SUSE-IU-2025:1573-1: Security update of sles-15-sp6-chost-byos-v20250611-arm64
sle-container-updates at lists.suse.com
Mon Jun 16 07:02:59 UTC 2025
SUSE Image Update Advisory: sles-15-sp6-chost-byos-v20250611-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2025:1573-1
Image Tags : sles-15-sp6-chost-byos-v20250611-arm64:20250611
Image Release :
Severity : important
Type : security
-----------------------------------------------------------------
The container sles-15-sp6-chost-byos-v20250611-arm64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:167-1
Released: Mon Jan 24 18:16:24 2022
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1187939
This update for cloud-netconfig fixes the following issues:
- Update to version 1.6:
+ Ignore proxy when accessing metadata (bsc#1187939)
+ Print warning in case metadata is not accessible
+ Documentation update
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:658-1
Released: Wed Mar 8 10:51:10 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1199853,1204549
This update for cloud-netconfig fixes the following issues:
- Update to version 1.7:
+ Overhaul policy routing setup
+ Support alias IPv4 ranges
+ Add support for NetworkManager (bsc#1204549)
+ Remove dependency on netconfig
+ Install into libexec directory
+ Clear stale ifcfg files for accelerated NICs (bsc#1199853)
+ More debug messages
+ Documentation update
- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in Tumbleweed, update path
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3637-1
Released: Mon Sep 18 13:02:23 2023
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1214715
This update for cloud-netconfig fixes the following issues:
- Update to version 1.8:
- Fix Automatic Addition of Secondary IP Addresses in Azure Using cloud-netconfig. (bsc#1214715)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:630-1
Released: Tue Feb 27 09:14:49 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1218069,1219007
This update for cloud-netconfig fixes the following issues:
- Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007)
- Drop package dependency on sysconfig-netconfig
- Improve log level handling
- Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:781-1
Released: Wed Mar 6 15:05:13 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1219454,1220718
This update for cloud-netconfig fixes the following issues:
- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d parent directory
- Update to version 1.11:
+ Revert address metadata lookup in GCE to local lookup (bsc#1219454)
+ Fix hang on warning log messages
+ Check whether getting IPv4 addresses from metadata failed and abort if true
+ Only delete policy rules if they exist
+ Skip adding/removing IPv4 ranges if metadata lookup failed
+ Improve error handling and logging in Azure
+ Set SCRIPTDIR when installing netconfig wrapper
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:869-1
Released: Wed Mar 13 10:48:51 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1221202
This update for cloud-netconfig fixes the following issues:
- Update to version 1.12 (bsc#1221202)
* If token access succeeds using IPv4, do not use the IPv6 endpoint; only use the IPv6 IMDS endpoint if IPv4 access fails.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1085-1
Released: Tue Apr 2 11:24:09 2024
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: moderate
References: 1221757
This update for cloud-netconfig fixes the following issues:
- Update to version 1.14
+ Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1606-1
Released: Tue May 20 15:53:14 2025
Summary: Recommended update for librdkafka
Type: recommended
Severity: moderate
References: 1242842
This update for librdkafka fixes the following issues:
- Avoid endless loops under certain circumstances (bsc#1242842)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1614-1
Released: Wed May 21 11:52:34 2025
Summary: Security update for the Linux Kernel
Type: security
Severity: important
The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes.
The following security bugs were fixed:
- CVE-2024-28956: x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006).
- CVE-2024-35840: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() (bsc#1224597).
- CVE-2024-50038: netfilter: xtables: fix typo causing some targets not to load on IPv6 (bsc#1231910).
- CVE-2024-50162: bpf: selftests: send packet to devmap redirect XDP (bsc#1233075).
- CVE-2024-50163: bpf: Make sure internal and UAPI bpf_redirect flags do not overlap (bsc#1233098).
- CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc (bsc#1234074).
- CVE-2024-53139: sctp: fix possible UAF in sctp_v6_available() (bsc#1234157).
- CVE-2024-57924: fs: relax assertions on failure to encode file handles (bsc#1236086).
- CVE-2024-58018: nvkm: correctly calculate the available space of the GSP cmdq buffer (bsc#1238990).
- CVE-2024-58068: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (bsc#1238961).
- CVE-2024-58070: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (bsc#1238983).
- CVE-2024-58071: team: prevent adding a device which is already a team device lower (bsc#1238970).
- CVE-2024-58088: bpf: Fix deadlock when freeing cgroup storage (bsc#1239510).
- CVE-2025-21683: bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704).
- CVE-2025-21696: mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111).
- CVE-2025-21707: mptcp: consolidate suboption status (bsc#1238862).
- CVE-2025-21729: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (bsc#1237874).
- CVE-2025-21755: vsock: Orphan socket after transport release (bsc#1237882).
- CVE-2025-21758: ipv6: mcast: add RCU protection to mld_newpack() (bsc#1238737).
- CVE-2025-21768: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels (bsc#1238714).
- CVE-2025-21792: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt (bsc#1238745).
- CVE-2025-21806: net: let net.core.dev_weight always be non-zero (bsc#1238746).
- CVE-2025-21808: net: xdp: Disallow attaching device-bound programs in generic mode (bsc#1238742).
- CVE-2025-21812: ax25: rcu protect dev->ax25_ptr (bsc#1238471).
- CVE-2025-21833: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (bsc#1239108).
- CVE-2025-21836: io_uring/kbuf: reallocate buf lists on upgrade (bsc#1239066).
- CVE-2025-21854: selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470).
- CVE-2025-21863: io_uring: prevent opcode speculation (bsc#1239475).
- CVE-2025-21867: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (bsc#1240181).
- CVE-2025-21873: scsi: ufs: core: bsg: Fix crash when arpmb command fails (bsc#1240184).
- CVE-2025-21875: mptcp: always handle address removal under msk socket lock (bsc#1240168).
- CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode() (bsc#1240185).
- CVE-2025-21884: net: better track kernel sockets lifetime (bsc#1240171).
- CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (bsc#1240176).
