - Support using %{url} variable in a RIS service's repo section. - Use a cookie file to validate mirrorlist cache. This patch extends the mirrorlist code to use a cookie file to validate the contents of the cache against the source URL, making sure that we do not accidentally use an old cache when the mirrorlist url was changed. For example when migrating a system from one release to the next where the same repo alias might just have a different URL. - Let Service define and update gpgkey, mirrorlist and metalink. - Preserve a mirrorlist file in the raw cache during refresh. - Enable curl2 backend and parallel package download by default. Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1> can be used to turn the features on or off. - Make gpgKeyUrl the default source for gpg keys. When refreshing zypp now primarily uses gpgKeyUrl information from the repo files and only falls back to an automatically generated key Url if a gpgKeyUrl was not specified. - Introduce mirrors into the Media backends (bsc#1240132) - Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543) - Check if request is in valid state in CURL callbacks - spec/CMake: add conditional build '--with[out] classic_rpmtrans_as_default'. classic_rpmtrans is the current builtin default for SUSE, otherwise it's single_rpmtrans. The `enable_preview_single_rpmtrans_as_default_for_zypper` switch was removed from the spec file. Accordingly the CMake option ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed. - BuildRequires: libzypp-devel >= 17.37.0. - Use libzypp improvements for preload and mirror handling. - xmlout.rnc: Update repo-element (bsc#1241463) Add the 'metalink' attribute and reflect that the 'url' elements list may in fact be empty, if no baseurls are defined in the .repo files. - man: update --allow-unsigned-rpm description. Explain how to achieve the same for packages provided by repositories. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
----------------------------------------------------------------- Advisory ID: SUSE-Manager-5.0-2025-2062 Released: Mon Jun 23 11:26:16 2025 Summary: Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server Type: recommended Severity: moderate References: Maintenance update for Multi-Linux Manager 5.0: Server, Proxy and Retail Branch Server This is a codestream only update The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - libzypp-17.37.5-150600.3.60.1 updated - zypper-1.14.90-150600.10.34.3 updated - perl-base-5.26.1-150300.17.20.1 updated - perl-5.26.1-150300.17.20.1 updated - spacewalk-base-minimal-5.0.20-150600.3.24.4 updated - spacewalk-base-minimal-config-5.0.20-150600.3.24.4 updated - python3-requests-2.25.1-150300.3.15.1 updated - spacewalk-base-5.0.20-150600.3.24.4 updated - spacewalk-html-5.0.20-150600.3.24.4 updated - container:suse-manager-5.0-init-5.0.4.1-5.0.4.1-7.18.5 added - container:suse-manager-5.0-init-5.0.4-5.0.4-7.15.5 removed From sle-container-updates at lists.suse.com Tue Jun 24 08:00:09 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 24 Jun 2025 10:00:09 +0200 (CEST) Subject: SUSE-CU-2025:4727-1: Security update of suse/manager/5.0/x86_64/server-migration-14-16 Message-ID: <20250624080009.38D28F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/5.0/x86_64/server-migration-14-16 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4727-1 Container Tags : suse/manager/5.0/x86_64/server-migration-14-16:5.0.4.1 , suse/manager/5.0/x86_64/server-migration-14-16:5.0.4.1.7.20.1 , suse/manager/5.0/x86_64/server-migration-14-16:latest Container Release : 7.20.1 Severity : important Type : security References : 1243226 1244079 1244509 CVE-2025-40909 CVE-2025-6018 CVE-2025-6020 ----------------------------------------------------------------- The container 
suse/manager/5.0/x86_64/server-migration-14-16 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2013-1 Released: Wed Jun 18 20:05:07 2025 Summary: Security update for pam Type: security Severity: important References: 1243226,1244509,CVE-2025-6018,CVE-2025-6020 This update for pam fixes the following issues: - CVE-2025-6018: pam_env: Change the default to not read the user .pam_environment file (bsc#1243226). - CVE-2025-6020: pam_namespace: convert functions that may operate on a user-controlled path to operate on file descriptors instead of absolute path (bsc#1244509). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). 
