From sle-security-updates at lists.suse.com Wed Apr 1 03:11:28 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 11:11:28 +0200 (CEST) Subject: SUSE-CU-2020:100-1: Security update of suse/sle15 Message-ID: <20200401091128.77F40FE02@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:100-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.176 Container Release : 4.22.176 Severity : important Type : security References : 1161816 1162152 1167223 1167631 CVE-2020-1752 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:40 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). 
- Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). 
From sle-security-updates at lists.suse.com Wed Apr 1 03:17:42 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 11:17:42 +0200 (CEST) Subject: SUSE-CU-2020:101-1: Security update of suse/sle15 Message-ID: <20200401091742.6587DFE02@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:101-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.194 Container Release : 6.2.194 Severity : important Type : security References : 1161816 1162152 1167163 1167223 1167631 CVE-2020-1752 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). 
- Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. 
(bsc#1167163) From sle-security-updates at lists.suse.com Wed Apr 1 03:21:05 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 11:21:05 +0200 (CEST) Subject: SUSE-CU-2020:102-1: Security update of suse/sles12sp5 Message-ID: <20200401092105.70A59FE02@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:102-1 Container Tags : suse/sles12sp5:5.2.319 , suse/sles12sp5:latest Container Release : 5.2.319 Severity : important Type : security References : 1149332 1157893 1158996 1165784 1165915 1165919 1166510 1167631 CVE-2020-10029 CVE-2020-1751 CVE-2020-1752 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:786-1 Released: Wed Mar 25 06:47:18 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1165915,1165919 This update for p11-kit fixes the following issues: - tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so we can pull it in. 
(bsc#1165915 bsc#1165919) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:822-1 Released: Tue Mar 31 13:06:24 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb to a separate package pam-extra (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:832-1 Released: Tue Mar 31 16:15:59 2020 Summary: Security update for glibc Type: security Severity: important References: 1149332,1157893,1158996,1165784,1167631,CVE-2020-10029,CVE-2020-1751,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). - CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784). - Use 'posix_spawn' on popen preventing crash caused by 'subprocess'. (bsc#1149332, BZ #22834) - Fix handling of needles crossing a page, preventing incorrect results to return during the cross page boundary search. 
(bsc#1157893, BZ #25226) From sle-security-updates at lists.suse.com Wed Apr 1 03:30:26 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 11:30:26 +0200 (CEST) Subject: SUSE-CU-2020:103-1: Security update of suse/sles12sp4 Message-ID: <20200401093026.2F66AFE02@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:103-1 Container Tags : suse/sles12sp4:26.162 , suse/sles12sp4:latest Container Release : 26.162 Severity : important Type : security References : 1149332 1157893 1158996 1165784 1165915 1165919 1166510 1167631 CVE-2020-10029 CVE-2020-1751 CVE-2020-1752 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:786-1 Released: Wed Mar 25 06:47:18 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1165915,1165919 This update for p11-kit fixes the following issues: - tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so we can pull it in. 
(bsc#1165915 bsc#1165919) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:822-1 Released: Tue Mar 31 13:06:24 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb to a separate package pam-extra (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:832-1 Released: Tue Mar 31 16:15:59 2020 Summary: Security update for glibc Type: security Severity: important References: 1149332,1157893,1158996,1165784,1167631,CVE-2020-10029,CVE-2020-1751,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). - CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784). - Use 'posix_spawn' on popen preventing crash caused by 'subprocess'. (bsc#1149332, BZ #22834) - Fix handling of needles crossing a page, preventing incorrect results to return during the cross page boundary search. 
(bsc#1157893, BZ #25226) From sle-security-updates at lists.suse.com Wed Apr 1 13:15:59 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 21:15:59 +0200 (CEST) Subject: SUSE-SU-2020:0844-1: important: Security update for qemu Message-ID: <20200401191559.0A06EFE0F@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0844-1 Rating: important References: #1123156 #1154790 #1161066 #1162729 #1163018 #1165776 #1166240 #1166379 Cross-References: CVE-2019-15034 CVE-2019-20382 CVE-2019-6778 CVE-2020-1711 CVE-2020-7039 CVE-2020-8608 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has two fixes is now available. Description: This update for qemu fixes the following issues: - CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1161066). - CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c due to improper PCI config space allocation (bsc#1166379). - CVE-2020-1711: Fixed an out of bounds heap buffer access in the iscsi_co_block_status() routine which could have allowed a remote denial of service or arbitrary code with privileges of the QEMU process on the host (bsc#1166240). - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while emulating the identification protocol and copying message data to a socket buffer (bsc#1123156). - CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1163018). 
- CVE-2019-20382: Fixed a memory leak in the VNC display driver which could have led to exhaustion of the host memory leading to a potential Denial of service (bsc#1165776). - Fixed a live migration error (bsc#1154790). - Fixed an issue where migrating VMs on KVM gets missing features:ospke error (bsc#1162729). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-844=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-844=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-844=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): qemu-3.1.1.1-9.14.1 qemu-block-curl-3.1.1.1-9.14.1 qemu-block-curl-debuginfo-3.1.1.1-9.14.1 qemu-block-iscsi-3.1.1.1-9.14.1 qemu-block-iscsi-debuginfo-3.1.1.1-9.14.1 qemu-block-rbd-3.1.1.1-9.14.1 qemu-block-rbd-debuginfo-3.1.1.1-9.14.1 qemu-block-ssh-3.1.1.1-9.14.1 qemu-block-ssh-debuginfo-3.1.1.1-9.14.1 qemu-debuginfo-3.1.1.1-9.14.1 qemu-debugsource-3.1.1.1-9.14.1 qemu-guest-agent-3.1.1.1-9.14.1 qemu-guest-agent-debuginfo-3.1.1.1-9.14.1 qemu-lang-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (s390x x86_64): qemu-kvm-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64): qemu-arm-3.1.1.1-9.14.1 qemu-arm-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (ppc64le): qemu-ppc-3.1.1.1-9.14.1 qemu-ppc-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): qemu-ipxe-1.0.0+-9.14.1 qemu-seabios-1.12.0-9.14.1 
qemu-sgabios-8-9.14.1 qemu-vgabios-1.12.0-9.14.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64): qemu-audio-alsa-3.1.1.1-9.14.1 qemu-audio-alsa-debuginfo-3.1.1.1-9.14.1 qemu-audio-oss-3.1.1.1-9.14.1 qemu-audio-oss-debuginfo-3.1.1.1-9.14.1 qemu-audio-pa-3.1.1.1-9.14.1 qemu-audio-pa-debuginfo-3.1.1.1-9.14.1 qemu-ui-curses-3.1.1.1-9.14.1 qemu-ui-curses-debuginfo-3.1.1.1-9.14.1 qemu-ui-gtk-3.1.1.1-9.14.1 qemu-ui-gtk-debuginfo-3.1.1.1-9.14.1 qemu-x86-3.1.1.1-9.14.1 qemu-x86-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (s390x): qemu-s390-3.1.1.1-9.14.1 qemu-s390-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): qemu-block-dmg-3.1.1.1-9.14.1 qemu-block-dmg-debuginfo-3.1.1.1-9.14.1 qemu-debuginfo-3.1.1.1-9.14.1 qemu-debugsource-3.1.1.1-9.14.1 qemu-extra-3.1.1.1-9.14.1 qemu-extra-debuginfo-3.1.1.1-9.14.1 qemu-linux-user-3.1.1.1-9.14.1 qemu-linux-user-debuginfo-3.1.1.1-9.14.1 qemu-linux-user-debugsource-3.1.1.1-9.14.1 qemu-testsuite-3.1.1.1-9.14.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le x86_64): qemu-s390-3.1.1.1-9.14.1 qemu-s390-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x): qemu-audio-alsa-3.1.1.1-9.14.1 qemu-audio-alsa-debuginfo-3.1.1.1-9.14.1 qemu-audio-oss-3.1.1.1-9.14.1 qemu-audio-oss-debuginfo-3.1.1.1-9.14.1 qemu-audio-pa-3.1.1.1-9.14.1 qemu-audio-pa-debuginfo-3.1.1.1-9.14.1 qemu-ui-curses-3.1.1.1-9.14.1 qemu-ui-curses-debuginfo-3.1.1.1-9.14.1 qemu-ui-gtk-3.1.1.1-9.14.1 qemu-ui-gtk-debuginfo-3.1.1.1-9.14.1 qemu-x86-3.1.1.1-9.14.1 qemu-x86-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x x86_64): qemu-ppc-3.1.1.1-9.14.1 qemu-ppc-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Open Buildservice Development 
Tools 15-SP1 (ppc64le s390x x86_64): qemu-arm-3.1.1.1-9.14.1 qemu-arm-debuginfo-3.1.1.1-9.14.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): qemu-seabios-1.12.0-9.14.1 qemu-sgabios-8-9.14.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): qemu-debuginfo-3.1.1.1-9.14.1 qemu-debugsource-3.1.1.1-9.14.1 qemu-tools-3.1.1.1-9.14.1 qemu-tools-debuginfo-3.1.1.1-9.14.1 References: https://www.suse.com/security/cve/CVE-2019-15034.html https://www.suse.com/security/cve/CVE-2019-20382.html https://www.suse.com/security/cve/CVE-2019-6778.html https://www.suse.com/security/cve/CVE-2020-1711.html https://www.suse.com/security/cve/CVE-2020-7039.html https://www.suse.com/security/cve/CVE-2020-8608.html https://bugzilla.suse.com/1123156 https://bugzilla.suse.com/1154790 https://bugzilla.suse.com/1161066 https://bugzilla.suse.com/1162729 https://bugzilla.suse.com/1163018 https://bugzilla.suse.com/1165776 https://bugzilla.suse.com/1166240 https://bugzilla.suse.com/1166379 From sle-security-updates at lists.suse.com Wed Apr 1 13:19:50 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 21:19:50 +0200 (CEST) Subject: SUSE-SU-2020:0843-1: moderate: Security update for memcached Message-ID: <20200401191950.6E4D5FE0F@maintenance.suse.de> SUSE Security Update: Security update for memcached ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0843-1 Rating: moderate References: #1133817 #1149110 Cross-References: CVE-2019-11596 CVE-2019-15026 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description: This update for memcached fixes the following issues: Security issue fixed: - CVE-2019-11596: Fixed a NULL pointer dereference in process_lru_command (bsc#1133817). - CVE-2019-15026: Fixed a stack-based buffer over-read (bsc#1149110). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-843=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-843=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-843=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-843=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): memcached-debuginfo-1.4.39-4.11.2 memcached-debugsource-1.4.39-4.11.2 memcached-devel-1.4.39-4.11.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): memcached-debuginfo-1.4.39-4.11.2 memcached-debugsource-1.4.39-4.11.2 memcached-devel-1.4.39-4.11.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): memcached-1.4.39-4.11.2 memcached-debuginfo-1.4.39-4.11.2 memcached-debugsource-1.4.39-4.11.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): memcached-1.4.39-4.11.2 memcached-debuginfo-1.4.39-4.11.2 memcached-debugsource-1.4.39-4.11.2 References: https://www.suse.com/security/cve/CVE-2019-11596.html https://www.suse.com/security/cve/CVE-2019-15026.html https://bugzilla.suse.com/1133817 https://bugzilla.suse.com/1149110 From sle-security-updates at lists.suse.com Wed Apr 1 13:22:56 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 1 Apr 2020 21:22:56 +0200 (CEST) Subject: SUSE-SU-2020:0845-1: important: 
Security update for qemu Message-ID: <20200401192256.A0398FE0F@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0845-1 Rating: important References: #1123156 #1154790 #1156642 #1156794 #1158880 #1161066 #1162161 #1162729 #1163018 #1165776 #1166240 #1166379 Cross-References: CVE-2019-15034 CVE-2019-20382 CVE-2019-6778 CVE-2020-1711 CVE-2020-7039 CVE-2020-8608 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has 6 fixes is now available. Description: This update for qemu fixes the following issues: - CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1161066). - CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c due to improper PCI config space allocation (bsc#1166379). - CVE-2020-1711: Fixed an out of bounds heap buffer access in the iscsi_co_block_status() routine which could have allowed a remote denial of service or arbitrary code with privileges of the QEMU process on the host (bsc#1166240). - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while emulating the identification protocol and copying message data to a socket buffer (bsc#1123156). - CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1163018). - CVE-2019-20382: Fixed a memory leak in the VNC display driver which could have led to exhaustion of the host memory leading to a potential Denial of service (bsc#1165776). - Fixed live migration errors (bsc#1154790, bsc#1156794, bsc#1156642). - Fixed an issue where migrating VMs on KVM gets missing features:ospke error (bsc#1162729). - Fixed an issue where booting up a guest system with mdev passthrough device as installation device was failing (bsc#1158880). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-845=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): qemu-3.1.1.1-3.9.1 qemu-audio-alsa-3.1.1.1-3.9.1 qemu-audio-alsa-debuginfo-3.1.1.1-3.9.1 qemu-audio-oss-3.1.1.1-3.9.1 qemu-audio-oss-debuginfo-3.1.1.1-3.9.1 qemu-audio-pa-3.1.1.1-3.9.1 qemu-audio-pa-debuginfo-3.1.1.1-3.9.1 qemu-audio-sdl-3.1.1.1-3.9.1 qemu-audio-sdl-debuginfo-3.1.1.1-3.9.1 qemu-block-curl-3.1.1.1-3.9.1 qemu-block-curl-debuginfo-3.1.1.1-3.9.1 qemu-block-iscsi-3.1.1.1-3.9.1 qemu-block-iscsi-debuginfo-3.1.1.1-3.9.1 qemu-block-ssh-3.1.1.1-3.9.1 qemu-block-ssh-debuginfo-3.1.1.1-3.9.1 qemu-debugsource-3.1.1.1-3.9.1 qemu-guest-agent-3.1.1.1-3.9.1 qemu-guest-agent-debuginfo-3.1.1.1-3.9.1 qemu-lang-3.1.1.1-3.9.1 qemu-tools-3.1.1.1-3.9.1 qemu-tools-debuginfo-3.1.1.1-3.9.1 qemu-ui-curses-3.1.1.1-3.9.1 qemu-ui-curses-debuginfo-3.1.1.1-3.9.1 qemu-ui-gtk-3.1.1.1-3.9.1 qemu-ui-gtk-debuginfo-3.1.1.1-3.9.1 qemu-ui-sdl-3.1.1.1-3.9.1 qemu-ui-sdl-debuginfo-3.1.1.1-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64): qemu-block-rbd-3.1.1.1-3.9.1 qemu-block-rbd-debuginfo-3.1.1.1-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): qemu-kvm-3.1.1.1-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64): qemu-arm-3.1.1.1-3.9.1 qemu-arm-debuginfo-3.1.1.1-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (ppc64le): qemu-ppc-3.1.1.1-3.9.1 qemu-ppc-debuginfo-3.1.1.1-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): qemu-ipxe-1.0.0+-3.9.1 qemu-seabios-1.12.0-3.9.1 qemu-sgabios-8-3.9.1 qemu-vgabios-1.12.0-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): qemu-x86-3.1.1.1-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): qemu-s390-3.1.1.1-3.9.1 qemu-s390-debuginfo-3.1.1.1-3.9.1 
References: https://www.suse.com/security/cve/CVE-2019-15034.html https://www.suse.com/security/cve/CVE-2019-20382.html https://www.suse.com/security/cve/CVE-2019-6778.html https://www.suse.com/security/cve/CVE-2020-1711.html https://www.suse.com/security/cve/CVE-2020-7039.html https://www.suse.com/security/cve/CVE-2020-8608.html https://bugzilla.suse.com/1123156 https://bugzilla.suse.com/1154790 https://bugzilla.suse.com/1156642 https://bugzilla.suse.com/1156794 https://bugzilla.suse.com/1158880 https://bugzilla.suse.com/1161066 https://bugzilla.suse.com/1162161 https://bugzilla.suse.com/1162729 https://bugzilla.suse.com/1163018 https://bugzilla.suse.com/1165776 https://bugzilla.suse.com/1166240 https://bugzilla.suse.com/1166379 From sle-security-updates at lists.suse.com Thu Apr 2 10:20:37 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 2 Apr 2020 18:20:37 +0200 (CEST) Subject: SUSE-SU-2020:0851-1: important: Security update for haproxy Message-ID: <20200402162037.2CF71FE0F@maintenance.suse.de> SUSE Security Update: Security update for haproxy ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0851-1 Rating: important References: #1168023 Cross-References: CVE-2020-11100 Affected Products: SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for haproxy fixes the following issues: - CVE-2020-11100: Fixed an H2/HPACK vulnerability which might have allowed arbitrary writes into a 32-bit relative address space (bsc#1168023). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-851=1 Package List: - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): haproxy-2.0.10+git0.ac198b92-8.12.1 haproxy-debuginfo-2.0.10+git0.ac198b92-8.12.1 haproxy-debugsource-2.0.10+git0.ac198b92-8.12.1 References: https://www.suse.com/security/cve/CVE-2020-11100.html https://bugzilla.suse.com/1168023 From sle-security-updates at lists.suse.com Thu Apr 2 10:23:38 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 2 Apr 2020 18:23:38 +0200 (CEST) Subject: SUSE-SU-2020:0854-1: moderate: Security update for python3 Message-ID: <20200402162338.3AC98FE02@maintenance.suse.de> SUSE Security Update: Security update for python3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0854-1 Rating: moderate References: #1155094 #1162224 #1162367 #1162825 #1165894 Cross-References: CVE-2019-18348 CVE-2019-9674 CVE-2020-8492 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Module for Web Scripting 12 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves three vulnerabilities and has two fixes is now available. 
Description: This update for python3 fixes the following issues: - CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094). - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367). - Fixed an issue with version mismatch (bsc#1162224). - Rename idle icons to idle3 in order to not conflict with python2 variant of the package. (bsc#1165894) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-854=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-854=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-854=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-854=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-854=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-854=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-854=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-854=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-854=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-854=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-854=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-854=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch 
SUSE-SLE-SERVER-12-SP2-2020-854=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-854=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-854=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-854=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-854=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-854=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE OpenStack Cloud 8 (x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): python3-base-debuginfo-3.4.10-25.45.1 
python3-base-debugsource-3.4.10-25.45.1 python3-dbm-3.4.10-25.45.1 python3-dbm-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64): python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-dbm-3.4.10-25.45.1 python3-dbm-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (ppc64le s390x x86_64): python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 
python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-tk-3.4.10-25.45.1 python3-tk-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libpython3_4m1_0-32bit-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-32bit-3.4.10-25.45.1 python3-base-debuginfo-32bit-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64): python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 
python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 - SUSE Enterprise Storage 
5 (aarch64 x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 - SUSE Enterprise Storage 5 (x86_64): python3-devel-debuginfo-3.4.10-25.45.1 - HPE Helion Openstack 8 (x86_64): libpython3_4m1_0-3.4.10-25.45.1 libpython3_4m1_0-debuginfo-3.4.10-25.45.1 python3-3.4.10-25.45.1 python3-base-3.4.10-25.45.1 python3-base-debuginfo-3.4.10-25.45.1 python3-base-debugsource-3.4.10-25.45.1 python3-curses-3.4.10-25.45.1 python3-curses-debuginfo-3.4.10-25.45.1 python3-debuginfo-3.4.10-25.45.1 python3-debugsource-3.4.10-25.45.1 python3-devel-3.4.10-25.45.1 python3-devel-debuginfo-3.4.10-25.45.1 References: https://www.suse.com/security/cve/CVE-2019-18348.html https://www.suse.com/security/cve/CVE-2019-9674.html https://www.suse.com/security/cve/CVE-2020-8492.html https://bugzilla.suse.com/1155094 https://bugzilla.suse.com/1162224 https://bugzilla.suse.com/1162367 https://bugzilla.suse.com/1162825 https://bugzilla.suse.com/1165894 From sle-security-updates at lists.suse.com Thu Apr 2 10:31:00 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 2 Apr 2020 18:31:00 +0200 (CEST) Subject: SUSE-SU-2020:0853-1: moderate: Security update for mgetty Message-ID: <20200402163100.3187AFE02@maintenance.suse.de> SUSE Security Update: Security update for mgetty ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0853-1 Rating: moderate References: #1142770 Cross-References: CVE-2019-1010190 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that 
fixes one vulnerability is now available. Description: This update for mgetty fixes the following issues: - CVE-2019-1010190: Fixed a denial of service which could be caused by a local attacker in putwhitespan() (bsc#1142770). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-853=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-853=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): g3utils-1.1.36-58.9.2 g3utils-debuginfo-1.1.36-58.9.2 mgetty-1.1.36-58.9.2 mgetty-debuginfo-1.1.36-58.9.2 mgetty-debugsource-1.1.36-58.9.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): g3utils-1.1.36-58.9.2 g3utils-debuginfo-1.1.36-58.9.2 mgetty-1.1.36-58.9.2 mgetty-debuginfo-1.1.36-58.9.2 mgetty-debugsource-1.1.36-58.9.2 References: https://www.suse.com/security/cve/CVE-2019-1010190.html https://bugzilla.suse.com/1142770 From sle-security-updates at lists.suse.com Thu Apr 2 10:33:53 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 2 Apr 2020 18:33:53 +0200 (CEST) Subject: SUSE-SU-2020:0852-1: important: Security update for haproxy Message-ID: <20200402163353.DF06AFE02@maintenance.suse.de> SUSE Security Update: Security update for haproxy ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0852-1 Rating: important References: #1168023 Cross-References: CVE-2020-11100 Affected Products: SUSE Linux Enterprise High Availability 15 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description:

This update for haproxy fixes the following issues:

- CVE-2020-11100: Fixed an H2/HPACK vulnerability which might have allowed arbitrary writes into a 32-bit relative address space (bsc#1168023).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2020-852=1

Package List:

- SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
  haproxy-2.0.10+git0.ac198b92-3.19.1
  haproxy-debuginfo-2.0.10+git0.ac198b92-3.19.1
  haproxy-debugsource-2.0.10+git0.ac198b92-3.19.1

References:

https://www.suse.com/security/cve/CVE-2020-11100.html
https://bugzilla.suse.com/1168023

From sle-security-updates at lists.suse.com Thu Apr 2 13:16:29 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 2 Apr 2020 21:16:29 +0200 (CEST)
Subject: SUSE-SU-2020:0856-1: moderate: Security update for SUSE Manager Server 3.2
Message-ID: <20200402191629.928F5FE0F@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________
Announcement ID: SUSE-SU-2020:0856-1
Rating: moderate
References: #1085414 #1140332 #1155372 #1157317 #1158899 #1159184 #1160246 #1161862 #1162609 #1162683 #1163001 #1163538 #1164120 #1164563 #1164771 #1165425 #1165921
Cross-References: CVE-2018-1077 CVE-2020-1693
Affected Products: SUSE Manager Server 3.2
______________________________________________________________________________

An update that solves two vulnerabilities and has 15 fixes is now available.
Description:

This update fixes the following issues:

py26-compat-salt:

- Replace pycrypto with M2Crypto as dependency for SLE15+ (bsc#1165425)

redstone-xmlrpc:

- Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
- Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)

spacecmd:

- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)

spacewalk-admin:

- Spell correctly "successful" and "successfully"

spacewalk-backend:

- When downloading repo metadata, don't add "/" to the repo url if it already ends with one (bsc#1158899)
- Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184)

spacewalk-certs-tools:

- Add minion option in config file to disable salt mine when generated by bootstrap script (bsc#1163001)

spacewalk-client-tools:

- Do not crash 'mgr-update-status' because 'long' type is not defined in Python 3
- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly "successful" and "successfully"

spacewalk-java:

- Fix error when adding systems to ssm with 'add to ssm' button (bsc#1160246)
- Validate the suseproductchannel table and update missing date when running mgr-sync refresh (bsc#1163538)
- Read the subscriptions from the output instead of input (bsc#1140332)
- Show additional headers and dependencies for deb packages
- Use channel name from product tree instead of constructing it (bsc#1157317)

spacewalk-setup:

- Spell correctly "successful" and "successfully"

spacewalk-utils:

- Check for delimiter as well when detecting current phase (bsc#1164771)

spacewalk-web:

- Report merge_subscriptions message in a readable way (bsc#1140332)

subscription-matcher:

- Add missing library for SLE15 SP2 (slf4j-log4j12)
- Make the code usable with Math3 on SLES
- Use log4j12 package on newer SLE versions
- Aggregate stackable subscriptions with same parameters
- Implement new "swap move" used in optaplanner (bsc#1140332)
- Enable aarch64 builds, except for SLE < 15
susemanager:

- Fix salt bootstrapping on SLE15 (require python3-pycrypto or python3-M2Crypto to support all variants) (bsc#1164563)
- Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
- Add bootstrap-repo data for SLE15 SP2 Family

susemanager-sls:

- Adapt 'mgractionchains' module to work with Salt 3000
- Do not workaround util.syncmodules for SSH minions (bsc#1162609)
- Force to run util.synccustomall when triggering action chains on SSH minions (bsc#1162683).

susemanager-sync-data:

- Add OES 2018 SP2 (bsc#1161862)
- Rename RHEL 8 Base product
- Change channel family name according to SCC data

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product: - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-856=1 Package List: - SUSE Manager Server 3.2 (ppc64le s390x x86_64): susemanager-3.2.23-3.40.2 susemanager-tools-3.2.23-3.40.2 - SUSE Manager Server 3.2 (noarch): py26-compat-salt-2016.11.10-6.35.1 python2-spacewalk-certs-tools-2.8.8.14-3.23.1 python2-spacewalk-client-tools-2.8.22.7-3.12.1 redstone-xmlrpc-1.1_20071120-0.11.3.1 spacecmd-2.8.25.14-3.32.1 spacewalk-admin-2.8.4.6-3.12.1 spacewalk-backend-2.8.57.22-3.48.1 spacewalk-backend-app-2.8.57.22-3.48.1 spacewalk-backend-applet-2.8.57.22-3.48.1 spacewalk-backend-config-files-2.8.57.22-3.48.1 spacewalk-backend-config-files-common-2.8.57.22-3.48.1 spacewalk-backend-config-files-tool-2.8.57.22-3.48.1 spacewalk-backend-iss-2.8.57.22-3.48.1 spacewalk-backend-iss-export-2.8.57.22-3.48.1 spacewalk-backend-libs-2.8.57.22-3.48.1 spacewalk-backend-package-push-server-2.8.57.22-3.48.1 spacewalk-backend-server-2.8.57.22-3.48.1 spacewalk-backend-sql-2.8.57.22-3.48.1 spacewalk-backend-sql-oracle-2.8.57.22-3.48.1 spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1 spacewalk-backend-tools-2.8.57.22-3.48.1 spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1 spacewalk-backend-xmlrpc-2.8.57.22-3.48.1 spacewalk-base-2.8.7.23-3.45.1 spacewalk-base-minimal-2.8.7.23-3.45.1 spacewalk-base-minimal-config-2.8.7.23-3.45.1 spacewalk-certs-tools-2.8.8.14-3.23.1 spacewalk-client-tools-2.8.22.7-3.12.1 spacewalk-html-2.8.7.23-3.45.1 spacewalk-java-2.8.78.28-3.47.1 spacewalk-java-config-2.8.78.28-3.47.1 spacewalk-java-lib-2.8.78.28-3.47.1 spacewalk-java-oracle-2.8.78.28-3.47.1 spacewalk-java-postgresql-2.8.78.28-3.47.1 spacewalk-setup-2.8.7.10-3.25.1 spacewalk-taskomatic-2.8.78.28-3.47.1 spacewalk-utils-2.8.18.6-3.12.1 subscription-matcher-0.25-4.15.1 susemanager-sls-3.2.30-3.44.1 susemanager-sync-data-3.2.19-3.35.1 susemanager-web-libs-2.8.7.23-3.45.1 References: 
https://www.suse.com/security/cve/CVE-2018-1077.html https://www.suse.com/security/cve/CVE-2020-1693.html https://bugzilla.suse.com/1085414 https://bugzilla.suse.com/1140332 https://bugzilla.suse.com/1155372 https://bugzilla.suse.com/1157317 https://bugzilla.suse.com/1158899 https://bugzilla.suse.com/1159184 https://bugzilla.suse.com/1160246 https://bugzilla.suse.com/1161862 https://bugzilla.suse.com/1162609 https://bugzilla.suse.com/1162683 https://bugzilla.suse.com/1163001 https://bugzilla.suse.com/1163538 https://bugzilla.suse.com/1164120 https://bugzilla.suse.com/1164563 https://bugzilla.suse.com/1164771 https://bugzilla.suse.com/1165425 https://bugzilla.suse.com/1165921 From sle-security-updates at lists.suse.com Fri Apr 3 04:23:22 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 3 Apr 2020 12:23:22 +0200 (CEST) Subject: SUSE-SU-2020:0860-1: moderate: Security update for exiv2 Message-ID: <20200403102322.67D53FE0F@maintenance.suse.de> SUSE Security Update: Security update for exiv2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0860-1 Rating: moderate References: #1040973 #1110282 #1142678 #1142683 #1153577 #1161901 Cross-References: CVE-2017-9239 CVE-2018-17581 CVE-2019-13110 CVE-2019-13113 CVE-2019-17402 CVE-2019-20421 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for exiv2 fixes the following issues: - CVE-2018-17581: Fixed an excessive stack consumption in CiffDirectory:readDirectory() which might have led to denial of service (bsc#1110282). 
- CVE-2019-13110: Fixed an integer overflow and an out of bounds read in CiffDirectory:readDirectory which might have led to denial of service (bsc#1142678). - CVE-2019-13113: Fixed a potential denial of service via an invalid data location in a CRW image (bsc#1142683). - CVE-2019-17402: Fixed an improper validation of the relationship of the total size to the offset and size in Exiv2::getULong (bsc#1153577). - CVE-2019-20421: Fixed an infinite loop triggered via an input file (bsc#1161901). - CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-860=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-860=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-860=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-860=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): exiv2-debuginfo-0.23-12.8.1 exiv2-debugsource-0.23-12.8.1 libexiv2-devel-0.23-12.8.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): exiv2-debuginfo-0.23-12.8.1 exiv2-debugsource-0.23-12.8.1 libexiv2-devel-0.23-12.8.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): exiv2-debuginfo-0.23-12.8.1 exiv2-debugsource-0.23-12.8.1 libexiv2-12-0.23-12.8.1 libexiv2-12-debuginfo-0.23-12.8.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): exiv2-debuginfo-0.23-12.8.1 exiv2-debugsource-0.23-12.8.1 libexiv2-12-0.23-12.8.1 libexiv2-12-debuginfo-0.23-12.8.1 References: 
https://www.suse.com/security/cve/CVE-2017-9239.html https://www.suse.com/security/cve/CVE-2018-17581.html https://www.suse.com/security/cve/CVE-2019-13110.html https://www.suse.com/security/cve/CVE-2019-13113.html https://www.suse.com/security/cve/CVE-2019-17402.html https://www.suse.com/security/cve/CVE-2019-20421.html https://bugzilla.suse.com/1040973 https://bugzilla.suse.com/1110282 https://bugzilla.suse.com/1142678 https://bugzilla.suse.com/1142683 https://bugzilla.suse.com/1153577 https://bugzilla.suse.com/1161901 From sle-security-updates at lists.suse.com Fri Apr 3 07:16:06 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 3 Apr 2020 15:16:06 +0200 (CEST) Subject: SUSE-SU-2020:0891-1: important: Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP5) Message-ID: <20200403131606.F2A4CFE02@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP5) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0891-1 Rating: important References: #1165631 Cross-References: CVE-2020-1749 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.12.14-122_17 fixes one issue. The following security issue was fixed: - CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-873=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-891=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-894=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_34-default-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_17-default-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_48-default-2-2.1 References: https://www.suse.com/security/cve/CVE-2020-1749.html https://bugzilla.suse.com/1165631 From sle-security-updates at lists.suse.com Fri Apr 3 07:19:25 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 3 Apr 2020 15:19:25 +0200 (CEST) Subject: SUSE-SU-2020:0868-1: important: Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP1) Message-ID: <20200403131925.C4168FE02@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0868-1 Rating: important References: #1159913 #1165631 Cross-References: CVE-2019-5108 CVE-2020-1749 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 3.12.74-60_64_124 fixes several issues.

The following security issues were fixed:

- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-861=1 SUSE-SLE-SAP-12-SP3-2020-903=1 SUSE-SLE-SAP-12-SP3-2020-904=1 SUSE-SLE-SAP-12-SP3-2020-905=1 SUSE-SLE-SAP-12-SP3-2020-906=1 SUSE-SLE-SAP-12-SP3-2020-907=1 SUSE-SLE-SAP-12-SP3-2020-908=1
- SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-862=1 SUSE-SLE-SAP-12-SP2-2020-863=1 SUSE-SLE-SAP-12-SP2-2020-864=1 SUSE-SLE-SAP-12-SP2-2020-865=1 SUSE-SLE-SAP-12-SP2-2020-866=1 SUSE-SLE-SAP-12-SP2-2020-867=1
- SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-868=1 SUSE-SLE-SAP-12-SP1-2020-869=1 SUSE-SLE-SAP-12-SP1-2020-870=1 SUSE-SLE-SAP-12-SP1-2020-871=1 SUSE-SLE-SAP-12-SP1-2020-872=1
- SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-861=1 SUSE-SLE-SERVER-12-SP3-2020-903=1 SUSE-SLE-SERVER-12-SP3-2020-904=1 SUSE-SLE-SERVER-12-SP3-2020-905=1 SUSE-SLE-SERVER-12-SP3-2020-906=1 SUSE-SLE-SERVER-12-SP3-2020-907=1 SUSE-SLE-SERVER-12-SP3-2020-908=1
- SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-862=1 SUSE-SLE-SERVER-12-SP2-2020-863=1
SUSE-SLE-SERVER-12-SP2-2020-864=1 SUSE-SLE-SERVER-12-SP2-2020-865=1 SUSE-SLE-SERVER-12-SP2-2020-866=1 SUSE-SLE-SERVER-12-SP2-2020-867=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-868=1 SUSE-SLE-SERVER-12-SP1-2020-869=1 SUSE-SLE-SERVER-12-SP1-2020-870=1 SUSE-SLE-SERVER-12-SP1-2020-871=1 SUSE-SLE-SERVER-12-SP1-2020-872=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-874=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-875=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-876=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-877=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-878=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-879=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-880=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-881=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-882=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-883=1 SUSE-SLE-Module-Live-Patching-15-2020-884=1 SUSE-SLE-Module-Live-Patching-15-2020-885=1 SUSE-SLE-Module-Live-Patching-15-2020-886=1 SUSE-SLE-Module-Live-Patching-15-2020-887=1 SUSE-SLE-Module-Live-Patching-15-2020-888=1 SUSE-SLE-Module-Live-Patching-15-2020-889=1 SUSE-SLE-Module-Live-Patching-15-2020-890=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-892=1 SUSE-SLE-Live-Patching-12-SP5-2020-893=1 SUSE-SLE-Live-Patching-12-SP5-2020-909=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-895=1 SUSE-SLE-Live-Patching-12-SP4-2020-896=1 SUSE-SLE-Live-Patching-12-SP4-2020-897=1 SUSE-SLE-Live-Patching-12-SP4-2020-898=1 SUSE-SLE-Live-Patching-12-SP4-2020-899=1 SUSE-SLE-Live-Patching-12-SP4-2020-900=1 SUSE-SLE-Live-Patching-12-SP4-2020-901=1 SUSE-SLE-Live-Patching-12-SP4-2020-902=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): 
kgraft-patch-4_4_176-94_88-default-8-2.1 kgraft-patch-4_4_176-94_88-default-debuginfo-8-2.1 kgraft-patch-4_4_178-94_91-default-8-2.1 kgraft-patch-4_4_178-94_91-default-debuginfo-8-2.1 kgraft-patch-4_4_180-94_100-default-6-2.1 kgraft-patch-4_4_180-94_100-default-debuginfo-6-2.1 kgraft-patch-4_4_180-94_103-default-6-2.1 kgraft-patch-4_4_180-94_103-default-debuginfo-6-2.1 kgraft-patch-4_4_180-94_107-default-4-2.1 kgraft-patch-4_4_180-94_107-default-debuginfo-4-2.1 kgraft-patch-4_4_180-94_113-default-3-2.1 kgraft-patch-4_4_180-94_113-default-debuginfo-3-2.1 kgraft-patch-4_4_180-94_97-default-8-2.1 kgraft-patch-4_4_180-94_97-default-debuginfo-8-2.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kgraft-patch-4_4_121-92_104-default-9-2.1 kgraft-patch-4_4_121-92_109-default-9-2.1 kgraft-patch-4_4_121-92_114-default-8-2.1 kgraft-patch-4_4_121-92_117-default-7-2.1 kgraft-patch-4_4_121-92_120-default-6-2.1 kgraft-patch-4_4_121-92_125-default-4-2.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): kgraft-patch-3_12_74-60_64_110-default-9-2.1 kgraft-patch-3_12_74-60_64_110-xen-9-2.1 kgraft-patch-3_12_74-60_64_115-default-8-2.1 kgraft-patch-3_12_74-60_64_115-xen-8-2.1 kgraft-patch-3_12_74-60_64_118-default-6-2.1 kgraft-patch-3_12_74-60_64_118-xen-6-2.1 kgraft-patch-3_12_74-60_64_121-default-6-2.1 kgraft-patch-3_12_74-60_64_121-xen-6-2.1 kgraft-patch-3_12_74-60_64_124-default-4-2.1 kgraft-patch-3_12_74-60_64_124-xen-4-2.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_176-94_88-default-8-2.1 kgraft-patch-4_4_176-94_88-default-debuginfo-8-2.1 kgraft-patch-4_4_178-94_91-default-8-2.1 kgraft-patch-4_4_178-94_91-default-debuginfo-8-2.1 kgraft-patch-4_4_180-94_100-default-6-2.1 kgraft-patch-4_4_180-94_100-default-debuginfo-6-2.1 kgraft-patch-4_4_180-94_103-default-6-2.1 kgraft-patch-4_4_180-94_103-default-debuginfo-6-2.1 kgraft-patch-4_4_180-94_107-default-4-2.1 kgraft-patch-4_4_180-94_107-default-debuginfo-4-2.1 
kgraft-patch-4_4_180-94_113-default-3-2.1 kgraft-patch-4_4_180-94_113-default-debuginfo-3-2.1 kgraft-patch-4_4_180-94_97-default-8-2.1 kgraft-patch-4_4_180-94_97-default-debuginfo-8-2.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_104-default-9-2.1 kgraft-patch-4_4_121-92_109-default-9-2.1 kgraft-patch-4_4_121-92_114-default-8-2.1 kgraft-patch-4_4_121-92_117-default-7-2.1 kgraft-patch-4_4_121-92_120-default-6-2.1 kgraft-patch-4_4_121-92_125-default-4-2.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64): kgraft-patch-3_12_74-60_64_110-default-9-2.1 kgraft-patch-3_12_74-60_64_110-xen-9-2.1 kgraft-patch-3_12_74-60_64_115-default-8-2.1 kgraft-patch-3_12_74-60_64_115-xen-8-2.1 kgraft-patch-3_12_74-60_64_118-default-6-2.1 kgraft-patch-3_12_74-60_64_118-xen-6-2.1 kgraft-patch-3_12_74-60_64_121-default-6-2.1 kgraft-patch-3_12_74-60_64_121-xen-6-2.1 kgraft-patch-3_12_74-60_64_124-default-4-2.1 kgraft-patch-3_12_74-60_64_124-xen-4-2.1 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-195-default-10-28.2 kernel-livepatch-4_12_14-197_10-default-6-2.1 kernel-livepatch-4_12_14-197_15-default-6-2.1 kernel-livepatch-4_12_14-197_18-default-5-2.1 kernel-livepatch-4_12_14-197_21-default-5-2.1 kernel-livepatch-4_12_14-197_26-default-3-2.1 kernel-livepatch-4_12_14-197_29-default-3-2.1 kernel-livepatch-4_12_14-197_4-default-9-2.1 kernel-livepatch-4_12_14-197_7-default-8-2.1 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_14-default-8-2.1 kernel-livepatch-4_12_14-150_14-default-debuginfo-8-2.1 kernel-livepatch-4_12_14-150_17-default-8-2.1 kernel-livepatch-4_12_14-150_17-default-debuginfo-8-2.1 kernel-livepatch-4_12_14-150_22-default-7-2.1 kernel-livepatch-4_12_14-150_22-default-debuginfo-7-2.1 kernel-livepatch-4_12_14-150_27-default-6-2.1 kernel-livepatch-4_12_14-150_27-default-debuginfo-6-2.1 kernel-livepatch-4_12_14-150_32-default-6-2.1 
kernel-livepatch-4_12_14-150_32-default-debuginfo-6-2.1 kernel-livepatch-4_12_14-150_35-default-5-2.1 kernel-livepatch-4_12_14-150_35-default-debuginfo-5-2.1 kernel-livepatch-4_12_14-150_38-default-5-2.1 kernel-livepatch-4_12_14-150_38-default-debuginfo-5-2.1 kernel-livepatch-4_12_14-150_47-default-3-2.1 kernel-livepatch-4_12_14-150_47-default-debuginfo-3-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64): kgraft-patch-4_12_14-120-default-3-6.2 kgraft-patch-4_12_14-120-default-debuginfo-3-6.2 kgraft-patch-4_12_14-122_12-default-3-2.1 kgraft-patch-4_12_14-122_7-default-3-2.1 kgraft-patch-SLE12-SP5_Update_0-debugsource-3-6.2 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_16-default-8-2.1 kgraft-patch-4_12_14-95_19-default-7-2.1 kgraft-patch-4_12_14-95_24-default-6-2.1 kgraft-patch-4_12_14-95_29-default-6-2.1 kgraft-patch-4_12_14-95_32-default-5-2.1 kgraft-patch-4_12_14-95_37-default-4-2.1 kgraft-patch-4_12_14-95_40-default-3-2.1 kgraft-patch-4_12_14-95_45-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2019-5108.html https://www.suse.com/security/cve/CVE-2020-1749.html https://bugzilla.suse.com/1159913 https://bugzilla.suse.com/1165631 From sle-security-updates at lists.suse.com Fri Apr 3 07:31:42 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 3 Apr 2020 15:31:42 +0200 (CEST) Subject: SUSE-SU-2020:0911-1: moderate: Security update for libpng12 Message-ID: <20200403133142.AB50AFE02@maintenance.suse.de> SUSE Security Update: Security update for libpng12 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0911-1 Rating: moderate References: #1141493 Cross-References: CVE-2017-12652 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libpng12 fixes the following issues: Security issue fixed: - CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-911=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-911=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-911=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-911=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libpng12-compat-devel-1.2.50-20.3.2 libpng12-debugsource-1.2.50-20.3.2 libpng12-devel-1.2.50-20.3.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libpng12-compat-devel-1.2.50-20.3.2 libpng12-debugsource-1.2.50-20.3.2 libpng12-devel-1.2.50-20.3.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpng12-0-1.2.50-20.3.2 libpng12-0-debuginfo-1.2.50-20.3.2 libpng12-debugsource-1.2.50-20.3.2 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libpng12-0-32bit-1.2.50-20.3.2 libpng12-0-debuginfo-32bit-1.2.50-20.3.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libpng12-0-1.2.50-20.3.2 libpng12-0-debuginfo-1.2.50-20.3.2 libpng12-debugsource-1.2.50-20.3.2 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libpng12-0-32bit-1.2.50-20.3.2 libpng12-0-debuginfo-32bit-1.2.50-20.3.2 References: https://www.suse.com/security/cve/CVE-2017-12652.html https://bugzilla.suse.com/1141493 
From sle-security-updates at lists.suse.com Fri Apr 3 10:21:02 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 3 Apr 2020 18:21:02 +0200 (CEST) Subject: SUSE-SU-2020:0918-1: moderate: Security update for bluez Message-ID: <20200403162102.E3737FDF3@maintenance.suse.de> SUSE Security Update: Security update for bluez ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0918-1 Rating: moderate References: #1166751 Cross-References: CVE-2020-0556 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for bluez fixes the following issues: - CVE-2020-0556: Fixed an improper access control which could have allowed an unauthenticated user to potentially enable escalation of privilege and denial of service (bsc#1166751). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-918=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-918=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-918=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-918=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): bluez-cups-5.48-5.25.1 bluez-cups-debuginfo-5.48-5.25.1 bluez-debuginfo-5.48-5.25.1 bluez-debugsource-5.48-5.25.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.48-5.25.1 bluez-debugsource-5.48-5.25.1 bluez-test-5.48-5.25.1 bluez-test-debuginfo-5.48-5.25.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): bluez-devel-32bit-5.48-5.25.1 libbluetooth3-32bit-5.48-5.25.1 libbluetooth3-32bit-debuginfo-5.48-5.25.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): bluez-auto-enable-devices-5.48-5.25.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): bluez-5.48-5.25.1 bluez-debuginfo-5.48-5.25.1 bluez-debugsource-5.48-5.25.1 bluez-devel-5.48-5.25.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): bluez-debuginfo-5.48-5.25.1 bluez-debugsource-5.48-5.25.1 libbluetooth3-5.48-5.25.1 libbluetooth3-debuginfo-5.48-5.25.1 References: https://www.suse.com/security/cve/CVE-2020-0556.html https://bugzilla.suse.com/1166751 From sle-security-updates at lists.suse.com Fri Apr 3 13:15:09 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 3 Apr 2020 
21:15:09 +0200 (CEST) Subject: SUSE-SU-2020:0920-1: moderate: Security update for libxslt Message-ID: <20200403191509.BB7FFFE16@maintenance.suse.de> SUSE Security Update: Security update for libxslt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0920-1 Rating: moderate References: #1154609 Cross-References: CVE-2019-18197 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE CaaS Platform 3.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libxslt fixes the following issue: - CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-920=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-920=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-920=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-920=1 - SUSE CaaS Platform 3.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libxslt-debugsource-1.1.28-17.9.1 libxslt-devel-1.1.28-17.9.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libxslt-debugsource-1.1.28-17.9.1 libxslt-devel-1.1.28-17.9.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libxslt-debugsource-1.1.28-17.9.1 libxslt-tools-1.1.28-17.9.1 libxslt-tools-debuginfo-1.1.28-17.9.1 libxslt1-1.1.28-17.9.1 libxslt1-debuginfo-1.1.28-17.9.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libxslt1-32bit-1.1.28-17.9.1 libxslt1-debuginfo-32bit-1.1.28-17.9.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libxslt-debugsource-1.1.28-17.9.1 libxslt-tools-1.1.28-17.9.1 libxslt-tools-debuginfo-1.1.28-17.9.1 libxslt1-1.1.28-17.9.1 libxslt1-debuginfo-1.1.28-17.9.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libxslt1-32bit-1.1.28-17.9.1 libxslt1-debuginfo-32bit-1.1.28-17.9.1 - SUSE CaaS Platform 3.0 (x86_64): libxslt1-1.1.28-17.9.1 libxslt1-debuginfo-1.1.28-17.9.1 References: https://www.suse.com/security/cve/CVE-2019-18197.html https://bugzilla.suse.com/1154609 From sle-security-updates at lists.suse.com Fri Apr 3 13:18:09 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 3 Apr 2020 21:18:09 +0200 (CEST) Subject: SUSE-SU-2020:0921-1: moderate: Security update for exiv2 Message-ID: <20200403191809.D3D0BFE02@maintenance.suse.de> SUSE Security Update: Security update for exiv2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0921-1 Rating: moderate References: #1040973 #1068873 #1088424 #1097599 #1097600 #1109175 #1109176 #1109299 #1115364 #1117513 #1142684 Cross-References: CVE-2017-1000126 CVE-2017-9239 CVE-2018-12264 CVE-2018-12265 CVE-2018-17229 CVE-2018-17230 CVE-2018-17282 CVE-2018-19108 CVE-2018-19607 CVE-2018-9305 CVE-2019-13114 
Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for exiv2 fixes the following issues: exiv2 was updated to latest 0.26 branch, fixing bugs and security issues: - CVE-2017-1000126: Fixed an out of bounds read in webp parser (bsc#1068873). - CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973). - CVE-2018-12264: Fixed an integer overflow in LoaderTiff::getData() which might have led to an out-of-bounds read (bsc#1097600). - CVE-2018-12265: Fixed integer overflows in LoaderExifJpeg which could have led to memory corruption (bsc#1097599). - CVE-2018-17229: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109175). - CVE-2018-17230: Fixed a heap based buffer overflow in Exiv2::d2Data via a crafted image (bsc#1109176). - CVE-2018-17282: Fixed a null pointer dereference in Exiv2::DataValue::copy (bsc#1109299). - CVE-2018-19108: Fixed an integer overflow in Exiv2::PsdImage::readMetadata which could have led to an infinite loop (bsc#1115364). - CVE-2018-19607: Fixed a null pointer dereference in Exiv2::isoSpeed which might have led to denial of service (bsc#1117513). - CVE-2018-9305: Fixed an out of bounds read in IptcData::printStructure which might have led to information leak or denial of service (bsc#1088424). - CVE-2019-13114: Fixed a null pointer dereference which might have led to denial of service via a crafted response of a malicious http server (bsc#1142684). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-921=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-921=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): exiv2-0.26-6.8.1 exiv2-debuginfo-0.26-6.8.1 exiv2-debugsource-0.26-6.8.1 libexiv2-doc-0.26-6.8.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libexiv2-26-32bit-0.26-6.8.1 libexiv2-26-32bit-debuginfo-0.26-6.8.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): exiv2-lang-0.26-6.8.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): exiv2-debuginfo-0.26-6.8.1 exiv2-debugsource-0.26-6.8.1 libexiv2-26-0.26-6.8.1 libexiv2-26-debuginfo-0.26-6.8.1 libexiv2-devel-0.26-6.8.1 References: https://www.suse.com/security/cve/CVE-2017-1000126.html https://www.suse.com/security/cve/CVE-2017-9239.html https://www.suse.com/security/cve/CVE-2018-12264.html https://www.suse.com/security/cve/CVE-2018-12265.html https://www.suse.com/security/cve/CVE-2018-17229.html https://www.suse.com/security/cve/CVE-2018-17230.html https://www.suse.com/security/cve/CVE-2018-17282.html https://www.suse.com/security/cve/CVE-2018-19108.html https://www.suse.com/security/cve/CVE-2018-19607.html https://www.suse.com/security/cve/CVE-2018-9305.html https://www.suse.com/security/cve/CVE-2019-13114.html https://bugzilla.suse.com/1040973 https://bugzilla.suse.com/1068873 https://bugzilla.suse.com/1088424 https://bugzilla.suse.com/1097599 https://bugzilla.suse.com/1097600 https://bugzilla.suse.com/1109175 https://bugzilla.suse.com/1109176 https://bugzilla.suse.com/1109299 https://bugzilla.suse.com/1115364 
https://bugzilla.suse.com/1117513 https://bugzilla.suse.com/1142684 From sle-security-updates at lists.suse.com Mon Apr 6 10:15:57 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 6 Apr 2020 18:15:57 +0200 (CEST) Subject: SUSE-SU-2020:0928-1: important: Security update for MozillaFirefox Message-ID: <20200406161557.3FD2CFE0F@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0928-1 Rating: important References: #1168630 Cross-References: CVE-2020-6819 CVE-2020-6820 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: - Mozilla Firefox 68.6.1esr MFSA 2020-11 (bsc#1168630) * CVE-2020-6819 (bmo#1620818) Use-after-free while running the nsDocShell destructor * CVE-2020-6820 (bmo#1626728) Use-after-free when handling a ReadableStream Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-928=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-928=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-928=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-928=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-928=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-928=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-928=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-928=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-928=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-928=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-928=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-928=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-928=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-928=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-928=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-928=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-928=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE OpenStack Cloud 8 (x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 
MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE OpenStack Cloud 7 (s390x x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 
MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-devel-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-68.6.1-109.113.1 MozillaFirefox-debuginfo-68.6.1-109.113.1 MozillaFirefox-debugsource-68.6.1-109.113.1 MozillaFirefox-translations-common-68.6.1-109.113.1 References: https://www.suse.com/security/cve/CVE-2020-6819.html https://www.suse.com/security/cve/CVE-2020-6820.html https://bugzilla.suse.com/1168630 From sle-security-updates at lists.suse.com Mon Apr 6 13:15:41 2020 From: sle-security-updates at 
lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 6 Apr 2020 21:15:41 +0200 (CEST) Subject: SUSE-SU-2020:0929-1: important: Security update for MozillaFirefox Message-ID: <20200406191541.B707BFE16@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0929-1 Rating: important References: #1168630 Cross-References: CVE-2020-6819 CVE-2020-6820 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: - Mozilla Firefox 68.6.1esr MFSA 2020-11 (bsc#1168630) * CVE-2020-6819 (bmo#1620818) Use-after-free while running the nsDocShell destructor * CVE-2020-6820 (bmo#1626728) Use-after-free when handling a ReadableStream Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-929=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-929=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-929=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-929=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-branding-upstream-68.6.1-3.81.1 MozillaFirefox-debuginfo-68.6.1-3.81.1 MozillaFirefox-debugsource-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (x86_64): MozillaFirefox-buildsymbols-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (s390x): MozillaFirefox-devel-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): MozillaFirefox-branding-upstream-68.6.1-3.81.1 MozillaFirefox-debuginfo-68.6.1-3.81.1 MozillaFirefox-debugsource-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): MozillaFirefox-buildsymbols-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x): MozillaFirefox-devel-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.1-3.81.1 MozillaFirefox-debuginfo-68.6.1-3.81.1 MozillaFirefox-debugsource-68.6.1-3.81.1 MozillaFirefox-translations-common-68.6.1-3.81.1 MozillaFirefox-translations-other-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Desktop Applications 
15-SP2 (aarch64 ppc64le x86_64): MozillaFirefox-devel-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.6.1-3.81.1 MozillaFirefox-debuginfo-68.6.1-3.81.1 MozillaFirefox-debugsource-68.6.1-3.81.1 MozillaFirefox-translations-common-68.6.1-3.81.1 MozillaFirefox-translations-other-68.6.1-3.81.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64): MozillaFirefox-devel-68.6.1-3.81.1 References: https://www.suse.com/security/cve/CVE-2020-6819.html https://www.suse.com/security/cve/CVE-2020-6820.html https://bugzilla.suse.com/1168630 From sle-security-updates at lists.suse.com Mon Apr 6 16:16:17 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 7 Apr 2020 00:16:17 +0200 (CEST) Subject: SUSE-SU-2020:0930-1: important: Security update for ceph Message-ID: <20200406221617.CF2C0FE0F@maintenance.suse.de> SUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0930-1 Rating: important References: #1166403 #1166484 Cross-References: CVE-2020-1759 CVE-2020-1760 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Enterprise Storage 6 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for ceph fixes the following issues: - CVE-2020-1759: Fixed nonce reuse in msgr V2 secure mode (bsc#1166403) - CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-930=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-930=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2020-930=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ceph-14.2.5.389+gb0f23ac248-3.35.2 ceph-base-14.2.5.389+gb0f23ac248-3.35.2 ceph-base-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-debugsource-14.2.5.389+gb0f23ac248-3.35.2 ceph-fuse-14.2.5.389+gb0f23ac248-3.35.2 ceph-fuse-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-mds-14.2.5.389+gb0f23ac248-3.35.2 ceph-mds-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-mon-14.2.5.389+gb0f23ac248-3.35.2 ceph-mon-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-osd-14.2.5.389+gb0f23ac248-3.35.2 ceph-osd-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-radosgw-14.2.5.389+gb0f23ac248-3.35.2 ceph-radosgw-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 cephfs-shell-14.2.5.389+gb0f23ac248-3.35.2 rbd-fuse-14.2.5.389+gb0f23ac248-3.35.2 rbd-fuse-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 rbd-mirror-14.2.5.389+gb0f23ac248-3.35.2 rbd-mirror-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 rbd-nbd-14.2.5.389+gb0f23ac248-3.35.2 rbd-nbd-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): ceph-test-14.2.5.389+gb0f23ac248-3.35.2 ceph-test-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-test-debugsource-14.2.5.389+gb0f23ac248-3.35.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): ceph-grafana-dashboards-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-dashboard-14.2.5.389+gb0f23ac248-3.35.2 
ceph-mgr-diskprediction-cloud-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-diskprediction-local-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-rook-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-ssh-14.2.5.389+gb0f23ac248-3.35.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): ceph-common-14.2.5.389+gb0f23ac248-3.35.2 ceph-common-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-debugsource-14.2.5.389+gb0f23ac248-3.35.2 libcephfs-devel-14.2.5.389+gb0f23ac248-3.35.2 libcephfs2-14.2.5.389+gb0f23ac248-3.35.2 libcephfs2-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 librados-devel-14.2.5.389+gb0f23ac248-3.35.2 librados-devel-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 librados2-14.2.5.389+gb0f23ac248-3.35.2 librados2-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 libradospp-devel-14.2.5.389+gb0f23ac248-3.35.2 librbd-devel-14.2.5.389+gb0f23ac248-3.35.2 librbd1-14.2.5.389+gb0f23ac248-3.35.2 librbd1-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 librgw-devel-14.2.5.389+gb0f23ac248-3.35.2 librgw2-14.2.5.389+gb0f23ac248-3.35.2 librgw2-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-ceph-argparse-14.2.5.389+gb0f23ac248-3.35.2 python3-cephfs-14.2.5.389+gb0f23ac248-3.35.2 python3-cephfs-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-rados-14.2.5.389+gb0f23ac248-3.35.2 python3-rados-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-rbd-14.2.5.389+gb0f23ac248-3.35.2 python3-rbd-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-rgw-14.2.5.389+gb0f23ac248-3.35.2 python3-rgw-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 rados-objclass-devel-14.2.5.389+gb0f23ac248-3.35.2 - SUSE Enterprise Storage 6 (aarch64 x86_64): ceph-14.2.5.389+gb0f23ac248-3.35.2 ceph-base-14.2.5.389+gb0f23ac248-3.35.2 ceph-base-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-common-14.2.5.389+gb0f23ac248-3.35.2 ceph-common-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-debugsource-14.2.5.389+gb0f23ac248-3.35.2 ceph-fuse-14.2.5.389+gb0f23ac248-3.35.2 ceph-fuse-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-mds-14.2.5.389+gb0f23ac248-3.35.2 
ceph-mds-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-mon-14.2.5.389+gb0f23ac248-3.35.2 ceph-mon-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-osd-14.2.5.389+gb0f23ac248-3.35.2 ceph-osd-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 ceph-radosgw-14.2.5.389+gb0f23ac248-3.35.2 ceph-radosgw-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 cephfs-shell-14.2.5.389+gb0f23ac248-3.35.2 libcephfs2-14.2.5.389+gb0f23ac248-3.35.2 libcephfs2-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 librados2-14.2.5.389+gb0f23ac248-3.35.2 librados2-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 librbd1-14.2.5.389+gb0f23ac248-3.35.2 librbd1-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 librgw2-14.2.5.389+gb0f23ac248-3.35.2 librgw2-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-ceph-argparse-14.2.5.389+gb0f23ac248-3.35.2 python3-cephfs-14.2.5.389+gb0f23ac248-3.35.2 python3-cephfs-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-rados-14.2.5.389+gb0f23ac248-3.35.2 python3-rados-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-rbd-14.2.5.389+gb0f23ac248-3.35.2 python3-rbd-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 python3-rgw-14.2.5.389+gb0f23ac248-3.35.2 python3-rgw-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 rbd-fuse-14.2.5.389+gb0f23ac248-3.35.2 rbd-fuse-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 rbd-mirror-14.2.5.389+gb0f23ac248-3.35.2 rbd-mirror-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 rbd-nbd-14.2.5.389+gb0f23ac248-3.35.2 rbd-nbd-debuginfo-14.2.5.389+gb0f23ac248-3.35.2 - SUSE Enterprise Storage 6 (noarch): ceph-grafana-dashboards-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-dashboard-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-diskprediction-local-14.2.5.389+gb0f23ac248-3.35.2 ceph-mgr-rook-14.2.5.389+gb0f23ac248-3.35.2 ceph-prometheus-alerts-14.2.5.389+gb0f23ac248-3.35.2 References: https://www.suse.com/security/cve/CVE-2020-1759.html https://www.suse.com/security/cve/CVE-2020-1760.html https://bugzilla.suse.com/1166403 https://bugzilla.suse.com/1166484 From 
sle-security-updates at lists.suse.com Tue Apr 7 03:52:47 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 7 Apr 2020 11:52:47 +0200 (CEST) Subject: SUSE-CU-2020:110-1: Security update of ses/6/cephcsi/cephcsi Message-ID: <20200407095247.8862EFDF3@maintenance.suse.de> SUSE Container Update Advisory: ses/6/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:110-1 Container Tags : ses/6/cephcsi/cephcsi:1.2.0.0 , ses/6/cephcsi/cephcsi:1.2.0.0.1.5.158 , ses/6/cephcsi/cephcsi:latest Container Release : 1.5.158 Severity : important Type : security References : 1084671 1092920 1102840 1106383 1122669 1133495 1135114 1136184 1139459 1139939 1146853 1146854 1148788 1150021 1151023 1151377 1154256 1154804 1154805 1155198 1155205 1155207 1155298 1155337 1155350 1155357 1155360 1155574 1155678 1155819 1155951 1156158 1156213 1156482 1157377 1158485 1158504 1158509 1158630 1158630 1158758 1158763 1158921 1159003 1159018 1159814 1160039 1160086 1160160 1160590 1160594 1160595 1160735 1160764 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161770 1161779 1161783 1161816 1162108 1162108 1162152 1162202 1162224 1162367 1162423 1162518 1162675 1162825 1163184 1163922 1164260 1164505 1164562 1164717 1164950 1164950 1165579 1165784 1165894 1166106 1166403 1166481 1166484 1166510 1166510 1166748 1166880 1167163 1167205 1167206 1167223 1167631 1167674 CVE-2019-18634 CVE-2019-18802 CVE-2019-18900 CVE-2019-20386 CVE-2019-3687 CVE-2019-9674 CVE-2020-10029 CVE-2020-1712 CVE-2020-1712 CVE-2020-1752 CVE-2020-1759 CVE-2020-1760 CVE-2020-8013 CVE-2020-8492 ----------------------------------------------------------------- The container ses/6/cephcsi/cephcsi was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:340-1 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1161770 This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:368-1 Released: Fri Feb 7 13:49:41 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1150021 This update for lvm2 fixes the following issues: - Fix for LVM in KVM: The SCSI persistent reservation scenario can trigger an error during LVM actions. 
(bsc#1150021) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:395-1 Released: Tue Feb 18 14:16:48 2020 Summary: Recommended update for gcc7 Type: recommended Severity: moderate References: 1160086 This update for gcc7 fixes the following issue: - Fixed a miscompilation in zSeries code (bsc#1160086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:408-1 Released: Wed Feb 19 09:32:46 2020 Summary: Security update for sudo Type: security Severity: important References: 1162202,1162675,CVE-2019-18634 This update for sudo fixes the following issues: Security issue fixed: - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). 
- Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). - Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:453-1 Released: Tue Feb 25 10:51:53 2020 Summary: Recommended update for binutils Type: recommended Severity: moderate References: 1160590 This update for binutils fixes the following issues: - Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:462-1 Released: Tue Feb 25 11:49:30 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1158504,1158509,1158630,1158758 This update for xfsprogs fixes the following issues: - Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. 
(bsc#1158630) - Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509) - Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504) - Fix for 'xfs_quota' to avoid falsely reporting that the project inheritance flag is not set. (bsc#1158758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:467-1 Released: Tue Feb 25 12:00:39 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 This update for python3 fixes the following issues: Security issues fixed: - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367). Non-security issue fixed: - If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:498-1 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Type: recommended Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for 
Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + 
CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 
* Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN 
* Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add 
AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies. 
Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating 
specs * Convert from `awslabs` to `aws-cloudformation` organization * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0 Update to version 0.15.0 + Features * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST + CloudFormation Specifications * Update Spec files to 2.24.0 * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName * Add all the allowed values of the AWS::CloudFront::* Resources * Add all the allowed values of the AWS::DAX::* Resources + Fixes * Update config parsing to use the builtin Yaml decoder * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules * Update rule E1029 to better check Resource strings inside IAM Policies * Improve the line/column information of a Match with array support Update to version 0.14.1 + CloudFormation Specifications * Update CloudFormation Specs to version 2.23.0 * Add allowed values for AWS::Config::* resources * Add allowed values for AWS::ServiceDiscovery::* resources * Fix allowed values for Apache MQ + Fixes * Update rule E3008 to not error when using a list from a custom resource * Support simple types in the CloudFormation spec * Add tests for the formatters Update to version 0.14.0 + Features * Add rule E3035 to check the values of DeletionPolicy * Add rule E3036 to check the values of UpdateReplacePolicy * Add rule E2014 to check that there are no REFs in the Parameter section * Update rule E2503 to support TLS on NLBs + CloudFormation Specifications * Update CloudFormation spec to version 2.22.0 * Add allowed values for AWS::Cognito::* resources + Fixes * Update rule E3002 to allow GetAtts to Custom Resources under a Condition Update to version 0.13.2 + Features * Introducing the cfn-lint logo! 
* Update SAM dependency version + Fixes * Fix CloudWatchAlarmComparisonOperator allowed values. * Fix typo resoruce_type_spec in several files * Better support for nested And, Or, and Not when processing Conditions Update to version 0.13.1 + CloudFormation Specifications * Add allowed values for AWS::CloudTrail::Trail resources * Patch spec to have AWS::CodePipeline::CustomActionType Version included + Fixes * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified Update to version 0.13.0 + Features * New rule W1011 to check if a FindInMap is using the correct map name and keys * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used * Removed logic in E1011 and moved it to W1011 for validating keys * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne * Update rule E2505 to check the netmask bit * Include the ability to update the CloudFormation Specs using the Pricing API + CloudFormation Specifications * Update to version 2.21.0 * Add allowed values for AWS::Budgets::Budget * Add allowed values for AWS::CertificateManager resources * Add allowed values for AWS::CodePipeline resources * Add allowed values for AWS::CodeCommit resources * Add allowed values for EC2 InstanceTypes from pricing API * Add allowed values for RedShift InstanceTypes from pricing API * Add allowed values for MQ InstanceTypes from pricing API * Add allowed values for RDS InstanceTypes from pricing API + Fixes * Fixed README indentation issue with .pre-commit-config.yaml * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record * Update rule E3001 to support UpdateReplacePolicy * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder * Update rule E3002 and E1024 to support packaging of 
AWS::Lambda::LayerVersion content - Initial build + Version 0.12.1 Update to 0.9.1 * the prof plugin now uses cProfile instead of hotshot for profiling * skipped tests now include the user's reason in junit XML's message field * the prettyassert plugin mishandled multi-line function definitions * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors * nose2.plugins.prettyassert, enabled with --pretty-assert * Cleanup code for EOLed python versions * Dropped support for distutils. * Result reporter respects failure status set by other plugins * JUnit XML plugin now includes the skip reason in its output Upgrade to 0.8.0: - List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0 Update to 0.7.0: * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!) * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67) * Make sure that `setUp` and `tearDown` methods work correctly (#40) * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48) * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49) aws-cli was updated to version 1.16.223: For detailed changes see the changes entries: https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 
1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released:    Fri Feb 28 11:49:36 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released:    Fri Feb 28 16:26:21 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013

This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:556-1
Released:    Mon Mar 2 13:32:11 2020
Summary:     Recommended update for 389-ds
Type:        recommended
Severity:    moderate
References:  1155951

This update for 389-ds to version 1.4.2.2 fixes the following issues:

389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.

Issue addressed:

- Enabled python lib389 installer tooling to match upstream and suse documentation.
More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released:    Tue Mar 3 13:25:41 2020
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released:    Tue Mar 3 13:37:28 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released:    Thu Mar 5 15:24:09 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released:    Tue Mar 10 16:23:08 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to
  https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released:    Fri Mar 13 10:48:58 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released:    Fri Mar 13 17:09:01 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again.
  It will be published in a different package at a later time.
  (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released:    Thu Mar 19 11:00:46 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:722-1
Released:    Thu Mar 19 11:21:57 2020
Summary:     Security update for nghttp2
Type:        security
Severity:    moderate
References:  1159003,1166481,CVE-2019-18802

This update for nghttp2 fixes the following issues:

nghttp2 was updated to version 1.40.0 (bsc#1166481)

- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released:    Thu Mar 19 14:44:22 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released:    Tue Mar 24 18:07:52 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1165894

This update for python3 fixes the
following issue:

- Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released:    Wed Mar 25 15:16:00 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released:    Mon Mar 30 16:23:42 2020
Summary:     Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type:        recommended
Severity:    moderate
References:  1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of
  non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added continuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

  * Updated the English dictionaries: GB+US+CA+AU
  * Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released:    Tue Mar 31 13:02:22 2020
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:823-1
Released:    Tue Mar 31 13:28:14 2020
Summary:     Recommended update for parted
Type:        recommended
Severity:    moderate
References:  1161783,1164260

This update for parted fixes the following issue:

- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast. (bsc#1161783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released:    Tue Mar 31 17:21:34 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1167163

This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released:    Thu Apr 2 07:24:07 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:850-1
Released:    Thu Apr 2 14:37:31 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1155350,1155357,1155360,1166880

This update for mozilla-nss fixes the following issues:

Added various fixes related to FIPS certification:

  * Use getrandom() to obtain entropy where possible.
  * Make DSA KAT FIPS compliant.
  * Use FIPS compliant hash when validating keypair.
  * Enforce FIPS requirements on RSA key generation.
  * Miscellaneous fixes to CAVS tests.
  * Enforce FIPS limits on how much data can be processed without rekeying.
  * Run self tests on library initialization in FIPS mode.
  * Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
  * Clear various temporary variables after use.
  * Allow MD5 to be used in TLS PRF.
  * Preferentially gather entropy from /dev/random over /dev/urandom.
  * Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
  * Fix argument parsing bug in lowhashtest.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released:    Fri Apr 3 15:02:25 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:931-1
Released:    Mon Apr 6 20:23:35 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1166403,1166484,CVE-2020-1759,CVE-2020-1760

This update for ceph fixes the following issues:

- CVE-2020-1759: Fixed nonce reuse in msgr V2 secure mode (bsc#1166403)
- CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:935-1
Released:    Tue Apr 7 03:46:39 2020
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1158630,1167205,1167206

This update for xfsprogs fixes the following issues:

- xfs_quota: reformat commands in the manpage. (bsc#1167206)
  Reformat commands in the manpage so that fstest can check that each command is actually documented.
- xfs_db: document missing commands. (bsc#1167205)
  Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command. (bsc#1158630)
  Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command

From sle-security-updates at lists.suse.com Tue Apr 7 03:54:43 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 7 Apr 2020 11:54:43 +0200 (CEST)
Subject: SUSE-CU-2020:111-1: Security update of ses/6/ceph/ceph
Message-ID: <20200407095443.67773FDF3@maintenance.suse.de>

SUSE Container Update Advisory: ses/6/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:111-1
Container Tags        : ses/6/ceph/ceph:14.2.5.389 , ses/6/ceph/ceph:14.2.5.389.1.5.156 , ses/6/ceph/ceph:latest
Container Release     : 1.5.156
Severity              : important
Type                  : security
References            : 1084671 1092920 1102840 1106383 1122669 1133495 1135114 1136184 1139459 1139939 1146853 1146854 1148788 1150021 1151023 1151377 1154256 1154804 1154805 1155198 1155205 1155207 1155298 1155337 1155350 1155357 1155360 1155574 1155678 1155819 1155951 1156158 1156213 1156482 1157377 1158485 1158504 1158509 1158630 1158630 1158758 1158763 1158921 1159003 1159018 1159814 1160039 1160086 1160160 1160590 1160594 1160595 1160735 1160764 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161770 1161779 1161783 1161816 1162108 1162108 1162152 1162202 1162224 1162367 1162423 1162518 1162675 1162825 1163184 1163922 1164260 1164505 1164562 1164717 1164950 1164950 1165579 1165784 1165894 1166106 1166403 1166481 1166484 1166510 1166510 1166748 1166880 1167163 1167205 1167206 1167223 1167631 1167674 CVE-2019-18634 CVE-2019-18802 CVE-2019-18900 CVE-2019-20386 CVE-2019-3687 CVE-2019-9674 CVE-2020-10029 CVE-2020-1712 CVE-2020-1712 CVE-2020-1752 CVE-2020-1759 CVE-2020-1760 CVE-2020-8013 CVE-2020-8492
-----------------------------------------------------------------

The container ses/6/ceph/ceph was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released:    Thu Feb 6 11:37:24 2020
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712

This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger???
  (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
  option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released:    Thu Feb 6 13:03:22 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1158921

This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released:    Thu Feb 6 13:03:56 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1161770

This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released:    Fri Feb 7 13:49:41 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1150021

This update for lvm2 fixes the following issues:

- Fix for LVM in KVM: The scsi persistent reservation scenario can trigger an error during LVM actions.
  (bsc#1150021)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:395-1
Released:    Tue Feb 18 14:16:48 2020
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1160086

This update for gcc7 fixes the following issue:

- Fixed a miscompilation in zSeries code (bsc#1160086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:408-1
Released:    Wed Feb 19 09:32:46 2020
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1162202,1162675,CVE-2019-18634

This update for sudo fixes the following issues:

Security issue fixed:

- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).

Non-security issue fixed:

- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released:    Fri Feb 21 14:34:16 2020
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    moderate
References:  1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900

This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales
  If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released:    Tue Feb 25 10:50:35 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1155337,1161215,1161216,1161218,1161219,1161220

This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released:    Tue Feb 25 10:51:53 2020
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1160590

This update for binutils fixes the following issues:

- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:462-1
Released:    Tue Feb 25 11:49:30 2020
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1158504,1158509,1158630,1158758

This update for xfsprogs fixes the following issues:

- Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively.
  (bsc#1158630)
- Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
- Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
- Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. (bsc#1158758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released:    Tue Feb 25 12:00:39 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492

This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released:    Tue Feb 25 14:23:14 2020
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1102840,1160039

This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built.
  This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released:    Tue Feb 25 17:38:22 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1160735

This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi.
  (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:498-1
Released:    Wed Feb 26 17:59:44 2020
Summary:     Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized
Type:        recommended
Severity:    moderate
References:  1122669,1136184,1146853,1146854,1159018

This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues:

python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507):

Upgrade to 1.11.0:
  * Add ReservedConcurrentExecutions to globals
  * Fix ElasticsearchHttpPostPolicy resource reference
  * Support using AWS::Region in Ref and Sub
  * Documentation and examples updates
  * Add VersionDescription property to Serverless::Function
  * Update ServerlessRepoReadWriteAccessPolicy
  * Add additional template validation

Upgrade to 1.10.0:
  * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
  * Add DynamoDBReconfigurePolicy
  * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
  * Add EKSDescribePolicy
  * Add SESBulkTemplatedCrudPolicy
  * Add FilterLogEventsPolicy
  * Add SSMParameterReadPolicy
  * Add SESEmailTemplateCrudPolicy
  * Add s3:PutObjectAcl to S3CrudPolicy
  * Add allow_credentials CORS option
  * Add support for AccessLogSetting and CanarySetting Serverless::Api properties
  * Add support for X-Ray in Serverless::Api
  * Add support for MinimumCompressionSize in Serverless::Api
  * Add Auth to Serverless::Api globals
  * Remove trailing slashes from APIGW permissions
  * Add SNS FilterPolicy and an example application
  * Add Enabled property to Serverless::Function event sources
  * Add support for PermissionsBoundary in Serverless::Function
  * Fix boto3 client initialization
  * Add PublicAccessBlockConfiguration property to S3 bucket resource
  * Make PAY_PER_REQUEST default mode for
Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + 
CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 
    * Add new region ap-east-1
    * Add list min/max and string min/max for CloudWatch Alarm Actions
    * Add allowed values for EC2::LaunchTemplate
    * Add allowed values for EC2::Host
    * Update allowed values for Amazon MQ to include 5.15.9
    * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions
    * Add AWS::EC2::VPCEndpointService to all regions
    * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be an IAM Role ARN
    * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets
    * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit.
  + Fixes
    * Fix rule E3033 to check the string size when the string is inside a list
    * Fix an issue in which AWS::NotificationARNs was not a list
    * Add AWS::EC2::Volume to rule W3010
    * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter
      causing this error to falsely trigger
    * Fix rule W3010 to not error when the availability zone is 'all'
Update to version 0.19.1
  + Fixes
    * Fix core Condition processing to support direct Condition in another Condition
    * Fix the W2030 to check numbers against string allowed values
Update to version 0.19.0
  + Features
    * Add NS and PTR Route53 record checking to rule E3020
    * New rule E3050 to check if a Ref to IAM Role has a Role path of '/'
    * New rule E3037 to look for duplicates in a list that doesn't support duplicates
    * New rule I3037 to look for duplicates in a list when duplicates are allowed
  + CloudFormation Specifications
    * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds
    * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument
    * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface,
      PlacementGroup, and Volume
    * Add Min/max values to AWS::Budgets::Budget.Notification Threshold
    * Update RDS Instance types by database engine and license definitions using the pricing API
    * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN
    * Update AWS::ECS::Service Role to support Role Name or ARN
  + Fixes
    * Update E3025 to support the new structure of data in the RDS instance type json
    * Update E2540 to remove all nested conditions from the object
    * Update E3030 to not do strict type checking
    * Update E3020 to support conditions nested in the record sets
    * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats
Update to version 0.18.1
  + CloudFormation Specifications
    * Update CloudFormation Specs to 2.30.0
    * Fix IAM Regex Path to support more character types
    * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an
      InstanceProfile or GetAtt the InstanceProfile Arn
    * Allow VPC IDs to Ref a Parameter of type String
  + Fixes
    * Fix E3502 to check the size of the property instead of the parent object
Update to version 0.18.0
  + Features
    * New rule E3032 to check the size of lists
    * New rule E3502 to check JSON Object Size using definitions in the spec file
    * New rule E3033 to test the minimum and maximum length of a string
    * New rule E3034 to validate the min and max of a number
    * Remove Ebs Iops check from E2504 and use rule E3034 instead
    * Remove rule E2509 and use rule E3033 instead
    * Remove rule E2508 as it is replaced by E3032 and E3502
    * Update rule E2503 to check that there are at least two Subnets or SubnetMappings for ALBs
    * SAM requirement upped to minimal version of 1.10.0
  + CloudFormation Specifications
    * Extend specs to include:
      > `ListMin` and `ListMax` for the minimum and maximum size of a list
      > `JsonMax` to check the max size of a JSON Object
      > `StringMin` and `StringMax` to check the minimum and maximum length of a String
      > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long
    * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy
    * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance
    * Add AllowedValues for the AWS::GuardDuty Resources
    * Add
      AllowedValues for AWS::EC2 VPC and VPN Resources
    * Switch IAM Instance Profiles for certain resources to the type that only takes the name
    * Add regex pattern for IAM Instance Profile when a name (not Arn) is used
    * Add regex pattern for IAM Paths
    * Add Regex pattern for IAM Role Arn
    * Update OnlyOne spec to require at least one of Subnets or SubnetMappings with ELB v2
  + Fixes
    * Fix serverless transform to use DefinitionBody when Auth is in the API definition
    * Fix rule W2030 to not error when checking SSM or List Parameters
Update to version 0.17.1
  + Features
    * Update rule E2503 to make sure NLBs don't have a Security Group configured
  + CloudFormation Specifications
    * Add all the allowed values of the `AWS::Glue` Resources
    * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics`
    * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics`
      and `Statistic`
    * Update CloudFormation specs to 2.29.0
    * Fix type with MariaDB in the AllowedValues
    * Update pricing information for data available on 2018.3.29
  + Fixes
    * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies
    * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+`
    * Fix rule E2532 to allow for `Parameters` inside a `Pass` action
    * Fix an issue when getting the location of an error in which numbers are causing an
      attribute error
Update to version 0.17.0
  + Features
    * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled
      and NumCacheClusters. Status: Released
    * Add new rule W3037 to validate IAM resource policies.
      Status: Experimental
    * Add new parameter `-e/--include-experimental` to allow for new rules that aren't
      ready to be fully released
  + CloudFormation Specifications
    * Update Spec files to 2.28.0
    * Add all the allowed values of the AWS::Redshift::* Resources
    * Add all the allowed values of the AWS::Neptune::* Resources
    * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required
    * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required
  + Fixes
    * Remove extra blank lines when there are no errors in the output
    * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition
    * Update rule E1029 to allow for literals in a Sub
    * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern
      regex check
    * Correct typos for errors in rule W1001
    * Switch from parsing a template as Yaml to Json when finding an escape character
    * Fix an issue with SAM related to transforming templates with Serverless Application
      and Lambda Layers
    * Fix an issue with rule E2541 when non strings were used for Stage Names
Update to version 0.16.0
  + Features
    * Add rule E3031 to look for regex patterns based on the patched spec file
    * Remove regex checks from rule E2509
    * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting
  + CloudFormation Specifications
    * Update Spec files to 2.26.0
    * Add all the allowed values of the AWS::DirectoryService::* Resources
    * Add all the allowed values of the AWS::DynamoDB::* Resources
    * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2
    * Patch the spec file with regex patterns
    * Add all the allowed values of the AWS::DocDb::* Resources
  + Fixes
    * Update rule E2504 to have '20000' as the max value
    * Update rule E1016 to not allow ImportValue inside of Conditions
    * Update rule E2508 to check conditions when providing limit checks on managed policies
    * Convert unicode to strings when in Py 3.4/3.5 and updating
      specs
    * Convert from `awslabs` to `aws-cloudformation` organization
    * Remove suppression of logging that was removed from samtranslator >1.7.0 and
      incompatibility with samtranslator 1.10.0
Update to version 0.15.0
  + Features
    * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
    * Add rule E3024 to validate that ProvisionedThroughput is not specified with
      BillingMode PAY_PER_REQUEST
  + CloudFormation Specifications
    * Update Spec files to 2.24.0
    * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
    * Add all the allowed values of the AWS::CloudFront::* Resources
    * Add all the allowed values of the AWS::DAX::* Resources
  + Fixes
    * Update config parsing to use the builtin Yaml decoder
    * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
    * Update rule E1029 to better check Resource strings inside IAM Policies
    * Improve the line/column information of a Match with array support
Update to version 0.14.1
  + CloudFormation Specifications
    * Update CloudFormation Specs to version 2.23.0
    * Add allowed values for AWS::Config::* resources
    * Add allowed values for AWS::ServiceDiscovery::* resources
    * Fix allowed values for Apache MQ
  + Fixes
    * Update rule E3008 to not error when using a list from a custom resource
    * Support simple types in the CloudFormation spec
    * Add tests for the formatters
Update to version 0.14.0
  + Features
    * Add rule E3035 to check the values of DeletionPolicy
    * Add rule E3036 to check the values of UpdateReplacePolicy
    * Add rule E2014 to check that there are no REFs in the Parameter section
    * Update rule E2503 to support TLS on NLBs
  + CloudFormation Specifications
    * Update CloudFormation spec to version 2.22.0
    * Add allowed values for AWS::Cognito::* resources
  + Fixes
    * Update rule E3002 to allow GetAtts to Custom Resources under a Condition
Update to version 0.13.2
  + Features
    * Introducing the cfn-lint logo!
    * Update SAM dependency version
  + Fixes
    * Fix CloudWatchAlarmComparisonOperator allowed values.
    * Fix typo resoruce_type_spec in several files
    * Better support for nested And, Or, and Not when processing Conditions
Update to version 0.13.1
  + CloudFormation Specifications
    * Add allowed values for AWS::CloudTrail::Trail resources
    * Patch spec to have AWS::CodePipeline::CustomActionType Version included
  + Fixes
    * Fix conditions logic to use AllowedValues when REFing a Parameter that has
      AllowedValues specified
Update to version 0.13.0
  + Features
    * New rule W1011 to check if a FindInMap is using the correct map name and keys
    * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
    * Removed logic in E1011 and moved it to W1011 for validating keys
    * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into
      Inclusive, Exclusive, and AtLeastOne
    * Update rule E2505 to check the netmask bit
    * Include the ability to update the CloudFormation Specs using the Pricing API
  + CloudFormation Specifications
    * Update to version 2.21.0
    * Add allowed values for AWS::Budgets::Budget
    * Add allowed values for AWS::CertificateManager resources
    * Add allowed values for AWS::CodePipeline resources
    * Add allowed values for AWS::CodeCommit resources
    * Add allowed values for EC2 InstanceTypes from pricing API
    * Add allowed values for RedShift InstanceTypes from pricing API
    * Add allowed values for MQ InstanceTypes from pricing API
    * Add allowed values for RDS InstanceTypes from pricing API
  + Fixes
    * Fixed README indentation issue with .pre-commit-config.yaml
    * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
    * Fixed rule E3020 to allow for a period or no period at the end of an ACM registration record
    * Update rule E3001 to support UpdateReplacePolicy
    * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder
    * Update rule E3002 and E1024 to support packaging of
      AWS::Lambda::LayerVersion content
- Initial build
  + Version 0.12.1

Update to 0.9.1
  * the prof plugin now uses cProfile instead of hotshot for profiling
  * skipped tests now include the user's reason in junit XML's message field
  * the prettyassert plugin mishandled multi-line function definitions
  * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors
  * nose2.plugins.prettyassert, enabled with --pretty-assert
  * Cleanup code for EOLed python versions
  * Dropped support for distutils.
  * Result reporter respects failure status set by other plugins
  * JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:
  - List of changes is too long to show here, see
    https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
    changes between 0.6.5 and 0.8.0

Update to 0.7.0:
  * Added parameterized_class feature, for parameterizing entire test classes
    (many thanks to @TobyLL for their suggestions and help testing!)
  * Fix DeprecationWarning on `inspect.getargs`
    (thanks @brettdh; https://github.com/wolever/parameterized/issues/67)
  * Make sure that `setUp` and `tearDown` methods work correctly (#40)
  * Raise a ValueError when input is empty
    (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48)
  * Fix the order when number of cases exceeds 10
    (thanks @ntflc; https://github.com/wolever/parameterized/pull/49)

aws-cli was updated to version 1.16.223:

For detailed changes see the changes entries:
  https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst
  https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst

python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to
1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released:    Fri Feb 28 11:49:36 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released:    Fri Feb 28 16:26:21 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013

This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read
  network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for
  mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:556-1
Released:    Mon Mar 2 13:32:11 2020
Summary:     Recommended update for 389-ds
Type:        recommended
Severity:    moderate
References:  1155951

This update for 389-ds to version 1.4.2.2 fixes the following issues:

389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.