- CVE-2025-21889: perf/core: Add RCU read lock protection to perf_iterate_ctx() (bsc#1240167).
- CVE-2025-21894: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (bsc#1240581).
- CVE-2025-21895: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585).
- CVE-2025-21904: caif_virtio: fix wrong pointer check in cfv_probe() (bsc#1240576).
- CVE-2025-21906: wifi: iwlwifi: mvm: clean up ROC on failure (bsc#1240587).
- CVE-2025-21908: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (bsc#1240600).
- CVE-2025-21913: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (bsc#1240591).
- CVE-2025-21922: ppp: Fix KMSAN uninit-value warning with bpf (bsc#1240639).
- CVE-2025-21924: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (bsc#1240720).
- CVE-2025-21925: llc: do not use skb_get() before dev_queue_xmit() (bsc#1240713).
- CVE-2025-21926: net: gso: fix ownership in __udp_gso_segment (bsc#1240712).
- CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio (bsc#1240709).
- CVE-2025-21957: scsi: qla1280: Fix kernel oops when debug level > 2 (bsc#1240742).
- CVE-2025-21960: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (bsc#1240815).
- CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case (bsc#1240816).
- CVE-2025-21962: cifs: Fix integer overflow while processing closetimeo mount option (bsc#1240655).
- CVE-2025-21963: cifs: Fix integer overflow while processing acdirmax mount option (bsc#1240717).
- CVE-2025-21964: cifs: Fix integer overflow while processing acregmax mount option (bsc#1240740).
- CVE-2025-21969: kABI workaround for l2cap_conn changes (bsc#1240784).
- CVE-2025-21970: net/mlx5: Bridge, fix the crash caused by LAG state check (bsc#1240819).
- CVE-2025-21972: net: mctp: unshare packets when reassembling (bsc#1240813).
- CVE-2025-21975: net/mlx5: handle errors in mlx5_chains_create_table() (bsc#1240812).
- CVE-2025-21980: sched: address a potential NULL pointer dereference in the GRED scheduler (bsc#1240809).
- CVE-2025-21981: ice: fix memory leak in aRFS after reset (bsc#1240612).
- CVE-2025-21985: drm/amd/display: Fix out-of-bound accesses (bsc#1240811).
- CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (bsc#1240795).
- CVE-2025-21993: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (bsc#1240797).
- CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
- CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835).
- CVE-2025-22015: mm/migrate: fix shmem xarray update during migration (bsc#1240944).
- CVE-2025-22016: dpll: fix xa_alloc_cyclic() error handling (bsc#1240934).
- CVE-2025-22017: devlink: fix xa_alloc_cyclic() error handling (bsc#1240936).
- CVE-2025-22018: atm: Fix NULL pointer dereference (bsc#1241266).
- CVE-2025-22029: exec: fix the racy usage of fs_struct->in_exec (bsc#1241378).
- CVE-2025-22036: exfat: fix random stack corruption after get_block (bsc#1241426).
- CVE-2025-22045: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (bsc#1241433).
- CVE-2025-22053: net: ibmveth: make veth_pool_store stop hanging (bsc#1241373).
- CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371).
- CVE-2025-22058: udp: Fix memory accounting leak (bsc#1241332).
- CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526).
- CVE-2025-22064: netfilter: nf_tables: do not unregister hook when table is dormant (bsc#1241413).
- CVE-2025-22080: fs/ntfs3: Prevent integer overflow in hdr_first_de() (bsc#1241416).
- CVE-2025-22090: mm: (un)track_pfn_copy() fix + doc improvements (bsc#1241537).
- CVE-2025-22102: Bluetooth: btnxpuart: Fix kernel panic during FW release (bsc#1241456).
- CVE-2025-22104: ibmvnic: Use kernel helpers for hex dumps (bsc#1241550).
- CVE-2025-22105, CVE-2025-37860: Add missing bugzilla references (bsc#1241452 bsc#1241548).
- CVE-2025-22107: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (bsc#1241575).
- CVE-2025-22109: ax25: Remove broken autobind (bsc#1241573).
- CVE-2025-22115: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() (bsc#1241578).
- CVE-2025-22121: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (bsc#1241593).
- CVE-2025-2312: CIFS: New mount option for cifs.upcall namespace resolution (bsc#1239684).
- CVE-2025-23133: wifi: ath11k: update channel list in reg notifier instead reg worker (bsc#1241451).
- CVE-2025-23138: watch_queue: fix pipe accounting mismatch (bsc#1241648).
- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
- CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).
- CVE-2025-37798: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() (bsc#1242414).
- CVE-2025-37799: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (bsc#1242283).
- CVE-2025-39728: clk: samsung: Fix UBSAN panic in samsung_clk_init() (bsc#1241626).
The following non-security bugs were fixed:
- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls (stable-fixes).
- ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes).
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes).
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes).
- ALSA: hda/realtek - Enable speaker for HP platform (git-fixes).
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes).
- ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes).
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models (git-fixes).
- ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist (stable-fixes).
- ALSA: hda: intel: Fix Optimus when GPU has no sound (stable-fixes).
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion (bsc#1242044).
- ALSA: usb-audio: Fix CME quirk for UF series keyboards (stable-fixes).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() (git-fixes).
- ASoC: SOF: topology: Use krealloc_array() to replace krealloc() (stable-fixes).
- ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes).
- ASoC: amd: yc: update quirk data for new Lenovo model (stable-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes).
- ASoC: fsl_audmix: register card device depends on 'dais' property (stable-fixes).
- ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes).
- ASoC: qcom: Fix sc7280 lpass potential buffer overflow (git-fixes).
- ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes).
- ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes).
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes).
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence (git-fixes).
- Bluetooth: btrtl: Prevent potential NULL dereference (git-fixes).
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() (git-fixes).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (git-fixes).
- Bluetooth: hci_uart: Fix another race during initialization (git-fixes).
- Bluetooth: hci_uart: fix race during initialization (stable-fixes).
- Bluetooth: l2cap: Check encryption key size on incoming connection (git-fixes).