The following package changes have been done: - pam-1.3.0-150000.6.83.1 updated - perl-5.26.1-150300.17.20.1 updated - container:suse-manager-5.0-init-5.0.4.1-5.0.4.1-7.18.5 added - container:suse-manager-5.0-init-5.0.4-5.0.4-7.15.5 removed From sle-container-updates at lists.suse.com Wed Jun 25 07:04:15 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:04:15 +0200 (CEST) Subject: SUSE-IU-2025:1643-1: Security update of suse/sle-micro/base-5.5 Message-ID: <20250625070415.36BFDFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/base-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1643-1 Image Tags : suse/sle-micro/base-5.5:2.0.4 , suse/sle-micro/base-5.5:2.0.4-5.8.180 , suse/sle-micro/base-5.5:latest Image Release : 5.8.180 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sle-micro/base-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2082-1 Released: Tue Jun 24 12:28:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
The following package changes have been done: - pam-config-1.1-150200.3.14.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:05:01 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:05:01 +0200 (CEST) Subject: SUSE-IU-2025:1644-1: Security update of suse/sle-micro/kvm-5.5 Message-ID: <20250625070501.1D6CAFCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/kvm-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1644-1 Image Tags : suse/sle-micro/kvm-5.5:2.0.4 , suse/sle-micro/kvm-5.5:2.0.4-3.5.344 , suse/sle-micro/kvm-5.5:latest Image Release : 3.5.344 Severity : important Type : security References : 1243226 1244079 CVE-2025-40909 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sle-micro/kvm-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2027-1 Released: Thu Jun 19 17:15:41 2025 Summary: Security update for perl Type: security Severity: moderate References: 1244079,CVE-2025-40909 This update for perl fixes the following issues: - CVE-2025-40909: Do not change the current directory when cloning an open directory handle (bsc#1244079). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2082-1 Released: Tue Jun 24 12:28:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
The following package changes have been done: - perl-base-5.26.1-150300.17.20.1 updated - pam-config-1.1-150200.3.14.1 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.180 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:06:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:06:11 +0200 (CEST) Subject: SUSE-IU-2025:1645-1: Security update of suse/sle-micro/rt-5.5 Message-ID: <20250625070611.9A047FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/rt-5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1645-1 Image Tags : suse/sle-micro/rt-5.5:2.0.4 , suse/sle-micro/rt-5.5:2.0.4-4.5.412 , suse/sle-micro/rt-5.5:latest Image Release : 4.5.412 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sle-micro/rt-5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2082-1 Released: Tue Jun 24 12:28:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
The following package changes have been done: - pam-config-1.1-150200.3.14.1 updated - container:suse-sle-micro-5.5-latest-2.0.4-5.5.312 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:07:22 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:07:22 +0200 (CEST) Subject: SUSE-IU-2025:1647-1: Security update of suse/sle-micro/5.5 Message-ID: <20250625070722.02988FCFE@maintenance.suse.de> SUSE Image Update Advisory: suse/sle-micro/5.5 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2025:1647-1 Image Tags : suse/sle-micro/5.5:2.0.4 , suse/sle-micro/5.5:2.0.4-5.5.313 , suse/sle-micro/5.5:latest Image Release : 5.5.313 Severity : important Type : security References : 1239776 1243226 CVE-2024-6104 CVE-2025-22869 CVE-2025-27144 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sle-micro/5.5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2082-1 Released: Tue Jun 24 12:28:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2025:2093-1 Released: Tue Jun 24 15:45:24 2025 Summary: Recommended update for podman Type: recommended Severity: moderate References: 1239776,CVE-2024-6104,CVE-2025-22869,CVE-2025-27144 This update for podman fixes the following issues: - Added patch to remove using rw as a default mount option (bsc#1239776) The following package changes have been done: - pam-config-1.1-150200.3.14.1 updated - podman-4.9.5-150500.3.43.2 updated - container:suse-sle-micro-base-5.5-latest-2.0.4-5.8.180 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:13:51 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:13:51 +0200 (CEST) Subject: SUSE-CU-2025:4731-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20250625071351.C6AF6F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4731-1 Container Tags : suse/sle-micro/5.3/toolbox:14.2 , suse/sle-micro/5.3/toolbox:14.2-6.11.147 , suse/sle-micro/5.3/toolbox:latest Container Release : 6.11.147 Severity : important Type : security References : 1161007 1167603 1193951 1243721 CVE-2020-21913 CVE-2025-5222 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). 