Issue addressed:

- Enabled python lib389 installer tooling to match upstream and suse documentation.
More information for this release at:
https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released:    Tue Mar 3 13:25:41 2020
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released:    Tue Mar 3 13:37:28 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released:    Thu Mar 5 15:24:09 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released:    Tue Mar 10 16:23:08 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to
  https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released:    Fri Mar 13 10:48:58 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released:    Fri Mar 13 17:09:01 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily
  disabled pam_userdb again. It will be published in a different package at a later time.
  (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released:    Thu Mar 19 11:00:46 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:722-1
Released:    Thu Mar 19 11:21:57 2020
Summary:     Security update for nghttp2
Type:        security
Severity:    moderate
References:  1159003,1166481,CVE-2019-18802

This update for nghttp2 fixes the following issues:

nghttp2 was updated to version 1.40.0 (bsc#1166481)

- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released:    Thu Mar 19 14:44:22 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released:    Tue Mar 24 18:07:52 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1165894

This update for python3 fixes the
following issue:

- Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released:    Wed Mar 25 15:16:00 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is being moved out of
  the git repo since this is not related to systemd or udev at all and is maintained by
  the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it
  (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released:    Mon Mar 30 16:23:42 2020
Summary:     Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type:        recommended
Severity:    moderate
References:  1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on:

https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of
  non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added continuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

  * Updated the English dictionaries: GB+US+CA+AU
  * Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released:    Tue Mar 31 13:02:22 2020
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker
  to create a specially crafted path that, when processed by the glob function, could
  potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:823-1
Released:    Tue Mar 31 13:28:14 2020
Summary:     Recommended update for parted
Type:        recommended
Severity:    moderate
References:  1161783,1164260

This update for parted fixes the following issue:

- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast. (bsc#1161783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released:    Tue Mar 31 17:21:34 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1167163

This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released:    Thu Apr 2 07:24:07 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for
    virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:850-1
Released:    Thu Apr 2 14:37:31 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1155350,1155357,1155360,1166880

This update for mozilla-nss fixes the following issues:

Added various fixes related to FIPS certification:

  * Use getrandom() to obtain entropy where possible.
  * Make DSA KAT FIPS compliant.
  * Use FIPS compliant hash when validating keypair.
  * Enforce FIPS requirements on RSA key generation.
  * Miscellaneous fixes to CAVS tests.
  * Enforce FIPS limits on how much data can be processed without rekeying.
  * Run self tests on library initialization in FIPS mode.
  * Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
  * Clear various temporary variables after use.
  * Allow MD5 to be used in TLS PRF.
  * Preferentially gather entropy from /dev/random over /dev/urandom.
  * Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
  * Fix argument parsing bug in lowhashtest.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released:    Fri Apr 3 15:02:25 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:931-1
Released:    Mon Apr 6 20:23:35 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1166403,1166484,CVE-2020-1759,CVE-2020-1760

This update for ceph fixes the following issues:

- CVE-2020-1759: Fixed nonce reuse in msgr V2 secure mode (bsc#1166403)
- CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:935-1
Released:    Tue Apr 7 03:46:39 2020
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1158630,1167205,1167206

This update for xfsprogs fixes the following issues:

- xfs_quota: reformat commands in the manpage. (bsc#1167206)
  Reformat commands in the manpage so that fstest can check that each command is
  actually documented.
- xfs_db: document missing commands. (bsc#1167205)
  Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command. (bsc#1158630)
  Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes
  respectively for the copy_range command

From sle-security-updates at lists.suse.com Tue Apr 7 03:58:36 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 7 Apr 2020 11:58:36 +0200 (CEST)
Subject: SUSE-CU-2020:113-1: Security update of ses/6/rook/ceph
Message-ID: <20200407095836.1B3ECFDF3@maintenance.suse.de>

SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:113-1
Container Tags        : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.157 , ses/6/rook/ceph:latest
Container Release     : 1.5.157
Severity              : important
Type                  : security
References            : 1084671 1092920 1102840 1106383 1122669 1133495 1135114 1136184 1139459
                        1139939 1146853 1146854 1148788 1150021 1151023 1151377 1154256 1154804
                        1154805 1155198 1155205 1155207 1155298 1155337 1155350 1155357 1155360
                        1155574 1155678 1155819 1155951 1156158 1156213 1156482 1157377 1158485
                        1158504 1158509 1158630 1158630 1158758 1158763 1158921 1159003 1159018
                        1159814 1160039 1160086 1160160 1160590 1160594 1160595 1160735 1160764
                        1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161770 1161779
                        1161783 1161816 1162108 1162108 1162152 1162202 1162224 1162367 1162423
                        1162518 1162675 1162825 1163184 1163922 1164260 1164505 1164562 1164717
                        1164950 1164950 1165579 1165784 1165894 1166106 1166403 1166481 1166484
                        1166510 1166510 1166748 1166880 1167163 1167205 1167206 1167223 1167631
                        1167674 CVE-2019-18634 CVE-2019-18802 CVE-2019-18900 CVE-2019-20386
                        CVE-2019-3687 CVE-2019-9674 CVE-2020-10029 CVE-2020-1712 CVE-2020-1712
                        CVE-2020-1752 CVE-2020-1759 CVE-2020-1760 CVE-2020-8013 CVE-2020-8492
-----------------------------------------------------------------

The container ses/6/rook/ceph was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released:    Thu Feb 6 11:37:24 2020
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712

This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed
  while handling Dbus messages. A local unprivileged attacker could have abused this flaw
  to crash systemd services or potentially execute code and elevate their privileges, by
  sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger???
  (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs
  (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
  option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921

This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released: Thu Feb 6 13:03:56 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1161770

This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released: Fri Feb 7 13:49:41 2020
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1150021

This update for lvm2 fixes the following issues:

- Fix for LVM in KVM: The SCSI persistent reservation scenario can trigger an error during LVM actions.
  (bsc#1150021)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:395-1
Released: Tue Feb 18 14:16:48 2020
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1160086

This update for gcc7 fixes the following issue:

- Fixed a miscompilation in zSeries code (bsc#1160086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:408-1
Released: Wed Feb 19 09:32:46 2020
Summary: Security update for sudo
Type: security
Severity: important
References: 1162202,1162675,CVE-2019-18634

This update for sudo fixes the following issues:

Security issue fixed:

- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).

Non-security issue fixed:

- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900

This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes:

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220

This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released: Tue Feb 25 10:51:53 2020
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1160590

This update for binutils fixes the following issues:

- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:462-1
Released: Tue Feb 25 11:49:30 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158504,1158509,1158630,1158758

This update for xfsprogs fixes the following issues:

- Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively.
  (bsc#1158630)
- Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
- Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
- Fix for 'xfs_quota' to avoid falsely reporting the error that the project inheritance flag is not set. (bsc#1158758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released: Tue Feb 25 12:00:39 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492

This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039

This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update solves the issues caused by calling the perl function timelocal with the year expressed in only two digits instead of four. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735

This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority of ethernet over wifi.
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:498-1 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Type: recommended Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for 
Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + 
CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 
* Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN 
* Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add 
AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies. 
Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating 
specs * Convert from `awslabs` to `aws-cloudformation` organization * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0 Update to version 0.15.0 + Features * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST + CloudFormation Specifications * Update Spec files to 2.24.0 * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName * Add all the allowed values of the AWS::CloudFront::* Resources * Add all the allowed values of the AWS::DAX::* Resources + Fixes * Update config parsing to use the builtin Yaml decoder * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules * Update rule E1029 to better check Resource strings inside IAM Policies * Improve the line/column information of a Match with array support Update to version 0.14.1 + CloudFormation Specifications * Update CloudFormation Specs to version 2.23.0 * Add allowed values for AWS::Config::* resources * Add allowed values for AWS::ServiceDiscovery::* resources * Fix allowed values for Apache MQ + Fixes * Update rule E3008 to not error when using a list from a custom resource * Support simple types in the CloudFormation spec * Add tests for the formatters Update to version 0.14.0 + Features * Add rule E3035 to check the values of DeletionPolicy * Add rule E3036 to check the values of UpdateReplacePolicy * Add rule E2014 to check that there are no REFs in the Parameter section * Update rule E2503 to support TLS on NLBs + CloudFormation Specifications * Update CloudFormation spec to version 2.22.0 * Add allowed values for AWS::Cognito::* resources + Fixes * Update rule E3002 to allow GetAtts to Custom Resources under a Condition Update to version 0.13.2 + Features * Introducing the cfn-lint logo! 
* Update SAM dependency version + Fixes * Fix CloudWatchAlarmComparisonOperator allowed values. * Fix typo resoruce_type_spec in several files * Better support for nested And, Or, and Not when processing Conditions Update to version 0.13.1 + CloudFormation Specifications * Add allowed values for AWS::CloudTrail::Trail resources * Patch spec to have AWS::CodePipeline::CustomActionType Version included + Fixes * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified Update to version 0.13.0 + Features * New rule W1011 to check if a FindInMap is using the correct map name and keys * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used * Removed logic in E1011 and moved it to W1011 for validating keys * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne * Update rule E2505 to check the netmask bit * Include the ability to update the CloudFormation Specs using the Pricing API + CloudFormation Specifications * Update to version 2.21.0 * Add allowed values for AWS::Budgets::Budget * Add allowed values for AWS::CertificateManager resources * Add allowed values for AWS::CodePipeline resources * Add allowed values for AWS::CodeCommit resources * Add allowed values for EC2 InstanceTypes from pricing API * Add allowed values for RedShift InstanceTypes from pricing API * Add allowed values for MQ InstanceTypes from pricing API * Add allowed values for RDS InstanceTypes from pricing API + Fixes * Fixed README indentation issue with .pre-commit-config.yaml * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record * Update rule E3001 to support UpdateReplacePolicy * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder * Update rule E3002 and E1024 to support packaging of 
AWS::Lambda::LayerVersion content - Initial build + Version 0.12.1 Update to 0.9.1 * the prof plugin now uses cProfile instead of hotshot for profiling * skipped tests now include the user's reason in junit XML's message field * the prettyassert plugin mishandled multi-line function definitions * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors * nose2.plugins.prettyassert, enabled with --pretty-assert * Cleanup code for EOLed python versions * Dropped support for distutils. * Result reporter respects failure status set by other plugins * JUnit XML plugin now includes the skip reason in its output Upgrade to 0.8.0: - List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0 Update to 0.7.0: * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!) * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67) * Make sure that `setUp` and `tearDown` methods work correctly (#40) * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48) * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49) aws-cli was updated to version 1.16.223: For detailed changes see the changes entries: https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 
1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013

This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:556-1
Released: Mon Mar 2 13:32:11 2020
Summary: Recommended update for 389-ds
Type: recommended
Severity: moderate
References: 1155951

This update for 389-ds to version 1.4.2.2 fixes the following issues:

389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.

Issue addressed:

- Enabled python lib389 installer tooling to match upstream and SUSE documentation.
More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to
  https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time.
  (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:722-1
Released: Thu Mar 19 11:21:57 2020
Summary: Security update for nghttp2
Type: security
Severity: moderate
References: 1159003,1166481,CVE-2019-18802

This update for nghttp2 fixes the following issues:

nghttp2 was updated to version 1.40.0 (bsc#1166481)

- lib: Add nghttp2_check_authority as public API
- lib: Fix the bug that stream is closed with wrong error code
- lib: Faster huffman encoding and decoding
- build: Avoid filename collision of static and dynamic lib
- build: Add new flag ENABLE_STATIC_CRT for Windows
- build: cmake: Support building nghttpx with systemd
- third-party: Update neverbleed to fix memory leak
- nghttpx: Fix bug that mruby is incorrectly shared between backends
- nghttpx: Reconnect h1 backend if it lost connection before sending headers
- nghttpx: Returns 408 if backend timed out before sending headers
- nghttpx: Fix request stal

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released: Tue Mar 24 18:07:52 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1165894

This update for python3 fixes the
following issue: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of 
non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added coninuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:823-1
Released: Tue Mar 31 13:28:14 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1161783,1164260

This update for parted fixes the following issue:

- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast. (bsc#1161783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163

This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:850-1
Released: Thu Apr 2 14:37:31 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1155350,1155357,1155360,1166880

This update for mozilla-nss fixes the following issues:

Added various fixes related to FIPS certification:

* Use getrandom() to obtain entropy where possible.
* Make DSA KAT FIPS compliant.
* Use FIPS compliant hash when validating keypair.
* Enforce FIPS requirements on RSA key generation.
* Miscellaneous fixes to CAVS tests.
* Enforce FIPS limits on how much data can be processed without rekeying.
* Run self tests on library initialization in FIPS mode.
* Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher).
* Clear various temporary variables after use.
* Allow MD5 to be used in TLS PRF.
* Preferentially gather entropy from /dev/random over /dev/urandom.
* Allow enabling FIPS mode consistently with NSS_FIPS environment variable.
* Fix argument parsing bug in lowhashtest.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:931-1
Released: Mon Apr 6 20:23:35 2020
Summary: Security update for ceph
Type: security
Severity: important
References: 1166403,1166484,CVE-2020-1759,CVE-2020-1760

This update for ceph fixes the following issues:

- CVE-2020-1759: Fixed nonce reuse in msgr V2 secure mode (bsc#1166403)
- CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:935-1
Released: Tue Apr 7 03:46:39 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158630,1167205,1167206

This update for xfsprogs fixes the following issues:

- xfs_quota: reformat commands in the manpage. (bsc#1167206)
  Reformat commands in the manpage so that fstest can check that each command is actually documented.
- xfs_db: document missing commands. (bsc#1167205)
  Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command. (bsc#1158630)
  Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command

From sle-security-updates at lists.suse.com Tue Apr 7 07:15:32 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 7 Apr 2020 15:15:32 +0200 (CEST)
Subject: SUSE-SU-2020:0940-1: important: Security update for the Linux Kernel (Live Patch 16 for SLE 15)
Message-ID: <20200407131532.30C09FE0F@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 16 for SLE 15)
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0940-1
Rating: important
References: #1159913 #1165631
Cross-References: CVE-2019-5108 CVE-2020-1749
Affected Products:
  SUSE Linux Enterprise Module for Live Patching 15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-150_41 fixes several issues.

The following security issues were fixed:

- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where triggering an AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial of service (bsc#1159913).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15:

  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-940=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

  kernel-livepatch-4_12_14-150_41-default-3-2.2
  kernel-livepatch-4_12_14-150_41-default-debuginfo-3-2.2

References:

  https://www.suse.com/security/cve/CVE-2019-5108.html
  https://www.suse.com/security/cve/CVE-2020-1749.html
  https://bugzilla.suse.com/1159913
  https://bugzilla.suse.com/1165631

From sle-security-updates at lists.suse.com Tue Apr 7 07:18:36 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 7 Apr 2020 15:18:36 +0200 (CEST)
Subject: SUSE-SU-2020:14337-1: important: Security update for MozillaFirefox
Message-ID: <20200407131836.3CAC5FE0F@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14337-1
Rating: important
References: #1168630
Cross-References: CVE-2020-6819 CVE-2020-6820
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 68.6.1 ESR
  MFSA 2020-11 (bsc#1168630)
  * CVE-2020-6819 (bmo#1620818)
    Use-after-free while running the nsDocShell destructor
  * CVE-2020-6820 (bmo#1626728)
    Use-after-free when handling a ReadableStream

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

  zypper in -t patch slessp4-MozillaFirefox-14337=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):

  MozillaFirefox-68.6.1-78.67.1
  MozillaFirefox-translations-common-68.6.1-78.67.1
  MozillaFirefox-translations-other-68.6.1-78.67.1

References:

  https://www.suse.com/security/cve/CVE-2020-6819.html
  https://www.suse.com/security/cve/CVE-2020-6820.html
  https://bugzilla.suse.com/1168630

From sle-security-updates at lists.suse.com Tue Apr 7 13:15:38 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 7 Apr 2020 21:15:38 +0200 (CEST)
Subject: SUSE-SU-2020:0944-1: moderate: Security update for runc
Message-ID: <20200407191538.81C6FFE16@maintenance.suse.de>

SUSE Security Update: Security update for runc
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0944-1
Rating: moderate
References: #1149954 #1160452
Cross-References: CVE-2019-19921
Affected Products:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Containers 15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for runc fixes the following issues:

runc was updated to v1.0.0~rc10

- CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
- Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-944=1

- SUSE Linux Enterprise Module for Containers 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-944=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):

  runc-test-1.0.0~rc10-1.9.1

- SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):

  runc-1.0.0~rc10-1.9.1
  runc-debuginfo-1.0.0~rc10-1.9.1

References:

  https://www.suse.com/security/cve/CVE-2019-19921.html
  https://bugzilla.suse.com/1149954
  https://bugzilla.suse.com/1160452

From sle-security-updates at lists.suse.com Wed Apr 8 04:15:49 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 8 Apr 2020 12:15:49 +0200 (CEST)
Subject: SUSE-SU-2020:0948-1: moderate: Security update for gmp, gnutls, libnettle
Message-ID: <20200408101549.496B7FE17@maintenance.suse.de>

SUSE Security Update: Security update for gmp, gnutls, libnettle
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0948-1
Rating: moderate
References: #1152692 #1155327 #1166881 #1168345
Cross-References: CVE-2020-11501
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Development Tools 15-SP2
  SUSE Linux Enterprise Module for Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that solves one vulnerability and has three fixes is now available.

Description:

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-948=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-948=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-948=1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-948=1

- SUSE Linux Enterprise Module for Development Tools 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-948=1

- SUSE Linux Enterprise Module for Development Tools 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-948=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-948=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-948=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-948=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-948=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-6.1.2-4.3.1
  gnutls-3.6.7-6.14.1
  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  libgmp10-6.1.2-4.3.1
  libgmp10-debuginfo-6.1.2-4.3.1
  libgmpxx4-6.1.2-4.3.1
  libgmpxx4-debuginfo-6.1.2-4.3.1
  libgnutls-devel-3.6.7-6.14.1
  libgnutls30-3.6.7-6.14.1
  libgnutls30-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-3.6.7-6.14.1
  libgnutlsxx-devel-3.6.7-6.14.1
  libgnutlsxx28-3.6.7-6.14.1
  libgnutlsxx28-debuginfo-3.6.7-6.14.1
  libhogweed4-3.4.1-4.12.1
  libhogweed4-debuginfo-3.4.1-4.12.1
  libnettle-debugsource-3.4.1-4.12.1
  libnettle-devel-3.4.1-4.12.1
  libnettle6-3.4.1-4.12.1
  libnettle6-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Server for SAP 15 (x86_64):

  gmp-devel-32bit-6.1.2-4.3.1
  libgmp10-32bit-6.1.2-4.3.1
  libgmp10-32bit-debuginfo-6.1.2-4.3.1
  libgmpxx4-32bit-6.1.2-4.3.1
  libgmpxx4-32bit-debuginfo-6.1.2-4.3.1
  libgnutls30-32bit-3.6.7-6.14.1
  libgnutls30-32bit-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-32bit-3.6.7-6.14.1
  libhogweed4-32bit-3.4.1-4.12.1
  libhogweed4-32bit-debuginfo-3.4.1-4.12.1
  libnettle6-32bit-3.4.1-4.12.1
  libnettle6-32bit-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-6.1.2-4.3.1
  gnutls-3.6.7-6.14.1
  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  libgmp10-6.1.2-4.3.1
  libgmp10-debuginfo-6.1.2-4.3.1
  libgmpxx4-6.1.2-4.3.1
  libgmpxx4-debuginfo-6.1.2-4.3.1
  libgnutls-devel-3.6.7-6.14.1
  libgnutls30-3.6.7-6.14.1
  libgnutls30-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-3.6.7-6.14.1
  libgnutlsxx-devel-3.6.7-6.14.1
  libgnutlsxx28-3.6.7-6.14.1
  libgnutlsxx28-debuginfo-3.6.7-6.14.1
  libhogweed4-3.4.1-4.12.1
  libhogweed4-debuginfo-3.4.1-4.12.1
  libnettle-debugsource-3.4.1-4.12.1
  libnettle-devel-3.4.1-4.12.1
  libnettle6-3.4.1-4.12.1
  libnettle6-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  gnutls-guile-3.6.7-6.14.1
  gnutls-guile-debuginfo-3.6.7-6.14.1
  libnettle-debugsource-3.4.1-4.12.1
  nettle-3.4.1-4.12.1
  nettle-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (x86_64):

  libgnutls-devel-32bit-3.6.7-6.14.1
  libnettle-devel-32bit-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  gnutls-guile-3.6.7-6.14.1
  gnutls-guile-debuginfo-3.6.7-6.14.1
  libnettle-debugsource-3.4.1-4.12.1
  nettle-3.4.1-4.12.1
  nettle-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

  libgnutls-devel-32bit-3.6.7-6.14.1
  libnettle-devel-32bit-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (x86_64):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-32bit-6.1.2-4.3.1
  libgmpxx4-32bit-6.1.2-4.3.1
  libgmpxx4-32bit-debuginfo-6.1.2-4.3.1

- SUSE Linux Enterprise Module for Development Tools 15-SP1 (x86_64):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-32bit-6.1.2-4.3.1
  libgmpxx4-32bit-6.1.2-4.3.1
  libgmpxx4-32bit-debuginfo-6.1.2-4.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-6.1.2-4.3.1
  gnutls-3.6.7-6.14.1
  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  libgmp10-6.1.2-4.3.1
  libgmp10-debuginfo-6.1.2-4.3.1
  libgmpxx4-6.1.2-4.3.1
  libgmpxx4-debuginfo-6.1.2-4.3.1
  libgnutls-devel-3.6.7-6.14.1
  libgnutls30-3.6.7-6.14.1
  libgnutls30-debuginfo-3.6.7-6.14.1
  libgnutlsxx-devel-3.6.7-6.14.1
  libgnutlsxx28-3.6.7-6.14.1
  libgnutlsxx28-debuginfo-3.6.7-6.14.1
  libhogweed4-3.4.1-4.12.1
  libhogweed4-debuginfo-3.4.1-4.12.1
  libnettle-debugsource-3.4.1-4.12.1
  libnettle-devel-3.4.1-4.12.1
  libnettle6-3.4.1-4.12.1
  libnettle6-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

  libgmp10-32bit-6.1.2-4.3.1
  libgmp10-32bit-debuginfo-6.1.2-4.3.1
  libgnutls30-32bit-3.6.7-6.14.1
  libgnutls30-32bit-debuginfo-3.6.7-6.14.1
  libhogweed4-32bit-3.4.1-4.12.1
  libhogweed4-32bit-debuginfo-3.4.1-4.12.1
  libnettle6-32bit-3.4.1-4.12.1
  libnettle6-32bit-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-6.1.2-4.3.1
  gnutls-3.6.7-6.14.1
  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  libgmp10-6.1.2-4.3.1
  libgmp10-debuginfo-6.1.2-4.3.1
  libgmpxx4-6.1.2-4.3.1
  libgmpxx4-debuginfo-6.1.2-4.3.1
  libgnutls-devel-3.6.7-6.14.1
  libgnutls30-3.6.7-6.14.1
  libgnutls30-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-3.6.7-6.14.1
  libgnutlsxx-devel-3.6.7-6.14.1
  libgnutlsxx28-3.6.7-6.14.1
  libgnutlsxx28-debuginfo-3.6.7-6.14.1
  libhogweed4-3.4.1-4.12.1
  libhogweed4-debuginfo-3.4.1-4.12.1
  libnettle-debugsource-3.4.1-4.12.1
  libnettle-devel-3.4.1-4.12.1
  libnettle6-3.4.1-4.12.1
  libnettle6-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

  libgmp10-32bit-6.1.2-4.3.1
  libgmp10-32bit-debuginfo-6.1.2-4.3.1
  libgnutls30-32bit-3.6.7-6.14.1
  libgnutls30-32bit-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-32bit-3.6.7-6.14.1
  libhogweed4-32bit-3.4.1-4.12.1
  libhogweed4-32bit-debuginfo-3.4.1-4.12.1
  libnettle6-32bit-3.4.1-4.12.1
  libnettle6-32bit-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-6.1.2-4.3.1
  gnutls-3.6.7-6.14.1
  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  libgmp10-6.1.2-4.3.1
  libgmp10-debuginfo-6.1.2-4.3.1
  libgmpxx4-6.1.2-4.3.1
  libgmpxx4-debuginfo-6.1.2-4.3.1
  libgnutls-devel-3.6.7-6.14.1
  libgnutls30-3.6.7-6.14.1
  libgnutls30-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-3.6.7-6.14.1
  libgnutlsxx-devel-3.6.7-6.14.1
  libgnutlsxx28-3.6.7-6.14.1
  libgnutlsxx28-debuginfo-3.6.7-6.14.1
  libhogweed4-3.4.1-4.12.1
  libhogweed4-debuginfo-3.4.1-4.12.1
  libnettle-debugsource-3.4.1-4.12.1
  libnettle-devel-3.4.1-4.12.1
  libnettle6-3.4.1-4.12.1
  libnettle6-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

  gmp-devel-32bit-6.1.2-4.3.1
  libgmp10-32bit-6.1.2-4.3.1
  libgmp10-32bit-debuginfo-6.1.2-4.3.1
  libgmpxx4-32bit-6.1.2-4.3.1
  libgmpxx4-32bit-debuginfo-6.1.2-4.3.1
  libgnutls30-32bit-3.6.7-6.14.1
  libgnutls30-32bit-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-32bit-3.6.7-6.14.1
  libhogweed4-32bit-3.4.1-4.12.1
  libhogweed4-32bit-debuginfo-3.4.1-4.12.1
  libnettle6-32bit-3.4.1-4.12.1
  libnettle6-32bit-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

  gmp-debugsource-6.1.2-4.3.1
  gmp-devel-6.1.2-4.3.1
  gnutls-3.6.7-6.14.1
  gnutls-debuginfo-3.6.7-6.14.1
  gnutls-debugsource-3.6.7-6.14.1
  libgmp10-6.1.2-4.3.1
  libgmp10-debuginfo-6.1.2-4.3.1
  libgmpxx4-6.1.2-4.3.1
  libgmpxx4-debuginfo-6.1.2-4.3.1
  libgnutls-devel-3.6.7-6.14.1
  libgnutls30-3.6.7-6.14.1
  libgnutls30-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-3.6.7-6.14.1
  libgnutlsxx-devel-3.6.7-6.14.1
  libgnutlsxx28-3.6.7-6.14.1
  libgnutlsxx28-debuginfo-3.6.7-6.14.1
  libhogweed4-3.4.1-4.12.1
  libhogweed4-debuginfo-3.4.1-4.12.1
  libnettle-debugsource-3.4.1-4.12.1
  libnettle-devel-3.4.1-4.12.1
  libnettle6-3.4.1-4.12.1
  libnettle6-debuginfo-3.4.1-4.12.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

  gmp-devel-32bit-6.1.2-4.3.1
  libgmp10-32bit-6.1.2-4.3.1
  libgmp10-32bit-debuginfo-6.1.2-4.3.1
  libgmpxx4-32bit-6.1.2-4.3.1
  libgmpxx4-32bit-debuginfo-6.1.2-4.3.1
  libgnutls30-32bit-3.6.7-6.14.1
  libgnutls30-32bit-debuginfo-3.6.7-6.14.1
  libgnutls30-hmac-32bit-3.6.7-6.14.1
  libhogweed4-32bit-3.4.1-4.12.1
  libhogweed4-32bit-debuginfo-3.4.1-4.12.1
  libnettle6-32bit-3.4.1-4.12.1
  libnettle6-32bit-debuginfo-3.4.1-4.12.1

References:

  https://www.suse.com/security/cve/CVE-2020-11501.html
  https://bugzilla.suse.com/1152692
  https://bugzilla.suse.com/1155327
  https://bugzilla.suse.com/1166881
  https://bugzilla.suse.com/1168345

From sle-security-updates at lists.suse.com Wed Apr 8 10:19:44 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 8 Apr 2020 18:19:44 +0200 (CEST)
Subject: SUSE-SU-2020:0954-1: moderate: Security update for rubygem-actionview-4_2
Message-ID: <20200408161944.24C95FE0F@maintenance.suse.de>

SUSE Security Update: Security update for rubygem-actionview-4_2
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0954-1
Rating: moderate
References: #1167240
Cross-References: CVE-2020-5267
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 7
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for rubygem-actionview-4_2 fixes the following issues:

- CVE-2020-5267: Fixed an XSS vulnerability in ActionView (bsc#1167240).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-954=1

- SUSE OpenStack Cloud Crowbar 8:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-954=1

- SUSE OpenStack Cloud 7:

  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-954=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):

  ruby2.1-rubygem-actionview-4_2-4.2.9-9.6.1

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

  ruby2.1-rubygem-actionview-4_2-4.2.9-9.6.1

- SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

  ruby2.1-rubygem-actionview-4_2-4.2.9-9.6.1

References:

  https://www.suse.com/security/cve/CVE-2020-5267.html
  https://bugzilla.suse.com/1167240

From sle-security-updates at lists.suse.com Wed Apr 8 10:22:38 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 8 Apr 2020 18:22:38 +0200 (CEST)
Subject: SUSE-SU-2020:0955-1: moderate: Security update for vino
Message-ID: <20200408162238.54CEDFE0F@maintenance.suse.de>

SUSE Security Update: Security update for vino
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0955-1
Rating: moderate
References: #1155419
Cross-References: CVE-2019-15681
Affected Products:
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for vino fixes the following issues:

- CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-955=1

- SUSE Linux Enterprise Server 12-SP4:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-955=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

  vino-3.20.2-7.3.21
  vino-debuginfo-3.20.2-7.3.21
  vino-debugsource-3.20.2-7.3.21

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  vino-lang-3.20.2-7.3.21

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

  vino-3.20.2-7.3.21
  vino-debuginfo-3.20.2-7.3.21
  vino-debugsource-3.20.2-7.3.21

- SUSE Linux Enterprise Server 12-SP4 (noarch):

  vino-lang-3.20.2-7.3.21

References:

  https://www.suse.com/security/cve/CVE-2019-15681.html
  https://bugzilla.suse.com/1155419

From sle-security-updates at lists.suse.com Wed Apr 8 10:26:07 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 8 Apr 2020 18:26:07 +0200 (CEST)
Subject: SUSE-SU-2020:0957-1: moderate: Security update for mgetty
Message-ID: <20200408162607.1C701FE0F@maintenance.suse.de>

SUSE Security Update: Security update for mgetty
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0957-1
Rating: moderate
References: #1142770 #1168170
Cross-References: CVE-2019-1010190
Affected Products:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for mgetty fixes the following issues:

- CVE-2019-1010190: Fixed a denial of service which could be caused by a local attacker in putwhitespan() (bsc#1142770).
- Fixed a permission issue which has resulted in build failures (bsc#1168170).
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-957=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-957=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

  mgetty-debuginfo-1.1.37-3.8.1
  mgetty-debugsource-1.1.37-3.8.1
  sendfax-1.1.37-3.8.1
  sendfax-debuginfo-1.1.37-3.8.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

  g3utils-1.1.37-3.8.1
  g3utils-debuginfo-1.1.37-3.8.1
  mgetty-1.1.37-3.8.1
  mgetty-debuginfo-1.1.37-3.8.1
  mgetty-debugsource-1.1.37-3.8.1

References:

  https://www.suse.com/security/cve/CVE-2019-1010190.html
  https://bugzilla.suse.com/1142770
  https://bugzilla.suse.com/1168170

From sle-security-updates at lists.suse.com Wed Apr 8 10:36:23 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 8 Apr 2020 18:36:23 +0200 (CEST)
Subject: SUSE-SU-2020:0959-1: important: Security update for python-PyYAML
Message-ID: <20200408163623.B09BFFE0F@maintenance.suse.de>

SUSE Security Update: Security update for python-PyYAML
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0959-1
Rating: important
References: #1165439
Cross-References: CVE-2020-1747
Affected Products:
  SUSE Linux Enterprise Module for Python2 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Python2 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-959=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-959=1

Package List:

- SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64):

  python-PyYAML-debuginfo-5.1.2-6.6.1
  python-PyYAML-debugsource-5.1.2-6.6.1
  python2-PyYAML-5.1.2-6.6.1
  python2-PyYAML-debuginfo-5.1.2-6.6.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

  python-PyYAML-debuginfo-5.1.2-6.6.1
  python-PyYAML-debugsource-5.1.2-6.6.1
  python3-PyYAML-5.1.2-6.6.1
  python3-PyYAML-debuginfo-5.1.2-6.6.1

References:

  https://www.suse.com/security/cve/CVE-2020-1747.html
  https://bugzilla.suse.com/1165439

From sle-security-updates at lists.suse.com Wed Apr 8 13:19:24 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 8 Apr 2020 21:19:24 +0200 (CEST)
Subject: SUSE-SU-2020:0962-1: important: Security update for ceph
Message-ID: <20200408191924.ECED4FE16@maintenance.suse.de>