- Bluetooth: l2cap: Process valid commands in too long frame (stable-fixes).
- Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes).
- HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes).
- HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes).
- Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes).
- Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes).
- OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961)
- PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads (git-fixes).
- PCI: Fix BAR resizing when VF BARs are assigned (git-fixes).
- PCI: Fix reference leak in pci_register_host_bridge() (git-fixes).
- PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes).
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type (stable-fixes).
- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes)
- RDMA/core: Silence oversized kvmalloc() warning (git-fixes)
- RDMA/hns: Fix wrong maximum DMA segment size (git-fixes)
- RDMA/mana_ib: Ensure variable err is initialized (git-fixes).
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes)
- Reapply 'Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6'.
- Require zstd in kernel-default-devel when module compression is zstd. To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides. Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
- Revert 'drivers: core: synchronize really_probe() and dev_uevent()' (stable-fixes).
- Revert 'drm/meson: vclk: fix calculation of 59.94 fractional rates' (git-fixes).
- Revert 'tcp: Fix bind() regression for v6-only wildcard and'.
- Revert 'wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()' (git-fixes).
- Test the correct macro to detect RT kernel build. Fixes: 470cd1a41502 ('kernel-binary: Support livepatch_rt with merged RT branch')
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) (stable-fixes).
- USB: VLI disk crashes if LPM is used (stable-fixes).
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe (stable-fixes).
- USB: serial: option: add Sierra Wireless EM9291 (stable-fixes).
- USB: serial: simple: add OWON HDS200 series oscilloscope support (stable-fixes).
- USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes).
- USB: wdm: add annotation (git-fixes).
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop (git-fixes).
- USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes).
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context (git-fixes).
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes).
- affs: do not write overlarge OFS data block size fields (git-fixes).
- affs: generate OFS sequence numbers starting at 1 (git-fixes).
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller (stable-fixes).
- arch_topology: Make register_cpu_capacity_sysctl() tolerant to late (bsc#1238052)
- arch_topology: init capacity_freq_ref to 0 (bsc#1238052)
- arm64/amu: Use capacity_ref_freq() to set AMU ratio (bsc#1238052)
- arm64: Do not call NULL in do_compat_alignment_fixup() (git-fixes)
- arm64: Provide an AMU-based version of arch_freq_get_on_cpu (bsc#1238052)
- arm64: Update AMU-based freq scale factor on entering idle (bsc#1238052)
- arm64: Utilize for_each_cpu_wrap for reference lookup (bsc#1238052)
- arm64: amu: Delay allocating cpumask for AMU FIE support (bsc#1238052)
- arm64: mm: Correct the update of max_pfn (git-fixes)
- asus-laptop: Fix an uninitialized variable (git-fixes).
- ata: libata-sata: Save all fields from sense data descriptor (git-fixes).
- ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type (git-fixes).
- ata: libata-scsi: Fix ata_msense_control_ata_feature() (git-fixes).
- ata: libata-scsi: Improve CDL control (git-fixes).
- ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() (git-fixes).
- ata: sata_sx4: Add error handling in pdc20621_i2c_read() (git-fixes).
- auxdisplay: hd44780: Convert to platform remove callback returning void (stable-fixes).
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes).
- badblocks: Fix error shitf ops (git-fixes).
- badblocks: fix merge issue when new badblocks align with pre+1 (git-fixes).
- badblocks: fix missing bad blocks on retry in _badblocks_check() (git-fixes).
- badblocks: fix the using of MAX_BADBLOCKS (git-fixes).
- badblocks: return error directly when setting badblocks exceeds 512 (git-fixes).
- badblocks: return error if any badblock set fails (git-fixes).
- blk-throttle: fix lower bps rate by throtl_trim_slice() (git-fixes).
- block: change blk_mq_add_to_batch() third argument type to bool (git-fixes).
- block: fix 'kmem_cache of name 'bio-108' already exists' (git-fixes).
- block: fix conversion of GPT partition name to 7-bit (git-fixes).
- block: fix resource leak in blk_register_queue() error path (git-fixes).
- block: integrity: Do not call set_page_dirty_lock() (git-fixes).
- block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone (git-fixes).
- bnxt_en: Linearize TX SKB if the fragments exceed the max (git-fixes).
- bnxt_en: Mask the bd_cnt field in the TX BD properly (git-fixes).
- bpf: Add missed var_off setting in coerce_subreg_to_size_sx() (git-fixes).
- bpf: Add missed var_off setting in set_sext32_default_val() (git-fixes).
- bpf: Check size for BTF-based ctx access of pointer members (git-fixes).
- bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes).
- bpf: add find_containing_subprog() utility function (bsc#1241590).
- bpf: avoid holding freeze_mutex during mmap operation (git-fixes).
- bpf: check changes_pkt_data property for extension programs (bsc#1241590).
- bpf: consider that tail calls invalidate packet pointers (bsc#1241590).
- bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs (bsc#1241590).
- bpf: fix potential error return (git-fixes).
- bpf: refactor bpf_helper_changes_pkt_data to use helper number (bsc#1241590).
- bpf: track changes_pkt_data property for global functions (bsc#1241590).
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes).
- btrfs: add and use helper to verify the calling task has locked the inode (bsc#1241204).
- btrfs: always fallback to buffered write if the inode requires checksum (bsc#1242831 bsc#1242710).
- btrfs: fix hole expansion when writing at an offset beyond EOF (bsc#1241151).
- btrfs: fix missing snapshot drew unlock when root is dead during swap activation (bsc#1241204).
- btrfs: fix race with memory mapped writes when activating swap file (bsc#1241204).
- btrfs: fix swap file activation failure due to extents that used to be shared (bsc#1241204).
- cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk (stable-fixes).
- char: misc: register chrdev region with all possible minors (git-fixes).
- cifs: Fix integer overflow while processing actimeo mount option (git-fixes).
- counter: fix privdata alignment (git-fixes).
- counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes).
- counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes).