The following package changes have been done: - libicu-suse65_1-65.1-150200.4.15.1 updated - libicu65_1-ledata-65.1-150200.4.15.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:16:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:16:20 +0200 (CEST) Subject: SUSE-CU-2025:4732-1: Security update of suse/sle-micro-rancher/5.4 Message-ID: <20250625071620.39C75F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro-rancher/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4732-1 Container Tags : suse/sle-micro-rancher/5.4:5.4.4.5.9 , suse/sle-micro-rancher/5.4:latest Container Release : 4.5.9 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/sle-micro-rancher/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2082-1 Released: Tue Jun 24 12:28:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
The following package changes have been done: - pam-config-1.1-150200.3.14.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:17:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:17:58 +0200 (CEST) Subject: SUSE-CU-2025:4733-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20250625071758.21BF5F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4733-1 Container Tags : suse/sle-micro/5.4/toolbox:14.2 , suse/sle-micro/5.4/toolbox:14.2-5.19.147 , suse/sle-micro/5.4/toolbox:latest Container Release : 5.19.147 Severity : important Type : security References : 1161007 1167603 1193951 1243721 CVE-2020-21913 CVE-2025-5222 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). 
The following package changes have been done: - libicu-suse65_1-65.1-150200.4.15.1 updated - libicu65_1-ledata-65.1-150200.4.15.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:19:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:19:18 +0200 (CEST) Subject: SUSE-CU-2025:4734-1: Security update of suse/sle-micro/5.5/toolbox Message-ID: <20250625071918.B84D0F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4734-1 Container Tags : suse/sle-micro/5.5/toolbox:14.2 , suse/sle-micro/5.5/toolbox:14.2-3.12.50 , suse/sle-micro/5.5/toolbox:latest Container Release : 3.12.50 Severity : important Type : security References : 1161007 1167603 1193951 1243721 CVE-2020-21913 CVE-2025-5222 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). 
The following package changes have been done: - libicu-suse65_1-65.1-150200.4.15.1 updated - libicu65_1-ledata-65.1-150200.4.15.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:23:58 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:23:58 +0200 (CEST) Subject: SUSE-CU-2025:4737-1: Security update of suse/hpc/warewulf4-x86_64/sle-hpc-node Message-ID: <20250625072358.901F2F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4737-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.8.63 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.8.63 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226).
The following package changes have been done: - pam-config-1.1-150600.16.8.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:24:43 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:24:43 +0200 (CEST) Subject: SUSE-CU-2025:4738-1: Security update of bci/bci-init Message-ID: <20250625072443.AE5D1F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4738-1 Container Tags : bci/bci-init:15.6 , bci/bci-init:15.6.44.7 Container Release : 44.7 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226). 
The following package changes have been done: - pam-config-1.1-150600.16.8.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:26:00 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:26:00 +0200 (CEST) Subject: SUSE-CU-2025:4739-1: Security update of bci/bci-init Message-ID: <20250625072600.D3348F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4739-1 Container Tags : bci/bci-init:15.7 , bci/bci-init:15.7-41.10 , bci/bci-init:latest Container Release : 41.10 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226). 
The following package changes have been done: - pam-config-1.1-150600.16.8.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:26:04 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:26:04 +0200 (CEST) Subject: SUSE-CU-2025:4740-1: Security update of bci/kiwi Message-ID: <20250625072604.7424FF78C@maintenance.suse.de> SUSE Container Update Advisory: bci/kiwi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4740-1 Container Tags : bci/kiwi:9 , bci/kiwi:9.24 , bci/kiwi:9.24.43 , bci/kiwi:9.24.43-16.13 , bci/kiwi:latest Container Release : 16.13 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container bci/kiwi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226). 
The following package changes have been done: - pam-config-1.1-150600.16.8.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:26:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:26:08 +0200 (CEST) Subject: SUSE-CU-2025:4741-1: Security update of suse/pcp Message-ID: <20250625072608.E8BA3F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4741-1 Container Tags : suse/pcp:6 , suse/pcp:6.2 , suse/pcp:6.2.0 , suse/pcp:6.2.0-61.12 , suse/pcp:latest Container Release : 61.12 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2080-1 Released: Tue Jun 24 12:26:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226). 
The following package changes have been done: - pam-config-1.1-150600.16.8.1 updated - container:bci-bci-init-15.7-37796d5dcf270a3829ec3ecd29c94ae6153abee722f8d03c84ef47c40c8c86c3-0 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:26:11 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:26:11 +0200 (CEST) Subject: SUSE-CU-2025:4742-1: Security update of suse/postgres Message-ID: <20250625072611.A84B1F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4742-1 Container Tags : suse/postgres:16 , suse/postgres:16.9 , suse/postgres:16.9 , suse/postgres:16.9-61.8 Container Release : 61.8 Severity : important Type : security References : 1161007 1167603 1193951 1243721 CVE-2020-21913 CVE-2025-5222 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). 