SUSE Security Update: Security update for ceph
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:0962-1
Rating: important
References: #1166484
Cross-References: CVE-2020-1760
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Enterprise Storage 5
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ceph fixes the following issues: - CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-962=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-962=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-962=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-962=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-962=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ceph-debugsource-12.2.12+git.1585658687.363df3a813-2.42.4 libcephfs-devel-12.2.12+git.1585658687.363df3a813-2.42.4 librados-devel-12.2.12+git.1585658687.363df3a813-2.42.4 librados-devel-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librbd-devel-12.2.12+git.1585658687.363df3a813-2.42.4 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): ceph-debugsource-12.2.12+git.1585658687.363df3a813-2.42.4 libcephfs-devel-12.2.12+git.1585658687.363df3a813-2.42.4 librados-devel-12.2.12+git.1585658687.363df3a813-2.42.4 librados-devel-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librbd-devel-12.2.12+git.1585658687.363df3a813-2.42.4 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): ceph-common-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-common-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-debugsource-12.2.12+git.1585658687.363df3a813-2.42.4 
libcephfs2-12.2.12+git.1585658687.363df3a813-2.42.4 libcephfs2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librados2-12.2.12+git.1585658687.363df3a813-2.42.4 librados2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 libradosstriper1-12.2.12+git.1585658687.363df3a813-2.42.4 libradosstriper1-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librbd1-12.2.12+git.1585658687.363df3a813-2.42.4 librbd1-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librgw2-12.2.12+git.1585658687.363df3a813-2.42.4 librgw2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-cephfs-12.2.12+git.1585658687.363df3a813-2.42.4 python-cephfs-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rados-12.2.12+git.1585658687.363df3a813-2.42.4 python-rados-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rbd-12.2.12+git.1585658687.363df3a813-2.42.4 python-rbd-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rgw-12.2.12+git.1585658687.363df3a813-2.42.4 python-rgw-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): ceph-common-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-common-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-debugsource-12.2.12+git.1585658687.363df3a813-2.42.4 libcephfs2-12.2.12+git.1585658687.363df3a813-2.42.4 libcephfs2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librados2-12.2.12+git.1585658687.363df3a813-2.42.4 librados2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 libradosstriper1-12.2.12+git.1585658687.363df3a813-2.42.4 libradosstriper1-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librbd1-12.2.12+git.1585658687.363df3a813-2.42.4 librbd1-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librgw2-12.2.12+git.1585658687.363df3a813-2.42.4 librgw2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-cephfs-12.2.12+git.1585658687.363df3a813-2.42.4 python-cephfs-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 
python-rados-12.2.12+git.1585658687.363df3a813-2.42.4 python-rados-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rbd-12.2.12+git.1585658687.363df3a813-2.42.4 python-rbd-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rgw-12.2.12+git.1585658687.363df3a813-2.42.4 python-rgw-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 - SUSE Enterprise Storage 5 (aarch64 x86_64): ceph-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-base-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-base-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-common-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-common-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-debugsource-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-fuse-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-fuse-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-mds-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-mds-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-mgr-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-mgr-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-mon-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-mon-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-osd-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-osd-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-radosgw-12.2.12+git.1585658687.363df3a813-2.42.4 ceph-radosgw-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 libcephfs2-12.2.12+git.1585658687.363df3a813-2.42.4 libcephfs2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librados2-12.2.12+git.1585658687.363df3a813-2.42.4 librados2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 libradosstriper1-12.2.12+git.1585658687.363df3a813-2.42.4 libradosstriper1-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librbd1-12.2.12+git.1585658687.363df3a813-2.42.4 librbd1-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 librgw2-12.2.12+git.1585658687.363df3a813-2.42.4 librgw2-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 
python-ceph-compat-12.2.12+git.1585658687.363df3a813-2.42.4 python-cephfs-12.2.12+git.1585658687.363df3a813-2.42.4 python-cephfs-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rados-12.2.12+git.1585658687.363df3a813-2.42.4 python-rados-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rbd-12.2.12+git.1585658687.363df3a813-2.42.4 python-rbd-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python-rgw-12.2.12+git.1585658687.363df3a813-2.42.4 python-rgw-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python3-ceph-argparse-12.2.12+git.1585658687.363df3a813-2.42.4 python3-cephfs-12.2.12+git.1585658687.363df3a813-2.42.4 python3-cephfs-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python3-rados-12.2.12+git.1585658687.363df3a813-2.42.4 python3-rados-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python3-rbd-12.2.12+git.1585658687.363df3a813-2.42.4 python3-rbd-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 python3-rgw-12.2.12+git.1585658687.363df3a813-2.42.4 python3-rgw-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 rbd-fuse-12.2.12+git.1585658687.363df3a813-2.42.4 rbd-fuse-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 rbd-mirror-12.2.12+git.1585658687.363df3a813-2.42.4 rbd-mirror-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 rbd-nbd-12.2.12+git.1585658687.363df3a813-2.42.4 rbd-nbd-debuginfo-12.2.12+git.1585658687.363df3a813-2.42.4 References: https://www.suse.com/security/cve/CVE-2020-1760.html https://bugzilla.suse.com/1166484 From sle-security-updates at lists.suse.com Thu Apr 9 07:15:23 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 15:15:23 +0200 (CEST) Subject: SUSE-SU-2020:0968-1: moderate: Security update for libssh Message-ID: <20200409131523.C152DFE16@maintenance.suse.de> SUSE Security Update: Security update for libssh ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0968-1 Rating: moderate 
References: #1168699 Cross-References: CVE-2020-1730 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-968=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-968=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-3.9.1 libssh-devel-0.8.7-3.9.1 libssh4-0.8.7-3.9.1 libssh4-debuginfo-0.8.7-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-3.9.1 libssh4-0.8.7-3.9.1 libssh4-debuginfo-0.8.7-3.9.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libssh4-32bit-0.8.7-3.9.1 libssh4-debuginfo-32bit-0.8.7-3.9.1 References: https://www.suse.com/security/cve/CVE-2020-1730.html https://bugzilla.suse.com/1168699 From sle-security-updates at lists.suse.com Thu Apr 9 07:18:21 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 15:18:21 +0200 (CEST) Subject: SUSE-SU-2020:0969-1: moderate: Security update for permissions Message-ID: <20200409131821.A2F92FE16@maintenance.suse.de> SUSE Security Update: Security update for permissions ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0969-1 Rating: moderate References: #1168364 Affected Products: SUSE Linux 
Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-969=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): permissions-20181116-9.29.1 permissions-debuginfo-20181116-9.29.1 permissions-debugsource-20181116-9.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): permissions-zypp-plugin-20181116-9.29.1 References: https://bugzilla.suse.com/1168364 From sle-security-updates at lists.suse.com Thu Apr 9 07:25:19 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 15:25:19 +0200 (CEST) Subject: SUSE-SU-2020:0967-1: moderate: Security update for libssh Message-ID: <20200409132519.8B0EFFE16@maintenance.suse.de> SUSE Security Update: Security update for libssh ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0967-1 Rating: moderate References: #1168699 Cross-References: CVE-2020-1730 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-967=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-967=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-10.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libssh-debugsource-0.8.7-10.12.1 libssh-devel-0.8.7-10.12.1 libssh4-0.8.7-10.12.1 libssh4-debuginfo-0.8.7-10.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libssh4-32bit-0.8.7-10.12.1 libssh4-32bit-debuginfo-0.8.7-10.12.1 References: https://www.suse.com/security/cve/CVE-2020-1730.html https://bugzilla.suse.com/1168699 From sle-security-updates at lists.suse.com Thu Apr 9 10:15:49 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 18:15:49 +0200 (CEST) Subject: SUSE-SU-2020:0971-1: important: Security update for MozillaFirefox Message-ID: <20200409161549.5F8FEFE16@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0971-1 Rating: important References: #1168874 Cross-References: CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 CVE-2020-6827 CVE-2020-6828 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. 
Description: This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues: - CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874). - CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874). - CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874). - CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874). - CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-971=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-971=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): MozillaFirefox-branding-upstream-68.7.0-3.84.2 MozillaFirefox-debuginfo-68.7.0-3.84.2 MozillaFirefox-debugsource-68.7.0-3.84.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): MozillaFirefox-buildsymbols-68.7.0-3.84.2 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x): MozillaFirefox-devel-68.7.0-3.84.2 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.7.0-3.84.2 MozillaFirefox-debuginfo-68.7.0-3.84.2 MozillaFirefox-debugsource-68.7.0-3.84.2 MozillaFirefox-translations-common-68.7.0-3.84.2 MozillaFirefox-translations-other-68.7.0-3.84.2 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64): MozillaFirefox-devel-68.7.0-3.84.2 References: 
https://www.suse.com/security/cve/CVE-2020-6821.html https://www.suse.com/security/cve/CVE-2020-6822.html https://www.suse.com/security/cve/CVE-2020-6825.html https://www.suse.com/security/cve/CVE-2020-6827.html https://www.suse.com/security/cve/CVE-2020-6828.html https://bugzilla.suse.com/1168874 From sle-security-updates at lists.suse.com Thu Apr 9 10:24:31 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 18:24:31 +0200 (CEST) Subject: SUSE-SU-2020:0970-1: Security update for djvulibre Message-ID: <20200409162431.98021FE16@maintenance.suse.de> SUSE Security Update: Security update for djvulibre ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0970-1 Rating: low References: #1156188 Cross-References: CVE-2019-18804 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for djvulibre fixes the following issues: - CVE-2019-18804: Fixed a null pointer dereference (bsc#1156188). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-970=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-970=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-970=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-970=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.25.3-5.6.10 djvulibre-debugsource-3.5.25.3-5.6.10 libdjvulibre-devel-3.5.25.3-5.6.10 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.25.3-5.6.10 djvulibre-debugsource-3.5.25.3-5.6.10 libdjvulibre-devel-3.5.25.3-5.6.10 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.25.3-5.6.10 djvulibre-debugsource-3.5.25.3-5.6.10 libdjvulibre21-3.5.25.3-5.6.10 libdjvulibre21-debuginfo-3.5.25.3-5.6.10 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.25.3-5.6.10 djvulibre-debugsource-3.5.25.3-5.6.10 libdjvulibre21-3.5.25.3-5.6.10 libdjvulibre21-debuginfo-3.5.25.3-5.6.10 References: https://www.suse.com/security/cve/CVE-2019-18804.html https://bugzilla.suse.com/1156188 From sle-security-updates at lists.suse.com Thu Apr 9 10:27:25 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 18:27:25 +0200 (CEST) Subject: SUSE-SU-2020:14339-1: important: Security update for MozillaFirefox Message-ID: <20200409162725.98B09FE16@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14339-1 Rating: important References: #1168874 Cross-References: CVE-2020-6821 CVE-2020-6822 
CVE-2020-6825 CVE-2020-6827 CVE-2020-6828 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues: - CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874). - CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874). - CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874). - CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874). - CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-MozillaFirefox-14339=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): MozillaFirefox-68.7.0-78.70.1 MozillaFirefox-translations-common-68.7.0-78.70.1 MozillaFirefox-translations-other-68.7.0-78.70.1 References: https://www.suse.com/security/cve/CVE-2020-6821.html https://www.suse.com/security/cve/CVE-2020-6822.html https://www.suse.com/security/cve/CVE-2020-6825.html https://www.suse.com/security/cve/CVE-2020-6827.html https://www.suse.com/security/cve/CVE-2020-6828.html https://bugzilla.suse.com/1168874 From sle-security-updates at lists.suse.com Thu Apr 9 10:30:23 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 18:30:23 +0200 (CEST) Subject: SUSE-SU-2020:0978-1: important: Security update for MozillaFirefox Message-ID: <20200409163023.1A278FE16@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0978-1 Rating: important References: #1168874 Cross-References: CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 CVE-2020-6827 CVE-2020-6828 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues: - CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874). - CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874). - CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874). - CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874). - CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-978=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-978=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-978=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-978=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-978=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-978=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-978=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-978=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-978=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-978=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-978=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-978=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-978=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-978=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-978=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-978=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-978=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE OpenStack Cloud 8 (x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 
MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE OpenStack Cloud 7 (s390x x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 
MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-devel-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-68.7.0-109.116.1 MozillaFirefox-debuginfo-68.7.0-109.116.1 MozillaFirefox-debugsource-68.7.0-109.116.1 MozillaFirefox-translations-common-68.7.0-109.116.1 References: https://www.suse.com/security/cve/CVE-2020-6821.html https://www.suse.com/security/cve/CVE-2020-6822.html https://www.suse.com/security/cve/CVE-2020-6825.html https://www.suse.com/security/cve/CVE-2020-6827.html 
https://www.suse.com/security/cve/CVE-2020-6828.html https://bugzilla.suse.com/1168874 From sle-security-updates at lists.suse.com Thu Apr 9 11:37:19 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 19:37:19 +0200 (CEST) Subject: SUSE-CU-2020:114-1: Security update of suse/sle15 Message-ID: <20200409173719.A0621FE16@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:114-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.180 Container Release : 4.22.180 Severity : moderate Type : security References : 1152692 1155327 1160979 1166881 1168345 CVE-2020-11501 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) From sle-security-updates at lists.suse.com Thu Apr 9 11:42:44 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 19:42:44 +0200 (CEST) Subject: SUSE-CU-2020:115-1: Security update of suse/sle15 Message-ID: <20200409174244.9A74DFE16@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:115-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.203 Container Release : 6.2.203 Severity : moderate Type : security References : 1152692 1155327 1160979 1166881 1168345 CVE-2020-11501 ----------------------------------------------------------------- The container suse/sle15 was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) From sle-security-updates at lists.suse.com Thu Apr 9 12:30:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 20:30:52 +0200 (CEST) Subject: SUSE-CU-2020:118-1: Security update of caasp/v4/velero Message-ID: <20200409183052.35B3EFE16@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/velero ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:118-1 Container
Tags : caasp/v4/velero:1.3.1 , caasp/v4/velero:1.3.1-rev1 , caasp/v4/velero:1.3.1-rev1-build1.5.1 Container Release : 1.5.1 Severity : important Type : security References : 1005023 1007715 1009532 1013125 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1044840 1045723 1047002 1049825 1051143 1063675 1065270 1071321 1072183 1073313 1076696 1080919 1081947 1081947 1082293 1082318 1083158 1084671 1084812 1084842 1084934 1085196 1086367 1086367 1087550 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677 1092100 1092877 1092920 1093414 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735 1095096 1095148 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1097158 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591 1102046 1102310 1102526 1102564 1102840 1102908 1103320 1103320 1104531 1104780 1105031 1105166 1105435 1105437 1105459 1105460 1106019 1106214 1106383 1106390 1107066 1107067 1107617 1107640 1107941 1109197 1109252 1110304 1110445 1110700 1110797 1111019 1111388 1111498 1111973 1112024 1112570 1112723 1112726 1112758 1113083 1113100 1113632 1113660 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1116995 1117025 1117063 1117993 1118086 1118087 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120629 1120630 1120631 1120689 1121051 1121197 1121446 1121563 1121563 1121753 1122000 1122417 1122729 1123043 1123333 1123371 1123377 1123378 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 1125352 1125410 1125604 1125689 1125886 1126056 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127155 1127223 1127308 1127557 1127608 1127701 1128246 1128383 1128598 1129576 1129598 1129753 1130045 1130230 1130306 1130325 1130326 1130681 1130682 1131060 1131113 1131330 1131686 1131823 1132348 1132400 1132721 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134226 
1134524 1134856 1135114 1135123 1135170 1135254 1135534 1135708 1135709 1135749 1136717 1137053 1137624 1137977 1138869 1138939 1139083 1139083 1139459 1139459 1139795 1139939 1140039 1140631 1140647 1141059 1141093 1141113 1141883 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1152101 1152692 1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156482 1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159003 1159814 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161779 1161816 1162108 1162108 1162152 1162518 1163184 1163922 1164505 1164562 1164717 1164950 1164950 1165579 1165784 1166106 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167434 1167631 1167674 1168345 1168364 1168699 353876 859480 915402 918346 943457 953659 960273 985657 991901 CVE-2009-5155 CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-17740 CVE-2017-18269 CVE-2017-7500 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0500 CVE-2018-0732 CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 
CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-6954 CVE-2018-9251 CVE-2019-12290 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-3822 CVE-2019-3823 CVE-2019-3829 CVE-2019-3836 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-5436 CVE-2019-5481 CVE-2019-5482 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9511 CVE-2019-9513 CVE-2019-9936 CVE-2019-9937 CVE-2020-10029 CVE-2020-11501 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-8013 SLE-3853 SLE-4117 SLE-5807 SLE-5933 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/velero was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released: Tue Jul 3 10:56:12 2018
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1086367

This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the
  address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released: Thu Jul 26 16:23:09 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1094735,1095148,943457,CVE-2017-7500

This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released: Fri Aug 17 18:20:58 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1099793,CVE-2018-0500

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store.
(bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released: Fri Sep 14 12:46:39 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086367,1106019,CVE-2018-14618

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released: Fri Sep 28 08:02:02 2018
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released: Sun Sep 30 14:06:33 2018
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1097158,1101470,CVE-2018-0732

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released: Tue Oct 30 16:17:23 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1113100

This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released: Mon Nov 5 17:55:35 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite
  heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to
  redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- No longer adjusts qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs fixed, quite a few new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:

https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on:

https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953

This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1103320,1115929,CVE-2018-19211

This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released: Wed Dec 19 11:32:39 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released: Wed Dec 19 13:53:22 2018
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 1118086,CVE-2018-16869

This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a Manger oracle (bsc#1118086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released: Mon Jan 7 16:30:33 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1120346,CVE-2018-1000858

This update for gpg2 fixes the following issue:

Security issue fixed:

- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659

This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
(bsc#953659)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released: Mon Jan 21 15:52:45 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
(bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released: Wed Jan 23 17:57:31 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1121446

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released: Mon Jan 28 14:14:46 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References:

This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1123043,CVE-2019-6706

This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released: Wed Feb 6 08:35:20 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released: Wed Feb 13 14:01:42 2019
Summary: Recommended update for itstool
Type: recommended
Severity: moderate
References: 1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool

- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python

- Fix segfault when parsing invalid data.
(bsc#1065270)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released: Mon Feb 18 17:46:55 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

This update for systemd fixes the following issues:

- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire.
(bsc#1121051)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:

- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:

- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens the RPM changelog to entries after a certain cut-off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of the getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issues fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid
address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets.
  There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
(bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to the 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
  (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems.
(bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data.
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: don't use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). - CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). 
- repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which all packages were not updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 as architecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. (bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhid 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. 
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'.
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' not accepting arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support, he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi.
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email Added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID:
SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthreads were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released: Thu Mar 19 13:23:03 2020
Summary: Security update for nghttp2
Type: security
Severity: moderate
References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513

This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed an issue where a malformed request header may cause bypass of route matchers, resulting in escalation of privileges or information disclosure (bsc#1159003)

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)

Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481)

* lib: Add nghttp2_check_authority as public API
* lib: Fix the bug that stream is closed with wrong error code
* lib: Faster huffman encoding and decoding
* build: Avoid filename collision of static and dynamic lib
* build: Add new flag ENABLE_STATIC_CRT for Windows
* build: cmake: Support building nghttpx with systemd
* third-party: Update neverbleed to fix memory leak
* nghttpx: Fix bug that mruby is incorrectly shared between backends
* nghttpx: Reconnect h1 backend if it lost connection before sending headers
* nghttpx: Returns 408 if backend timed out before sending headers
* nghttpx: Fix request stal

- Conditionally remove dependency on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689

Update to version 1.39.2 (bsc#1146184, bsc#1146182):

* This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.
* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall

Update to version 1.39.1:

* This release fixes the bug that log-level is not set with cmd-line or configuration file.
  It also fixes FPE with default backend.

Changes for version 1.39.0:

* libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is being moved out of the git repo since it is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added continuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163

This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest.
    This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test.
  (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:973-1
Released: Thu Apr 9 13:57:57 2020
Summary: Add Disaster Recovery Feature by using Velero
Type: recommended
Severity: important
References: 1167434

Add Velero packages, images, helm chart, and documents

In order to conduct disaster and recovery for CaaSP cluster, you need to make sure that:

* install Helm and Tiller in both disaster and recovery cluster.
* deploy Velero helm chart from SUSE helm chart repository.
* store back/recovery data on S3-compatible storage providers * install CLI Velero to conduct backup and restore. Recommended Procedure Please refer to Disaster and Recovery in Administration Guide for detailed procedure to run discovery and recovery in different platforms and scenarios. From sle-security-updates at lists.suse.com Thu Apr 9 12:31:02 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 20:31:02 +0200 (CEST) Subject: SUSE-CU-2020:119-1: Security update of caasp/v4/velero-plugin-for-aws Message-ID: <20200409183102.B7BC8FE16@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/velero-plugin-for-aws ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:119-1 Container Tags : caasp/v4/velero-plugin-for-aws:1.0.1 , caasp/v4/velero-plugin-for-aws:1.0.1-rev1 , caasp/v4/velero-plugin-for-aws:1.0.1-rev1-build1.5.1 Container Release : 1.5.1 Severity : important Type : security References : 1005023 1007715 1009532 1013125 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1044840 1045723 1047002 1049825 1051143 1063675 1065270 1071321 1072183 1073313 1076696 1080919 1081947 1081947 1082293 1082318 1083158 1084671 1084812 1084842 1084934 1085196 1086367 1086367 1087550 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677 1092100 1092877 1092920 1093414 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735 1095096 1095148 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1097158 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591 1102046 1102310 1102526 1102564 1102840 1102908 1103320 1103320 1104531 1104780 1105031 1105166 1105435 1105437 1105459 1105460 1106019 1106214 1106383 1106390 1107066 1107067 1107617 1107640 1107941 1109197 1109252 1110304 1110445 1110700 1110797 1111019 1111388 1111498 1111973 1112024 1112570 1112723 1112726 1112758 1113083 
1113100 1113632 1113660 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1116995 1117025 1117063 1117993 1118086 1118087 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120629 1120630 1120631 1120689 1121051 1121197 1121446 1121563 1121563 1121753 1122000 1122417 1122729 1123043 1123333 1123371 1123377 1123378 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 1125352 1125410 1125604 1125689 1125886 1126056 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127155 1127223 1127308 1127557 1127608 1127701 1128246 1128383 1128598 1129576 1129598 1129753 1130045 1130230 1130306 1130325 1130326 1130681 1130682 1131060 1131113 1131330 1131686 1131823 1132348 1132400 1132721 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134226 1134524 1134856 1135114 1135123 1135170 1135254 1135534 1135708 1135709 1135749 1136717 1137053 1137624 1137977 1138869 1138939 1139083 1139083 1139459 1139459 1139795 1139939 1140039 1140631 1140647 1141059 1141093 1141113 1141883 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1152101 1152692 1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156482 1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159003 1159814 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161779 1161816 1162108 1162108 1162152 1162518 1163184 1163922 1164505 1164562 1164717 1164950 
1164950 1165579 1165784 1166106 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167434 1167631 1167674 1168345 1168364 1168699 353876 859480 915402 918346 943457 953659 960273 985657 991901 CVE-2009-5155 CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-17740 CVE-2017-18269 CVE-2017-7500 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0500 CVE-2018-0732 CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-6954 CVE-2018-9251 CVE-2019-12290 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-3822 CVE-2019-3823 CVE-2019-3829 CVE-2019-3836 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-5436 CVE-2019-5481 CVE-2019-5482 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9511 CVE-2019-9513 CVE-2019-9936 CVE-2019-9937 CVE-2020-10029 CVE-2020-11501 
CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-8013 SLE-3853 SLE-4117 SLE-5807 SLE-5933 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171
-----------------------------------------------------------------

The container caasp/v4/velero-plugin-for-aws was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released: Tue Jul 3 10:56:12 2018
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1086367

This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines.
  (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released: Thu Jul 26 16:23:09 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1094735,1095148,943457,CVE-2017-7500

This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released: Fri Aug 17 18:20:58 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1099793,CVE-2018-0500

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store.
(bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released: Fri Sep 14 12:46:39 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086367,1106019,CVE-2018-14618

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest.
  (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released: Fri Sep 28 08:02:02 2018
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released: Sun Sep 30 14:06:33 2018
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1097158,1101470,CVE-2018-0732

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released: Tue Oct 30 16:17:23 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1113100

This update for rpm fixes the following issues:
- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:
- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released: Mon Nov 5 17:55:35 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

This update for curl fixes the following issues:
- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:

Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite
  heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to
  redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- No longer adjusts qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs fixed, quite a few new warnings added, and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are also described on: https://gcc.gnu.org/gcc-8/porting_to.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953

This update for pam fixes the following issue:

Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1103320,1115929,CVE-2018-19211

This update for ncurses fixes the following issues:

Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:
- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released: Wed Dec 19 11:32:39 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

This update for perl fixes the following issues:

Security issues fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released: Wed Dec 19 13:53:22 2018
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 1118086,CVE-2018-16869

This update for libnettle fixes the following issues:

Security issues fixed:
- CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released: Mon Jan 7 16:30:33 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1120346,CVE-2018-1000858

This update for gpg2 fixes the following issue:

Security issue fixed:
- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659

This update for acl fixes the following issues:
- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
  (bsc#953659)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released: Mon Jan 21 15:52:45 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

This update for systemd provides the following fixes:

Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:
- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
  (bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released: Wed Jan 23 17:57:31 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1121446

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:
- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:
- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released: Mon Jan 28 14:14:46 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References:

This update for rpm fixes the following issues:
- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1123043,CVE-2019-6706

This update for lua53 fixes the following issues:

Security issue fixed:
- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released: Wed Feb 6 08:35:20 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

This update for curl fixes the following issues:

Security issues fixed:
- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released: Wed Feb 13 14:01:42 2019
Summary: Recommended update for itstool
Type: recommended
Severity: moderate
References: 1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool
- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python
- Fix segfault when parsing invalid data.
  (bsc#1065270)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released: Mon Feb 18 17:46:55 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

This update for systemd fixes the following issues:
- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:
- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:
- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:
- Re-generate keys in Qt tests to not expire.
  (bsc#1121051)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:
- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:
- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:
- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:
- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:
- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:
- This update shortens RPM changelog to after a certain cut off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:
- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issues fixed:
- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:
- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):
- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:
- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:
- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:
- Update gnutls to support TLS 1.3 (fate#327114)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:
- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:
- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:
- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:
- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:
- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:
- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:
- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:
- Check and fix tails of all bitmap blocks (bsc#1128383)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid
  address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:
- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:
- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets.
  There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
(bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
(bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems.
(bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
(bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch
  for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking file descriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019

This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171

This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail.
(bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919

This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed over the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278

This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'.
(bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690

This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627

This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789

This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with only two digits instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. 
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). 
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:973-1 Released: Thu Apr 9 13:57:57 2020 Summary: Add Disaster Recovery Feature by using Velero Type: recommended Severity: important References: 1167434 Add Velero packages, images, helm chart, and documents In order to conduct disaster and recovery for CaaSP cluster, you need to make sure that: * install Helm and Tiller in both disaster and recovery cluster. * deploy Velero helm chart from SUSE helm chart repository. 
* store back/recovery data on S3-compatible storage providers * install CLI Velero to conduct backup and restore. Recommended Procedure Please refer to Disaster and Recovery in Administration Guide for detailed procedure to run discovery and recovery in different platforms and scenarios. From sle-security-updates at lists.suse.com Thu Apr 9 12:31:10 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 20:31:10 +0200 (CEST) Subject: SUSE-CU-2020:120-1: Security update of caasp/v4/velero-plugin-for-gcp Message-ID: <20200409183110.5D10BFE16@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/velero-plugin-for-gcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:120-1 Container Tags : caasp/v4/velero-plugin-for-gcp:1.0.1 , caasp/v4/velero-plugin-for-gcp:1.0.1-rev1 , caasp/v4/velero-plugin-for-gcp:1.0.1-rev1-build1.5.1 Container Release : 1.5.1 Severity : important Type : security References : 1005023 1007715 1009532 1013125 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1044840 1045723 1047002 1049825 1051143 1063675 1065270 1071321 1072183 1073313 1076696 1080919 1081947 1081947 1082293 1082318 1083158 1084671 1084812 1084842 1084934 1085196 1086367 1086367 1087550 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677 1092100 1092877 1092920 1093414 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735 1095096 1095148 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1097158 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591 1102046 1102310 1102526 1102564 1102840 1102908 1103320 1103320 1104531 1104780 1105031 1105166 1105435 1105437 1105459 1105460 1106019 1106214 1106383 1106390 1107066 1107067 1107617 1107640 1107941 1109197 1109252 1110304 1110445 1110700 1110797 1111019 1111388 1111498 1111973 1112024 1112570 1112723 1112726 1112758 1113083 
1113100 1113632 1113660 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1116995 1117025 1117063 1117993 1118086 1118087 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120629 1120630 1120631 1120689 1121051 1121197 1121446 1121563 1121563 1121753 1122000 1122417 1122729 1123043 1123333 1123371 1123377 1123378 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 1125352 1125410 1125604 1125689 1125886 1126056 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127155 1127223 1127308 1127557 1127608 1127701 1128246 1128383 1128598 1129576 1129598 1129753 1130045 1130230 1130306 1130325 1130326 1130681 1130682 1131060 1131113 1131330 1131686 1131823 1132348 1132400 1132721 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134226 1134524 1134856 1135114 1135123 1135170 1135254 1135534 1135708 1135709 1135749 1136717 1137053 1137624 1137977 1138869 1138939 1139083 1139083 1139459 1139459 1139795 1139939 1140039 1140631 1140647 1141059 1141093 1141113 1141883 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1152101 1152692 1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156482 1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159003 1159814 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161779 1161816 1162108 1162108 1162152 1162518 1163184 1163922 1164505 1164562 1164717 1164950 
1164950 1165579 1165784 1166106 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167434 1167631 1167674 1168345 1168364 1168699 353876 859480 915402 918346 943457 953659 960273 985657 991901 CVE-2009-5155 CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-17740 CVE-2017-18269 CVE-2017-7500 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0500 CVE-2018-0732 CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-6954 CVE-2018-9251 CVE-2019-12290 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-3822 CVE-2019-3823 CVE-2019-3829 CVE-2019-3836 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-5436 CVE-2019-5481 CVE-2019-5482 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9511 CVE-2019-9513 CVE-2019-9936 CVE-2019-9937 CVE-2020-10029 CVE-2020-11501 
CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-8013 SLE-3853 SLE-4117 SLE-5807 SLE-5933 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/velero-plugin-for-gcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1264-1 Released: Tue Jul 3 10:56:12 2018 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1086367 This update for curl provides the following fix: - Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. 
(bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. 
(bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1396-1 Released: Thu Jul 26 16:23:09 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1094735,1095148,943457,CVE-2017-7500 This update for rpm fixes the following issues: This security vulnerability was fixed: - CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. 
- fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1685-1 Released: Fri Aug 17 18:20:58 2018 Summary: Security update for curl Type: security Severity: moderate References: 1099793,CVE-2018-0500 This update for curl fixes the following issues: Security issue fixed: - CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. 
(bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1904-1 Released: Fri Sep 14 12:46:39 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086367,1106019,CVE-2018-14618 This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2070-1 Released: Fri Sep 28 08:02:02 2018 Summary: Security update for gnutls Type: security Severity: moderate References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846 This update for gnutls fixes the following security issues: - Improved mitigations against Lucky 13 class of attacks - CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460) - CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459) - CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437) - CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2083-1 Released: Sun Sep 30 14:06:33 2018 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1097158,1101470,CVE-2018-0732 This update for openssl-1_1 to 1.1.0i fixes the following issues: These security issues were fixed: - CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158) - Make problematic ECDSA sign addition length-invariant - Add blinding to ECDSA and DSA signatures to protect against side channel attacks These non-security issues were fixed: - When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. 
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. - Fixed a text canonicalisation bug in CMS - Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. 
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2539-1 Released: Tue Oct 30 16:17:23 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1113100 This update for rpm fixes the following issues: - On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2578-1 Released: Mon Nov 5 17:55:35 2018 Summary: Security update for curl Type: security Severity: moderate References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842 This update for curl fixes the following issues: - CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758) - CVE-2018-16842: An Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite 
heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to 
redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - Does no longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). 
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. 
(bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. 
(bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:189-1 Released: Mon Jan 28 14:14:46 2019 Summary: Recommended update for rpm Type: recommended Severity: moderate References: This update for rpm fixes the following issues: - Add kmod(module) provides to kernel and KMPs (fate#326579). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:248-1 Released: Wed Feb 6 08:35:20 2019 Summary: Security update for curl Type: security Severity: important References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378). - CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377). - CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:664-1 Released: Wed Mar 20 14:54:12 2019 Summary: Recommended update for gpgme Type: recommended Severity: low References: 1121051 This update for gpgme provides the following fix: - Re-generate keys in Qt tests to not expire. 
(bsc#1121051) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). 
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens RPM changelog to after a certain cut off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issue fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid
address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets.
There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
(bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
(bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems.
(bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
(bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch
for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhided 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script(bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. 
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the 
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. 
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. 
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. 
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file, which selects the default IO scheduler for SSDs, is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). 
myspell-dictionaries was updated to 20191219:
* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:
- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163

This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest.
    This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test.
  (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:973-1
Released: Thu Apr 9 13:57:57 2020
Summary: Add Disaster Recovery Feature by using Velero
Type: recommended
Severity: important
References: 1167434

Add Velero packages, images, helm chart, and documents

In order to conduct disaster and recovery for CaaSP cluster, you need to make sure that:
* install Helm and Tiller in both disaster and recovery cluster.
* deploy Velero helm chart from SUSE helm chart repository.
* store back/recovery data on S3-compatible storage providers
* install CLI Velero to conduct backup and restore.

Recommended Procedure

Please refer to Disaster and Recovery in Administration Guide for detailed procedure to run discovery and recovery in different platforms and scenarios.

From sle-security-updates at lists.suse.com Thu Apr 9 12:31:22 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 9 Apr 2020 20:31:22 +0200 (CEST)
Subject: SUSE-CU-2020:121-1: Security update of caasp/v4/velero-plugin-for-microsoft-azure
Message-ID: <20200409183122.26F0BFE16@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/velero-plugin-for-microsoft-azure
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:121-1
Container Tags : caasp/v4/velero-plugin-for-microsoft-azure:1.0.1 , caasp/v4/velero-plugin-for-microsoft-azure:1.0.1-rev1 , caasp/v4/velero-plugin-for-microsoft-azure:1.0.1-rev1-build1.5.1
Container Release : 1.5.1
Severity : important
Type : security
-----------------------------------------------------------------

The container caasp/v4/velero-plugin-for-microsoft-azure was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released: Tue Jul 3 10:56:12 2018
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1086367

This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines.
  (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415)

Following CAs were removed:
* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released: Thu Jul 26 16:23:09 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1094735,1095148,943457,CVE-2017-7500

This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released: Fri Aug 17 18:20:58 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1099793,CVE-2018-0500

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store.
(bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released: Fri Sep 14 12:46:39 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086367,1106019,CVE-2018-14618

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest.
  (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released: Fri Sep 28 08:02:02 2018
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released: Sun Sep 30 14:06:33 2018
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1097158,1101470,CVE-2018-0732

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released: Tue Oct 30 16:17:23 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1113100

This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released: Mon Nov 5 17:55:35 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite
  heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to
  redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- Does no longer adjust qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953

This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1103320,1115929,CVE-2018-19211

This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released: Wed Dec 19 11:32:39 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released: Wed Dec 19 13:53:22 2018
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 1118086,CVE-2018-16869

This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a Manger oracle (bsc#1118086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released: Mon Jan 7 16:30:33 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1120346,CVE-2018-1000858

This update for gpg2 fixes the following issue:

Security issue fixed:

- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF (bsc#1120346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659

This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
(bsc#953659)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released: Mon Jan 21 15:52:45 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect a non-zvm environment. systemd-detect-virt returns a failure exit code when it detects the _none_ state. That failure exit code prevents the hot-added memory block from being set to online.
(bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released: Wed Jan 23 17:57:31 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1121446

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released: Mon Jan 28 14:14:46 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References:

This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1123043,CVE-2019-6706

This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released: Wed Feb 6 08:35:20 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released: Wed Feb 13 14:01:42 2019
Summary: Recommended update for itstool
Type: recommended
Severity: moderate
References: 1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool

- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python

- Fix segfault when parsing invalid data.
(bsc#1065270)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released: Mon Feb 18 17:46:55 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

This update for systemd fixes the following issues:

- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire.
(bsc#1121051)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:

- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:

- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens RPM changelog to after a certain cut off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issue fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid
address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets.
  There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
(bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:
- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
(bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems.
(bsc#1152101)

Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

The following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:
- Fix CPU summary showing old data.
(bsc#1121753)

The update to 3.3.15 contains the following fixes:
* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch
for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:
- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking file descriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:
- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:
- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019

This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171

This update for zypper and libsolv fixes the following issues:

Package: zypper
- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)

Package: libsolv
- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail.
(bsc#1152755)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919

This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278

This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'.
(bsc#1157278)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690

This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627

This update for libgcrypt fixes the following issues:

Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added missing CMAC TDES self test (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789

This update for openssl-1_1 fixes the following issues:

Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:
- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830

This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970

This update for aaa_base fixes the following issues:

- Improves the way the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126

This update for glibc fixes the following issues:

Security issue fixed:
- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:
- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188

This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125

This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712

This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger
(bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921

This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900

This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes:
- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support, he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes #304, fixes #306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. 
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). 
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:973-1 Released: Thu Apr 9 13:57:57 2020 Summary: Add Disaster Recovery Feature by using Velero Type: recommended Severity: important References: 1167434 Add Velero packages, images, helm chart, and documents In order to conduct disaster and recovery for CaaSP cluster, you need to make sure that: * install Helm and Tiller in both disaster and recovery cluster. * deploy Velero helm chart from SUSE helm chart repository. 
* store back/recovery data on S3-compatible storage providers * install CLI Velero to conduct backup and restore. Recommended Procedure Please refer to Disaster and Recovery in Administration Guide for detailed procedure to run discovery and recovery in different platforms and scenarios. From sle-security-updates at lists.suse.com Thu Apr 9 12:31:31 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 9 Apr 2020 20:31:31 +0200 (CEST) Subject: SUSE-CU-2020:122-1: Security update of caasp/v4/velero-restic-restore-helper Message-ID: <20200409183131.E99FAFE16@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/velero-restic-restore-helper ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:122-1 Container Tags : caasp/v4/velero-restic-restore-helper:1.3.1 , caasp/v4/velero-restic-restore-helper:1.3.1-rev1 , caasp/v4/velero-restic-restore-helper:1.3.1-rev1-build1.5.1 Container Release : 1.5.1 Severity : important Type : security References : 1005023 1007715 1009532 1013125 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1044840 1045723 1047002 1049825 1051143 1063675 1065270 1071321 1072183 1073313 1076696 1080919 1081947 1081947 1082293 1082318 1083158 1084671 1084812 1084842 1084934 1085196 1086367 1086367 1087550 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677 1092100 1092877 1092920 1093414 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094735 1095096 1095148 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1097158 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591 1102046 1102310 1102526 1102564 1102840 1102908 1103320 1103320 1104531 1104780 1105031 1105166 1105435 1105437 1105459 1105460 1106019 1106214 1106383 1106390 1107066 1107067 1107617 1107640 1107941 1109197 1109252 1110304 1110445 1110700 1110797 1111019 1111388 1111498 1111973 1112024 1112570 
1112723 1112726 1112758 1113083 1113100 1113632 1113660 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1116995 1117025 1117063 1117993 1118086 1118087 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120629 1120630 1120631 1120689 1121051 1121197 1121446 1121563 1121563 1121753 1122000 1122417 1122729 1123043 1123333 1123371 1123377 1123378 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 1125352 1125410 1125604 1125689 1125886 1126056 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127155 1127223 1127308 1127557 1127608 1127701 1128246 1128383 1128598 1129576 1129598 1129753 1130045 1130230 1130306 1130325 1130326 1130681 1130682 1131060 1131113 1131330 1131686 1131823 1132348 1132400 1132721 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134226 1134524 1134856 1135114 1135123 1135170 1135254 1135534 1135708 1135709 1135749 1136717 1137053 1137624 1137977 1138869 1138939 1139083 1139083 1139459 1139459 1139795 1139939 1140039 1140631 1140647 1141059 1141093 1141113 1141883 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1152101 1152692 1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156482 1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159003 1159814 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161779 1161816 1162108 1162108 1162152 1162518 1163184 1163922 
1164505 1164562 1164717 1164950 1164950 1165579 1165784 1166106 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167434 1167631 1167674 1168345 1168364 1168699 353876 859480 915402 918346 943457 953659 960273 985657 991901 CVE-2009-5155 CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-17740 CVE-2017-18269 CVE-2017-7500 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0500 CVE-2018-0732 CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-6954 CVE-2018-9251 CVE-2019-12290 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-20386 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-3822 CVE-2019-3823 CVE-2019-3829 CVE-2019-3836 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-5436 CVE-2019-5481 CVE-2019-5482 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9511 CVE-2019-9513 CVE-2019-9936 CVE-2019-9937 
CVE-2020-10029 CVE-2020-11501 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-8013 SLE-3853 SLE-4117 SLE-5807 SLE-5933 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/velero-restic-restore-helper was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1264-1 Released: Tue Jul 3 10:56:12 2018 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1086367 This update for curl provides the following fix: - Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. 
(bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. 
(bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1396-1 Released: Thu Jul 26 16:23:09 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1094735,1095148,943457,CVE-2017-7500 This update for rpm fixes the following issues: This security vulnerability was fixed: - CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. 
- fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1685-1 Released: Fri Aug 17 18:20:58 2018 Summary: Security update for curl Type: security Severity: moderate References: 1099793,CVE-2018-0500 This update for curl fixes the following issues: Security issue fixed: - CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. 
(bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1904-1 Released: Fri Sep 14 12:46:39 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086367,1106019,CVE-2018-14618 This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released: Fri Sep 28 08:02:02 2018
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released: Sun Sep 30 14:06:33 2018
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1097158,1101470,CVE-2018-0732

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released: Tue Oct 30 16:17:23 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1113100

This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released: Mon Nov 5 17:55:35 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite
  heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to
  redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- No longer adjusts qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs fixed, quite a few new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:

https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on:

https://gcc.gnu.org/gcc-8/porting_to.html

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953

This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1103320,1115929,CVE-2018-19211

This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released: Wed Dec 19 11:32:39 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released: Wed Dec 19 13:53:22 2018
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 1118086,CVE-2018-16869

This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released: Mon Jan 7 16:30:33 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1120346,CVE-2018-1000858

This update for gpg2 fixes the following issue:

Security issue fixed:

- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659

This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
(bsc#953659)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released: Mon Jan 21 15:52:45 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
  (bsc#1076696)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released: Wed Jan 23 17:57:31 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1121446

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released: Mon Jan 28 14:14:46 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References:

This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1123043,CVE-2019-6706

This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released: Wed Feb 6 08:35:20 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released: Wed Feb 13 14:01:42 2019
Summary: Recommended update for itstool
Type: recommended
Severity: moderate
References: 1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool

- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python

- Fix segfault when parsing invalid data.
(bsc#1065270)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released: Mon Feb 18 17:46:55 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

This update for systemd fixes the following issues:

- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire.
(bsc#1121051)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:

- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:

- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:

- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

Release notes: https://www.sqlite.org/releaselog/3_27_2.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:

- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:

- This update shortens RPM changelog to after a certain cut off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2016-10739: Fixed an improper implementation of the getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).

Other issue fixed:

- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:

Security issues fixed:

- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)

Non-security issue fixed:

- Update gnutls to support TLS 1.3 (fate#327114)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:

Security issue fixed:

- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).

Non-security issue fixed:

- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid
address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets.
  There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
(bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
(bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems.
(bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
(bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch
for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019

This update for curl doesn't address any user visible issues.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171

This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail.
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'.
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi.
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file.
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details).
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:973-1 Released: Thu Apr 9 13:57:57 2020 Summary: Add Disaster Recovery Feature by using Velero Type: recommended Severity: important References: 1167434 Add Velero packages, images, helm chart, and documents In order to conduct disaster and recovery for CaaSP cluster, you need to make sure that: * install Helm and Tiller in both disaster and recovery cluster. * deploy Velero helm chart from SUSE helm chart repository.
* store back/recovery data on S3-compatible storage providers
* install CLI Velero to conduct backup and restore.

Recommended Procedure

Please refer to Disaster and Recovery in Administration Guide for detailed procedure to run discovery and recovery in different platforms and scenarios.