- cpufreq/cppc: Set the frequency used for computing the capacity (bsc#1238052)
- cpufreq: Allow arch_freq_get_on_cpu to return an error (bsc#1238052)
- cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry (bsc#1238052). Keep the feature disabled by default on x86_64.
- crypto: atmel-sha204a - Set hwrng quality to lowest possible (git-fixes).
- crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes).
- crypto: ccp - Add support for PCI device 0x1134 (stable-fixes).
- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path (git-fixes).
- dm-bufio: do not schedule in atomic context (git-fixes).
- dm-ebs: fix prefetch-vs-suspend race (git-fixes).
- dm-integrity: set ti->error on memory allocation failure (git-fixes).
- dm-verity: fix prefetch-vs-suspend race (git-fixes).
- dm: add missing unlock on in dm_keyslot_evict() (git-fixes).
- dm: always update the array size in realloc_argv on success (git-fixes).
- dm: fix copying after src array boundaries (git-fixes).
- dmaengine: dmatest: Fix dmatest waiting less when interrupted (stable-fixes).
- drivers: base: devres: Allow to release group on device release (stable-fixes).
- drm/amd/display: Fix gpu reset in multidisplay config (git-fixes).
- drm/amd/display: Force full update in gpu reset (stable-fixes).
- drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes).
- drm/amd/pm/smu11: Prevent division by zero (git-fixes).
- drm/amd/pm: Prevent division by zero (git-fixes).
- drm/amd: Handle being compiled without SI or CIK support better (stable-fixes).
- drm/amd: Keep display off while going into S4 (stable-fixes).
- drm/amdgpu/dma_buf: fix page_link check (git-fixes).
- drm/amdgpu/gfx11: fix num_mec (git-fixes).
- drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() (stable-fixes).
- drm/amdkfd: Fix mode1 reset crash issue (stable-fixes).
- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset (stable-fixes).
- drm/amdkfd: clamp queue size to minimum (stable-fixes).
- drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes).
- drm/bridge: panel: forbid initializing a panel with unknown connector type (stable-fixes).
- drm/dp_mst: Add a helper to queue a topology probe (stable-fixes).
- drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes).
- drm/fdinfo: Protect against driver unbind (git-fixes).
- drm/i915/dg2: wait for HuC load completion before running selftests (stable-fixes).
- drm/i915/gvt: fix unterminated-string-initialization warning (stable-fixes).
- drm/i915/huc: Fix fence not released on early probe errors (git-fixes).
- drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' (git-fixes).
- drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ (stable-fixes).
- drm/i915: Disable RPG during live selftest (git-fixes).
- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off (stable-fixes).
- drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data (stable-fixes).
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (git-fixes).
- drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes).
- drm/sti: remove duplicate object names (git-fixes).
- drm/tests: Add helper to create mock crtc (stable-fixes).
- drm/tests: Add helper to create mock plane (stable-fixes).
- drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled (git-fixes).
- drm/tests: cmdline: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: helpers: Add atomic helpers (stable-fixes).
- drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() (stable-fixes).
- drm/tests: helpers: Create kunit helper to destroy a drm_display_mode (stable-fixes).
- drm/tests: helpers: Fix compiler warning (git-fixes).
- drm/tests: modes: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: probe-helper: Fix drm_display_mode memory leak (git-fixes).
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS (git-fixes).
- drm: allow encoder mode_set even when connectors change for crtc (stable-fixes).
- drm: panel-orientation-quirks: Add new quirk for GPD Win 2 (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for AYA NEO Slide (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) (stable-fixes).
- drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB (stable-fixes).
- drm: panel-orientation-quirks: Add support for AYANEO 2S (stable-fixes).
- e1000e: change k1 configuration on MTP and later platforms (git-fixes).
- eth: bnxt: fix missing ring index trim on error path (git-fixes).
- ethtool: Fix context creation with no parameters (git-fixes).
- ethtool: Fix set RXNFC command with symmetric RSS hash (git-fixes).
- ethtool: Fix wrong mod state in case of verbose and no_mask bitset (git-fixes).
- ethtool: do not propagate EOPNOTSUPP from dumps (git-fixes).
- ethtool: fix setting key and resetting indir at once (git-fixes).
- ethtool: netlink: Add missing ethnl_ops_begin/complete (git-fixes).
- ethtool: netlink: do not return SQI value if link is down (git-fixes).
- ethtool: plca: fix plca enable data type while parsing the value (git-fixes).
- ethtool: rss: echo the context number back (git-fixes).
- exfat: do not fallback to buffered write (git-fixes).
- exfat: drop ->i_size_ondisk (git-fixes).
- exfat: fix soft lockup in exfat_clear_bitmap (git-fixes).
- exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes).
- exfat: short-circuit zero-byte writes in exfat_file_write_iter (git-fixes).
- ext4: add missing brelse() for bh2 in ext4_dx_add_entry() (bsc#1242342).
- ext4: correct encrypted dentry name hash when not casefolded (bsc#1242540).
- ext4: do not over-report free space or inodes in statvfs (bsc#1242345).
- ext4: do not treat fhandle lookup of ea_inode as FS corruption (bsc#1242347).
- ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557).
- ext4: goto right label 'out_mmap_sem' in ext4_setattr() (bsc#1242556).
- ext4: make block validity check resistent to sb bh corruption (bsc#1242348).
- ext4: partial zero eof block on unaligned inode size extension (bsc#1242336).
- ext4: protect ext4_release_dquot against freezing (bsc#1242335).
- ext4: replace the traditional ternary conditional operator with with max()/min() (bsc#1242536).
- ext4: treat end of range as exclusive in ext4_zero_range() (bsc#1242539).
- ext4: unify the type of flexbg_size to unsigned int (bsc#1242538).
- fbdev: omapfb: Add 'plane' value check (stable-fixes).
- firmware: arm_ffa: Skip Rx buffer ownership release if not acquired (git-fixes).
- firmware: arm_scmi: Balance device refcount when destroying devices (git-fixes).
- firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes).
- fs/jfs: Prevent integer overflow in AG size calculation (git-fixes).