The following package changes have been done: - libicu65_1-ledata-65.1-150200.4.15.1 updated - libicu-suse65_1-65.1-150200.4.15.1 updated - container:suse-sle15-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:26:14 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:26:14 +0200 (CEST) Subject: SUSE-CU-2025:4743-1: Security update of suse/postgres Message-ID: <20250625072614.3A143F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4743-1 Container Tags : suse/postgres:17 , suse/postgres:17.5 , suse/postgres:17.5 , suse/postgres:17.5-61.8 , suse/postgres:latest Container Release : 61.8 Severity : important Type : security References : 1161007 1167603 1193951 1243721 CVE-2020-21913 CVE-2025-5222 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). 
The following package changes have been done: - libicu65_1-ledata-65.1-150200.4.15.1 updated - libicu-suse65_1-65.1-150200.4.15.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:26:20 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:26:20 +0200 (CEST) Subject: SUSE-CU-2025:4745-1: Security update of suse/mariadb Message-ID: <20250625072620.8BE2CF78C@maintenance.suse.de> SUSE Container Update Advisory: suse/mariadb ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4745-1 Container Tags : suse/mariadb:11.4 , suse/mariadb:11.4.5 , suse/mariadb:11.4.5-61.8 , suse/mariadb:latest Container Release : 61.8 Severity : important Type : security References : 1236136 1236599 1243459 CVE-2024-12797 CVE-2024-13176 CVE-2025-27587 ----------------------------------------------------------------- The container suse/mariadb was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2042-1 Released: Fri Jun 20 12:38:43 2025 Summary: Security update for openssl-3 Type: security Severity: important References: 1236136,1236599,1243459,CVE-2024-12797,CVE-2024-13176,CVE-2025-27587 This update for openssl-3 fixes the following issues: - CVE-2025-27587: timing side-channel vulnerability in the P-384 implementation when used with ECDSA (bsc#1243459). - CVE-2024-12797: Fixed that RFC7250 handshakes with unauthenticated servers don't abort as expected. 
(bsc#1236599) - CVE-2024-13176: Fixed timing side-channel in ECDSA signature computation (bsc#1236136) The following package changes have been done: - libopenssl3-3.2.3-150700.5.5.1 updated - openssl-3-3.2.3-150700.5.5.1 updated - container:suse-sle15-15.7-9e49fc567fe60172c3ff29129ca645c392f64fee9781980847b55586563791b0-0 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:28:08 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:28:08 +0200 (CEST) Subject: SUSE-CU-2025:4752-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20250625072808.37BC0F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4752-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.15 , suse/manager/4.3/proxy-httpd:4.3.15.9.63.40 , suse/manager/4.3/proxy-httpd:latest Container Release : 9.63.40 Severity : important Type : security References : 1243226 CVE-2025-6018 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2082-1 Released: Tue Jun 24 12:28:23 2025 Summary: Security update for pam-config Type: security Severity: important References: 1243226,CVE-2025-6018 This update for pam-config fixes the following issues: - CVE-2025-6018: Stop adding pam_env in AUTH stack, and be sure to put this module at the very end of the SESSION stack (bsc#1243226). 
The following package changes have been done: - pam-config-1.1-150200.3.14.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:29:44 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:29:44 +0200 (CEST) Subject: SUSE-CU-2025:4753-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20250625072944.8F191F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4753-1 Container Tags : suse/sle-micro/5.1/toolbox:14.2 , suse/sle-micro/5.1/toolbox:14.2-3.13.139 , suse/sle-micro/5.1/toolbox:latest Container Release : 3.13.139 Severity : important Type : security References : 1161007 1167603 1193951 1243721 CVE-2020-21913 CVE-2025-5222 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). 
The following package changes have been done: - libicu-suse65_1-65.1-150200.4.15.1 updated - libicu65_1-ledata-65.1-150200.4.15.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:34:34 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:34:34 +0200 (CEST) Subject: SUSE-CU-2025:4755-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20250625073434.55877F78C@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4755-1 Container Tags : suse/sle-micro/5.2/toolbox:14.2 , suse/sle-micro/5.2/toolbox:14.2-7.11.141 , suse/sle-micro/5.2/toolbox:latest Container Release : 7.11.141 Severity : important Type : security References : 1161007 1167603 1193951 1243721 CVE-2020-21913 CVE-2025-5222 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2079-1 Released: Tue Jun 24 12:24:05 2025 Summary: Security update for icu Type: security Severity: important References: 1161007,1167603,1193951,1243721,CVE-2020-21913,CVE-2025-5222 This update for icu fixes the following issues: - CVE-2025-5222: Stack buffer overflow in the SRBRoot:addTag function (bsc#1243721). 