From sle-security-updates at lists.suse.com Fri Apr 10 11:41:12 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 10 Apr 2020 19:41:12 +0200 (CEST)
Subject: SUSE-CU-2020:123-1: Security update of suse/sle15
Message-ID: <20200410174112.84431FE16@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:123-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.204
Container Release     : 6.2.204
Severity              : moderate
Type                  : security
References            : 1168364 1168699 CVE-2020-1730
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released:    Thu Apr 9 11:41:53 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released:    Thu Apr 9 11:43:17 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

From sle-security-updates at lists.suse.com Fri Apr 10 11:44:15 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 10 Apr 2020 19:44:15 +0200 (CEST)
Subject: SUSE-CU-2020:124-1: Security update of suse/sles12sp5
Message-ID: <20200410174415.CE656FE16@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:124-1
Container Tags        : suse/sles12sp5:5.2.329 , suse/sles12sp5:latest
Container Release     : 5.2.329
Severity              : moderate
Type                  : security
References            : 1168699 CVE-2020-1730
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:968-1
Released:    Thu Apr 9 11:42:14 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

From sle-security-updates at lists.suse.com Tue Apr 14 07:19:36 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 14 Apr 2020 15:19:36 +0200 (CEST)
Subject: SUSE-SU-2020:0984-1: moderate: Security update for quartz
Message-ID: <20200414131936.8B628FE0F@maintenance.suse.de>

SUSE Security Update: Security update for quartz
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0984-1
Rating:             moderate
References:         #1143227
Cross-References:   CVE-2019-13990
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for quartz fixes the following issues:

- CVE-2019-13990: Fixed XML External Entity attack in initDocumentParser (bsc#1143227).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-984=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch): quartz-2.3.0-4.3.1

References:

https://www.suse.com/security/cve/CVE-2019-13990.html
https://bugzilla.suse.com/1143227

From sle-security-updates at lists.suse.com Tue Apr 14 16:19:00 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 15 Apr 2020 00:19:00 +0200 (CEST)
Subject: SUSE-SU-2020:0992-1: important: Security update for git
Message-ID: <20200414221900.DE97BFE16@maintenance.suse.de>

SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0992-1
Rating:             important
References:         #1167890 #1168930
Cross-References:   CVE-2020-5260
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for git fixes the following issues:

Security issue fixed:

- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930).

Non-security issue fixed:

git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608):

- the xinetd snippet was removed
- the System V init script for the git-daemon was replaced by a systemd service file of the same name.

git 2.26.0:

* "git rebase" now uses a different backend that is based on the 'merge' machinery by default. The 'rebase.backend' configuration variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features

git 2.25.1:

* "git commit" now honors advise.statusHints
* various updates, bug fixes and documentation updates

git 2.25.0:

* The branch description ("git branch --edit-description") has been used to fill the body of the cover letters by the format-patch command; this has been enhanced so that the subject can also be filled.
* A few commands learned to take the pathspec from the standard input or a named file, instead of taking it as the command line arguments, with the "--pathspec-from-file" option.
* Test updates to prepare for SHA-2 transition continues.
* Redo "git name-rev" to avoid recursive calls.
* When all files from some subdirectory were renamed to the root directory, the directory rename heuristics would fail to detect that as a rename/merge of the subdirectory to the root directory, which has been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which has been corrected.

git 2.24.1:

* CVE-2019-1348: The --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795)

- Fix building with asciidoctor and without DocBook4 stylesheets.

git 2.24.0

* The command line parser learned "--end-of-options" notation.
* A mechanism to affect the default setting for a (related) group of configuration variables is introduced.
* "git fetch" learned "--set-upstream" option to help those who first clone from their private fork they intend to push to, add the true upstream via "git remote add" and then "git fetch" from it.
* fixes and improvements to UI, workflow and features, bash completion fixes
* part of it merged upstream
* the Makefile attempted to download some documentation, banned

git 2.23.0:

* The "--base" option of "format-patch" computed the patch-ids for prerequisite patches in an unstable way, which has been updated to compute in a way that is compatible with "git patch-id --stable".
* The "git log" command by default behaves as if the --mailmap option was given.
* fixes and improvements to UI, workflow and features

git 2.22.1:

* A relative pathname given to "git init --template= " ought to be relative to the directory "git init" gets invoked in, but it instead was made relative to the repository, which has been corrected.
* "git worktree add" used to fail when another worktree connected to the same repository was corrupt, which has been corrected.
* "git am -i --resolved" segfaulted after trying to see a commit as if it were a tree, which has been corrected.
* "git merge --squash" is designed to update the working tree and the index without creating the commit, and this cannot be countermanded by adding the "--commit" option; the command now refuses to work when both options are given.
* Update to Unicode 12.1 width table.
* "git request-pull" learned to warn when the ref we ask them to pull from in the local repository and in the published repository are different.
* "git fetch" into a lazy clone forgot to fetch base objects that are necessary to complete delta in a thin packfile, which has been corrected.
* The URL decoding code has been updated to avoid going past the end of the string while parsing %-- sequence.
* "git clean" silently skipped a path when it cannot lstat() it; now it gives a warning.
* "git rm" to resolve a conflicted path leaked an internal message "needs merge" before actually removing the path, which was confusing. This has been corrected.
* Many more bugfixes and code cleanups.

- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

git 2.22.0:

* The filter specification "--filter=sparse:path=" used to create a lazy/partial clone has been removed. Using a blob that is part of the project as sparse specification is still supported with the "--filter=sparse:oid=" option
* "git checkout --no-overlay" can be used to trigger a new mode of checking out paths out of the tree-ish, that allows paths that match the pathspec that are in the current index and working tree and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email} have been introduced to override user.{name,email} in more specific cases.
* "git branch" learned a new subcommand "--show-current".
* The command line completion (in contrib/) has been taught to complete more subcommand parameters.
* The completion helper code now pays attention to repository-local configuration (when available), which allows --list-cmds to honour a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a conflicted merge was shown above the scissors line when the clean-up mode is set to "scissors", even though it was commented out just like the list of updated paths and other information to help the user explain the merge better.
* "git rebase" that was reimplemented in C did not set ORIG_HEAD correctly, which has been corrected.
* "git worktree add" used to do a "find an available name with stat and then mkdir", which is race-prone. This has been fixed by using mkdir and reacting to EEXIST in a loop.

- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)

git 2.21.0:

* Historically, the "-m" (mainline) option can only be used for "git cherry-pick" and "git revert" when working with a merge commit. This version of Git no longer warns or errors out when working with a single-parent commit, as long as the argument to the "-m" option is 1 (i.e. it has only one parent, and the request is to pick or revert relative to that first parent). Scripts that relied on the behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The "http.version" configuration variable can be used with recent enough versions of cURL library to force the version of HTTP used to talk when fetching and pushing.
* "git push $there $src:$dst" rejects when $dst is not a fully qualified refname and it is not clear what the end user meant.
* Update "git multimail" from the upstream.
* A new date format "--date=human" that morphs its output depending on how far the time is from the current time has been introduced. "--date=auto:human" can be used to use this new format (or any existing format) when the output is going to the pager or to the terminal, and otherwise the default format.

- Fix worktree creation race (bsc#1114225).

git 2.20.1:

* portability fixes
* "git help -a" did not work well when an overly long alias was defined
* no longer squelched an error message when the run_command API failed to run a missing command

git 2.20.0:

* "git help -a" now gives verbose output (same as "git help -av"). Those who want the old output may say "git help --no-verbose -a".
* "git send-email" learned to grab address-looking string on any trailer whose name ends with "-by".
* "git format-patch" learned new "--interdiff" and "--range-diff" options to explain the difference between this version and the previous attempt in the cover letter (or after the three-dashes as a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple worktree entries if the path was missing (for instance, was removed manually). Also, as a convenience, expand the number of cases in which --force is applicable.
* The overly large Documentation/config.txt file has been split into a million little pieces. This potentially allows each individual piece to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt to read or write past the allocated buffer and abort, instead of reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when it shrinks during a partial commit.
* "git merge" and "git pull" that merges into an unborn branch used to completely ignore "--verify-signatures", which has been corrected.
* ...and much more features and fixes

- fix CVE-2018-19486 (bsc#1117257)

git 2.19.2:

* various bug fixes for multiple subcommands and operations

git 2.19.1:

* CVE-2018-17456: Specially crafted .gitmodules files may have allowed arbitrary code execution when the repository is cloned with --recurse-submodules (bsc#1110949)

git 2.19.0:

* "git diff" compares the index and the working tree. For paths added with intent-to-add bit, the command shows the full contents of them as added, but the paths themselves were not marked as new files. They are now shown as new by default.
* "git apply" learned the "--intent-to-add" option so that an otherwise working-tree-only application of a patch will add new paths to the index marked with the "intent-to-add" bit.
* "git grep" learned the "--column" option that gives not just the line number but the column number of the hit.
* The "-l" option in "git branch -l" is an unfortunate short-hand for "--create-reflog", but many users, both old and new, somehow expect it to be something else, perhaps "--list". This step warns when "-l" is used as a short-hand for "--create-reflog" and warns about the future repurposing of it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message "git send-email" sends out by default was 8bit, which can cause trouble when there is an overlong line to bust RFC 5322/2822 limit. A new option 'auto' to automatically switch to quoted-printable when there is such a line in the payload has been introduced and is made the default.
* "git checkout" and "git worktree add" learned to honor checkout.defaultRemote when auto-vivifying a local branch out of a remote tracking branch in a repository with multiple remotes that have tracking branches that share the same names. (merge 8d7b558bae ab/checkout-default-remote later to maint).
* "git grep" learned the "--only-matching" option.
* "git rebase --rebase-merges" mode now handles octopus merges as well.
* Add a server-side knob to skip commits in exponential/Fibonacci stride in an attempt to cover wider swath of history with a smaller number of iterations, potentially accepting a larger packfile transfer, instead of going back one commit a time during common ancestor discovery during the "git fetch" transaction. (merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added, primarily to help server installations that want to ignore the replace mechanism altogether.
* Teach "git tag -s" etc. a few configuration variables (gpg.format that can be set to "openpgp" or "x509", and gpg..program that is used to specify what program to use to deal with the format) to allow x.509 certs with CMS via "gpgsm" to be used instead of openpgp via "gnupg".
* Many more strings are prepared for l10n.
* "git p4 submit" learns to ask its own pre-submit hook if it should continue with submitting.
* The test performed at the receiving end of "git push" to prevent bad objects from entering repository can be customized via receive.fsck.* configuration variables; we now have gained a counterpart to do the same on the "git fetch" side, with fetch.fsck.* configuration variables.
* "git pull --rebase=interactive" learned "i" as a short-hand for "interactive".
* "git instaweb" has been adjusted to run better with newer Apache on RedHat based distros.
* "git range-diff" is a reimplementation of "git tbdiff" that lets us compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at the beginning of incoming lines on the receiving end.
* "git branch --list" learned to take the default sort order from the 'branch.sort' configuration variable, just like "git tag --list" pays attention to 'tag.sort'.
* "git worktree" command learned "--quiet" option to make it less verbose.

git 2.18.0:

* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now specify "tlsv1.3" as its value.
* "git mergetools" learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes

Update to git 2.16.4: security fix release

git 2.17.1:

* Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers by preventing malicious contents from spreading.

git 2.17.0:

* "diff" family of commands learned "--find-object=" option to limit the findings to changes that involve the named object.
* "git format-patch" learned to give 72-cols to diffstat, which is consistent with other line length limits the subcommand uses for its output meant for e-mails.
* The log from "git daemon" can be redirected with a new option; one relevant use case is to send the log to standard error (instead of syslog) when running it from inetd.
* "git rebase" learned to take "--allow-empty-message" option.
* "git am" has learned the "--quit" option, in addition to the existing "--abort" option; having the pair mirrors a few other commands like "rebase" and "cherry-pick".
* "git worktree add" learned to run the post-checkout hook, just like "git clone" runs it upon the initial checkout.
* "git tag" learned an explicit "--edit" option that allows the message given via "-m" and "-F" to be further edited.
* "git fetch --prune-tags" may be used as a handy short-hand for getting rid of stale tags that are locally held.
* The new "--show-current-patch" option gives an end-user facing way to get the diff being applied when "git rebase" (and "git am") stops with a conflict.
* "git add -p" used to offer "/" (look for a matching hunk) as a choice, even there was only one hunk, which has been corrected. Also the single-key help is now given only for keys that are enabled (e.g. help for '/' won't be shown when there is only one hunk).
* Since Git 1.7.9, "git merge" defaulted to --no-ff (i.e. even when the side branch being merged is a descendant of the current commit, create a merge commit instead of fast-forwarding) when merging a tag object. This was appropriate default for integrators who pull signed tags from their downstream contributors, but caused an unnecessary merges when used by downstream contributors who habitually "catch up" their topic branches with tagged releases from the upstream. Update "git merge" to default to --no-ff only when merging a tag object that does *not* sit at its usual place in refs/tags/ hierarchy, and allow fast-forwarding otherwise, to mitigate the problem.
* "git status" can spend a lot of cycles to compute the relation between the current branch and its upstream, which can now be disabled with "--no-ahead-behind" option.
* "git diff" and friends learned funcname patterns for Go language source files.
* "git send-email" learned "--reply-to=" option.
* Funcname pattern used for C# now recognizes "async" keyword.
* In a way similar to how "git tag" learned to honor the pager setting only in the list mode, "git config" learned to ignore the pager setting when it is used for setting values (i.e. when the purpose of the operation is not to "show").

- Use %license instead of %doc [bsc#1082318]

git 2.16.3:

* "git status" after moving a path in the working tree (hence making it appear "removed") and then adding with the -N option (hence making that appear "added") detected it as a rename, but did not report the old and new pathnames correctly.
* "git commit --fixup" did not allow "-m" option to be used at the same time; allow it to annotate resulting commit with more text.
* When resetting the working tree files recursively, the working tree of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API change around object ID.
* When there are too many changed paths, "git diff" showed a warning message but in the middle of a line.
* The http tracing code, often used to debug connection issues, learned to redact potentially sensitive information from its output so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to unlock what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to "git daemon".
* Completion of "git merge -s" (in contrib/) did not work well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script' phase to follow the established practice, rather than during 'before_script' phase. This allows the CI categorize the failures better ('failed' is project's fault, 'errored' is build environment's).

- Drop superfluous xinetd snippet, no longer used (bsc#1084460)
- Build with asciidoctor for the recent distros (bsc#1075764)
- Move %{?systemd_requires} to daemon subpackage
- Create subpackage for libsecret credential helper.

git 2.16.2:

* An old regression in "git describe --all $annotated_tag^0" has been fixed.
* "git svn dcommit" did not take into account the fact that a svn+ssh:// URL with a username@ (typically used for pushing) refers to the same SVN repository without the username@ and failed when svn.pushmergeinfo option is set.
* "git merge -Xours/-Xtheirs" learned to use our/their version when resolving a conflicting updates to a symbolic link.
* "git clone $there $here" is allowed even when here directory exists as long as it is an empty directory, but the command incorrectly removed it upon a failure of the operation.
* "git stash -- " incorrectly blew away untracked files in the directory that matched the pathspec, which has been corrected.
* "git add -p" was taught to ignore local changes to submodules as they do not interfere with the partial addition of regular changes anyway.

git 2.16.1:

* "git clone" segfaulted when cloning a project that happens to track two paths that differ only in case on a case insensitive filesystem

git 2.16.0 (CVE-2017-15298, bsc#1063412):

* See https://raw.github.com/git/git/master/Documentation/RelNotes/2.16.0.txt

git 2.15.1:

* fix "auto" column output
* fixes to moved lines diffing
* documentation updates
* fix use of repositories immediately under the root directory
* improve usage of libsecret
* fixes to various error conditions in git commands

- Rewrite from sysv init to systemd unit file for git-daemon (bsc#1069803)
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (bsc#1069468)
- split off p4 to a subpackage (bsc#1067502)
- Build with the external libsha1detectcoll (bsc#1042644)

git 2.15.0:

* Use of an empty string as a pathspec element that is used for 'everything matches' is still warned and Git asks users to use a more explicit '.' for that instead. Removal scheduled for 2.16
* Git now avoids blindly falling back to ".git" when the setup sequence said we are _not_ in Git repository (another corner case removed)
* "branch --set-upstream" was retired, deprecated since 1.8
* many other improvements and updates

git 2.14.3:

* git send-email understands more cc: formats
* fixes so gitk --bisect
* git commit-tree fixed to handle -F file alike
* Prevent segfault in "git cat-file --textconv"
* Fix function header parsing for HTML
* Various small fixes to user commands and internal functions

git 2.14.2:

* fixes to color output
* http.{sslkey,sslCert} now interpret "~[username]/" prefix
* fixes to walking of reflogs via "log -g" and friends
* various fixes to output correctness
* "git push --recurse-submodules $there HEAD:$target" is now propagated down to the submodules
* "git clone --recurse-submodules --quiet" now propagates quiet option down to submodules.
* "git svn --localtime" correctness fixes
* "git grep -L" and "git grep --quiet -L" now report same exit code
* fixes to "git apply" when converting line endings
* Various Perl scripts did not use safe_pipe_capture() instead of backticks, leaving them susceptible to end-user input. CVE-2017-14867 bsc#1061041
* "git cvsserver" no longer is invoked by "git daemon" by default

git 2.14.1 (bsc#1052481):

* Security fix for CVE-2017-1000117: A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
* A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash "-" as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash "-" is also forbidden now.

git 2.14.0:

* Use of an empty string as a pathspec element that is used for 'everything matches' is deprecated, use '.'
* Avoid blindly falling back to ".git" when the setup sequence indicates operation not on a Git repository
* "indent heuristics" are now the default.
* Builds with pcre2
* Many bug fixes, improvements and updates

git 2.13.4:

* Update the character width tables.
* Fix an alias that contained an uppercase letter
* Progress meter fixes
* git gc concurrency fixes

git 2.13.3:

* various internal bug fixes
* Fix a regression to "git rebase -i"
* Correct unaligned 32-bit access in pack-bitmap code
* Tighten error checks for invalid "git apply" input
* The split index code did not honor core.sharedrepository setting correctly
* Fix "git branch --list" handling of color.branch.local

git 2.13.2:

* "collision detecting" SHA-1 update for platform fixes
* "git checkout --recurse-submodules" did not quite work with a submodule that itself has submodules.
* The "run-command" API implementation has been made more robust against dead-locking in a threaded environment.
* "git clean -d" now only cleans ignored files with "-x"
* "git status --ignored" did not list ignored and untracked files without "-uall"
* "git pull --rebase --autostash" didn't auto-stash when the local history fast-forwards to the upstream.
* "git describe --contains" gives as much weight to lightweight tags as annotated tags
* Fix "git stash push " from a subdirectory

git 2.13.1:

* Setting "log.decorate=false" in the configuration file did not take effect in v2.13, which has been corrected.
* corrections to documentation and command help output
* garbage collection fixes
* memory leaks fixed
* receive-pack now makes sure that the push certificate records the same set of push options used for pushing
* shell completion corrections for git stash
* fix "git clone --config var=val" with empty strings
* internal efficiency improvements
* Update sha1 collision detection code for big-endian platforms and platforms not supporting unaligned fetches

- Fix packaging of documentation

git 2.13.0:

* empty string as a pathspec element for 'everything matches' is still warned, for future removal.
* deprecated argument order "git merge HEAD ..." was removed
* default location "~/.git-credential-cache/socket" for the socket used to communicate with the credential-cache daemon moved to "~/.cache/git/credential/socket".
* now avoid blindly falling back to ".git" when the setup sequence indicated otherwise
* many workflow features, improvements and bug fixes
* add a hardened implementation of SHA1 in response to practical collision attacks (CVE-2005-4900, bsc#1042640)
* CVE-2017-8386: On a server running git-shell as login shell to restrict user to git commands, remote users may have been able to have git service programs spawn an interactive pager and thus escape the shell restrictions. (bsc#1038395)

Changes in pcre2:

- Include the libraries, development and tools packages. git uses only libpcre2-8 so far, but this allows further application usage of pcre2.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-992=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-992=1
- SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-992=1
- SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-992=1
- SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-992=1
- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-992=1
- SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-992=1
- SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-992=1
- SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-992=1
- SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-992=1
- SUSE Linux Enterprise
Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-992=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-992=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-992=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-992=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-992=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-992=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-992=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): perl-CGI-4.38-1.3.1 - SUSE OpenStack Cloud 8 (noarch): perl-CGI-4.38-1.3.1 - SUSE OpenStack Cloud 8 (x86_64): git-2.26.0-27.27.1 git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE OpenStack Cloud 7 (s390x x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE OpenStack Cloud 7 (noarch): git-doc-2.26.0-27.27.1 perl-CGI-4.38-1.3.1 - SUSE Linux 
Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): git-2.26.0-27.27.1 git-arch-2.26.0-27.27.1 git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-cvs-2.26.0-27.27.1 git-daemon-2.26.0-27.27.1 git-daemon-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 git-email-2.26.0-27.27.1 git-gui-2.26.0-27.27.1 git-svn-2.26.0-27.27.1 git-svn-debuginfo-2.26.0-27.27.1 git-web-2.26.0-27.27.1 gitk-2.26.0-27.27.1 pcre2-debugsource-10.34-1.3.1 pcre2-devel-10.34-1.3.1 pcre2-devel-static-10.34-1.3.1 pcre2-tools-10.34-1.3.1 pcre2-tools-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): git-doc-2.26.0-27.27.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): git-2.26.0-27.27.1 git-arch-2.26.0-27.27.1 git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-cvs-2.26.0-27.27.1 git-daemon-2.26.0-27.27.1 git-daemon-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 git-email-2.26.0-27.27.1 git-gui-2.26.0-27.27.1 git-svn-2.26.0-27.27.1 git-svn-debuginfo-2.26.0-27.27.1 git-web-2.26.0-27.27.1 gitk-2.26.0-27.27.1 pcre2-debugsource-10.34-1.3.1 pcre2-devel-10.34-1.3.1 pcre2-devel-static-10.34-1.3.1 pcre2-tools-10.34-1.3.1 pcre2-tools-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): git-doc-2.26.0-27.27.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 
libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): git-doc-2.26.0-27.27.1 perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): git-doc-2.26.0-27.27.1 perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 
libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): git-doc-2.26.0-27.27.1 perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): git-doc-2.26.0-27.27.1 perl-CGI-4.38-1.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 
libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): git-doc-2.26.0-27.27.1 perl-CGI-4.38-1.3.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - SUSE Enterprise Storage 5 (noarch): perl-CGI-4.38-1.3.1 - HPE Helion Openstack 8 (x86_64): git-2.26.0-27.27.1 git-core-2.26.0-27.27.1 git-core-debuginfo-2.26.0-27.27.1 git-debugsource-2.26.0-27.27.1 libpcre2-16-0-10.34-1.3.1 libpcre2-16-0-debuginfo-10.34-1.3.1 libpcre2-32-0-10.34-1.3.1 libpcre2-32-0-debuginfo-10.34-1.3.1 libpcre2-8-0-10.34-1.3.1 libpcre2-8-0-debuginfo-10.34-1.3.1 libpcre2-posix2-10.34-1.3.1 libpcre2-posix2-debuginfo-10.34-1.3.1 - HPE Helion Openstack 8 (noarch): perl-CGI-4.38-1.3.1 References: https://www.suse.com/security/cve/CVE-2020-5260.html https://bugzilla.suse.com/1167890 https://bugzilla.suse.com/1168930 From sle-security-updates at lists.suse.com Tue Apr 14 16:22:09 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 15 Apr 2020 00:22:09 +0200 (CEST) Subject: SUSE-SU-2020:0991-1: important: Security update for git Message-ID: <20200414222209.DB0DBFE17@maintenance.suse.de> SUSE Security Update: Security update for git ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0991-1 Rating: important References: #1168930 Cross-References: CVE-2020-5260 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development 
Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for git fixes the following issues: - CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-991=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-991=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-991=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-991=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-991=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-991=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-991=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): git-2.16.4-3.20.1 git-arch-2.16.4-3.20.1 git-core-2.16.4-3.20.1 git-core-debuginfo-2.16.4-3.20.1 git-cvs-2.16.4-3.20.1 git-daemon-2.16.4-3.20.1 git-daemon-debuginfo-2.16.4-3.20.1 git-debuginfo-2.16.4-3.20.1 git-debugsource-2.16.4-3.20.1 git-email-2.16.4-3.20.1 
git-gui-2.16.4-3.20.1 git-svn-2.16.4-3.20.1 git-svn-debuginfo-2.16.4-3.20.1 git-web-2.16.4-3.20.1 gitk-2.16.4-3.20.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): git-doc-2.16.4-3.20.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): git-2.16.4-3.20.1 git-arch-2.16.4-3.20.1 git-core-2.16.4-3.20.1 git-core-debuginfo-2.16.4-3.20.1 git-cvs-2.16.4-3.20.1 git-daemon-2.16.4-3.20.1 git-daemon-debuginfo-2.16.4-3.20.1 git-debuginfo-2.16.4-3.20.1 git-debugsource-2.16.4-3.20.1 git-email-2.16.4-3.20.1 git-gui-2.16.4-3.20.1 git-svn-2.16.4-3.20.1 git-svn-debuginfo-2.16.4-3.20.1 git-web-2.16.4-3.20.1 gitk-2.16.4-3.20.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): git-doc-2.16.4-3.20.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): git-credential-gnome-keyring-2.16.4-3.20.1 git-credential-gnome-keyring-debuginfo-2.16.4-3.20.1 git-credential-libsecret-2.16.4-3.20.1 git-credential-libsecret-debuginfo-2.16.4-3.20.1 git-debuginfo-2.16.4-3.20.1 git-debugsource-2.16.4-3.20.1 git-p4-2.16.4-3.20.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): git-2.16.4-3.20.1 git-arch-2.16.4-3.20.1 git-cvs-2.16.4-3.20.1 git-daemon-2.16.4-3.20.1 git-daemon-debuginfo-2.16.4-3.20.1 git-debuginfo-2.16.4-3.20.1 git-debugsource-2.16.4-3.20.1 git-email-2.16.4-3.20.1 git-gui-2.16.4-3.20.1 git-svn-2.16.4-3.20.1 git-svn-debuginfo-2.16.4-3.20.1 git-web-2.16.4-3.20.1 gitk-2.16.4-3.20.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): git-doc-2.16.4-3.20.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): git-core-2.16.4-3.20.1 git-core-debuginfo-2.16.4-3.20.1 git-debuginfo-2.16.4-3.20.1 git-debugsource-2.16.4-3.20.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): git-2.16.4-3.20.1 git-arch-2.16.4-3.20.1 git-core-2.16.4-3.20.1 git-core-debuginfo-2.16.4-3.20.1 git-cvs-2.16.4-3.20.1 git-daemon-2.16.4-3.20.1 
git-daemon-debuginfo-2.16.4-3.20.1 git-debuginfo-2.16.4-3.20.1 git-debugsource-2.16.4-3.20.1 git-email-2.16.4-3.20.1 git-gui-2.16.4-3.20.1 git-svn-2.16.4-3.20.1 git-svn-debuginfo-2.16.4-3.20.1 git-web-2.16.4-3.20.1 gitk-2.16.4-3.20.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): git-doc-2.16.4-3.20.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): git-2.16.4-3.20.1 git-arch-2.16.4-3.20.1 git-core-2.16.4-3.20.1 git-core-debuginfo-2.16.4-3.20.1 git-cvs-2.16.4-3.20.1 git-daemon-2.16.4-3.20.1 git-daemon-debuginfo-2.16.4-3.20.1 git-debuginfo-2.16.4-3.20.1 git-debugsource-2.16.4-3.20.1 git-email-2.16.4-3.20.1 git-gui-2.16.4-3.20.1 git-svn-2.16.4-3.20.1 git-svn-debuginfo-2.16.4-3.20.1 git-web-2.16.4-3.20.1 gitk-2.16.4-3.20.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): git-doc-2.16.4-3.20.1 References: https://www.suse.com/security/cve/CVE-2020-5260.html https://bugzilla.suse.com/1168930 From sle-security-updates at lists.suse.com Wed Apr 15 04:19:12 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 15 Apr 2020 12:19:12 +0200 (CEST) Subject: SUSE-SU-2020:0995-1: moderate: Security update for ruby2.5 Message-ID: <20200415101912.6AC87FE17@maintenance.suse.de> SUSE Security Update: Security update for ruby2.5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:0995-1 Rating: moderate References: #1167244 #1168938 Cross-References: CVE-2020-10663 CVE-2020-10933 Affected Products: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description: This update for ruby2.5 to version 2.5.8 fixes the following issues: - CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (bsc#1167244). - CVE-2020-10933: Heap exposure vulnerability in the socket library (bsc#1168938). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-995=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-995=1 Package List: - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): ruby2.5-debuginfo-2.5.8-4.11.1 ruby2.5-debugsource-2.5.8-4.11.1 ruby2.5-doc-2.5.8-4.11.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): ruby2.5-doc-ri-2.5.8-4.11.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libruby2_5-2_5-2.5.8-4.11.1 libruby2_5-2_5-debuginfo-2.5.8-4.11.1 ruby2.5-2.5.8-4.11.1 ruby2.5-debuginfo-2.5.8-4.11.1 ruby2.5-debugsource-2.5.8-4.11.1 ruby2.5-devel-2.5.8-4.11.1 ruby2.5-devel-extra-2.5.8-4.11.1 ruby2.5-stdlib-2.5.8-4.11.1 ruby2.5-stdlib-debuginfo-2.5.8-4.11.1 References: https://www.suse.com/security/cve/CVE-2020-10663.html https://www.suse.com/security/cve/CVE-2020-10933.html https://bugzilla.suse.com/1167244 https://bugzilla.suse.com/1168938 From sle-security-updates at lists.suse.com Thu Apr 16 04:30:14 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 16 Apr 2020 12:30:14 +0200 (CEST) Subject: SUSE-SU-2020:1009-1: moderate: Security update for quartz Message-ID: <20200416103014.53063FE17@maintenance.suse.de> SUSE Security Update: Security update for quartz 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1009-1 Rating: moderate References: #1143227 Cross-References: CVE-2019-13990 Affected Products: SUSE Manager Server 3.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for quartz fixes the following issues: - CVE-2019-13990: Fixed XML External Entity attack in initDocumentParser (bsc#1143227). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1009=1 Package List: - SUSE Manager Server 3.2 (noarch): quartz-2.3.0-14.3.1 References: https://www.suse.com/security/cve/CVE-2019-13990.html https://bugzilla.suse.com/1143227 From sle-security-updates at lists.suse.com Fri Apr 17 04:16:15 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 17 Apr 2020 12:16:15 +0200 (CEST) Subject: SUSE-SU-2020:1018-1: moderate: Security update for freeradius-server Message-ID: <20200417101615.2F3D9FFE8@maintenance.suse.de> SUSE Security Update: Security update for freeradius-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1018-1 Rating: moderate References: #1144524 #1146848 #1166847 Cross-References: CVE-2019-13456 CVE-2019-17185 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 
______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for freeradius-server fixes the following issues: - CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd (bsc#1144524). - CVE-2019-17185: Fixed a denial of service due to multithreaded BN_CTX access (bsc#1166847). - Fixed an issue in TLS-EAP where the OCSP verification, when an intermediate client certificate was not explicitly trusted (bsc#1146848). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1018=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1018=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1018=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1018=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1018=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1018=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1018=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1018=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1018=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 freeradius-server-doc-3.0.15-2.14.1 freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 
freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 - SUSE OpenStack Cloud 8 (x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 freeradius-server-doc-3.0.15-2.14.1 freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 freeradius-server-devel-3.0.15-2.14.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 freeradius-server-doc-3.0.15-2.14.1 
freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 freeradius-server-doc-3.0.15-2.14.1 freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 
freeradius-server-doc-3.0.15-2.14.1 freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 freeradius-server-doc-3.0.15-2.14.1 freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 
freeradius-server-doc-3.0.15-2.14.1 freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 - HPE Helion Openstack 8 (x86_64): freeradius-server-3.0.15-2.14.1 freeradius-server-debuginfo-3.0.15-2.14.1 freeradius-server-debugsource-3.0.15-2.14.1 freeradius-server-doc-3.0.15-2.14.1 freeradius-server-krb5-3.0.15-2.14.1 freeradius-server-krb5-debuginfo-3.0.15-2.14.1 freeradius-server-ldap-3.0.15-2.14.1 freeradius-server-ldap-debuginfo-3.0.15-2.14.1 freeradius-server-libs-3.0.15-2.14.1 freeradius-server-libs-debuginfo-3.0.15-2.14.1 freeradius-server-mysql-3.0.15-2.14.1 freeradius-server-mysql-debuginfo-3.0.15-2.14.1 freeradius-server-perl-3.0.15-2.14.1 freeradius-server-perl-debuginfo-3.0.15-2.14.1 freeradius-server-postgresql-3.0.15-2.14.1 freeradius-server-postgresql-debuginfo-3.0.15-2.14.1 freeradius-server-python-3.0.15-2.14.1 freeradius-server-python-debuginfo-3.0.15-2.14.1 freeradius-server-sqlite-3.0.15-2.14.1 freeradius-server-sqlite-debuginfo-3.0.15-2.14.1 freeradius-server-utils-3.0.15-2.14.1 freeradius-server-utils-debuginfo-3.0.15-2.14.1 References: https://www.suse.com/security/cve/CVE-2019-13456.html https://www.suse.com/security/cve/CVE-2019-17185.html https://bugzilla.suse.com/1144524 https://bugzilla.suse.com/1146848 
https://bugzilla.suse.com/1166847 From sle-security-updates at lists.suse.com Fri Apr 17 07:17:06 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 17 Apr 2020 15:17:06 +0200 (CEST) Subject: SUSE-SU-2020:1020-1: moderate: Security update for freeradius-server Message-ID: <20200417131706.27AEEFFE8@maintenance.suse.de> SUSE Security Update: Security update for freeradius-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1020-1 Rating: moderate References: #1144524 #1146848 #1166847 Cross-References: CVE-2019-13456 CVE-2019-17185 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for freeradius-server fixes the following issues: - CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd (bsc#1144524). - CVE-2019-17185: Fixed a denial of service due to multithreaded BN_CTX access (bsc#1166847). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1020=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1020=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): freeradius-server-debuginfo-3.0.19-3.3.1 freeradius-server-debugsource-3.0.19-3.3.1 freeradius-server-devel-3.0.19-3.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.19-3.3.1 freeradius-server-debuginfo-3.0.19-3.3.1 freeradius-server-debugsource-3.0.19-3.3.1 freeradius-server-doc-3.0.19-3.3.1 freeradius-server-krb5-3.0.19-3.3.1 freeradius-server-krb5-debuginfo-3.0.19-3.3.1 freeradius-server-ldap-3.0.19-3.3.1 freeradius-server-ldap-debuginfo-3.0.19-3.3.1 freeradius-server-libs-3.0.19-3.3.1 freeradius-server-libs-debuginfo-3.0.19-3.3.1 freeradius-server-mysql-3.0.19-3.3.1 freeradius-server-mysql-debuginfo-3.0.19-3.3.1 freeradius-server-perl-3.0.19-3.3.1 freeradius-server-perl-debuginfo-3.0.19-3.3.1 freeradius-server-postgresql-3.0.19-3.3.1 freeradius-server-postgresql-debuginfo-3.0.19-3.3.1 freeradius-server-python-3.0.19-3.3.1 freeradius-server-python-debuginfo-3.0.19-3.3.1 freeradius-server-sqlite-3.0.19-3.3.1 freeradius-server-sqlite-debuginfo-3.0.19-3.3.1 freeradius-server-utils-3.0.19-3.3.1 freeradius-server-utils-debuginfo-3.0.19-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-13456.html https://www.suse.com/security/cve/CVE-2019-17185.html https://bugzilla.suse.com/1144524 https://bugzilla.suse.com/1146848 https://bugzilla.suse.com/1166847 From sle-security-updates at lists.suse.com Fri Apr 17 07:24:35 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 17 Apr 2020 15:24:35 +0200 (CEST) Subject: SUSE-SU-2020:1021-1: moderate: Security update for libqt4 Message-ID: 
<20200417132435.24DB4FFE8@maintenance.suse.de> SUSE Security Update: Security update for libqt4 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1021-1 Rating: moderate References: #1118595 #1118596 #1118599 #1121214 Cross-References: CVE-2018-15518 CVE-2018-19869 CVE-2018-19873 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for libqt4 fixes the following issues: - CVE-2018-15518: Fixed a double free in QXmlStreamReader (bsc#1118595) - CVE-2018-19873: Fixed a segmentation fault via a malformed BMP file (bsc#1118596). - CVE-2018-19869: Fixed an improper checking which might lead to a crash via a malformed url reference (bsc#1118599). - Added stricter toplevel asm parsing by dropping volatile qualification that has no effect (bsc#1121214). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1021=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1021=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1021=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1021=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1021=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1021=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libqt4-debuginfo-32bit-4.8.7-8.13.1 libqt4-debugsource-4.8.7-8.13.1 libqt4-sql-mysql-32bit-4.8.7-8.13.1 libqt4-sql-mysql-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-plugins-debugsource-4.8.7-8.13.1 libqt4-sql-postgresql-32bit-4.8.7-8.13.1 libqt4-sql-postgresql-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-4.8.7-8.13.1 libqt4-sql-sqlite-32bit-4.8.7-8.13.1 libqt4-sql-sqlite-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-4.8.7-8.13.1 libqt4-sql-unixODBC-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-debuginfo-4.8.7-8.13.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): libqt4-debuginfo-32bit-4.8.7-8.13.1 libqt4-debugsource-4.8.7-8.13.1 libqt4-sql-mysql-32bit-4.8.7-8.13.1 libqt4-sql-mysql-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-plugins-debugsource-4.8.7-8.13.1 libqt4-sql-postgresql-32bit-4.8.7-8.13.1 libqt4-sql-postgresql-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-4.8.7-8.13.1 libqt4-sql-sqlite-32bit-4.8.7-8.13.1 libqt4-sql-sqlite-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-4.8.7-8.13.1 libqt4-sql-unixODBC-debuginfo-32bit-4.8.7-8.13.1 
libqt4-sql-unixODBC-debuginfo-4.8.7-8.13.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libqt4-debuginfo-4.8.7-8.13.1 libqt4-debugsource-4.8.7-8.13.1 libqt4-devel-4.8.7-8.13.1 libqt4-devel-debuginfo-4.8.7-8.13.1 libqt4-devel-doc-4.8.7-8.13.1 libqt4-devel-doc-debuginfo-4.8.7-8.13.1 libqt4-devel-doc-debugsource-4.8.7-8.13.1 libqt4-linguist-4.8.7-8.13.1 libqt4-linguist-debuginfo-4.8.7-8.13.1 libqt4-private-headers-devel-4.8.7-8.13.1 libqt4-sql-plugins-debugsource-4.8.7-8.13.1 libqt4-sql-postgresql-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-4.8.7-8.13.1 libqt4-sql-unixODBC-4.8.7-8.13.1 libqt4-sql-unixODBC-debuginfo-4.8.7-8.13.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64): libqt4-sql-postgresql-32bit-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-debuginfo-32bit-4.8.7-8.13.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): libqt4-devel-doc-data-4.8.7-8.13.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libqt4-debuginfo-4.8.7-8.13.1 libqt4-debugsource-4.8.7-8.13.1 libqt4-devel-4.8.7-8.13.1 libqt4-devel-debuginfo-4.8.7-8.13.1 libqt4-devel-doc-4.8.7-8.13.1 libqt4-devel-doc-debuginfo-4.8.7-8.13.1 libqt4-devel-doc-debugsource-4.8.7-8.13.1 libqt4-linguist-4.8.7-8.13.1 libqt4-linguist-debuginfo-4.8.7-8.13.1 libqt4-private-headers-devel-4.8.7-8.13.1 libqt4-sql-plugins-debugsource-4.8.7-8.13.1 libqt4-sql-postgresql-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-4.8.7-8.13.1 libqt4-sql-unixODBC-4.8.7-8.13.1 libqt4-sql-unixODBC-debuginfo-4.8.7-8.13.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (s390x x86_64): libqt4-sql-postgresql-32bit-4.8.7-8.13.1 libqt4-sql-postgresql-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-32bit-4.8.7-8.13.1 libqt4-sql-unixODBC-debuginfo-32bit-4.8.7-8.13.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): 
libqt4-devel-doc-data-4.8.7-8.13.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libqt4-4.8.7-8.13.1 libqt4-debuginfo-4.8.7-8.13.1 libqt4-debugsource-4.8.7-8.13.1 libqt4-devel-doc-debuginfo-4.8.7-8.13.1 libqt4-devel-doc-debugsource-4.8.7-8.13.1 libqt4-qt3support-4.8.7-8.13.1 libqt4-qt3support-debuginfo-4.8.7-8.13.1 libqt4-sql-4.8.7-8.13.1 libqt4-sql-debuginfo-4.8.7-8.13.1 libqt4-sql-mysql-4.8.7-8.13.1 libqt4-sql-mysql-debuginfo-4.8.7-8.13.1 libqt4-sql-plugins-debugsource-4.8.7-8.13.1 libqt4-sql-sqlite-4.8.7-8.13.1 libqt4-sql-sqlite-debuginfo-4.8.7-8.13.1 libqt4-x11-4.8.7-8.13.1 libqt4-x11-debuginfo-4.8.7-8.13.1 qt4-x11-tools-4.8.7-8.13.1 qt4-x11-tools-debuginfo-4.8.7-8.13.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libqt4-32bit-4.8.7-8.13.1 libqt4-debuginfo-32bit-4.8.7-8.13.1 libqt4-qt3support-32bit-4.8.7-8.13.1 libqt4-qt3support-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-32bit-4.8.7-8.13.1 libqt4-sql-debuginfo-32bit-4.8.7-8.13.1 libqt4-x11-32bit-4.8.7-8.13.1 libqt4-x11-debuginfo-32bit-4.8.7-8.13.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libqt4-4.8.7-8.13.1 libqt4-debuginfo-4.8.7-8.13.1 libqt4-debugsource-4.8.7-8.13.1 libqt4-devel-doc-debuginfo-4.8.7-8.13.1 libqt4-devel-doc-debugsource-4.8.7-8.13.1 libqt4-qt3support-4.8.7-8.13.1 libqt4-qt3support-debuginfo-4.8.7-8.13.1 libqt4-sql-4.8.7-8.13.1 libqt4-sql-debuginfo-4.8.7-8.13.1 libqt4-sql-mysql-4.8.7-8.13.1 libqt4-sql-mysql-debuginfo-4.8.7-8.13.1 libqt4-sql-plugins-debugsource-4.8.7-8.13.1 libqt4-sql-sqlite-4.8.7-8.13.1 libqt4-sql-sqlite-debuginfo-4.8.7-8.13.1 libqt4-x11-4.8.7-8.13.1 libqt4-x11-debuginfo-4.8.7-8.13.1 qt4-x11-tools-4.8.7-8.13.1 qt4-x11-tools-debuginfo-4.8.7-8.13.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libqt4-32bit-4.8.7-8.13.1 libqt4-debuginfo-32bit-4.8.7-8.13.1 libqt4-qt3support-32bit-4.8.7-8.13.1 libqt4-qt3support-debuginfo-32bit-4.8.7-8.13.1 libqt4-sql-32bit-4.8.7-8.13.1 libqt4-sql-debuginfo-32bit-4.8.7-8.13.1 
libqt4-x11-32bit-4.8.7-8.13.1 libqt4-x11-debuginfo-32bit-4.8.7-8.13.1 References: https://www.suse.com/security/cve/CVE-2018-15518.html https://www.suse.com/security/cve/CVE-2018-19869.html https://www.suse.com/security/cve/CVE-2018-19873.html https://bugzilla.suse.com/1118595 https://bugzilla.suse.com/1118596 https://bugzilla.suse.com/1118599 https://bugzilla.suse.com/1121214 From sle-security-updates at lists.suse.com Fri Apr 17 07:31:08 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 17 Apr 2020 15:31:08 +0200 (CEST) Subject: SUSE-SU-2020:1023-1: moderate: Security update for freeradius-server Message-ID: <20200417133108.1C7CDFFE8@maintenance.suse.de> SUSE Security Update: Security update for freeradius-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1023-1 Rating: moderate References: #1144524 #1146848 #1166847 Cross-References: CVE-2019-13456 CVE-2019-17185 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for freeradius-server fixes the following issues: - CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd (bsc#1144524). - CVE-2019-17185: Fixed a denial of service due to multithreaded BN_CTX access (bsc#1166847). - Fixed an issue in TLS-EAP where the OCSP verification, when an intermediate client certificate was not explicitly trusted (bsc#1146848). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1023=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1023=1 - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1023=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1023=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1023=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1023=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): freeradius-server-3.0.16-3.6.1 freeradius-server-debuginfo-3.0.16-3.6.1 freeradius-server-debugsource-3.0.16-3.6.1 freeradius-server-devel-3.0.16-3.6.1 freeradius-server-krb5-3.0.16-3.6.1 freeradius-server-krb5-debuginfo-3.0.16-3.6.1 freeradius-server-ldap-3.0.16-3.6.1 freeradius-server-ldap-debuginfo-3.0.16-3.6.1 freeradius-server-libs-3.0.16-3.6.1 freeradius-server-libs-debuginfo-3.0.16-3.6.1 freeradius-server-mysql-3.0.16-3.6.1 freeradius-server-mysql-debuginfo-3.0.16-3.6.1 freeradius-server-perl-3.0.16-3.6.1 freeradius-server-perl-debuginfo-3.0.16-3.6.1 freeradius-server-postgresql-3.0.16-3.6.1 freeradius-server-postgresql-debuginfo-3.0.16-3.6.1 freeradius-server-python-3.0.16-3.6.1 freeradius-server-python-debuginfo-3.0.16-3.6.1 freeradius-server-sqlite-3.0.16-3.6.1 freeradius-server-sqlite-debuginfo-3.0.16-3.6.1 freeradius-server-utils-3.0.16-3.6.1 freeradius-server-utils-debuginfo-3.0.16-3.6.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): 
freeradius-server-3.0.16-3.6.1 freeradius-server-debuginfo-3.0.16-3.6.1 freeradius-server-debugsource-3.0.16-3.6.1 freeradius-server-devel-3.0.16-3.6.1 freeradius-server-krb5-3.0.16-3.6.1 freeradius-server-krb5-debuginfo-3.0.16-3.6.1 freeradius-server-ldap-3.0.16-3.6.1 freeradius-server-ldap-debuginfo-3.0.16-3.6.1 freeradius-server-libs-3.0.16-3.6.1 freeradius-server-libs-debuginfo-3.0.16-3.6.1 freeradius-server-mysql-3.0.16-3.6.1 freeradius-server-mysql-debuginfo-3.0.16-3.6.1 freeradius-server-perl-3.0.16-3.6.1 freeradius-server-perl-debuginfo-3.0.16-3.6.1 freeradius-server-postgresql-3.0.16-3.6.1 freeradius-server-postgresql-debuginfo-3.0.16-3.6.1 freeradius-server-python-3.0.16-3.6.1 freeradius-server-python-debuginfo-3.0.16-3.6.1 freeradius-server-sqlite-3.0.16-3.6.1 freeradius-server-sqlite-debuginfo-3.0.16-3.6.1 freeradius-server-utils-3.0.16-3.6.1 freeradius-server-utils-debuginfo-3.0.16-3.6.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.16-3.6.1 freeradius-server-debuginfo-3.0.16-3.6.1 freeradius-server-debugsource-3.0.16-3.6.1 freeradius-server-devel-3.0.16-3.6.1 freeradius-server-krb5-3.0.16-3.6.1 freeradius-server-krb5-debuginfo-3.0.16-3.6.1 freeradius-server-ldap-3.0.16-3.6.1 freeradius-server-ldap-debuginfo-3.0.16-3.6.1 freeradius-server-libs-3.0.16-3.6.1 freeradius-server-libs-debuginfo-3.0.16-3.6.1 freeradius-server-mysql-3.0.16-3.6.1 freeradius-server-mysql-debuginfo-3.0.16-3.6.1 freeradius-server-perl-3.0.16-3.6.1 freeradius-server-perl-debuginfo-3.0.16-3.6.1 freeradius-server-postgresql-3.0.16-3.6.1 freeradius-server-postgresql-debuginfo-3.0.16-3.6.1 freeradius-server-python-3.0.16-3.6.1 freeradius-server-python-debuginfo-3.0.16-3.6.1 freeradius-server-sqlite-3.0.16-3.6.1 freeradius-server-sqlite-debuginfo-3.0.16-3.6.1 freeradius-server-utils-3.0.16-3.6.1 freeradius-server-utils-debuginfo-3.0.16-3.6.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 
(aarch64 ppc64le s390x x86_64): freeradius-server-debuginfo-3.0.16-3.6.1 freeradius-server-debugsource-3.0.16-3.6.1 freeradius-server-doc-3.0.16-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): freeradius-server-3.0.16-3.6.1 freeradius-server-debuginfo-3.0.16-3.6.1 freeradius-server-debugsource-3.0.16-3.6.1 freeradius-server-devel-3.0.16-3.6.1 freeradius-server-krb5-3.0.16-3.6.1 freeradius-server-krb5-debuginfo-3.0.16-3.6.1 freeradius-server-ldap-3.0.16-3.6.1 freeradius-server-ldap-debuginfo-3.0.16-3.6.1 freeradius-server-libs-3.0.16-3.6.1 freeradius-server-libs-debuginfo-3.0.16-3.6.1 freeradius-server-mysql-3.0.16-3.6.1 freeradius-server-mysql-debuginfo-3.0.16-3.6.1 freeradius-server-perl-3.0.16-3.6.1 freeradius-server-perl-debuginfo-3.0.16-3.6.1 freeradius-server-postgresql-3.0.16-3.6.1 freeradius-server-postgresql-debuginfo-3.0.16-3.6.1 freeradius-server-python-3.0.16-3.6.1 freeradius-server-python-debuginfo-3.0.16-3.6.1 freeradius-server-sqlite-3.0.16-3.6.1 freeradius-server-sqlite-debuginfo-3.0.16-3.6.1 freeradius-server-utils-3.0.16-3.6.1 freeradius-server-utils-debuginfo-3.0.16-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): freeradius-server-3.0.16-3.6.1 freeradius-server-debuginfo-3.0.16-3.6.1 freeradius-server-debugsource-3.0.16-3.6.1 freeradius-server-devel-3.0.16-3.6.1 freeradius-server-krb5-3.0.16-3.6.1 freeradius-server-krb5-debuginfo-3.0.16-3.6.1 freeradius-server-ldap-3.0.16-3.6.1 freeradius-server-ldap-debuginfo-3.0.16-3.6.1 freeradius-server-libs-3.0.16-3.6.1 freeradius-server-libs-debuginfo-3.0.16-3.6.1 freeradius-server-mysql-3.0.16-3.6.1 freeradius-server-mysql-debuginfo-3.0.16-3.6.1 freeradius-server-perl-3.0.16-3.6.1 freeradius-server-perl-debuginfo-3.0.16-3.6.1 freeradius-server-postgresql-3.0.16-3.6.1 freeradius-server-postgresql-debuginfo-3.0.16-3.6.1 freeradius-server-python-3.0.16-3.6.1 freeradius-server-python-debuginfo-3.0.16-3.6.1 
freeradius-server-sqlite-3.0.16-3.6.1 freeradius-server-sqlite-debuginfo-3.0.16-3.6.1 freeradius-server-utils-3.0.16-3.6.1 freeradius-server-utils-debuginfo-3.0.16-3.6.1 References: https://www.suse.com/security/cve/CVE-2019-13456.html https://www.suse.com/security/cve/CVE-2019-17185.html https://bugzilla.suse.com/1144524 https://bugzilla.suse.com/1146848 https://bugzilla.suse.com/1166847 From sle-security-updates at lists.suse.com Fri Apr 17 13:20:02 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 17 Apr 2020 21:20:02 +0200 (CEST) Subject: SUSE-SU-2020:1027-1: important: Security update for MozillaThunderbird Message-ID: <20200417192002.6F9B9FFEB@maintenance.suse.de> SUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1027-1 Rating: important References: #1168630 #1168874 Cross-References: CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for MozillaThunderbird to version 68.7.0 fixes the following issues: - CVE-2020-6819: Use-after-free while running the nsDocShell destructor (boo#1168630) - CVE-2020-6820: Use-after-free when handling a ReadableStream (boo#1168630) - CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage() (boo#1168874) - CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images (boo#1168874) - CVE-2020-6825: Memory safety bugs fixed (boo#1168874) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1027=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): MozillaThunderbird-68.7.0-3.77.1 MozillaThunderbird-debuginfo-68.7.0-3.77.1 MozillaThunderbird-debugsource-68.7.0-3.77.1 MozillaThunderbird-translations-common-68.7.0-3.77.1 MozillaThunderbird-translations-other-68.7.0-3.77.1 References: https://www.suse.com/security/cve/CVE-2020-6819.html https://www.suse.com/security/cve/CVE-2020-6820.html https://www.suse.com/security/cve/CVE-2020-6821.html https://www.suse.com/security/cve/CVE-2020-6822.html https://www.suse.com/security/cve/CVE-2020-6825.html https://bugzilla.suse.com/1168630 https://bugzilla.suse.com/1168874 From sle-security-updates at lists.suse.com Sat Apr 18 13:56:24 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sat, 18 Apr 2020 21:56:24 +0200 (CEST) Subject: SUSE-CU-2020:129-1: Security update of sles12/registry Message-ID: <20200418195624.1CD1DFFE8@maintenance.suse.de> SUSE Container Update Advisory: sles12/registry ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:129-1 Container Tags : sles12/registry:2.6.2 , sles12/registry:2.6.2-build4.15.1 Container Release : 4.15.1 Severity : important Type : security References : 1106383 1110929 1114592 1117951 1123886 1133495 1135254 1139459 1141897 1142649 1142654 1148517 1149145 1151377 1151506 1154043 1154871 1155574 1156482 1157578 1158809 1159814 1160100 1160163 1160594 1160764 1161675 1161779 1162027 1162108 1162518 1163922 1165915 1165919 1166510 1168195 CVE-2019-14250 CVE-2019-1551 CVE-2019-15847 CVE-2020-1712 CVE-2020-8013 ----------------------------------------------------------------- The container sles12/registry was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:276-1 Released: Thu Jan 30 18:01:53 2020 Summary: Recommended update for apache2 Type: recommended Severity: important References: 1160100,1161675 This update for apache2 fixes the following issues: - Fix crash in mod_ssl: work around leaks on (graceful) restart (bsc#1161675) - apache2-devel now provides httpd-devel [bsc#1160100] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:403-1 Released: Wed Feb 19 09:05:00 2020 Summary: Recommended update for apache2 Type: recommended Severity: moderate References: 1162027 This update for apache2 fixes the following issues: - Fix for SSL Certificate chain error when using mod_ssl and mod_md in a complex setup. (bsc#1162027) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:404-1 Released: Wed Feb 19 09:05:47 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1154871 This update for p11-kit fixes the following issues: - Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:474-1 Released: Tue Feb 25 13:24:15 2020 Summary: Security update for openssl Type: security Severity: moderate References: 1117951,1158809,1160163,CVE-2019-1551 This update for openssl fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Non-security issue fixed: - Fixed a crash in BN_copy (bsc#1160163). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:545-1 Released: Fri Feb 28 15:50:46 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1123886,1160594,1160764,1161779,1163922,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:561-1 Released: Mon Mar 2 17:24:59 2020 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: 1110929,1157578 This update for elfutils fixes the following issues: - Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578) - Fix for '.ko' file corruption in debug info. 
(bsc#1110929) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:571-1 Released: Tue Mar 3 13:23:35 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:331-1 Released: Wed Mar 18 12:52:46 2020 Summary: Security update for systemd Type: security Severity: important References: 1106383,1133495,1139459,1151377,1151506,1154043,1155574,1156482,1159814,1162108,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Unconfirmed fix to prevent hanging of systemctl during restart. (bsc#1139459) - Fix warnings thrown during package installation. (bsc#1154043) - Fix for system-udevd to prevent crash within OES2018. (bsc#1151506) - Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482) - Wait for workers to finish when exiting. (bsc#1106383) - Improve log message when inotify limit is reached. (bsc#1155574) - Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377) - Introduce function for reading virtual files in 'sysfs' and 'procfs'. 
(bsc#1133495, bsc#1159814) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:786-1 Released: Wed Mar 25 06:47:18 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1165915,1165919 This update for p11-kit fixes the following issues: - tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so we can pull it in. (bsc#1165915 bsc#1165919) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:822-1 Released: Tue Mar 31 13:06:24 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb to a separate package pam-extra (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:915-1 Released: Fri Apr 3 13:15:11 2020 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1168195 This update for openldap2 fixes the following issue: - The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:394-1 Released: Tue Apr 14 17:25:16 2020 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847 This update for gcc9 fixes the following issues: The GNU Compiler Collection is shipped in version 9. A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html The compilers have been added to the SUSE Linux Enterprise Toolchain Module. To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set. For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants. 
Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) From sle-security-updates at lists.suse.com Tue Apr 21 07:13:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 21 Apr 2020 15:13:52 +0200 (CEST) Subject: SUSE-SU-2020:14342-1: important: Security update for apache2 Message-ID: <20200421131352.3D2F7FE29@maintenance.suse.de> SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14342-1 Rating: important References: #1168404 #1169066 Cross-References: CVE-2020-1934 CVE-2020-1938 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for apache2 fixes the following issues: - CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404). - CVE-2020-1938: mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-apache2-14342=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-apache2-14342=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-apache2-14342=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-apache2-14342=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): apache2-2.2.34-70.27.1 apache2-doc-2.2.34-70.27.1 apache2-example-pages-2.2.34-70.27.1 apache2-prefork-2.2.34-70.27.1 apache2-utils-2.2.34-70.27.1 apache2-worker-2.2.34-70.27.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): apache2-2.2.34-70.27.1 apache2-devel-2.2.34-70.27.1 apache2-doc-2.2.34-70.27.1 apache2-example-pages-2.2.34-70.27.1 apache2-prefork-2.2.34-70.27.1 apache2-utils-2.2.34-70.27.1 apache2-worker-2.2.34-70.27.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): apache2-debuginfo-2.2.34-70.27.1 apache2-debugsource-2.2.34-70.27.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): apache2-debuginfo-2.2.34-70.27.1 apache2-debugsource-2.2.34-70.27.1 References: https://www.suse.com/security/cve/CVE-2020-1934.html https://www.suse.com/security/cve/CVE-2020-1938.html https://bugzilla.suse.com/1168404 https://bugzilla.suse.com/1169066 From sle-security-updates at lists.suse.com Tue Apr 21 07:18:19 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 21 Apr 2020 15:18:19 +0200 (CEST) Subject: SUSE-SU-2020:1049-1: important: Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP1) Message-ID: <20200421131819.E5F3DFE29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1049-1 Rating: important References: #1165631 
Cross-References: CVE-2020-1749 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.12.14-197_37 fixes one issue. The following security issue was fixed: - CVE-2020-1749: Fixed a vulnerability where in some cases IPv6 traffic would not be encrypted over an IPsec tunnel (bsc#1165629). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1049=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_37-default-2-2.2 References: https://www.suse.com/security/cve/CVE-2020-1749.html https://bugzilla.suse.com/1165631 From sle-security-updates at lists.suse.com Tue Apr 21 13:16:05 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 21 Apr 2020 21:16:05 +0200 (CEST) Subject: SUSE-SU-2020:1057-1: moderate: Security update for puppet Message-ID: <20200421191605.5E463FFEB@maintenance.suse.de> SUSE Security Update: Security update for puppet ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1057-1 Rating: moderate References: #1167645 Cross-References: CVE-2020-7942 Affected Products: SUSE Linux Enterprise Module for Advanced Systems Management 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for puppet fixes the following issues: - CVE-2020-7942: Added a warning for a vulnerable configuration option, which could allow for information disclosure in certain setups. Disabling it may break some setups. (bsc#1167645) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Advanced Systems Management 12: zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-1057=1 Package List: - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64): puppet-3.8.5-15.12.1 puppet-server-3.8.5-15.12.1 References: https://www.suse.com/security/cve/CVE-2020-7942.html https://bugzilla.suse.com/1167645 From sle-security-updates at lists.suse.com Tue Apr 21 13:18:11 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 21 Apr 2020 21:18:11 +0200 (CEST) Subject: SUSE-SU-2020:1058-1: important: Security update for openssl-1_1 Message-ID: <20200421191811.A3A15FFEB@maintenance.suse.de> SUSE Security Update: Security update for openssl-1_1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1058-1 Rating: important References: #1169407 Cross-References: CVE-2020-1967 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for openssl-1_1 fixes the following issues: - CVE-2020-1967: Fixed a denial of service via NULL pointer dereference in SSL_check_chain (bsc#1169407). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1058=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1058=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1058=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1058=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libopenssl-1_1-devel-1.1.1d-2.23.1 openssl-1_1-debuginfo-1.1.1d-2.23.1 openssl-1_1-debugsource-1.1.1d-2.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64): libopenssl-1_1-devel-32bit-1.1.1d-2.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libopenssl-1_1-devel-1.1.1d-2.23.1 openssl-1_1-debuginfo-1.1.1d-2.23.1 openssl-1_1-debugsource-1.1.1d-2.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (s390x x86_64): libopenssl-1_1-devel-32bit-1.1.1d-2.23.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libopenssl1_1-1.1.1d-2.23.1 libopenssl1_1-debuginfo-1.1.1d-2.23.1 openssl-1_1-debuginfo-1.1.1d-2.23.1 openssl-1_1-debugsource-1.1.1d-2.23.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libopenssl1_1-32bit-1.1.1d-2.23.1 libopenssl1_1-debuginfo-32bit-1.1.1d-2.23.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libopenssl1_1-1.1.1d-2.23.1 libopenssl1_1-debuginfo-1.1.1d-2.23.1 openssl-1_1-1.1.1d-2.23.1 openssl-1_1-debuginfo-1.1.1d-2.23.1 openssl-1_1-debugsource-1.1.1d-2.23.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libopenssl1_1-32bit-1.1.1d-2.23.1 libopenssl1_1-debuginfo-32bit-1.1.1d-2.23.1 References: 
https://www.suse.com/security/cve/CVE-2020-1967.html https://bugzilla.suse.com/1169407 From sle-security-updates at lists.suse.com Wed Apr 22 10:14:00 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 22 Apr 2020 18:14:00 +0200 (CEST) Subject: SUSE-SU-2020:1066-1: moderate: Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper Message-ID: <20200422161400.1A9E4FE29@maintenance.suse.de> SUSE Security Update: Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1066-1 Rating: moderate References: #1040519 #1048688 #1077718 #1111180 #1114157 #1114169 #1115904 #1125357 #1129734 #1132852 #1133817 #1135773 #1145498 #1146206 #1148426 #1149110 #1149535 #1151206 #1165402 #1165643 #1166290 #1167240 #144694 Cross-References: CVE-2017-5637 CVE-2018-10851 CVE-2018-14626 CVE-2019-0201 CVE-2019-11596 CVE-2019-15026 CVE-2019-3871 CVE-2020-5247 CVE-2020-9543 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has 14 fixes is now available. 
Description: This update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper contains the following fixes: Security fix for rubygem-puma: - CVE-2020-5247: Fixed an issue where the newlines in headers according to Rack spec were not split (bsc#1165402) Security fix for openstack-manila: - CVE-2020-9543: Fixed an issue where an attacker could view, update, delete, or share resources that do not Security fixes for memcached: - CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str() in memcached.c (bsc#1149110). - CVE-2019-11596: Fixed NULL pointer dereference in process_lru_command() in memcached.c (bsc#1133817). Security fixes for pdns: - CVE-2019-3871: Fixed a denial of service with the HTTP remote backend when the attacker can send crafted DNS queries (bsc#1129734). - CVE-2018-10851: Fixed a denial of service via crafted zone record (bnc#1114157). - CVE-2018-14626: Fixed a denial of service by hiding DNSSEC records using a crafted DNS query (bsc#1114169). Security fixes for zookeeper: - CVE-2019-0201: Fixed an information disclosure in the ACL handling (bsc#1135773). - CVE-2017-5637: Fixed incorrect input validation with wchp/wchc four letter words (bsc#1040519). 
Changes in ardana-ansible: - Update to version 8.0+git.1583432621.24fa60e: * Upgrade pre-checks in Cloud 8 and Cloud 9 (SOC-10300) Changes in ardana-barbican: - Update to version 8.0+git.1585152761.8ef3d61: * monitor ardana-node-cert (SOC-10873) Changes in ardana-db: - Update to version 8.0+git.1583944923.03cca6c: * monitor MySQL TLS certificate (SOC-10873) Changes in ardana-monasca: - Update to version 8.0+git.1583944894.38f023a: * Add certificate file check alarm (SOC-10873) Changes in ardana-mq: - Update to version 8.0+git.1583944811.dc14403: * monitor RabbitMQ TLS certificate (SOC-10873) Changes in ardana-neutron: - Update to version 8.0+git.1584715262.e4ea620: * Add symlink for neutron-fwaas.json.j2 (bsc#1166290) Changes in ardana-octavia: - Update to version 8.0+git.1585171918.418f5cf: * Reconfigure monitor if needed (SOC-10873) - Update to version 8.0+git.1585168661.135c735: * fix Octavia client cert redeploy (SOC-10873) - Update to version 8.0+git.1585152502.f15907a: * monitor Octavia client certificate (SOC-10873) Changes in ardana-tempest: - Update to version 8.0+git.1585311051.6ab5488: * Enable port-security feature in tempest(SOC-11027) Changes in crowbar-core: - Update to version 5.0+git.1585575551.16781d00d: * upgrade: Point to config dir instead of config file (SOC-11171) * upgrade: Do not call neutron-evacuate-lbaasv2-agent with use_crm (SOC-11171) - Update to version 5.0+git.1585316726.670746c8c: * upgrade: Fix systemd unit listing (trivial) - Update to version 5.0+git.1585213241.46f12f9be: * upgrade: Remove the assignment of crowbar-upgrade role (SOC-11166) - Update to version 5.0+git.1585118470.eed9020de: * Update the default value of OS version (trivial) * Ignore CVE-2020-5267 in CI (bsc#1167240) * Ignore CVE-2020-10663 in CI (bsc#1167244) - Update to version 5.0+git.1583911121.d6b4b4b1a: * ses: Make SES UI safe for unknown options (trivial) * ses: Use cinder user for nova (SOC-11119) * ses: Added helper for populating cinder volumes 
(SOC-11117) * ses: Add ses cookbook (SOC-11114) * ses: Configuration upload (SOC-11115) - Update to version 5.0+git.1583309007.e3a8b81e9: * Ignore CVE-2020-8130 in CI (bsc#1164804) * Ignore CVE-2020-5247 (bsc#1165402) Changes in crowbar-ha: - Update to version 5.0+git.1585316176.344190f: * add ssl termination on haproxy (bsc#1149535) Changes in crowbar-openstack: - Update to version 5.0+git.1585304226.2164b7895: * nova: Fix migration numbers (trivial) - Update to version 5.0+git.1584692779.369c58aca: * nova: Drop redundant disk_cachemodes (trivial) * nova: Add option to disable ephemeral on ceph (SOC-11119) * keystone: Register SES RadosGW endpoints (SOC-5270) * heat: Increase heat_register syncmark timeout (SOC-11103) * heat: Simplify domain registration code (SOC-11103) * nova: Setup CEPH secrets later (SOC-11141) * nova: Enable ephemeral volumes on SES (SOC-11119) * glance: Set SES as default for new deployments (SOC-11118) * cinder: Correctly show old internal backends (SOC-11117) * nova: SES integration (SOC-11117) * nova: Hound fixes (trivial) * nova: Better error handling when Cephx auth is failing (noref) * nova: delete libvirt secret snippet immediately (noref) * nova: reduce nesting of ceph management code (noref) * nova: Remove obsolete rbd/ceph attributes (trivial) * cinder: SES integration (SOC-11117) * cinder: Disable use_crowbar default (SOC-11117) * glance: SES integration (SOC-11118) Changes in documentation-suse-openstack-cloud: - Update to version 8.20200319: * Adding ses-integration docs to cloud 8 (noref) * Fix bsc-1130532. 
Add feedback * fix bsc-1130532 - Update to version 8.20200116: * Fixing links from suse.com/doc to new URL (noref) - Update to version 8.20200224: * Designate: add instructions on using PowerDNS backend (SOC-11051) * Designate: recommend deploying DNS in a cluster in HA deployment (SOC-10636) * message to add non-admin node for public network (SOC-10658) * update designate deployment (SOC-8739) * add designate barclamp (SCRD-8739) * remove Designate name server instruction (bsc#1125357,SCRD-7649) - Update to version 8.20200130: * Add instructions for lbaas v2 loadbalancers (SOC-10980) (#1253) - Update to version 8.20191211: * Specify that manila-share should be installed on the control node (SOC-10938) (#1230) * Remove (commented) mention of phrases-decl.ent (trivial) - Update to version 8.20191206: * Clarify keyring chown instructions for Ceph (bsc#1111180) * Clarify VSA/Ceph support in HOS 8 , SOC-10981 (bsc#144694) - Update to version 8.20191205: * Update incorrect Manila install/setup instructions (SOC-10975) - Update to version 8.20191029: * Supplement/UAdmin: Group guides on documentation.suse.com (trivial) - Update to version 8.20191023: * fix instructions for TLS certificate renewal (SOC-10846) - Update to version 8.20191002: * Added missing edit (SOC-8480) * Adding Carl's second round of edits (SOC-8480) * Removing accidentally re-added guilabels (SOC-8480) * Applying Carl's edits (SOC-8480) * Optimizing PNGs (SOC-8480) * Removing guilabel complaint (SOC-8480) * Adding xi:include to commit (SOC-8480) * Add SSLCA-SelfSigned cert info to SOC Crowbar documentation (SOC-8480) * Add SSLCA-SelfSigned cert info to SOC Crowbar documentation (SOC-8480) - Update to version 8.20190923: * remove zvm references, only in SOC6 (noref) - Update to version 8.20190920: * remove workaround, leave description (bsc#1151206) * add qos to neutron not supported (bsc#1151206) - Update to version 8.20190829: * add available clients, dedicated CLM (bsc#1148426) * add tempest to 
service components, dedicated CLM (bsc#1148426) - Update to version 8.20190823: * Create CC-BY license file (noref) * for MariaDB update, db cluster must be running, healthy (bsc#1132852) - Update to version 8.20190820: * Fix broken URLs (SOC-10109) - Update to version 8.20190820: * add requirement for dummy entries in servers.yml (bsc#1146206) - Update to version 8.20190816: * add workaround for partition image resize (bsc#1145498) - Update to version 8.20190813: * MANAGEMENT network group cannot be changed, is required (SOC-10106) * remove NSX references from Crowbar deployment (SOC-10081) Changes in memcached: - version update to 1.5.17 * bugfixes fix strncpy call in stats conns to avoid ASAN violation (bsc#1149110, CVE-2019-15026) extstore: fix indentation add error handling when calling dup function add unlock when item_cachedump malloc failed extstore: emulate pread(v) for macOS fix off-by-one in logger to allow CAS commands to be logged. use strdup for explicitly configured slab sizes move mem_requested from slabs.c to items.c (internal cleanup) * new features add server address to the "stats conns" output log client connection id with fetchers and mutations Add a handler for seccomp crashes - version update to 1.5.16 * bugfixes When nsuffix is 0 space for flags hasn't been allocated so don't memcpy them. - version update to 1.5.15 * bugfixes Speed up incr/decr by replacing snprintf. Use correct buffer size for internal URI encoding. change some links from http to https Fix small memory leak in testapp.c. free window_global in slab_automove_extstore.c remove inline_ascii_response option -Y [filename] for ascii authentication mode fix: idle-timeout wasn't compatible with binprot * features -Y [authfile] enables an authentication mode for ASCII protocol. 
- modified patches % memcached-autofoo.patch (refreshed) - version update to 1.5.14 * update -h output for -I (max item size) * fix segfault in "lru" command (bsc#1133817, CVE-2019-11596) * fix compile error on centos7 * extstore: error adjusting page_size after ext_path * extstore: fix segfault if page_count is too high. * close delete + incr item survival race bug * memcached-tool dump fix loss of exp value * Fix "qw" in "MemcachedTest.pm" so wait_ext_flush is exported properly * Experimental TLS support. * Basic implementation of TLS for memcached. * Improve Get And Touch documentation * fix INCR/DECR refcount leak for invalid items - modified patches % memcached-autofoo.patch (refreshed) - Version bump to 1.5.11: * extstore: balance IO thread queues - Drop memcached-fix_test.patch that is present now upstream - Add patch to fix aarch64, ppc64* and s390x tests: * memcached-fix_test.patch - Fix linter errors regarding COPYING - update to 1.5.10: * disruptive change in extstore: -o ext_page_count= is deprecated and no longer works. To specify size: -o ext_path=/d/m/e:500G extstore figures out the page count based on your desired page size. M|G|T|P supported. * extstore: Add basic JBOD support: ext_path can be specified multiple times for striping onto similar devices * fix alignment issues on some ARM platforms for chunked items - Update to 1.5.9: * Bugfix release. * Important note: if using --enable-seccomp, privilege dropping is no longer on by default. The feature is experimental and many users are reporting hard to diagnose problems on varied platforms. * Seccomp is now marked EXPERIMENTAL, and must be explicitly enabled by adding -o drop_privileges. Once we're more confident with the usability of the feature, it will be enabled in -o modern, like any other new change. You should only use it if you are willing to carefully test it, especially if you're a vendor or distribution. 
* Also important is a crash fix in extstore when using the ASCII protocol, large items, and running low on memory. - update to 1.5.8: * Bugfixes for seccomp and extstore * Extstore platform portability has been greatly improved for ARM and 32bit systems - includes changes from 1.5.7: * Fix alignment issues for 64bit ARM processors * Fix seccomp portability * Fix refcount leak with extstore while using binary touch commands - turn on the testsuite again, it seems to pass server side, too - Home directory shouldn't be world readable bsc#1077718 - Mention that this stream isn't affected by bsc#1085209, CVE-2018-1000127 to make the checker bots happy. Changes in openstack-manila: - Update to version manila-5.1.1.dev5: * Fix manila-tempest-minimal-dsvm-lvm-centos-7 job * share\_networks: enable project\_only API only Changes in openstack-manila: - Rebased patches: + cve-2020-9543-stable-pike.patch dropped (merged upstream) - Update to version manila-5.1.1.dev5: * Fix manila-tempest-minimal-dsvm-lvm-centos-7 job * share\_networks: enable project\_only API only Changes in openstack-neutron: - Update to version neutron-11.0.9.dev63: * ovs agent: signal to plugin if tunnel refresh needed * Do not initialize snat-ns twice Changes in openstack-neutron: - Update to version neutron-11.0.9.dev63: * ovs agent: signal to plugin if tunnel refresh needed * Do not initialize snat-ns twice Changes in openstack-nova: - Update to version nova-16.1.9.dev61: * Avoid circular reference during serialization * Mask the token used to allow access to consoles * Improve metadata server performance with large security groups * Remove exp legacy-tempest-dsvm-full-devstack-plugin-nfs - Update to version nova-16.1.9.dev54: * pike-only: remove broken non-voting ceph jobs * nova-live-migration: Wait for n-cpu services to come up after configuring Ceph * rt: only map compute node if we created it Changes in openstack-nova: - Update to version nova-16.1.9.dev61: * Avoid circular reference during 
serialization * Mask the token used to allow access to consoles * Improve metadata server performance with large security groups * Remove exp legacy-tempest-dsvm-full-devstack-plugin-nfs - Update to version nova-16.1.9.dev54: * pike-only: remove broken non-voting ceph jobs * nova-live-migration: Wait for n-cpu services to come up after configuring Ceph * rt: only map compute node if we created it Changes in pdns: - Add missing "BuildRequires: libmysqlclient-devel" to allow the package to build correctly. - CVE-2019-3871-auth-4.1.6.patch: fixes insufficient validation in HTTP remote backend (bsc#1129734, CVE-2019-3871) - CVE-2018-10851-auth-4.1.4.patch: fixes DoS via crafted zone record (bnc#1114157, CVE-2018-10851) - CVE-2018-14626-auth-4.1.4.patch: fixes an issue allowing a remote user to craft a DNS query that will cause an answer without DNSSEC records to be inserted into the packet cache and be returned to clients asking for DNSSEC records, thus hiding the presence of DNSSEC signatures leading to a potential DoS (bsc#1114169, CVE-2018-14626) Changes in python-amqp: - Make it build for SLE12SP3: - remove pytest-sugar build dependency - used %doc macro instead of %license - Removed patches that are already included in 2.4.2 - 0002-Do_not_send_AAAA_DNS_request_when_domain_resolved_to_IPv4_address.patch (SOC-9144) - 0001-Always-treat-SSLError-timeouts-as-socket-timeouts-24.patch (bsc#1115904) - Update to 2.4.2: - Added support for the Cygwin platform - Correct offset incrementation when parsing bitmaps. - Consequent bitmaps are now parsed correctly. - Better call of py.test - Add versions to dependencies - Remove python-sasl from build dependencies - Update to version 2.4.1 * To avoid breaking the API basic_consume() now returns the consumer tag instead of a tuple when nowait is True. * Fix crash in basic_publish when broker does not support connection.blocked capability. * read_frame() is now Python 3 compatible for large payloads. 
* Support float read_timeout/write_timeout. * Always treat SSLError timeouts as socket timeouts. * Treat EWOULDBLOCK as timeout. - from 2.4.0 * Fix inconsistent frame_handler return value. The function returned by frame_handler is meant to return True once the complete message is received and the callback is called, False otherwise. This fixes the return value for messages with a body split across multiple frames, and heartbeat frames. * Don't default content_encoding to utf-8 for bytes. This is not an acceptable default as the content may not be valid utf-8, and even if it is, the producer likely does not expect the message to be decoded by the consumer. * Fix encoding of messages with multibyte characters. Body length was previously calculated using string length, which may be less than the length of the encoded body when it contains multibyte sequences. This caused the body of the frame to be truncated. * Respect content_encoding when encoding messages. Previously the content_encoding was ignored and messages were always encoded as utf-8. This caused messages to be incorrectly decoded if content_encoding is properly respected when decoding. * Fix AMQP protocol header for AMQP 0-9-1. Previously it was set to a different value for unknown reasons. * Add support for Python 3.7. Change direct SSLSocket instantiation with wrap_socket. * Add support for field type "x" (byte array). * If there is an exception raised on Connection.connect or Connection.close, ensure that the underlying transport socket is closed. Adjust exception message on connection errors as well. * TCP_USER_TIMEOUT has to be excluded from KNOWN_TCP_OPTS in BSD platforms. * Handle negative acknowledgments. * Added integration tests. * Fix basic_consume() with no consumer_tag provided. * Improved empty AMQPError string representation. * Drain events before publish. This is needed to capture out of memory messages for clients that only publish. Otherwise on_blocked is never called. 
* Don't revive channel when connection is closing. When connection is closing don't raise error when Channel.Close method is received. Changes in zookeeper: - Apply 0002-Apply-patch-to-resolve-CVE-2019-0201.patch This applies the patch for ZOOKEEPER-1392 to resolve CVE-2019-0201 Should not allow to read ACL when not authorized to read node (bsc#1135773) - Various cleanups in spec file - Fixed off-by-one in zkCleanTRX.sh and made output more useful (bsc#1048688, FATE#323204) - Fixed ExecStartPre statement in service file - added zkCleanTRX.sh to clean up 0 length transaction logs - Update to zookeeper-3.4.10 (bsc#1040519) * Fixes CVE-2017-5637 - Remove Changes.txt (missing as of 3.4.10) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1066=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1066=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1066=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): crowbar-ha-5.0+git.1585316176.344190f-3.32.1 crowbar-openstack-5.0+git.1585304226.2164b7895-4.37.1 documentation-suse-openstack-cloud-deployment-8.20200319-1.23.1 documentation-suse-openstack-cloud-supplement-8.20200319-1.23.1 documentation-suse-openstack-cloud-upstream-admin-8.20200319-1.23.1 documentation-suse-openstack-cloud-upstream-user-8.20200319-1.23.1 openstack-manila-5.1.1~dev5-3.26.2 openstack-manila-api-5.1.1~dev5-3.26.2 openstack-manila-data-5.1.1~dev5-3.26.2 openstack-manila-doc-5.1.1~dev5-3.26.1 openstack-manila-scheduler-5.1.1~dev5-3.26.2 openstack-manila-share-5.1.1~dev5-3.26.2 openstack-neutron-11.0.9~dev63-3.30.2 openstack-neutron-dhcp-agent-11.0.9~dev63-3.30.2 openstack-neutron-doc-11.0.9~dev63-3.30.1 openstack-neutron-ha-tool-11.0.9~dev63-3.30.2 
openstack-neutron-l3-agent-11.0.9~dev63-3.30.2 openstack-neutron-linuxbridge-agent-11.0.9~dev63-3.30.2 openstack-neutron-macvtap-agent-11.0.9~dev63-3.30.2 openstack-neutron-metadata-agent-11.0.9~dev63-3.30.2 openstack-neutron-metering-agent-11.0.9~dev63-3.30.2 openstack-neutron-openvswitch-agent-11.0.9~dev63-3.30.2 openstack-neutron-server-11.0.9~dev63-3.30.2 openstack-nova-16.1.9~dev61-3.35.2 openstack-nova-api-16.1.9~dev61-3.35.2 openstack-nova-cells-16.1.9~dev61-3.35.2 openstack-nova-compute-16.1.9~dev61-3.35.2 openstack-nova-conductor-16.1.9~dev61-3.35.2 openstack-nova-console-16.1.9~dev61-3.35.2 openstack-nova-consoleauth-16.1.9~dev61-3.35.2 openstack-nova-doc-16.1.9~dev61-3.35.1 openstack-nova-novncproxy-16.1.9~dev61-3.35.2 openstack-nova-placement-api-16.1.9~dev61-3.35.2 openstack-nova-scheduler-16.1.9~dev61-3.35.2 openstack-nova-serialproxy-16.1.9~dev61-3.35.2 openstack-nova-vncproxy-16.1.9~dev61-3.35.2 python-amqp-2.4.2-3.9.1 python-manila-5.1.1~dev5-3.26.2 python-neutron-11.0.9~dev63-3.30.2 python-nova-16.1.9~dev61-3.35.2 zookeeper-server-3.4.10-3.6.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): crowbar-core-5.0+git.1585575551.16781d00d-3.38.1 crowbar-core-branding-upstream-5.0+git.1585575551.16781d00d-3.38.1 memcached-1.5.17-3.3.1 memcached-debuginfo-1.5.17-3.3.1 memcached-debugsource-1.5.17-3.3.1 ruby2.1-rubygem-puma-2.16.0-3.6.1 ruby2.1-rubygem-puma-debuginfo-2.16.0-3.6.1 rubygem-puma-debugsource-2.16.0-3.6.1 - SUSE OpenStack Cloud 8 (noarch): ardana-ansible-8.0+git.1583432621.24fa60e-3.70.1 ardana-barbican-8.0+git.1585152761.8ef3d61-4.33.1 ardana-db-8.0+git.1583944923.03cca6c-3.31.1 ardana-monasca-8.0+git.1583944894.38f023a-3.24.1 ardana-mq-8.0+git.1583944811.dc14403-3.19.1 ardana-neutron-8.0+git.1584715262.e4ea620-3.39.1 ardana-octavia-8.0+git.1585171918.418f5cf-3.26.1 ardana-tempest-8.0+git.1585311051.6ab5488-3.33.1 documentation-suse-openstack-cloud-installation-8.20200319-1.23.1 documentation-suse-openstack-cloud-operations-8.20200319-1.23.1 
documentation-suse-openstack-cloud-opsconsole-8.20200319-1.23.1 documentation-suse-openstack-cloud-planning-8.20200319-1.23.1 documentation-suse-openstack-cloud-security-8.20200319-1.23.1 documentation-suse-openstack-cloud-supplement-8.20200319-1.23.1 documentation-suse-openstack-cloud-upstream-admin-8.20200319-1.23.1 documentation-suse-openstack-cloud-upstream-user-8.20200319-1.23.1 documentation-suse-openstack-cloud-user-8.20200319-1.23.1 openstack-manila-5.1.1~dev5-3.26.2 openstack-manila-api-5.1.1~dev5-3.26.2 openstack-manila-data-5.1.1~dev5-3.26.2 openstack-manila-doc-5.1.1~dev5-3.26.1 openstack-manila-scheduler-5.1.1~dev5-3.26.2 openstack-manila-share-5.1.1~dev5-3.26.2 openstack-neutron-11.0.9~dev63-3.30.2 openstack-neutron-dhcp-agent-11.0.9~dev63-3.30.2 openstack-neutron-doc-11.0.9~dev63-3.30.1 openstack-neutron-ha-tool-11.0.9~dev63-3.30.2 openstack-neutron-l3-agent-11.0.9~dev63-3.30.2 openstack-neutron-linuxbridge-agent-11.0.9~dev63-3.30.2 openstack-neutron-macvtap-agent-11.0.9~dev63-3.30.2 openstack-neutron-metadata-agent-11.0.9~dev63-3.30.2 openstack-neutron-metering-agent-11.0.9~dev63-3.30.2 openstack-neutron-openvswitch-agent-11.0.9~dev63-3.30.2 openstack-neutron-server-11.0.9~dev63-3.30.2 openstack-nova-16.1.9~dev61-3.35.2 openstack-nova-api-16.1.9~dev61-3.35.2 openstack-nova-cells-16.1.9~dev61-3.35.2 openstack-nova-compute-16.1.9~dev61-3.35.2 openstack-nova-conductor-16.1.9~dev61-3.35.2 openstack-nova-console-16.1.9~dev61-3.35.2 openstack-nova-consoleauth-16.1.9~dev61-3.35.2 openstack-nova-doc-16.1.9~dev61-3.35.1 openstack-nova-novncproxy-16.1.9~dev61-3.35.2 openstack-nova-placement-api-16.1.9~dev61-3.35.2 openstack-nova-scheduler-16.1.9~dev61-3.35.2 openstack-nova-serialproxy-16.1.9~dev61-3.35.2 openstack-nova-vncproxy-16.1.9~dev61-3.35.2 python-amqp-2.4.2-3.9.1 python-manila-5.1.1~dev5-3.26.2 python-neutron-11.0.9~dev63-3.30.2 python-nova-16.1.9~dev61-3.35.2 venv-openstack-aodh-x86_64-5.1.1~dev7-12.24.1 
venv-openstack-barbican-x86_64-5.0.2~dev3-12.25.1 venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.22.1 venv-openstack-cinder-x86_64-11.2.3~dev23-14.25.1 venv-openstack-designate-x86_64-5.0.3~dev7-12.23.1 venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.20.1 venv-openstack-glance-x86_64-15.0.3~dev3-12.23.1 venv-openstack-heat-x86_64-9.0.8~dev22-12.25.1 venv-openstack-ironic-x86_64-9.1.8~dev8-12.25.1 venv-openstack-keystone-x86_64-12.0.4~dev5-11.26.1 venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.24.1 venv-openstack-manila-x86_64-5.1.1~dev5-12.29.1 venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.20.1 venv-openstack-murano-x86_64-4.0.2~dev2-12.20.1 venv-openstack-neutron-x86_64-11.0.9~dev63-13.28.1 venv-openstack-nova-x86_64-16.1.9~dev61-11.26.1 venv-openstack-octavia-x86_64-1.0.6~dev3-12.25.1 venv-openstack-sahara-x86_64-7.0.5~dev4-11.24.1 venv-openstack-trove-x86_64-8.0.2~dev2-11.24.1 zookeeper-server-3.4.10-3.6.1 - SUSE OpenStack Cloud 8 (x86_64): memcached-1.5.17-3.3.1 memcached-debuginfo-1.5.17-3.3.1 memcached-debugsource-1.5.17-3.3.1 pdns-4.1.2-3.6.1 pdns-backend-mysql-4.1.2-3.6.1 pdns-backend-mysql-debuginfo-4.1.2-3.6.1 pdns-debuginfo-4.1.2-3.6.1 pdns-debugsource-4.1.2-3.6.1 - HPE Helion Openstack 8 (x86_64): memcached-1.5.17-3.3.1 memcached-debuginfo-1.5.17-3.3.1 memcached-debugsource-1.5.17-3.3.1 pdns-4.1.2-3.6.1 pdns-backend-mysql-4.1.2-3.6.1 pdns-backend-mysql-debuginfo-4.1.2-3.6.1 pdns-debuginfo-4.1.2-3.6.1 pdns-debugsource-4.1.2-3.6.1 - HPE Helion Openstack 8 (noarch): ardana-ansible-8.0+git.1583432621.24fa60e-3.70.1 ardana-barbican-8.0+git.1585152761.8ef3d61-4.33.1 ardana-db-8.0+git.1583944923.03cca6c-3.31.1 ardana-monasca-8.0+git.1583944894.38f023a-3.24.1 ardana-mq-8.0+git.1583944811.dc14403-3.19.1 ardana-neutron-8.0+git.1584715262.e4ea620-3.39.1 ardana-octavia-8.0+git.1585171918.418f5cf-3.26.1 ardana-tempest-8.0+git.1585311051.6ab5488-3.33.1 documentation-hpe-helion-openstack-installation-8.20200319-1.23.1 
documentation-hpe-helion-openstack-operations-8.20200319-1.23.1 documentation-hpe-helion-openstack-opsconsole-8.20200319-1.23.1 documentation-hpe-helion-openstack-planning-8.20200319-1.23.1 documentation-hpe-helion-openstack-security-8.20200319-1.23.1 documentation-hpe-helion-openstack-user-8.20200319-1.23.1 openstack-manila-5.1.1~dev5-3.26.2 openstack-manila-api-5.1.1~dev5-3.26.2 openstack-manila-data-5.1.1~dev5-3.26.2 openstack-manila-doc-5.1.1~dev5-3.26.1 openstack-manila-scheduler-5.1.1~dev5-3.26.2 openstack-manila-share-5.1.1~dev5-3.26.2 openstack-neutron-11.0.9~dev63-3.30.2 openstack-neutron-dhcp-agent-11.0.9~dev63-3.30.2 openstack-neutron-doc-11.0.9~dev63-3.30.1 openstack-neutron-ha-tool-11.0.9~dev63-3.30.2 openstack-neutron-l3-agent-11.0.9~dev63-3.30.2 openstack-neutron-linuxbridge-agent-11.0.9~dev63-3.30.2 openstack-neutron-macvtap-agent-11.0.9~dev63-3.30.2 openstack-neutron-metadata-agent-11.0.9~dev63-3.30.2 openstack-neutron-metering-agent-11.0.9~dev63-3.30.2 openstack-neutron-openvswitch-agent-11.0.9~dev63-3.30.2 openstack-neutron-server-11.0.9~dev63-3.30.2 openstack-nova-16.1.9~dev61-3.35.2 openstack-nova-api-16.1.9~dev61-3.35.2 openstack-nova-cells-16.1.9~dev61-3.35.2 openstack-nova-compute-16.1.9~dev61-3.35.2 openstack-nova-conductor-16.1.9~dev61-3.35.2 openstack-nova-console-16.1.9~dev61-3.35.2 openstack-nova-consoleauth-16.1.9~dev61-3.35.2 openstack-nova-doc-16.1.9~dev61-3.35.1 openstack-nova-novncproxy-16.1.9~dev61-3.35.2 openstack-nova-placement-api-16.1.9~dev61-3.35.2 openstack-nova-scheduler-16.1.9~dev61-3.35.2 openstack-nova-serialproxy-16.1.9~dev61-3.35.2 openstack-nova-vncproxy-16.1.9~dev61-3.35.2 python-amqp-2.4.2-3.9.1 python-manila-5.1.1~dev5-3.26.2 python-neutron-11.0.9~dev63-3.30.2 python-nova-16.1.9~dev61-3.35.2 venv-openstack-aodh-x86_64-5.1.1~dev7-12.24.1 venv-openstack-barbican-x86_64-5.0.2~dev3-12.25.1 venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.22.1 venv-openstack-cinder-x86_64-11.2.3~dev23-14.25.1 
venv-openstack-designate-x86_64-5.0.3~dev7-12.23.1 venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.20.1 venv-openstack-glance-x86_64-15.0.3~dev3-12.23.1 venv-openstack-heat-x86_64-9.0.8~dev22-12.25.1 venv-openstack-ironic-x86_64-9.1.8~dev8-12.25.1 venv-openstack-keystone-x86_64-12.0.4~dev5-11.26.1 venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.24.1 venv-openstack-manila-x86_64-5.1.1~dev5-12.29.1 venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.20.1 venv-openstack-murano-x86_64-4.0.2~dev2-12.20.1 venv-openstack-neutron-x86_64-11.0.9~dev63-13.28.1 venv-openstack-nova-x86_64-16.1.9~dev61-11.26.1 venv-openstack-octavia-x86_64-1.0.6~dev3-12.25.1 venv-openstack-sahara-x86_64-7.0.5~dev4-11.24.1 venv-openstack-trove-x86_64-8.0.2~dev2-11.24.1 zookeeper-server-3.4.10-3.6.1 References: https://www.suse.com/security/cve/CVE-2017-5637.html https://www.suse.com/security/cve/CVE-2018-10851.html https://www.suse.com/security/cve/CVE-2018-14626.html https://www.suse.com/security/cve/CVE-2019-0201.html https://www.suse.com/security/cve/CVE-2019-11596.html https://www.suse.com/security/cve/CVE-2019-15026.html https://www.suse.com/security/cve/CVE-2019-3871.html https://www.suse.com/security/cve/CVE-2020-5247.html https://www.suse.com/security/cve/CVE-2020-9543.html https://bugzilla.suse.com/1040519 https://bugzilla.suse.com/1048688 https://bugzilla.suse.com/1077718 https://bugzilla.suse.com/1111180 https://bugzilla.suse.com/1114157 https://bugzilla.suse.com/1114169 https://bugzilla.suse.com/1115904 https://bugzilla.suse.com/1125357 https://bugzilla.suse.com/1129734 https://bugzilla.suse.com/1132852 https://bugzilla.suse.com/1133817 https://bugzilla.suse.com/1135773 https://bugzilla.suse.com/1145498 https://bugzilla.suse.com/1146206 https://bugzilla.suse.com/1148426 https://bugzilla.suse.com/1149110 https://bugzilla.suse.com/1149535 https://bugzilla.suse.com/1151206 https://bugzilla.suse.com/1165402 https://bugzilla.suse.com/1165643 
https://bugzilla.suse.com/1166290 https://bugzilla.suse.com/1167240 https://bugzilla.suse.com/144694 From sle-security-updates at lists.suse.com Wed Apr 22 10:18:19 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 22 Apr 2020 18:18:19 +0200 (CEST) Subject: SUSE-SU-2020:1065-1: moderate: Security update for ovmf Message-ID: <20200422161819.8815FFE29@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1065-1 Rating: moderate References: #1163927 Cross-References: CVE-2019-14559 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ovmf fixes the following issues: - CVE-2019-14559: Fixed a memory leak in ArpOnFrameRcvdDpc() (bsc#1163927). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1065=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1065=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-3.26.1 ovmf-tools-2017+git1510945757.b2662641d5-3.26.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.26.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-3.26.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-3.26.1 ovmf-tools-2017+git1510945757.b2662641d5-3.26.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.26.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-3.26.1 References: https://www.suse.com/security/cve/CVE-2019-14559.html https://bugzilla.suse.com/1163927 From sle-security-updates at lists.suse.com Wed Apr 22 16:17:56 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 23 Apr 2020 00:17:56 +0200 (CEST) Subject: SUSE-SU-2020:1072-1: important: Security update for pacemaker Message-ID: <20200422221756.497A8FE29@maintenance.suse.de> SUSE Security Update: Security update for pacemaker ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1072-1 Rating: important References: #1131353 #1131356 Cross-References: CVE-2018-16877 CVE-2018-16878 Affected Products: SUSE Linux Enterprise High Availability 12-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for pacemaker fixes the following issues: - CVE-2018-16877: Fixed an issue with insufficient local IPC client-server authentication on the client's side (bsc#1131356). 
- CVE-2018-16878: Fixed a denial of service related to insufficient verification of uncontrolled processes (bsc#1131353).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 12-SP2:
    zypper in -t patch SUSE-SLE-HA-12-SP2-2020-1072=1