- fs/jfs: cast inactags to s64 to prevent potential overflow (git-fixes).
- fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() (bsc#1241250).
- fs: better handle deep ancestor chains in is_subdir() (bsc#1242528).
- fs: consistently deref the files table with rcu_dereference_raw() (bsc#1242535).
- fs: do not allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT (bsc#1242526).
- fs: support relative paths with FSCONFIG_SET_STRING (git-fixes).
- gpio: tegra186: fix resource handling in ACPI probe path (git-fixes).
- gpio: zynq: Fix wakeup source leaks on device unbind (stable-fixes).
- gve: handle overflow when reporting TX consumed descriptors (git-fixes).
- gve: set xdp redirect target only when it is available (git-fixes).
- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key (git-fixes).
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes).
- i2c: cros-ec-tunnel: defer probe if parent EC is not present (git-fixes).
- i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes).
- ice: Add check for devm_kzalloc() (git-fixes).
- ice: fix reservation of resources for RDMA when disabled (git-fixes).
- ice: stop truncating queue ids when checking (git-fixes).
- idpf: check error for register_netdev() on init (git-fixes).
- idpf: fix adapter NULL pointer dereference on reboot (git-fixes).
- igb: reject invalid external timestamp requests for 82580-based HW (git-fixes).
- igc: add lock preventing multiple simultaneous PTM transactions (git-fixes).
- igc: cleanup PTP module if probe fails (git-fixes).
- igc: fix PTM cycle trigger logic (git-fixes).
- igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes).
- igc: increase wait time before retrying PTM (git-fixes).
- igc: move ktime snapshot into PTM retry loop (git-fixes).
- iio: adc: ad7768-1: Fix conversion result sign (git-fixes).
- iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check (stable-fixes).
- iommu: Fix two issues in iommu_copy_struct_from_user() (git-fixes).
- ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr (git-fixes).
- irqchip/davinci: Remove leftover header (git-fixes).
- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (git-fixes).
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir() (bsc#1242307).
- jbd2: add a missing data flush during file and fs synchronization (bsc#1242346).
- jbd2: fix off-by-one while erasing journal (bsc#1242344).
- jbd2: flush filesystem device before updating tail sequence (bsc#1242333).
- jbd2: increase IO priority for writing revoke records (bsc#1242332).
- jbd2: increase the journal IO's priority (bsc#1242537).
- jbd2: remove wrong sb->s_sequence check (bsc#1242343).
- jfs: Fix uninit-value access of imap allocated in the diMount() function (git-fixes).
- jfs: Prevent copying of nlink with value 0 from disk inode (git-fixes).
- jfs: add sanity check for agwidth in dbMount (git-fixes).
- kABI fix for sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- kABI workaround for powercap update (bsc#1241010).
- kernel-binary: Support livepatch_rt with merged RT branch
- kernel-source: Also update the search to match bin/env Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env'
- ktest: Fix Test Failures Due to Missing LOG_FILE Directories (stable-fixes).
- kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes).
- lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes).
- libperf cpumap: Be tolerant of newline at the end of a cpumask (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Ensure empty cpumap is NULL from alloc (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Grow array of read CPUs in smaller increments (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Hide/reduce scope of MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__default_new() to perf_cpu_map__new_online_cpus() and prefer sysfs (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__dummy_new() to perf_cpu_map__new_any_cpu() (bsc#1234698 jsc#PED-12309).
- libperf cpumap: Rename perf_cpu_map__empty() to perf_cpu_map__has_any_cpu_or_is_empty() (bsc#1234698 jsc#PED-12309).
- loop: LOOP_SET_FD: send uevents for partitions (git-fixes).
- loop: properly send KOBJ_CHANGED uevent for disk device (git-fixes).
- loop: stop using vfs_iter_{read,write} for buffered I/O (git-fixes).
- md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb (bsc#1238212)
- media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes).
- mei: me: add panther lake H DID (stable-fixes).
- misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration (git-fixes).
- misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack (git-fixes).
- mm/readahead: fix large folio support in async readahead (bsc#1242321).
- mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT (bsc#1242326).
- mm: fix filemap_get_folios_contig returning batches of identical folios (bsc#1242327).
- mm: fix oops when filemap_map_pmd() without prealloc_pte (bsc#1242546).
- mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves (stable-fixes).
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe (git-fixes).
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes).
- mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN (git-fixes).
- mptcp: refine opt_mp_capable determination (git-fixes).
- mptcp: relax check on MPC passive fallback (git-fixes).
- mptcp: strict validation before using mp_opt->hmac (git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() (git-fixes).
- mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes).
- mtd: rawnand: Add status chack in r852_ready() (git-fixes).
- net/mlx5: Fill out devlink dev info only for PFs (git-fixes).
- net/mlx5: IRQ, Fix null string in debug print (git-fixes).
- net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch (git-fixes).
- net/mlx5: Start health poll after enable hca (git-fixes).
- net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context (git-fixes).
- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices (git-fixes).
- net/mlx5e: SHAMPO, Make reserved size independent of page size (git-fixes).
- net/tcp: refactor tcp_inet6_sk() (git-fixes).
- net: annotate data-races around sk->sk_dst_pending_confirm (git-fixes).
- net: annotate data-races around sk->sk_tx_queue_mapping (git-fixes).
- net: blackhole_dev: fix build warning for ethh set but not used (git-fixes).
- net: ethtool: Do not call .cleanup_data when prepare_data fails (git-fixes).
- net: ethtool: Fix RSS setting (git-fixes).
- net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes).
- net: mana: Switch to page pool for jumbo frames (git-fixes).
- net: mark racy access on sk->sk_rcvbuf (git-fixes).
- net: phy: leds: fix memory leak (git-fixes).
- net: phy: microchip: force IRQ polling mode for lan88xx (git-fixes).
- net: sctp: fix skb leak in sctp_inq_free() (git-fixes).
- net: set SOCK_RCU_FREE before inserting socket into hashtable (git-fixes).
- net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes).