The following package changes have been done: - libicu-suse65_1-65.1-150200.4.15.1 updated - libicu65_1-ledata-65.1-150200.4.15.1 updated From sle-container-updates at lists.suse.com Wed Jun 25 07:26:18 2025 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 25 Jun 2025 09:26:18 +0200 (CEST) Subject: SUSE-CU-2025:4744-1: Security update of bci/python Message-ID: <20250625072618.2E143F78C@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2025:4744-1 Container Tags : bci/python:3.13 , bci/python:3.13.5 , bci/python:3.13.5-71.9 , bci/python:latest Container Release : 71.9 Severity : important Type : security References : 1228165 1232241 1234290 1236705 1238450 1239210 1243273 1244032 1244056 1244059 1244060 CVE-2024-12254 CVE-2024-12718 CVE-2024-9287 CVE-2025-0938 CVE-2025-1795 CVE-2025-4138 CVE-2025-4330 CVE-2025-4516 CVE-2025-4517 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2025:2074-1 Released: Tue Jun 24 09:26:29 2025 Summary: Security update for python313 Type: security Severity: important References: 1228165,1232241,1234290,1236705,1238450,1239210,1243273,1244032,1244056,1244059,1244060,CVE-2024-12254,CVE-2024-12718,CVE-2024-9287,CVE-2025-0938,CVE-2025-1795,CVE-2025-4138,CVE-2025-4330,CVE-2025-4516,CVE-2025-4517 This update for python313 fixes the following issues: Update to version 3.13.5. Security issues fixed: - CVE-2025-4517: arbitrary filesystem writes outside the extraction directory during extraction with filter='data' (bsc#1244032) - CVE-2025-4516: use-after-free in the unicode-escape decoder when using the error handler (bsc#1243273). 
- CVE-2025-4330: extraction filter bypass for linking outside extraction directory (bsc#1244060) - CVE-2025-4138: may allow symlink targets to point outside the destination directory, and the modification of some file metadata. (bsc#1244059) - CVE-2025-0938: domain names containing square brackets are not identified as incorrect by urlparse (bsc#1236705). - CVE-2024-12718: bypass extraction filter to modify file metadata outside extraction directory (bsc#1244056) - CVE-2024-12254: memory exhaustion due to unbounded memory buffering in `SelectorSocketTransport.writelines()` (bsc#1234290). Other changes and issues fixed: Changes from 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name "C.UTF-8" to "en_US.UTF-8". - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE macros in the limited C API 3.11 and older: don't treat Py_None, Py_True and Py_False as immortal. 
Patch by Victor Stinner. - gh-134989: Implement PyObject_DelAttr() and PyObject_DelAttrString() as macros in the limited C API 3.12 and older. Patch by Victor Stinner. Changes from 3.13.4: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter='data' and filter='tar') to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). - gh-133767: Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any "spawn" start method platform rather than only on Windows. - gh-114177: Fix asyncio to not close subprocess pipes which would otherwise error out when the event loop is already closed. - gh-134152: Fixed UnboundLocalError that could occur during email header parsing if an expected trailing delimiter is missing in some contexts. 
- gh-62184: Remove import of C implementation of io.FileIO from Python implementation which has its own implementation - gh-133982: Emit RuntimeWarning in the Python implementation of io when the file-like object is not closed explicitly in the presence of multiple I/O layers. - gh-133890: The tarfile module now handles UnicodeEncodeError in the same way as OSError when it cannot extract a member. - gh-134097: Fix interaction of the new REPL and -X showrefcount command line option. - gh-133889: The generated directory listing page in http.server.SimpleHTTPRequestHandler now only shows the decoded path component of the requested URL, and not the query and fragment. - gh-134098: Fix handling paths that end with a percent-encoded slash (%2f or %2F) in http.server.SimpleHTTPRequestHandler. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-133745: In 3.13.3 we accidentally changed the signature of the asyncio create_task() family of methods and how it calls a custom task factory in a backwards incompatible way. Since some 3rd party libraries have already made changes to work around the issue that might break if we simply reverted the changes, we're instead changing things to be backwards compatible with 3.13.2 while still supporting those workarounds for 3.13.3. In particular, the special-casing of name and context is back (until 3.14) and consequently eager tasks may still find that their name hasn't been set before they execute their first yielding await. - gh-71253: Raise ValueError in open() if opener returns a negative file-descriptor in the Python implementation of io to match the C implementation. - gh-77057: Fix handling of invalid markup declarations in html.parser.HTMLParser. - gh-133489: random.getrandbits() can now generate more than 2^31 bits. random.randbytes() can now generate more than 256 MiB. 