- net_sched: drr: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: ets: Fix double list add in class with netem as child qdisc (git-fixes).
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (git-fixes).
- net_sched: qfq: Fix double list add in class with netem as child qdisc (git-fixes).
- netpoll: Use rcu_access_pointer() in netpoll_poll_lock (git-fixes).
- nfs: add missing selections of CONFIG_CRC32 (git-fixes).
- nfs: clear SB_RDONLY before getting superblock (bsc#1238565).
- nfs: ignore SB_RDONLY when remounting nfs (bsc#1238565).
- nfsd: decrease sc_count directly if fail to queue dl_recall (git-fixes).
- nfsd: put dl_stid if fail to queue dl_recall (git-fixes).
- ntb: Force physically contiguous allocation of rx ring buffers (git-fixes).
- ntb: intel: Fix using link status DB's (git-fixes).
- ntb: reduce stack usage in idt_scan_mws (stable-fixes).
- ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes).
- ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes).
- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes).
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes).
- ntb_perf: Fix printk format (git-fixes).
- nvme-pci: clean up CMBMSC when registering CMB fails (git-fixes).
- nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes).
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA (git-fixes).
- nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes).
- nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes).
- nvme/ioctl: do not warn on vectorized uring_cmd with fixed buffer (git-fixes).
- nvmet-fcloop: swap list_add_tail arguments (git-fixes).
- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes).
- objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes).
- objtool: Fix segfault in ignore_unreachable_insn() (git-fixes).
- perf cpumap: Reduce transitive dependencies on libperf MAX_NR_CPUS (bsc#1234698 jsc#PED-12309).
- perf pmu: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309).
- perf tools: annotate asm_pure_loop.S (bsc#1239906).
- perf: Increase MAX_NR_CPUS to 4096 (bsc#1234698 jsc#PED-12309).
- perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172)
- perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172)
- perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172)
- perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172)
- phy: freescale: imx8m-pcie: assert phy reset and perst in power off (git-fixes).
- pinctrl: renesas: rza2: Fix potential NULL pointer dereference (stable-fixes).
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug (git-fixes).
- platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes).
- platform/x86: ISST: Correct command storage data length (git-fixes).
- platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes).
- pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes).
- powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes).
- powercap: intel_rapl: Introduce APIs for PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010).
- powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes).
- powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes).
- powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes).
- powerpc/boot: Check for ld-option support (bsc#1215199).
- powerpc/boot: Fix dash warning (bsc#1215199).
- powerpc: Do not use --- in kernel logs (git-fixes).
- pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes).
- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() (git-fixes).
- pwm: rcar: Improve register calculation (git-fixes).
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
- rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE. We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit: e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
- rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML. This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64.
- rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
- rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038). OrderWithRequires was introduced in rpm 4.9 (i.e. SLE12+) to allow a package to inform the order of installation of another package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there. This is also needed for udev & systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659).
- rpm/kernel-binary.spec.in: revert the revert change with OrderWithRequires. The recent change using OrderWithRequires addresses the known issues, but also caused regressions for the existing image or package builds. For SLE15-SPx, better to be conservative and stick with the older way.
- rpm/package-descriptions: Add rt and rt_debug descriptions
- rtc: pcf85063: do a SW reset if POR failed (stable-fixes).
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013).
- s390/cio: Fix CHPID 'configure' attribute caching (git-fixes bsc#1240979).
- s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978).
- sched/topology: Add a new arch_scale_freq_ref() method (bsc#1238052)
- scsi: core: Use GFP_NOIO to avoid circular locking dependency (git-fixes).
- scsi: hisi_sas: Enable force phy when SATA disk directly connected (git-fixes).
- scsi: iscsi: Fix missing scsi_host_put() in error path (git-fixes).
- scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag (git-fixes).
- scsi: mpi3mr: Fix locking in an error path (git-fixes).
- scsi: mpt3sas: Fix a locking bug in an error path (git-fixes).
- scsi: mpt3sas: Reduce log level of ignore_delay_remove message to KERN_INFO (git-fixes).
- scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes).
- sctp: Fix undefined behavior in left shift operation (git-fixes).
- sctp: add mutual exclusion in proc_sctp_do_udp_port() (git-fixes).
- sctp: detect and prevent references to a freed transport in sendmsg (git-fixes).
- sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start (git-fixes).
- sctp: fix association labeling in the duplicate COOKIE-ECHO case (git-fixes).
- sctp: fix busy polling (git-fixes).
- sctp: prefer struct_size over open coded arithmetic (git-fixes).
- sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes).
- security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375).
- selftests/bpf: Add a few tests to cover (git-fixes).
- selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes).
- selftests/bpf: extend changes_pkt_data with cases w/o subprograms (bsc#1241590).
- selftests/bpf: freplace tests for tracking of changes_packet_data (bsc#1241590).
- selftests/bpf: test for changing packet data from global functions (bsc#1241590).
- selftests/bpf: validate that tail call invalidates packet pointers (bsc#1241590).
- selftests/futex: futex_waitv wouldblock test should fail (git-fixes).
- selftests/mm: generate a temporary mountpoint for cgroup filesystem (git-fixes).
- selinux: Implement mptcp_add_subflow hook (bsc#1240375).
- serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes).
- serial: msm: Configure correct working mode before starting earlycon (git-fixes).
- serial: sifive: lock port in startup()/shutdown() callbacks (git-fixes).
- smb: client: fix folio leaks and perf improvements (bsc#1239997, bsc#1241265).
- smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616).
- sound/virtio: Fix cancel_sync warnings on uninitialized work_structs (stable-fixes).
- spi: tegra114: Do not fail set_cs_timing when delays are zero (git-fixes).
- spi: tegra210-quad: add rate limiting and simplify timeout error message (stable-fixes).
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts (stable-fixes).
- splice: remove duplicate noinline from pipe_clear_nowait (bsc#1242328).
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes).
- string: Add load_unaligned_zeropad() code path to sized_strscpy() (git-fixes).
- tcp: fix mptcp DSS corruption due to large pmtu xmit (git-fixes).
- thunderbolt: Scan retimers after device router has been enumerated (stable-fixes).
- tools/hv: update route parsing in kvp daemon (git-fixes).
- tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192 (bsc#1241175).
- tools/power turbostat: report CoreThr per measurement interval (git-fixes).
- topology: Set capacity_freq_ref in all cases (bsc#1238052)
- tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- tpm_tis: Move CRC check to generic send routine (bsc#1235870).
- tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870).
- tty: n_tty: use uint for space returned by tty_write_room() (git-fixes).
- tty: serial: 8250: Add Brainboxes XC devices (stable-fixes).
- tty: serial: 8250: Add some more device IDs (stable-fixes).
- tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes).
- tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes).
- ublk: set_params: properly check if parameters can be applied (git-fixes).
- ucsi_ccg: Do not show failed to get FW build information error (git-fixes).
- udf: Fix inode_getblk() return value (bsc#1242313).
- udf: Skip parent dir link count update if corrupted (bsc#1242315).
- udf: Verify inode link counts before performing rename (bsc#1242314).
- usb: cdns3: Fix deadlock when using NCM gadget (git-fixes).
- usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines (git-fixes).
- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (git-fixes).
- usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes).
- usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield (stable-fixes).
- usb: dwc3: gadget: Refactor loop to avoid NULL endpoints (stable-fixes).
- usb: dwc3: gadget: check that event count does not exceed event buffer length (git-fixes).
- usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes).
- usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() (stable-fixes).
- usb: host: max3421-hcd: Add missing spi_device_id table (stable-fixes).
- usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func (stable-fixes).
- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive (stable-fixes).
- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive (stable-fixes).
- usb: xhci: correct debug message page size calculation (git-fixes).
- usbnet:fix NPE during rx_complete (git-fixes).
- vdpa/mlx5: Fix oversized null mkey longer than 32bit (git-fixes).
- vfs: do not mod negative dentry count when on shrinker list (bsc#1242534).
- virtchnl: make proto and filter action count unsigned (git-fixes).
- vmxnet3: Fix tx queue race condition with XDP (bsc#1241394).
- vmxnet3: unregister xdp rxq info in the reset path (bsc#1241394).
- wifi: at76c50x: fix use after free access in at76_disconnect (git-fixes).
- wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes).
- wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi (stable-fixes).
- wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process (stable-fixes).
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (git-fixes).
- wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes).
- wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes).
- wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes).
- wifi: mac80211: Purge vif txq in ieee80211_do_stop() (git-fixes).
- wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (git-fixes).
- wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes).
- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table (stable-fixes).
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release (git-fixes).
- wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes).
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).
- x86/bugs: Add RSB mitigation document (git-fixes).
- x86/bugs: Do not fill RSB on VMEXIT with eIBRS+retpoline (git-fixes).
- x86/bugs: Do not fill RSB on context switch with eIBRS (git-fixes).
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes).
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment (git-fixes).
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- x86/hyperv: Fix check of return value from snp_set_vmsa() (git-fixes).
- x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes).
- x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes).
- x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes).
- x86/microcode/AMD: Split load_microcode_amd() (git-fixes).
- x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (git-fixes).
- x86/microcode/intel: Set new revision only after a successful update (git-fixes).
- x86/microcode: Remove the driver announcement and version (git-fixes).
- x86/microcode: Rework early revisions reporting (git-fixes).
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- x86/uaccess: Improve performance by aligning writes to 8 bytes in copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes).
- xfs: flush inodegc before swapon (git-fixes).
- xhci: Fix null pointer dereference during S4 resume when resetting ep0 (bsc#1235550).
- xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (bsc#1235550).
- xhci: fix possible null pointer deref during xhci urb enqueue (bsc#1235550).
- zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING (bsc#1241167).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1615-1
Released: Wed May 21 11:53:06 2025
Summary: Security update for grub2
Type: security
Severity: moderate
References: 1235958,1235971,1239651,1242971,CVE-2025-4382
This update for grub2 rebuilds the existing package with the new 4k RSA secure boot key for IBM Power and Z.
Note: the signing keys of the x86 / x86_64 and aarch64 architectures are unchanged.
Also, the following issues were fixed:
- CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971)
- Fix segmentation fault error in grub2-probe with target=hints_string (bsc#1235971) (bsc#1235958) (bsc#1239651)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1638-1
Released: Wed May 21 12:48:35 2025
Summary: Security update for openssh
Type: security
Severity: moderate
References: 1236826,1239671,1241012,CVE-2025-32728
This update for openssh fixes the following issue:
Security fixes:
- CVE-2025-32728: Fixed logic error in DisableForwarding option (bsc#1241012)
Other fixes:
- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1.