- gh-133290: Fix attribute caching issue when setting ctypes._Pointer._type_ in the undocumented and deprecated ctypes.SetPointerType() function and the undocumented set_type() method. - gh-132876: ldexp() on Windows doesn't round subnormal results before Windows 11, but should. Python's math.ldexp() wrapper now does round them, so results may change slightly, in rare cases of very small results, on Windows versions before 11. - gh-133089: Use original timeout value for subprocess.TimeoutExpired when the function subprocess.run() is called with a timeout instead of sometimes a confusing partial remaining time out value used internally on the final wait(). - gh-133009: xml.etree.ElementTree: Fix a crash in Element.__deepcopy__ when the element is concurrently mutated. Patch by Bénédikt Tran. - gh-132995: Bump the version of pip bundled in ensurepip to version 25.1.1 - gh-132017: Fix error when pyrepl is suspended, then resumed and terminated. - gh-132673: Fix a crash when using _align_ = 0 and _fields_ = [] in a ctypes.Structure. - gh-132527: Include the valid typecode 'w' in the error message when an invalid typecode is passed to array.array. - gh-132439: Fix PyREPL on Windows: characters entered via AltGr are swallowed. Patch by Chris Eibl. - gh-132429: Fix support of Bluetooth sockets on NetBSD and DragonFly BSD. - gh-132106: QueueListener.start now raises a RuntimeError if the listener is already started. - gh-132417: Fix a NULL pointer dereference when a C function called using ctypes with restype py_object returns NULL. - gh-132385: Fix instance error suggestions trigger potential exceptions in object.__getattr__() in traceback. - gh-132308: A traceback.TracebackException now correctly renders the __context__ and __cause__ attributes from falsey Exception, and the exceptions attribute from falsey ExceptionGroup. - gh-132250: Fixed the SystemError in cProfile when locating the actual C function of a method raises an exception. 
- gh-132063: Prevent exceptions that evaluate as falsey (namely, when their __bool__ method returns False or their __len__ method returns 0) from being ignored by concurrent.futures.ProcessPoolExecutor and concurrent.futures.ThreadPoolExecutor. - gh-119605: Respect follow_wrapped for __init__() and __new__() methods when getting the class signature for a class with inspect.signature(). Preserve class signature after wrapping with warnings.deprecated(). Patch by Xuehai Pan. - gh-91555: Ignore log messages generated during handling of log messages, to avoid deadlock or infinite recursion. - gh-131434: Improve error reporting for incorrect format in time.strptime(). - gh-131127: Systems using LibreSSL now successfully build. - gh-130999: Avoid exiting the new REPL and offer suggestions even if there are non-string candidates when errors occur. - gh-130941: Fix configparser.ConfigParser parsing empty interpolation with allow_no_value set to True. - gh-129098: Fix REPL traceback reporting when using compile() with a nonexistent file. Patch by Bénédikt Tran. - gh-130631: http.cookiejar.join_header_words() is now more similar to the original Perl version. It now quotes the same set of characters and always quotes values that end with '\n'. - gh-129719: Fix missing socket.CAN_RAW_ERR_FILTER constant in the socket module on Linux systems. It was missing since Python 3.11. - gh-124096: Turn on virtual terminal mode and enable bracketed paste in REPL on Windows console. (If the terminal does not support bracketed paste, enabling it does nothing.) - gh-122559: Remove __reduce__() and __reduce_ex__() methods that always raise TypeError in the C implementation of io.FileIO, io.BufferedReader, io.BufferedWriter and io.BufferedRandom and replace them with default __getstate__() methods that raise TypeError. This restores fine details of behavior of Python 3.11 and older versions. 
- gh-122179: hashlib.file_digest() now raises BlockingIOError when no data is available during non-blocking I/O. Before, it added spurious null bytes to the digest. - gh-86155: html.parser.HTMLParser.close() no longer loses data when the