- Enable --with-logind to call the SetTTY dbus method in systemd. This allows 'wall' to print messages in ssh ttys (bsc#1239671).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1648-1
Released: Wed May 21 22:43:46 2025
Summary: Recommended update for kbd
Type: recommended
Severity: moderate
References: 1237230
This update for kbd fixes the following issues:
- Don't search for resources in the current directory. It can cause unwanted side effects or even an infinite loop (bsc#1237230).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1689-1
Released: Fri May 23 12:46:42 2025
Summary: Recommended update for hwinfo
Type: recommended
Severity: moderate
References: 1240648
This update for hwinfo fixes the following issues:
- Version update v21.88
- Fix network card detection on aarch64 (bsc#1240648).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1702-1
Released: Sat May 24 11:50:53 2025
Summary: Security update for glibc
Type: security
Severity: important
References: 1243317,CVE-2025-4802
This update for glibc fixes the following issues:
- CVE-2025-4802: possible execution of attacker-controlled code when statically linked setuid binaries using dlopen search for libraries to load in LD_LIBRARY_PATH (bsc#1243317).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1703-1
Released: Sun May 25 23:42:28 2025
Summary: Security update for xen
Type: security
Severity: moderate
References: 1027519,1242490,1243117,CVE-2024-28956
This update for xen fixes the following issues:
Update to Xen 4.18.5:
Security fixes:
- CVE-2024-28956: Fixed Intel CPU Indirect Target Selection (ITS) (bsc#1243117)
Other fixes:
- Fixed boot failing with XEN kernel on DL580 Gen12 (bsc#1242490)
- Added missing upstream bug fixes (bsc#1027519)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1714-1
Released: Tue May 27 13:23:20 2025
Summary: Recommended update for ncurses
Type: recommended
Severity: moderate
References:
This update for ncurses fixes the following issues:
- Backport sclp terminfo description entry for s390 sclp terminal lines
- Add a further sclp entry for qemu s390 based systems
- Make use of dumb
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1721-1
Released: Tue May 27 17:59:31 2025
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:
This update for hwdata fixes the following issue:
- Version update 0.394:
* Update pci, usb and vendor ids
* Fix usb.ids encoding and a couple of typos
* Fix configure to honor --prefix
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1733-1
Released: Wed May 28 17:59:52 2025
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1242060
This update for krb5 fixes the following issue:
- Remove references to the LMDB backend in the kdc.conf manpage (bsc#1242060).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1739-1
Released: Thu May 29 11:40:51 2025
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1236177,1237496,1242938,1243259
This update for systemd fixes the following issues:
- Add missing 'systemd-journal-remote' package
to 15-SP7 (bsc#1243259)
- umount: do not move busy network mounts (bsc#1236177)
- Apply coredump sysctl settings on systemd-coredump updates/removals.
- Fix the issue with journalctl not working
for users in Container UID range (bsc#1242938)
Don't write messages sent from users with UID falling into the container UID
range to the system journal. Daemons in the container don't talk to the
outside journald as they talk to the inner one directly, which does its
journal splitting based on shifted uids.
- man/pstore.conf: pstore.conf template is not always installed in /etc
- man: coredump.conf template is not always installed in /etc (bsc#1237496)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1776-1
Released: Fri May 30 15:02:52 2025
Summary: Security update for iputils
Type: security
Severity: moderate
References: 1242300,CVE-2025-47268
This update for iputils fixes the following issues:
- CVE-2025-47268: Fixed integer overflow in RTT calculation that can lead to undefined behavior (bsc#1242300)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1810-1
Released: Wed Jun 4 11:28:57 2025
Summary: Security update for python3-setuptools
Type: security
Severity: important
References: 1243313,CVE-2025-47273
This update for python3-setuptools fixes the following issues:
- CVE-2025-47273: path traversal in PackageIndex.download may lead to an arbitrary file write (bsc#1243313).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1825-1
Released: Thu Jun 5 16:38:39 2025
Summary: Recommended update for google-guest-agent
Type: recommended
Severity: moderate
References: 1243254,1243505
This update for google-guest-agent fixes the following issues:
- Update to version 20250506.01 (bsc#1243254, bsc#1243505)
- Make sure agent added connections are activated by NM
- Wrap NSS cache refresh in a goroutine
- Wicked: Only reload interfaces for which configurations are written or changed.
- Add AuthorizedKeysCompat to windows packaging
- Remove error messages from gce_workload_cert_refresh and metadata script runner
- Update guest-logging-go dependency
- Add 'created-by' metadata, and pass it as option to logging library
- Re-enable disabled services if the core plugin was enabled
- Enable guest services on package upgrade
- Fix core plugin path
- Fix package build issues
- Fix dependencies ran go mod tidy -v
- Bundle compat metadata script runner binary in package
- Bump golang.org/x/net from 0.27.0 to 0.36.0
- Update startup/shutdown services to launch compat manager
- Bundle new gce metadata script runner binary in agent package
- Revert 'Revert bundling new binaries in the package'
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:1836-1
Released: Mon Jun 9 16:11:28 2025
Summary: Recommended update for cloud-netconfig
Type: recommended
Severity: important
References: 1240869
This update for cloud-netconfig fixes the following issues:
- Add support for creating IPv6 default route in GCE (bsc#1240869)
- Minor fix when looking up IPv6 default route
The following package changes have been done:
- cloud-netconfig-gce-1.15-150000.25.26.1 added
- curl-8.6.0-150600.4.21.1 added
- glibc-locale-base-2.38-150600.14.32.1 updated
- glibc-locale-2.38-150600.14.32.1 updated
- glibc-2.38-150600.14.32.1 updated
- google-guest-agent-20250506.01-150000.1.63.1 updated
- grub2-i386-pc-2.12-150600.8.27.1 updated
- grub2-x86_64-efi-2.12-150600.8.27.1 updated
- grub2-2.12-150600.8.27.1 updated
- hwdata-0.394-150000.3.77.2 updated
- hwinfo-21.88-150500.3.9.2 updated
- iputils-20221126-150500.3.11.1 updated
- kbd-legacy-2.4.0-150400.5.9.1 updated
- kbd-2.4.0-150400.5.9.1 updated
- kernel-default-6.4.0-150600.23.50.1 updated
- krb5-1.20.1-150600.11.11.2 updated
- libncurses6-6.1-150000.5.30.1 updated
- librdkafka1-0.11.6-150600.16.3.1 updated
- libsystemd0-254.24-150600.4.33.1 updated
- libudev1-254.24-150600.4.33.1 updated
- ncurses-utils-6.1-150000.5.30.1 updated
- openssh-clients-9.6p1-150600.6.26.1 updated
- openssh-common-9.6p1-150600.6.26.1 updated
- openssh-server-config-disallow-rootlogin-9.6p1-150600.6.26.1 updated
- openssh-server-9.6p1-150600.6.26.1 updated
- openssh-9.6p1-150600.6.26.1 updated
- python3-setuptools-44.1.1-150400.9.12.1 updated
- systemd-254.24-150600.4.33.1 updated
- terminfo-base-6.1-150000.5.30.1 updated
- terminfo-6.1-150000.5.30.1 updated
- udev-254.24-150600.4.33.1 updated
- xen-libs-4.18.5_02-150600.3.23.1 updated