Package List:

- SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):
    libpacemaker3-1.1.15-23.9.1
    libpacemaker3-debuginfo-1.1.15-23.9.1
    pacemaker-1.1.15-23.9.1
    pacemaker-cli-1.1.15-23.9.1
    pacemaker-cli-debuginfo-1.1.15-23.9.1
    pacemaker-cts-1.1.15-23.9.1
    pacemaker-cts-debuginfo-1.1.15-23.9.1
    pacemaker-debuginfo-1.1.15-23.9.1
    pacemaker-debugsource-1.1.15-23.9.1
    pacemaker-remote-1.1.15-23.9.1
    pacemaker-remote-debuginfo-1.1.15-23.9.1

References:

https://www.suse.com/security/cve/CVE-2018-16877.html
https://www.suse.com/security/cve/CVE-2018-16878.html
https://bugzilla.suse.com/1131353
https://bugzilla.suse.com/1131356

From sle-security-updates at lists.suse.com Wed Apr 22 16:20:06 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Apr 2020 00:20:06 +0200 (CEST)
Subject: SUSE-SU-2020:1077-1: important: Test update for SUSE:SLE-15-SP2:Update (security)
Message-ID: <20200422222006.C02CCFFE8@maintenance.suse.de>

SUSE Security Update: Test update for SUSE:SLE-15-SP2:Update (security)
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1077-1
Rating: important
References: #1169700
Affected Products:
    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that contains security fixes can now be installed.
Description:

This is a security test update for SUSE:SLE-15-SP2:Update

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1077=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1077=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
    update-test-security-5.1-4.25.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
    update-test-security-5.1-4.25.1

References:

https://bugzilla.suse.com/1169700

From sle-security-updates at lists.suse.com Thu Apr 23 07:14:09 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Apr 2020 15:14:09 +0200 (CEST)
Subject: SUSE-SU-2020:1085-1: important: Security update for the Linux Kernel
Message-ID: <20200423131409.F18E1FE29@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1085-1
Rating: important
References:
    #1044231 #1050549 #1051510 #1051858 #1056686 #1060463 #1065600 #1065729
    #1083647 #1085030 #1104967 #1109911 #1114279 #1118338 #1120386 #1133021
    #1136157 #1137325 #1144333 #1145051 #1145929 #1146539 #1148868 #1154385
    #1157424 #1158552 #1158983 #1159037 #1159142 #1159198 #1159285 #1160659
    #1161951 #1162929 #1162931 #1163403 #1163508 #1163897 #1164078 #1164284
    #1164507 #1164893 #1165019 #1165111 #1165182 #1165404 #1165488 #1165527
    #1165741 #1165813 #1165873 #1165949 #1165984 #1165985 #1166003 #1166101
    #1166102 #1166103 #1166104 #1166632 #1166730 #1166731 #1166732 #1166733
    #1166734
    #1166735 #1166780 #1166860 #1166861 #1166862 #1166864 #1166866 #1166867
    #1166868 #1166870 #1166940 #1167005 #1167288 #1167290 #1167316 #1167421
    #1167423 #1167629 #1168075 #1168202 #1168276 #1168295 #1168424 #1168443
    #1168486 #1168760 #1168762 #1168763 #1168764 #1168765 #1168829 #1168854
    #1168881 #1168884 #1168952 #1169057 #1169390
Cross-References:
    CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458
    CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-8647
    CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products:
    SUSE Linux Enterprise Real Time Extension 12-SP4
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 91 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 RT kernel was updated to 3.12.31 to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911).
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911).
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911).
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198).
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911).
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911).
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911).
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911).
- debugfs: simplify __debugfs_remove_file() (bsc#1159198).
- Delete patches which cause regression (bsc#1165527 ltc#184149).
- Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403).
- device: Use overflow helpers for devm_kmalloc() (bsc#1166003).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765).
- ext4: fix incorrect inodes per group in error message (bsc#1168764).
- ext4: fix potential race between online resizing and write operations (bsc#1166864).
- ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867).
- ext4: fix potential race between s_group_info online resizing and access (bsc#1166866).
- ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870).
- ext4: fix support for inode sizes > 1024 bytes (bsc#1164284).
- ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940).
- ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868).
- ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- fix memory leak in large read decrypt offload (bsc#1144333).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hv_netvsc: pass netvsc_device to rndis halt
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463 ).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kABI: invoke bpf_gen_ld_abs() directly (bsc#1158552).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix an error code format and remove unsed bio_sector (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md: introduce new personality funciton start() (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/r5cache: remove redundant pointer bio (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md/raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md/raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md/raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003).
- md: remove a bogus comment (bsc#1166003).
- md: remove redundant code that is no longer reachable (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- mm: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mm: Use overflow helpers in kvmalloc() (bsc#1166003).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net/sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net/sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net/sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net/sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5-cache: Need to do start() part job after adding journal device (bsc#1166003).
- raid5: copy write hint from origin bio to stripe (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). Refresh sorted patches.
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424).
- scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424).
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424).
- scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424).
- scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424).
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424).
- scsi: qla2xxx: add more FW debug information (bsc#1157424).
- scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424).
- scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424).
- scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424).
- scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424).
- scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424).
- scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424).
- scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424).
- scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424).
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424).
- scsi: qla2xxx: Display message for FCE enabled (bsc#1157424).
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424).
- scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424).
- scsi: qla2xxx: fix FW resource count values (bsc#1157424).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424).
- scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424).
- scsi: qla2xxx: Fix RDP respond data format (bsc#1157424).
- scsi: qla2xxx: Fix RDP response size (bsc#1157424).
- scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424).
- scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424).
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424).
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424).
- scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424).
- scsi: qla2xxx: Improved secure flash support messages (bsc#1157424).
- scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424).
- scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424).
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424).
- scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424).
- scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424).
- scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424).
- scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424).
- scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424).
- scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424).
- scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424).
- scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424).
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424).
- scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424).
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424).
- scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424).
- scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424).
- scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424).
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- smb3: add debug messages for closing unmatched open (bsc#1144333).
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333).
- smb3: add dynamic tracepoints for flush and close (bsc#1144333).
- smb3: add missing flag definitions (bsc#1144333).
- smb3: Add missing reparse tags (bsc#1144333).
- smb3: add missing worker function for SMB3 change notify (bsc#1144333).
- smb3: add mount option to allow forced caching of read only share (bsc#1144333).
- smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333).
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333).
- smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333).
- smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333).
- smb3: allow disabling requesting leases (bsc#1144333).
- smb3: allow parallelizing decryption of reads (bsc#1144333).
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333).
- SMB3: Backup intent flag missing from some more ops (bsc#1144333).
- smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333).
- smb3: display max smb3 requests in flight at any one time (bsc#1144333).
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333).
- smb3: enable offload of decryption of large reads via mount option (bsc#1144333).
- smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333).
- smb3: fix mode passed in on create for modetosid mount option (bsc#1144333).
- smb3: fix performance regression with setting mtime (bsc#1144333).
- smb3: fix potential null dereference in decrypt offload (bsc#1144333).
- smb3: fix problem with null cifs super block with previous patch (bsc#1144333).
- smb3: Fix regression in time handling (bsc#1144333).
- smb3: improve check for when we send the security descriptor context on create (bsc#1144333).
- smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333).
- smb3: missing ACL related flags (bsc#1144333).
- smb3: only offload decryption of read responses if multiple requests (bsc#1144333).
- smb3: pass mode bits into create calls (bsc#1144333).
- smb3: print warning once if posix context returned on open (bsc#1144333).
- smb3: query attributes on file close (bsc#1144333).
- smb3: remove noisy debug message and minor cleanup (bsc#1144333).
- smb3: remove unused flag passed into close functions (bsc#1144333).
- staging: ccree: use signal safe completion wait (git-fixes).
- staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510).
- staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8188eu: Fix potential security hole (bsc#1051510).
- staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8723bs: Fix potential security hole (bsc#1051510).
- staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510).
- staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510).
- staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202).
- tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27).
- tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05).
- tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20).
- tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11).
- thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510).
- thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes).
- tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231).
- tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes).
- tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003).
- tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729).
- tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510).
- ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes).
- tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510).
- tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510).
- USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes).
- USB: core: add endpoint-blacklist quirk (git-fixes).
- USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: Disable LPM on WD19's Realtek Hub (git-fixes).
- USB: dwc2: Fix in ISOC request length checking (git-fixes).
- USB: Fix novation SourceControl XL after suspend (git-fixes).
- USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes).
- USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510).
- USB: host: xhci-plat: add a shutdown (git-fixes).
- USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes).
- USB: hub: Do not record a connect-change event during reset-resume (git-fixes).
- usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes).
- USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes).
- USB: misc: iowarrior: add support for the 100 device (git-fixes).
- USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes).
- USB: musb: Disable pullup at init (git-fixes).
- USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510).
- USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes).
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes).
- USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes).
- USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510).
- USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes).
- USB: serial: pl2303: add device-id for HP LD381 (git-fixes).
- USB: storage: Add quirk for Samsung Fit flash (git-fixes).
- USB: uas: fix a plug & unplug racing (git-fixes).
- USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes).
- uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279)
- virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes).
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11).
- vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11).
- vxlan: fix tos value before xmit (networking-stable-20_01_11).
- x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279).
- x86/mce/amd: Fix kobject lifetime (bsc#1114279).
- x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279).
- x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279).
- xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes).
- xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes).
- xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510).
- xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Real Time Extension 12-SP4: zypper in -t patch SUSE-SLE-RT-12-SP4-2020-1085=1 Package List: - SUSE Linux Enterprise Real Time Extension 12-SP4 (x86_64): cluster-md-kmp-rt-4.12.14-8.18.1 dlm-kmp-rt-4.12.14-8.18.1 gfs2-kmp-rt-4.12.14-8.18.1 kernel-rt-4.12.14-8.18.1 kernel-rt-base-4.12.14-8.18.1 kernel-rt-devel-4.12.14-8.18.1 kernel-rt_debug-devel-4.12.14-8.18.1 kernel-syms-rt-4.12.14-8.18.1 ocfs2-kmp-rt-4.12.14-8.18.1 - SUSE Linux Enterprise Real Time Extension 12-SP4 (noarch): kernel-devel-rt-4.12.14-8.18.1 kernel-source-rt-4.12.14-8.18.1 References: https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-11669.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-9383.html https://bugzilla.suse.com/1044231 https://bugzilla.suse.com/1050549 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1056686 https://bugzilla.suse.com/1060463 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1104967 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1136157 https://bugzilla.suse.com/1137325 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1145051 https://bugzilla.suse.com/1145929 https://bugzilla.suse.com/1146539 
https://bugzilla.suse.com/1148868 https://bugzilla.suse.com/1154385 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1158552 https://bugzilla.suse.com/1158983 https://bugzilla.suse.com/1159037 https://bugzilla.suse.com/1159142 https://bugzilla.suse.com/1159198 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1160659 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 https://bugzilla.suse.com/1163403 https://bugzilla.suse.com/1163508 https://bugzilla.suse.com/1163897 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164284 https://bugzilla.suse.com/1164507 https://bugzilla.suse.com/1164893 https://bugzilla.suse.com/1165019 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165182 https://bugzilla.suse.com/1165404 https://bugzilla.suse.com/1165488 https://bugzilla.suse.com/1165527 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1165813 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165949 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1166003 https://bugzilla.suse.com/1166101 https://bugzilla.suse.com/1166102 https://bugzilla.suse.com/1166103 https://bugzilla.suse.com/1166104 https://bugzilla.suse.com/1166632 https://bugzilla.suse.com/1166730 https://bugzilla.suse.com/1166731 https://bugzilla.suse.com/1166732 https://bugzilla.suse.com/1166733 https://bugzilla.suse.com/1166734 https://bugzilla.suse.com/1166735 https://bugzilla.suse.com/1166780 https://bugzilla.suse.com/1166860 https://bugzilla.suse.com/1166861 https://bugzilla.suse.com/1166862 https://bugzilla.suse.com/1166864 https://bugzilla.suse.com/1166866 https://bugzilla.suse.com/1166867 https://bugzilla.suse.com/1166868 https://bugzilla.suse.com/1166870 https://bugzilla.suse.com/1166940 https://bugzilla.suse.com/1167005 https://bugzilla.suse.com/1167288 https://bugzilla.suse.com/1167290 https://bugzilla.suse.com/1167316 
https://bugzilla.suse.com/1167421 https://bugzilla.suse.com/1167423 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168202 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168443 https://bugzilla.suse.com/1168486 https://bugzilla.suse.com/1168760 https://bugzilla.suse.com/1168762 https://bugzilla.suse.com/1168763 https://bugzilla.suse.com/1168764 https://bugzilla.suse.com/1168765 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1168881 https://bugzilla.suse.com/1168884 https://bugzilla.suse.com/1168952 https://bugzilla.suse.com/1169057 https://bugzilla.suse.com/1169390 From sle-security-updates at lists.suse.com Thu Apr 23 07:28:45 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 23 Apr 2020 15:28:45 +0200 (CEST) Subject: SUSE-SU-2020:1083-1: important: Security update for cups Message-ID: <20200423132845.0549CFE0F@maintenance.suse.de> SUSE Security Update: Security update for cups ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1083-1 Rating: important References: #1168422 Cross-References: CVE-2020-3898 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one 
vulnerability is now available. Description: This update for cups fixes the following issues: - CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1083=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1083=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-1083=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1083=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-1083=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1083=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1083=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1083=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1083=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1083=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): cups-2.2.7-3.17.1 cups-client-2.2.7-3.17.1 cups-client-debuginfo-2.2.7-3.17.1 cups-config-2.2.7-3.17.1 cups-ddk-2.2.7-3.17.1 cups-ddk-debuginfo-2.2.7-3.17.1 cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 cups-devel-2.2.7-3.17.1 libcups2-2.2.7-3.17.1 libcups2-debuginfo-2.2.7-3.17.1 
libcupscgi1-2.2.7-3.17.1 libcupscgi1-debuginfo-2.2.7-3.17.1 libcupsimage2-2.2.7-3.17.1 libcupsimage2-debuginfo-2.2.7-3.17.1 libcupsmime1-2.2.7-3.17.1 libcupsmime1-debuginfo-2.2.7-3.17.1 libcupsppdc1-2.2.7-3.17.1 libcupsppdc1-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libcups2-32bit-2.2.7-3.17.1 libcups2-32bit-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): cups-2.2.7-3.17.1 cups-client-2.2.7-3.17.1 cups-client-debuginfo-2.2.7-3.17.1 cups-config-2.2.7-3.17.1 cups-ddk-2.2.7-3.17.1 cups-ddk-debuginfo-2.2.7-3.17.1 cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 cups-devel-2.2.7-3.17.1 libcups2-2.2.7-3.17.1 libcups2-debuginfo-2.2.7-3.17.1 libcupscgi1-2.2.7-3.17.1 libcupscgi1-debuginfo-2.2.7-3.17.1 libcupsimage2-2.2.7-3.17.1 libcupsimage2-debuginfo-2.2.7-3.17.1 libcupsmime1-2.2.7-3.17.1 libcupsmime1-debuginfo-2.2.7-3.17.1 libcupsppdc1-2.2.7-3.17.1 libcupsppdc1-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP2 (x86_64): cups-debugsource-2.2.7-3.17.1 cups-devel-32bit-2.2.7-3.17.1 libcupscgi1-32bit-2.2.7-3.17.1 libcupscgi1-32bit-debuginfo-2.2.7-3.17.1 libcupsimage2-32bit-2.2.7-3.17.1 libcupsimage2-32bit-debuginfo-2.2.7-3.17.1 libcupsmime1-32bit-2.2.7-3.17.1 libcupsmime1-32bit-debuginfo-2.2.7-3.17.1 libcupsppdc1-32bit-2.2.7-3.17.1 libcupsppdc1-32bit-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): cups-debugsource-2.2.7-3.17.1 cups-devel-32bit-2.2.7-3.17.1 libcupscgi1-32bit-2.2.7-3.17.1 libcupscgi1-32bit-debuginfo-2.2.7-3.17.1 libcupsimage2-32bit-2.2.7-3.17.1 libcupsimage2-32bit-debuginfo-2.2.7-3.17.1 libcupsmime1-32bit-2.2.7-3.17.1 libcupsmime1-32bit-debuginfo-2.2.7-3.17.1 libcupsppdc1-32bit-2.2.7-3.17.1 libcupsppdc1-32bit-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): cups-ddk-2.2.7-3.17.1 cups-ddk-debuginfo-2.2.7-3.17.1 
cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): cups-ddk-2.2.7-3.17.1 cups-ddk-debuginfo-2.2.7-3.17.1 cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): cups-2.2.7-3.17.1 cups-client-2.2.7-3.17.1 cups-client-debuginfo-2.2.7-3.17.1 cups-config-2.2.7-3.17.1 cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 cups-devel-2.2.7-3.17.1 libcups2-2.2.7-3.17.1 libcups2-debuginfo-2.2.7-3.17.1 libcupscgi1-2.2.7-3.17.1 libcupscgi1-debuginfo-2.2.7-3.17.1 libcupsimage2-2.2.7-3.17.1 libcupsimage2-debuginfo-2.2.7-3.17.1 libcupsmime1-2.2.7-3.17.1 libcupsmime1-debuginfo-2.2.7-3.17.1 libcupsppdc1-2.2.7-3.17.1 libcupsppdc1-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libcups2-32bit-2.2.7-3.17.1 libcups2-32bit-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): cups-2.2.7-3.17.1 cups-client-2.2.7-3.17.1 cups-client-debuginfo-2.2.7-3.17.1 cups-config-2.2.7-3.17.1 cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 cups-devel-2.2.7-3.17.1 libcups2-2.2.7-3.17.1 libcups2-debuginfo-2.2.7-3.17.1 libcupscgi1-2.2.7-3.17.1 libcupscgi1-debuginfo-2.2.7-3.17.1 libcupsimage2-2.2.7-3.17.1 libcupsimage2-debuginfo-2.2.7-3.17.1 libcupsmime1-2.2.7-3.17.1 libcupsmime1-debuginfo-2.2.7-3.17.1 libcupsppdc1-2.2.7-3.17.1 libcupsppdc1-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libcups2-32bit-2.2.7-3.17.1 libcups2-32bit-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): cups-2.2.7-3.17.1 cups-client-2.2.7-3.17.1 cups-client-debuginfo-2.2.7-3.17.1 cups-config-2.2.7-3.17.1 cups-ddk-2.2.7-3.17.1 cups-ddk-debuginfo-2.2.7-3.17.1 cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 cups-devel-2.2.7-3.17.1 
libcups2-2.2.7-3.17.1 libcups2-debuginfo-2.2.7-3.17.1 libcupscgi1-2.2.7-3.17.1 libcupscgi1-debuginfo-2.2.7-3.17.1 libcupsimage2-2.2.7-3.17.1 libcupsimage2-debuginfo-2.2.7-3.17.1 libcupsmime1-2.2.7-3.17.1 libcupsmime1-debuginfo-2.2.7-3.17.1 libcupsppdc1-2.2.7-3.17.1 libcupsppdc1-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libcups2-32bit-2.2.7-3.17.1 libcups2-32bit-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): cups-2.2.7-3.17.1 cups-client-2.2.7-3.17.1 cups-client-debuginfo-2.2.7-3.17.1 cups-config-2.2.7-3.17.1 cups-ddk-2.2.7-3.17.1 cups-ddk-debuginfo-2.2.7-3.17.1 cups-debuginfo-2.2.7-3.17.1 cups-debugsource-2.2.7-3.17.1 cups-devel-2.2.7-3.17.1 libcups2-2.2.7-3.17.1 libcups2-debuginfo-2.2.7-3.17.1 libcupscgi1-2.2.7-3.17.1 libcupscgi1-debuginfo-2.2.7-3.17.1 libcupsimage2-2.2.7-3.17.1 libcupsimage2-debuginfo-2.2.7-3.17.1 libcupsmime1-2.2.7-3.17.1 libcupsmime1-debuginfo-2.2.7-3.17.1 libcupsppdc1-2.2.7-3.17.1 libcupsppdc1-debuginfo-2.2.7-3.17.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libcups2-32bit-2.2.7-3.17.1 libcups2-32bit-debuginfo-2.2.7-3.17.1 References: https://www.suse.com/security/cve/CVE-2020-3898.html https://bugzilla.suse.com/1168422 From sle-security-updates at lists.suse.com Thu Apr 23 07:42:41 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 23 Apr 2020 15:42:41 +0200 (CEST) Subject: SUSE-SU-2020:14341-1: important: Security update for cups Message-ID: <20200423134241.31593FE0F@maintenance.suse.de> SUSE Security Update: Security update for cups ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14341-1 Rating: important References: #1168422 Cross-References: CVE-2020-3898 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE 
Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for cups fixes the following issues: - CVE-2020-3898: Fixed heap buffer overflow in libcups ppdFindOption() function (bsc#1168422). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-cups-14341=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-cups-14341=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-cups-14341=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-cups-14341=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): cups-1.3.9-8.46.56.11.1 cups-client-1.3.9-8.46.56.11.1 cups-libs-1.3.9-8.46.56.11.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): cups-libs-32bit-1.3.9-8.46.56.11.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): cups-1.3.9-8.46.56.11.1 cups-client-1.3.9-8.46.56.11.1 cups-libs-1.3.9-8.46.56.11.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): cups-debuginfo-1.3.9-8.46.56.11.1 cups-debugsource-1.3.9-8.46.56.11.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): cups-debuginfo-1.3.9-8.46.56.11.1 cups-debugsource-1.3.9-8.46.56.11.1 References: https://www.suse.com/security/cve/CVE-2020-3898.html https://bugzilla.suse.com/1168422 From sle-security-updates at lists.suse.com Thu Apr 23 07:45:41 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 23 Apr 2020 15:45:41 +0200 (CEST) Subject: SUSE-SU-2020:1045-1: important: Security update for cups Message-ID: <20200423134541.17DF8FE29@maintenance.suse.de> SUSE Security Update: Security 
update for cups ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1045-1 Rating: important References: #1168422 Cross-References: CVE-2020-3898 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for cups fixes the following issues: - CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1045=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1045=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1045=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1045=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1045=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1045=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1045=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1045=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1045=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1045=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1045=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1045=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1045=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1045=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1045=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1045=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1045=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE 
OpenStack Cloud 8 (x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE OpenStack Cloud 7 (s390x x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): cups-ddk-1.7.5-20.29.1 cups-ddk-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-devel-1.7.5-20.29.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): cups-ddk-1.7.5-20.29.1 cups-ddk-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-devel-1.7.5-20.29.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 
cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Linux Enterprise Server 
12-SP2-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 - SUSE Enterprise Storage 5 (x86_64): cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 - HPE Helion Openstack 8 (x86_64): cups-1.7.5-20.29.1 cups-client-1.7.5-20.29.1 cups-client-debuginfo-1.7.5-20.29.1 cups-debuginfo-1.7.5-20.29.1 cups-debugsource-1.7.5-20.29.1 cups-libs-1.7.5-20.29.1 cups-libs-32bit-1.7.5-20.29.1 cups-libs-debuginfo-1.7.5-20.29.1 cups-libs-debuginfo-32bit-1.7.5-20.29.1 References: https://www.suse.com/security/cve/CVE-2020-3898.html https://bugzilla.suse.com/1168422 From sle-security-updates at lists.suse.com Thu Apr 23 07:46:35 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 23 Apr 2020 15:46:35 +0200 (CEST) Subject: SUSE-SU-2020:1084-1: important: Security update for the Linux Kernel Message-ID: <20200423134635.531CBFE29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel 
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1084-1
Rating: important
References: #1044231 #1050549 #1051510 #1051858 #1056686 #1060463 #1065729 #1083647 #1085030 #1088810 #1103990 #1103992 #1104353 #1104745 #1104967 #1109837 #1109911 #1111666 #1111974 #1112178 #1112374 #1112504 #1113956 #1114279 #1114685 #1118338 #1119680 #1120386 #1123328 #1127611 #1133021 #1134090 #1134395 #1136157 #1136333 #1141895 #1142685 #1144333 #1145051 #1146539 #1148868 #1154385 #1156510 #1157424 #1158187 #1158552 #1158983 #1159142 #1159198 #1159285 #1160659 #1161561 #1161702 #1161951 #1162171 #1162929 #1162931 #1163508 #1163762 #1164078 #1164507 #1164777 #1164780 #1164893 #1165019 #1165111 #1165182 #1165185 #1165211 #1165404 #1165488 #1165527 #1165581 #1165741 #1165813 #1165823 #1165873 #1165929 #1165949 #1165950 #1165980 #1165984 #1165985 #1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166658 #1166730 #1166731 #1166732 #1166733 #1166734 #1166735 #1166982 #1167005 #1167216 #1167290 #1167316 #1167421 #1167423 #1167627 #1167629 #1168075 #1168273 #1168276 #1168295 #1168367 #1168424 #1168443 #1168552 #1168829 #1168854 #1169013 #1169307 #1169308
Cross-References: CVE-2018-20836 CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942 CVE-2020-11494 CVE-2020-8647 CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products: SUSE Linux Enterprise Real Time Extension 12-SP5
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 107 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2018-20836: Fixed a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, which potentially could have led to a use-after-free (bnc#1134395).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Add snd_device_get_state() helper (bsc#1051510). - ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: emu10k1: Fix endianness annotations (bsc#1051510). - ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510). - ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda: default enable CA0132 DSP support (bsc#1051510). - ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666). - ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666). - ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666). - ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510). - ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666). - ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666). - ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes). - ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510). - ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes). - ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666). - ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666). - ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666). - ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510). - ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510). - ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510). - ALSA: hda: Use scnprintf() for string truncation (bsc#1051510). - ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510). 
- ALSA: info: remove redundant assignment to variable c (bsc#1051510). - ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510). - ALSA: line6: Fix endless MIDI read loop (git-fixes). - ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510). - ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510). - ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes). - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes). - ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510). - ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510). - ALSA: seq: oss: Fix running status after receiving sysex (git-fixes). - ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes). - ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666). - ALSA: usb-audio: Add delayed_register option (bsc#1051510). - ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666). - ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510). - ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666). - ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510). - ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510). - ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666). - ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666). - ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510). - ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510). 
- ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510).
- ALSA: usb-audio: unlock on error in probe (bsc#1111666).
- ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666).
- ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956)
- apei/ghes: Do not delay GHES polling (bsc#1166982).
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
- binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142).
- bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bnxt_en: Improve device shutdown method (bsc#1104745).
- bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix crash due to "kernel BUG at ../fs/btrfs/relocation.c:4827!"
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: Remove redundant mirror_num arg (bsc#1168273).
- btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: sink extent_write_full_page tree argument (bsc#1168273).
- btrfs: sink extent_write_locked_range tree parameter (bsc#1168273).
- btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273).
- btrfs: sink get_extent parameter to extent_readpages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273).
- btrfs: sink get_extent parameter to extent_writepages (bsc#1168273).
- btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273).
- btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: unify extent_page_data type passed as void (bsc#1168273).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666).
- clk: imx: Align imx sc clock msg structs to 4 (git-fixes).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837).
- Correct fallouts from previous AER/DPC fixes (bsc#1161561)
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666).
- Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: simplify __debugfs_remove_file() (bsc#1159198).
- Delete because it is reverted in upstream. (bsc#1111974)
- device: Use overflow helpers for devm_kmalloc() (bsc#1166003).
- devlink: report 0 after hitting end in region read (bsc#1109837).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956)
- drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666).
- drm/amd/display: Fix wrongly passed static prefix (bsc#1111666).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amd/dm/mst: Ignore payload update failures (bsc#1112178)
- drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666).
- drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666).
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes).
- drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915: Program MBUS with rmw during initialization (git-fixes).
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/lease: fix WARNING in idr_destroy (bsc#1113956)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- drm/sun4i: de2/de3: Remove unsupported VI layer formats (git-fixes).
- drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666).
- drm/sun4i: Fix DE2 VI layer format support (git-fixes).
- drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666).
- drm/vc4: Fix HDMI mode validation (git-fixes).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC, ghes: Make platform-based whitelisting x86-only (bsc#1158187).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- EDAC: skx_common: downgrade message importance on missing PCI device (bsc#1165581).
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367).
- efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367).
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666).
- firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666).
- firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes).
- firmware: imx: scu: Ensure sequential TX (git-fixes).
- firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes).
- fix memory leak in large read decrypt offload (bsc#1144333).
- Fix the locking in dcache_readdir() and friends (bsc#1123328).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hv_netvsc: pass netvsc_device to rndis halt
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipmi: fix hung processes in __get_guid() (bsc#1111666).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for pcie_port_bus_type change (bsc#1161561).
- kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950).
- libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929).
- libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix an error code format and remove unsed bio_sector (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md: introduce new personality funciton start() (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/r5cache: remove redundant pointer bio (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003).
- md: remove a bogus comment (bsc#1166003).
- md: remove redundant code that is no longer reachable (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374).
- mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm: Use overflow helpers in kvmalloc() (bsc#1166003).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- net: Fix Tx hash bound checking (bsc#1109837).
- net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlx5: Fix lowest FDB pool size (bsc#1103990).
- net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990).
- net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net/tls: fix async operation (bsc#1109837).
- net/tls: free the record on encryption error (bsc#1109837).
- net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme: Fix parsing of ANA log page (bsc#1166658).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510).
- nvme: Translate more status codes to blk_status_t (bsc#1156510).
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561).
- PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561).
- PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561).
- PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561).
- PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561).
- PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/AER: Take reference on error devices (bsc#1161561).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI/ERR: Use slot reset if available (bsc#1161561).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- ptr_ring: add include of linux/mm.h (bsc#1109837).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5-cache: Need to do start() part job after adding journal device (bsc#1166003).
- raid5: copy write hint from origin bio to stripe (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992).
- RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685).
- RDMA/uverbs: Verify MR access flags (bsc#1103992).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- s390/pci: Fix unexpected write combine on resource (git-fixes).
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108).
- s390/uv: Fix handling of length extensions (git-fixes).
- scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654).
- scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424).
- scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424).
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424).
- scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424).
- scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424).
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424).
- scsi: qla2xxx: add more FW debug information (bsc#1157424).
- scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424).
- scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424).
- scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424).
- scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424).
- scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424).
- scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424).
- scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424).
- scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424).
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424).
- scsi: qla2xxx: Display message for FCE enabled (bsc#1157424).
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424).
- scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424).
- scsi: qla2xxx: fix FW resource count values (bsc#1157424).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424).
- scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424).
- scsi: qla2xxx: Fix RDP respond data format (bsc#1157424).
- scsi: qla2xxx: Fix RDP response size (bsc#1157424).
- scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424).
- scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424).
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424).
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424).
- scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424).
- scsi: qla2xxx: Improved secure flash support messages (bsc#1157424).
- scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424).
- scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424).
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424).
- scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424).
- scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424).
- scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424).
- scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424).
- scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424).
- scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424).
- scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424).
- scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424).
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424).
- scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424).
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424).
- scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424).
- scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424).
- scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424).
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- smb3: add debug messages for closing unmatched open (bsc#1144333).
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333).
- smb3: add dynamic tracepoints for flush and close (bsc#1144333).
- smb3: add missing flag definitions (bsc#1144333).
- smb3: Add missing reparse tags (bsc#1144333).
- smb3: add missing worker function for SMB3 change notify (bsc#1144333).
- smb3: add mount option to allow forced caching of read only share (bsc#1144333).
- smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333).
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333).
- smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333).
- smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333).
- smb3: allow disabling requesting leases (bsc#1144333).
- smb3: allow parallelizing decryption of reads (bsc#1144333).
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333).
- SMB3: Backup intent flag missing from some more ops (bsc#1144333).
- smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333).
- smb3: display max smb3 requests in flight at any one time (bsc#1144333).
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333). - smb3: enable offload of decryption of large reads via mount option (bsc#1144333). - smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333). - smb3: fix mode passed in on create for modetosid mount option (bsc#1144333). - smb3: fix performance regression with setting mtime (bsc#1144333). - smb3: fix potential null dereference in decrypt offload (bsc#1144333). - smb3: Fix regression in time handling (bsc#1144333). - smb3: improve check for when we send the security descriptor context on create (bsc#1144333). - smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333). - smb3: missing ACL related flags (bsc#1144333). - smb3: only offload decryption of read responses if multiple requests (bsc#1144333). - smb3: pass mode bits into create calls (bsc#1144333). - smb3: print warning once if posix context returned on open (bsc#1144333). - smb3: query attributes on file close (bsc#1144333). - smb3: remove noisy debug message and minor cleanup (bsc#1144333). - smb3: remove unused flag passed into close functions (bsc#1144333). - staging: ccree: use signal safe completion wait (git-fixes). - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510). - staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510). - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510). - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). 
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992). - swiotlb: do not panic on mapping failures (bsc#1162171). - swiotlb: remove the overflow buffer (bsc#1162171). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). - tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). - tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729). - tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510). - ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510). - tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510). - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837). - USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510). 
- USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes). - USB: core: add endpoint-blacklist quirk (git-fixes). - USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: Disable LPM on WD19's Realtek Hub (git-fixes). - USB: dwc2: Fix in ISOC request length checking (git-fixes). - USB: Fix novation SourceControl XL after suspend (git-fixes). - USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes). - USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510). - USB: host: xhci-plat: add a shutdown (git-fixes). - USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes). - USB: hub: Do not record a connect-change event during reset-resume (git-fixes). - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes). - USB: misc: iowarrior: add support for the 100 device (git-fixes). - USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes). - USB: musb: Disable pullup at init (git-fixes). - USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510). - USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes). - USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes). - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes). - USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510). - USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes). - USB: serial: pl2303: add device-id for HP LD381 (git-fixes). - USB: storage: Add quirk for Samsung Fit flash (git-fixes). - USB: uas: fix a plug & unplug racing (git-fixes). - USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes). - uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507). 
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279) - virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes). - virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). - vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11). - vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11). - vxlan: fix tos value before xmit (networking-stable-20_01_11). - x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279). - x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895). - x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895). - x86/mce/amd: Fix kobject lifetime (bsc#1114279). - x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279). - x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes). - xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes). - xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510). - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Real Time Extension 12-SP5: zypper in -t patch SUSE-SLE-RT-12-SP5-2020-1084=1 Package List: - SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64): cluster-md-kmp-rt-4.12.14-10.8.1 dlm-kmp-rt-4.12.14-10.8.1 gfs2-kmp-rt-4.12.14-10.8.1 kernel-rt-4.12.14-10.8.1 kernel-rt-base-4.12.14-10.8.1 kernel-rt-devel-4.12.14-10.8.1 kernel-rt_debug-4.12.14-10.8.1 kernel-rt_debug-devel-4.12.14-10.8.1 kernel-syms-rt-4.12.14-10.8.1 ocfs2-kmp-rt-4.12.14-10.8.1 - SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch): kernel-devel-rt-4.12.14-10.8.1 kernel-source-rt-4.12.14-10.8.1 References: https://www.suse.com/security/cve/CVE-2018-20836.html https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-9383.html https://bugzilla.suse.com/1044231 https://bugzilla.suse.com/1050549 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1056686 https://bugzilla.suse.com/1060463 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1104967 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1111974 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 
https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1119680 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1134090 https://bugzilla.suse.com/1134395 https://bugzilla.suse.com/1136157 https://bugzilla.suse.com/1136333 https://bugzilla.suse.com/1141895 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1145051 https://bugzilla.suse.com/1146539 https://bugzilla.suse.com/1148868 https://bugzilla.suse.com/1154385 https://bugzilla.suse.com/1156510 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1158187 https://bugzilla.suse.com/1158552 https://bugzilla.suse.com/1158983 https://bugzilla.suse.com/1159142 https://bugzilla.suse.com/1159198 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1160659 https://bugzilla.suse.com/1161561 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 https://bugzilla.suse.com/1163508 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164507 https://bugzilla.suse.com/1164777 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164893 https://bugzilla.suse.com/1165019 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165182 https://bugzilla.suse.com/1165185 https://bugzilla.suse.com/1165211 https://bugzilla.suse.com/1165404 https://bugzilla.suse.com/1165488 https://bugzilla.suse.com/1165527 https://bugzilla.suse.com/1165581 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1165813 https://bugzilla.suse.com/1165823 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165929 https://bugzilla.suse.com/1165949 
https://bugzilla.suse.com/1165950 https://bugzilla.suse.com/1165980 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1166003 https://bugzilla.suse.com/1166101 https://bugzilla.suse.com/1166102 https://bugzilla.suse.com/1166103 https://bugzilla.suse.com/1166104 https://bugzilla.suse.com/1166632 https://bugzilla.suse.com/1166658 https://bugzilla.suse.com/1166730 https://bugzilla.suse.com/1166731 https://bugzilla.suse.com/1166732 https://bugzilla.suse.com/1166733 https://bugzilla.suse.com/1166734 https://bugzilla.suse.com/1166735 https://bugzilla.suse.com/1166982 https://bugzilla.suse.com/1167005 https://bugzilla.suse.com/1167216 https://bugzilla.suse.com/1167290 https://bugzilla.suse.com/1167316 https://bugzilla.suse.com/1167421 https://bugzilla.suse.com/1167423 https://bugzilla.suse.com/1167627 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168273 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168367 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168443 https://bugzilla.suse.com/1168552 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1169013 https://bugzilla.suse.com/1169307 https://bugzilla.suse.com/1169308 From sle-security-updates at lists.suse.com Thu Apr 23 13:13:35 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 23 Apr 2020 21:13:35 +0200 (CEST) Subject: SUSE-SU-2020:1087-1: important: Security update for the Linux Kernel Message-ID: <20200423191335.64C41FE29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1087-1 Rating: important References: #1044231 #1051510 #1051858 #1056686 #1060463 #1065600 #1065729 #1071995 #1083647 #1085030 #1103990 #1103992 #1104353 #1104745 
#1109837 #1109911 #1111666 #1111974 #1112178 #1112374 #1113956 #1114279 #1114685 #1118338 #1119680 #1120386 #1127611 #1133021 #1134090 #1136157 #1136333 #1137325 #1141895 #1142685 #1144333 #1145051 #1145929 #1146539 #1148868 #1156510 #1157424 #1158187 #1158983 #1159037 #1159198 #1159199 #1159285 #1160659 #1161561 #1161951 #1162171 #1162929 #1162931 #1163403 #1163897 #1163971 #1164078 #1164284 #1164507 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735 #1164777 #1164780 #1164893 #1165019 #1165111 #1165182 #1165185 #1165211 #1165404 #1165488 #1165527 #1165741 #1165813 #1165823 #1165873 #1165929 #1165949 #1165950 #1165980 #1165984 #1165985 #1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166658 #1166730 #1166731 #1166732 #1166733 #1166734 #1166735 #1166780 #1166860 #1166861 #1166862 #1166864 #1166866 #1166867 #1166868 #1166870 #1166940 #1166982 #1167005 #1167216 #1167288 #1167290 #1167316 #1167421 #1167423 #1167627 #1167629 #1168075 #1168202 #1168273 #1168276 #1168295 #1168367 #1168424 #1168443 #1168486 #1168552 #1168760 #1168762 #1168763 #1168764 #1168765 #1168829 #1168854 #1168881 #1168884 #1168952 #1169013 #1169057 #1169307 #1169308 #1169390 #1169514 #1169625 Cross-References: CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-2732 CVE-2020-8647 CVE-2020-8649 CVE-2020-8834 CVE-2020-9383 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that solves 12 vulnerabilities and has 139 fixes is now available. Description: The SUSE Linux Enterprise 15 SP1 azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. 
Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: An issue was discovered in which set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-2732: Fixed a flaw in the KVM hypervisor instruction emulation for L2 guests.
Under some circumstances, an L2 guest may have tricked the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971). The following non-security bugs were fixed: - ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510). - ACPI: watchdog: Fix gas->access_width usage (bsc#1051510). - ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013). - ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510). - ALSA: core: Add snd_device_get_state() helper (bsc#1051510). - ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: emu10k1: Fix endianness annotations (bsc#1051510). - ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510). - ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda: default enable CA0132 DSP support (bsc#1051510). - ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510). - ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666). - ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666). - ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666). - ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510). - ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666). - ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666). - ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes). - ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510). - ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes). - ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666). - ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666). 
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666). - ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510). - ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510). - ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510). - ALSA: hda: Use scnprintf() for string truncation (bsc#1051510). - ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510). - ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510). - ALSA: info: remove redundant assignment to variable c (bsc#1051510). - ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510). - ALSA: line6: Fix endless MIDI read loop (git-fixes). - ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510). - ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510). - ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes). - ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510). - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes). - ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510). - ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510). - ALSA: seq: oss: Fix running status after receiving sysex (git-fixes). - ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes). - ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666). - ALSA: usb-audio: Add delayed_register option (bsc#1051510). - ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666). - ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510). - ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666). 
- ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510). - ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510). - ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666). - ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666). - ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510). - ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510). - ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510). - ALSA: usb-audio: unlock on error in probe (bsc#1111666). - ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666). - ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510). - ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510). - ALSA: via82xx: Fix endianness annotations (bsc#1051510). - amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956) - apei/ghes: Do not delay GHES polling (bsc#1166982). - ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510). - ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510). - ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510). - ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510). - ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510). - ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510). - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510). - ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510). 
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510). - ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510). - ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510). - atm: zatm: Fix empty body Clang warnings (bsc#1051510). - b43legacy: Fix -Wcast-function-type (bsc#1051510). - batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510). - batman-adv: Do not schedule OGM for disabled interface (bsc#1051510). - batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510). - binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013). - binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013). - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285). - blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316). - blktrace: fix dereference after null check (bsc#1159285). - blktrace: fix trace mutex deadlock (bsc#1159285). - block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760). - block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762). - Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510). - bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745 ). - bnxt_en: Fix TC queue mapping (networking-stable-20_02_05). - bnxt_en: Improve device shutdown method (bsc#1104745 ). - bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954). - bnxt_en: Support all variants of the 5750X chip family (bsc#1167216). - bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09). - bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647). - bpf: Explicitly memset the bpf_attr structure (bsc#1083647). - bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837). - brcmfmac: abort and release host after error (bsc#1111666). 
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949). - btrfs: pass root to various extent ref mod functions (bsc#1165949). - btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823). - btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823). - btrfs: refactor block group replication factor calculation to a helper (bsc#1165949). - btrfs: refactor priority_reclaim_metadata_space (bsc#1165949). - btrfs: refactor the ticket wakeup code (bsc#1165949). - btrfs: release metadata before running delayed refs (bsc##1165949). - btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273). - btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949). - btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949). - btrfs: remove orig_bytes from reserve_ticket (bsc#1165949). - btrfs: Remove redundant argument of flush_space (bsc#1165949). - btrfs: Remove redundant mirror_num arg (bsc#1168273). - btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273). - btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949). - btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949). - btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949). - btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949). - btrfs: reserve delalloc metadata differently (bsc#1165949). - btrfs: reserve extra space during evict (bsc#1165949). - btrfs: reset max_extent_size on clear in a bitmap (bsc##1165949). - btrfs: reset max_extent_size properly (bsc##1165949). - btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949). - btrfs: rework wake_all_tickets (bsc#1165949). - btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949). - btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949). - btrfs: run delayed iput at unlink time (bsc#1165949). - btrfs: run delayed iputs before committing (bsc#1165949). 
- btrfs: set max_extent_size properly (bsc##1165949). - btrfs: sink extent_write_full_page tree argument (bsc#1168273). - btrfs: sink extent_write_locked_range tree parameter (bsc#1168273). - btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273). - btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273). - btrfs: sink get_extent parameter to extent_readpages (bsc#1168273). - btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273). - btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273). - btrfs: sink get_extent parameter to extent_writepages (bsc#1168273). - btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273). - btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273). - btrfs: stop partially refilling tickets when releasing space (bsc#1165949). - btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949). - btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273). - btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949). - btrfs: temporarily export fragment_free_space (bsc#1165949). - btrfs: temporarily export inc_block_group_ro (bsc#1165949). - btrfs: track DIO bytes in flight (bsc#1165949). - btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273). - btrfs: unexport can_overcommit (bsc#1165949). - btrfs: unexport the temporary exported functions (bsc#1165949). - btrfs: unify error handling for ticket flushing (bsc#1165949). - btrfs: unify extent_page_data type passed as void (bsc#1168273). - btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949). - btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949). - btrfs: wait on caching when putting the bg cache (bsc#1165949). - btrfs: wait on ordered extents on abort cleanup (bsc#1165949). - btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949). - ceph: canonicalize server path in place (bsc#1168443). 
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307). - ceph: remove the extra slashes in the server path (bsc#1168443). - cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510). - cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510). - cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290). - cifs: add a debug macro that prints \\server\share for errors (bsc#1144333). - cifs: add missing mount option to /proc/mounts (bsc#1144333). - cifs: add new debugging macro cifs_server_dbg (bsc#1144333). - cifs: add passthrough for smb2 setinfo (bsc#1144333). - cifs: add SMB2_open() arg to return POSIX data (bsc#1144333). - cifs: add smb2 POSIX info level (bsc#1144333). - cifs: add SMB3 change notification support (bsc#1144333). - cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333). - cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333). - cifs: Add tracepoints for errors on flush or fsync (bsc#1144333). - cifs: Adjust indentation in smb2_open_file (bsc#1144333). - cifs: allow chmod to set mode bits using special sid (bsc#1144333). - cifs: Avoid doing network I/O while holding cache lock (bsc#1144333). - cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1144333). - cifs: Clean up DFS referral cache (bsc#1144333). - cifs: create a helper function to parse the query-directory response buffer (bsc#1144333). - cifs: do d_move in rename (bsc#1144333). - cifs: Do not display RDMA transport on reconnect (bsc#1144333). - cifs: do not ignore the SYNC flags in getattr (bsc#1144333). - cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333). - cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333). - cifs: enable change notification for SMB2.1 dialect (bsc#1144333). - cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333). 
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333). - cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333). - cifs: fix dereference on ses before it is null checked (bsc#1144333). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333). - cifs: Fix mode output in debugging statements (bsc#1144333). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: fix NULL dereference in match_prepath (bsc#1144333). - cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333). - cifs: fix potential mismatch of UNC paths (bsc#1144333). - cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333). - cifs: Fix return value in __update_cache_entry (bsc#1144333). - cifs: fix soft mounts hanging in the reconnect code (bsc#1144333). - cifs: fix soft mounts hanging in the reconnect code (bsc#1144333). - cifs: Fix task struct use-after-free on reconnect (bsc#1144333). - cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333). - cifs: get mode bits from special sid on stat (bsc#1144333). - cifs: Get rid of kstrdup_const()'d paths (bsc#1144333). - cifs: handle prefix paths in reconnect (bsc#1144333). - cifs: ignore cached share root handle closing errors (bsc#1166780). - cifs: Introduce helpers for finding TCP connection (bsc#1144333). - cifs: log warning message (once) if out of disk space (bsc#1144333). - cifs: make sure we do not overflow the max EA buffer size (bsc#1144333). - cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333). - cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333). - cifs: modefromsid: make room for 4 ACE (bsc#1144333). - cifs: modefromsid: write mode ACE first (bsc#1144333). - cifs: Optimize readdir on reparse points (bsc#1144333). - cifs: plumb smb2 POSIX dir enumeration (bsc#1144333). 
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333). - cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333). - cifs: print warning once if mounting with vers=1.0 (bsc#1144333). - cifs: refactor cifs_get_inode_info() (bsc#1144333). - cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333). - cifs: remove redundant assignment to variable rc (bsc#1144333). - cifs: remove set but not used variables (bsc#1144333). - cifs: remove set but not used variable 'server' (bsc#1144333). - cifs: remove unused variable (bsc#1144333). - cifs: remove unused variable 'sid_user' (bsc#1144333). - cifs: rename a variable in SendReceive() (bsc#1144333). - cifs: rename posix create rsp (bsc#1144333). - cifs: replace various strncpy with strscpy and similar (bsc#1144333). - cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333). - cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333). - cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333). - cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333). - cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333). - cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333). - cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333). - cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333). - cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333). - cifs: use compounding for open and first query-dir for readdir() (bsc#1144333). - cifs: Use #define in cifs_dbg (bsc#1144333). - cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333). - cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1144333). - cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333). 
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666). - clk: imx: Align imx sc clock msg structs to 4 (git-fixes). - clk: qcom: rcg: Return failure for RCG update (bsc#1051510). - cls_rsvp: fix rsvp_policy (networking-stable-20_02_05). - configfs: Fix bool initialization/comparison (bsc#1051510). - core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837). - cpufreq: powernv: Fix unsafe notifiers (bsc#1065729). - cpufreq: powernv: Fix use-after-free (bsc#1065729). - cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510). - cpuidle: Do not unset the driver if it is there already (bsc#1051510). - crypto: arm64/sha-ce - implement export/import (bsc#1051510). - Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666). - Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666). - crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510). - crypto: pcrypt - Fix user-after-free on module unload (git-fixes). - crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510). - debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198). - debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). - debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). - debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198). - debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). - debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). - debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). 
- debugfs: simplify __debugfs_remove_file() (bsc#1159198). - Delete patches which cause regression (bsc#1165527 ltc#184149). - Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403). - devlink: report 0 after hitting end in region read (bsc#1109837). - dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510). - dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510). - driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510). - driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510). - driver core: Print device when resources present in really_probe() (bsc#1051510). - drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). - drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). - drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956) - drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666). - drm/amd/display: Fix wrongly passed static prefix (bsc#1111666). - drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510). - drm/amd/dm/mst: Ignore payload update failures (bsc#1112178) - drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666). - drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279) - drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279) - drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510). - drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510). - drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510). - drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510). - drm/etnaviv: fix dumping of iommuv2 (bsc#1114279) - drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666). - drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666). 
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510). - drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes). - drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes). - drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279) - drm/i915: Program MBUS with rmw during initialization (git-fixes). - drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279) - drm/i915/userptr: fix size calculation (bsc#1114279) - drm/i915/userptr: Try to acquire the page lock around (bsc#1114279) - drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279) - drm/lease: fix WARNING in idr_destroy (bsc#1113956) - drm/mediatek: Add gamma property according to hardware capability (bsc#1114279) - drm/mediatek: disable all the planes in atomic_disable (bsc#1114279) - drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510). - drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279) - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279) - drm/msm: Set dma maximum segment size for mdss (bsc#1051510). - drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510). - drm/msm: Use the correct dma_sync calls harder (bsc#1051510). - drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510). - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510). - drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510). - drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes). - drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279) - drm: remove the newline for CRC source name (bsc#1051510). - drm/sun4i: de2/de3: Remove unsupported VI layer formats (git-fixes). - drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666). - drm/sun4i: Fix DE2 VI layer format support (git-fixes). - drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666). 
- drm/vc4: Fix HDMI mode validation (git-fixes). - dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510). - EDAC, ghes: Make platform-based whitelisting x86-only (bsc#1158187). - EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279). - efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367). - efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367). - efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893). - efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367). - ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197). - ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862). - ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019). - ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288). - ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860). - ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861). - ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765). - ext4: fix incorrect inodes per group in error message (bsc#1168764). - ext4: fix potential race between online resizing and write operations (bsc#1166864). - ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867). - ext4: fix potential race between s_group_info online resizing and access (bsc#1166866). - ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870). - ext4: fix support for inode sizes > 1024 bytes (bsc#1164284). - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940). - ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868). - ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897). - fat: fix uninit-memory access for partial initialized inode (bsc#1051510). 
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510). - fbdev/g364fb: Fix build failure (bsc#1051510). - fbdev: potential information leak in do_fb_ioctl() (bsc#1114279) - fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279) - fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003). - firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666). - firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666). - firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes). - firmware: imx: scu: Ensure sequential TX (git-fixes). - firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes). - fix memory leak in large read decrypt offload (bsc#1144333). - fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333). - fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333). - fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333). - fs: cifs: mute -Wunused-const-variable message (bsc#1144333). - fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333). - fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333). - fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes). - gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27). - gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05). - HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510). - HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510). - HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes). - hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20). - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510). 
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510). - i2c: jz4780: silence log flood on txabrt (bsc#1051510). - IB/hfi1: Close window for pq and request coliding (bsc#1060463). - IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). - ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611). - ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - ibmvnic: Do not process device remove during device reset (bsc#1065729). - ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729). - iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510). - iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510). - Input: add safety guards to input_set_keycode() (bsc#1168075). - Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510). - Input: edt-ft5x06 - work around first register access error (bsc#1051510). - Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510). - Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510). - Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510). - Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510). - Input: synaptics - switch T470s to RMI4 by default (bsc#1051510). - intel_th: Fix user-visible error codes (bsc#1051510). - intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510). - iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101). - iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057). 
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102). - iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895). - iommu/dma: Fix MSI reservation allocation (bsc#1166730). - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731). - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732). - iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103). - iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733). - iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734). - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735). - ipmi: fix hung processes in __get_guid() (bsc#1111666). - ipmi: fix hung processes in __get_guid() (git-fixes). - ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510). - ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes). - ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01). - ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01). - ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837). - ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325). - irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510). - irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510). - iwlegacy: Fix -Wcast-function-type (bsc#1051510). - iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632). - iwlwifi: mvm: Fix thermal zone registration (bsc#1051510). - kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911). - kabi fix for (bsc#1168202). - kABI: restore debugfs_remove_recursive() (bsc#1159198). - kABI workaround for pcie_port_bus_type change (bsc#1161561). - kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895). 
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488). - kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488). - kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895). - KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021). - KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021). - KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes). - KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes). - KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). - KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). - l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05). - libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308). - libfs: fix infoleak in simple_attr_read() (bsc#1168881). 
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950). - libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929). - libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929). - lib/raid6: add missing include for raid6test (bsc#1166003). - lib/raid6: add option to skip algo benchmarking (bsc#1166003). - lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003). - lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211). - lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211). - mac80211: consider more elements in parsing CRC (bsc#1051510). - mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510). - mac80211: free peer keys before vif down in mesh (bsc#1051510). - mac80211: mesh: fix RCU warning (bsc#1051510). - mac80211: only warn once on chanctx_conf being NULL (bsc#1051510). - mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510). - macsec: add missing attribute validation for port (bsc#1051510). - macsec: fix refcnt leak in module exit routine (bsc#1051510). - md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003). - md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003). - md: add a missing endianness conversion in check_sb_changes (bsc#1166003). - md: add bitmap_abort label in md_run (bsc#1166003). - md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003). - md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003). - md: avoid invalid memory access for array sb->dev_roles (bsc#1166003). - md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003). 
- md-bitmap: small cleanups (bsc#1166003). - md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003). - md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003). - md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003). - md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003). - md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003). - md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003). - md-cluster/raid10: support add disk under grow mode (bsc#1166003). - md-cluster: remove suspend_info (bsc#1166003). - md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003). - md: convert to kvmalloc (bsc#1166003). - md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003). - md: do not set In_sync if array is frozen (bsc#1166003). - md: fix a typo s/creat/create (bsc#1166003). - md: fix for divide error in status_resync (bsc#1166003). - md: fix spelling typo and add necessary space (bsc#1166003). - md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003). - md-linear: use struct_size() in kzalloc() (bsc#1166003). - md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003). - md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003). - md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003). - md: no longer compare spare disk superblock events in super_load (bsc#1166003). - md/raid0: Fix an error message in raid0_make_request() (bsc#1166003). - md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003). - md/raid10: end bio when the device faulty (bsc#1166003). - md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003). - md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003). 
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003). - md: raid10: Use struct_size() in kmalloc() (bsc#1166003). - md/raid1: avoid soft lockup under high load (bsc#1166003). - md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003). - md/raid1: end bio when the device faulty (bsc#1166003). - md/raid1: fail run raid1 array when active disk less than one (bsc#1166003). - md/raid1: Fix a warning message in remove_wb() (bsc#1166003). - md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003). - md/raid1: get rid of extra blank line and space (bsc#1166003). - md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003). - md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003). - md: remove set but not used variable 'bi_rdev' (bsc#1166003). - md: return -ENODEV if rdev has no mddev assigned (bsc#1166003). - md: use correct type in super_1_load (bsc#1166003). - md: use correct type in super_1_sync (bsc#1166003). - md: use correct types in md_bitmap_print_sb (bsc#1166003). - media: dib0700: fix rc endpoint lookup (bsc#1051510). - media: flexcop-usb: fix endpoint sanity check (git-fixes). - media: go7007: Fix URB type for interrupt handling (bsc#1051510). - media: ov519: add missing endpoint sanity checks (bsc#1168829). - media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510). - media: ov6650: Fix some format attributes not under control (bsc#1051510). - media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510). - media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510). - media: stv06xx: add missing descriptor sanity checks (bsc#1168854). - media: tda10071: fix unsigned sign extension overflow (bsc#1051510). - media: usbtv: fix control-message timeouts (bsc#1051510). - media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507). 
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510). - media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510). - media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510). - mfd: dln2: Fix sanity checking for endpoints (bsc#1051510). - misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510). - mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374). - mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374). - mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510). - mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884). - mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600). - mm: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403). - mwifiex: set needed_headroom, not hard_header_len (bsc#1051510). - net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27). - net: dsa: bcm_sf2: Fix overflow checks (git-fixes). - net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11). - net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20). - net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19). - net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423). - net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197). - net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01). - netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199). - net: Fix Tx hash bound checking (bsc#1109837). - net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353). - net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20). - net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05). 
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27). - net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27). - net, ip_tunnel: fix namespaces move (networking-stable-20_01_27). - net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09). - net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09). - net/mlx5: Fix lowest FDB pool size (bsc#1103990). - net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990 ). - net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990). - net/mlx5: Update the list of the PCI supported devices (bsc#1127611). - net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858). - net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09). - net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510). - net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510). - net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510). - net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01). - net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27). - net: sched: correct flower port blocking (git-fixes). - net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30). - net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05). - net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09). - net_sched: fix datalen for ematch (networking-stable-20_01_27). - net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19). - net_sched: keep alloc_hash updated after hash allocation (git-fixes). - net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19). - net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11). 
- net/smc: add fallback check to connect() (git-fixes). - net/smc: fix cleanup for linkgroup setup failures (git-fixes). - net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19). - net/smc: no peer ID in CLC decline for SMCD (git-fixes). - net/smc: transfer fasync_list in case of fallback (git-fixes). - net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05). - net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11). - net-sysfs: Fix reference count leak (networking-stable-20_01_27). - net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09). - net/tls: fix async operation (bsc#1109837). - net/tls: free the record on encryption error (bsc#1109837). - net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837). - net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27). - net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11). - net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20). - NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510). - NFC: pn544: Fix a typo in a debug message (bsc#1051510). - nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01). - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510). - NFS: send state management on a single connection (bsc#1167005). - nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983). - nvme: fix controller removal race with scan work (bsc#1158983). - nvme: Fix parsing of ANA log page (bsc#1166658). - nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983). - nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983). - nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983). - nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983). 
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983). - nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983). - nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983). - nvme-multipath: round-robin I/O policy (bsc#1158983). - nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510). - nvme: Translate more status codes to blk_status_t (bsc#1156510). - objtool: Add is_static_jump() helper (bsc#1169514). - objtool: Add relocation check for alternative sections (bsc#1169514). - OMAP: DSS2: remove non-zero check on variable r (bsc#1114279) - orinoco: avoid assertion in case of NULL pointer (bsc#1051510). - padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes). - partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763). - PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561). - PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561). - PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561). - PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561). - PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561). - PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561). - PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561). - PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561). - PCI/AER: Log which device prevents error recovery (bsc#1161561). - PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561). - PCI/AER: Take reference on error devices (bsc#1161561). - PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510). - PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510). - PCI/ERR: Always report current recovery status for udev (bsc#1161561). - PCI/ERR: Handle fatal error recovery (bsc#1161561). - PCI/ERR: Remove duplicated include from err.c (bsc#1161561). 
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561). - PCI/ERR: Simplify broadcast callouts (bsc#1161561). - PCI/ERR: Use slot reset if available (bsc#1161561). - PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes). - PCI: pciehp: Fix MSI interrupt race (bsc#1159037). - PCI: portdrv: Initialize service drivers directly (bsc#1161561). - PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561). - PCI: Simplify disconnected marking (bsc#1161561). - PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510). - PCI: Unify device inaccessible (bsc#1161561). - perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279). - perf: qcom_l2: fix column exclusion check (git-fixes). - pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510). - pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510). - pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes). - pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510). - pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510). - pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11). - platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994). - platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510). - PM: core: Fix handling of devices deleted during system-wide resume (git-fixes). - powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868). - powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868). - powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734). - powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686). - powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729). - powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729). 
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868). - powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659). - powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509). - powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834). - powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498). - powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509). - powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509). - powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498). - powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498). - powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091). - powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868). - powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030). - powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030). - ptr_ring: add include of linux/mm.h (bsc#1109837). - pwm: bcm2835: Dynamically allocate base (bsc#1051510). - pwm: meson: Fix confusing indentation (bsc#1051510). - pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510). - pwm: rcar: Fix late Runtime PM enablement (bsc#1051510). - pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510). - pxa168fb: fix release function mismatch in probe failure (bsc#1051510). - qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01). - qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510). - qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510). - raid10: refactor common wait code from regular read/write request (bsc#1166003). - raid1: factor out a common routine to handle the completion of sync write (bsc#1166003). 
- raid1: simplify raid1_error function (bsc#1166003). - raid1: use an int as the return value of raise_barrier() (bsc#1166003). - raid5: block failing device if raid will be failed (bsc#1166003). - raid5: do not increment read_errors on EILSEQ return (bsc#1166003). - raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003). - raid5 improve too many read errors msg by adding limits (bsc#1166003). - raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003). - raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003). - raid5: set write hint for PPL (bsc#1166003). - raid5: use bio_end_sector in r5_next_bio (bsc#1166003). - raid6/test: fix a compilation error (bsc#1166003). - raid6/test: fix a compilation warning (bsc#1166003). - RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992). - RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685). - RDMA/uverbs: Verify MR access flags (bsc#1103992). - remoteproc: Initialize rproc_class before use (bsc#1051510). - rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes). - rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510). - rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05). - s390/cio: avoid duplicated 'ADD' uevents (git-fixes). - s390/cio: generate delayed uevent for vfio-ccw subchannels (git-fixes). - s390/cpuinfo: fix wrong output when CPU0 is offline (git-fixes). - s390/diag: fix display of diagnose call statistics (git-fixes). - s390/gmap: return proper error code on ksm unsharing (git-fixes). - s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102). - s390/pci: Fix unexpected write combine on resource (git-fixes). - s390/qeth: cancel RX reclaim work earlier (git-fixes). - s390/qeth: do not return -ENOTSUPP to userspace (git-fixes). - s390/qeth: do not warn for napi with 0 budget (git-fixes). - s390/qeth: fix off-by-one in RX copybreak check (git-fixes). 
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108). - s390/qeth: fix promiscuous mode after reset (git-fixes). - s390/qeth: fix qdio teardown after early init error (git-fixes). - s390/qeth: handle error due to unsupported transport mode (git-fixes). - s390/qeth: handle error when backing RX buffer (git-fixes). - s390/qeth: lock the card while changing its hsuid (git-fixes). - s390/qeth: support net namespaces for L3 devices (git-fixes). - s390/time: Fix clk type in get_tod_clock (git-fixes). - s390/uv: Fix handling of length extensions (git-fixes). - scsi: core: avoid repetitive logging of device offline messages (bsc#1145929). - scsi: core: kABI fix offline_already (bsc#1145929). - scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: fnic: do not queue commands during fwreset (bsc#1146539). - scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551). - scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551). - scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551). - scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551). - scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551). - scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551). - scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551). 
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551). - scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551). - scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551). - scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211). 
- scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211). 
- scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Update lpfc version to 12.6.0.3 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Update lpfc version to 12.6.0.4 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424). - scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424). - scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424). - scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424). - scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424). - scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424). - scsi: qla2xxx: add more FW debug information (bsc#1157424). - scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424). - scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424). - scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424). - scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424). - scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424). - scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424). - scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424). - scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424). - scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424). - scsi: qla2xxx: Display message for FCE enabled (bsc#1157424). - scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424). - scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424). - scsi: qla2xxx: fix FW resource count values (bsc#1157424). 
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424). - scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424). - scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424). - scsi: qla2xxx: Fix RDP respond data format (bsc#1157424). - scsi: qla2xxx: Fix RDP response size (bsc#1157424). - scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424). - scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424). - scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424). - scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424). - scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424). - scsi: qla2xxx: Improved secure flash support messages (bsc#1157424). - scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424). - scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424). - scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424). - scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424). - scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424). - scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424). - scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424). - scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424). - scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424). - scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424). - scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424). - scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424). - scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424). 
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424). - scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424). - scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424). - scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424). - scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point (git-fixes). - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11). - sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01). - serdev: ttyport: restore client ops on deregistration (bsc#1051510). - smb3: add debug messages for closing unmatched open (bsc#1144333). - smb3: Add defines for new information level, FileIdInformation (bsc#1144333). - smb3: add dynamic tracepoints for flush and close (bsc#1144333). - smb3: add missing flag definitions (bsc#1144333). - smb3: Add missing reparse tags (bsc#1144333). - smb3: add missing worker function for SMB3 change notify (bsc#1144333). - smb3: add mount option to allow forced caching of read only share (bsc#1144333). - smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333). - smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333). - smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333). - smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333). - smb3: allow disabling requesting leases (bsc#1144333). - smb3: allow parallelizing decryption of reads (bsc#1144333). - smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333). - SMB3: Backup intent flag missing from some more ops (bsc#1144333). - smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333). - smb3: display max smb3 requests in flight at any one time (bsc#1144333). 
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333). - smb3: enable offload of decryption of large reads via mount option (bsc#1144333). - smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333). - smb3: fix mode passed in on create for modetosid mount option (bsc#1144333). - smb3: fix performance regression with setting mtime (bsc#1144333). - smb3: fix potential null dereference in decrypt offload (bsc#1144333). - smb3: fix problem with null cifs super block with previous patch (bsc#1144333). - smb3: Fix regression in time handling (bsc#1144333). - smb3: improve check for when we send the security descriptor context on create (bsc#1144333). - smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333). - smb3: missing ACL related flags (bsc#1144333). - smb3: only offload decryption of read responses if multiple requests (bsc#1144333). - smb3: pass mode bits into create calls (bsc#1144333). - smb3: print warning once if posix context returned on open (bsc#1144333). - smb3: query attributes on file close (bsc#1144333). - smb3: remove noisy debug message and minor cleanup (bsc#1144333). - smb3: remove unused flag passed into close functions (bsc#1144333). - staging: ccree: use signal safe completion wait (git-fixes). - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510). - staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510). - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510). - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510). - SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202). 
- SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992). - swiotlb: do not panic on mapping failures (bsc#1162171). - swiotlb: remove the overflow buffer (bsc#1162171). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). - tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). - tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729). - tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510). - ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510). - tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510). - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837). - USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510). - USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes). - USB: core: add endpoint-blacklist quirk (git-fixes). - USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes). 
- USB: Disable LPM on WD19's Realtek Hub (git-fixes). - USB: dwc2: Fix in ISOC request length checking (git-fixes). - USB: Fix novation SourceControl XL after suspend (git-fixes). - USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes). - USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510). - USB: host: xhci-plat: add a shutdown (git-fixes). - USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes). - USB: hub: Do not record a connect-change event during reset-resume (git-fixes). - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes). - USB: misc: iowarrior: add support for the 100 device (git-fixes). - USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes). - USB: musb: Disable pullup at init (git-fixes). - USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510). - USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes). - USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes). - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes). - USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510). - USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes). - USB: serial: pl2303: add device-id for HP LD381 (git-fixes). - USB: storage: Add quirk for Samsung Fit flash (git-fixes). - USB: uas: fix a plug & unplug racing (git-fixes). - USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes). - uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507) - vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279) - virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes). - virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). 
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11). - vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11). - vxlan: fix tos value before xmit (networking-stable-20_01_11). - x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279). - x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895). - x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895). - x86/mce/amd: Fix kobject lifetime (bsc#1114279). - x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279). - x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes). - xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes). - xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510). - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1087=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (x86_64):

      kernel-azure-4.12.14-8.30.1
      kernel-azure-base-4.12.14-8.30.1
      kernel-azure-base-debuginfo-4.12.14-8.30.1
      kernel-azure-debuginfo-4.12.14-8.30.1
      kernel-azure-devel-4.12.14-8.30.1
      kernel-syms-azure-4.12.14-8.30.1

   - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch):

      kernel-devel-azure-4.12.14-8.30.1
      kernel-source-azure-4.12.14-8.30.1

References:

https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-11669.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-9383.html
https://bugzilla.suse.com/1044231 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1056686 https://bugzilla.suse.com/1060463 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1111974 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1114685
   https://bugzilla.suse.com/1118338
   https://bugzilla.suse.com/1119680
   https://bugzilla.suse.com/1120386
   https://bugzilla.suse.com/1127611
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1134090
   https://bugzilla.suse.com/1136157
   https://bugzilla.suse.com/1136333
   https://bugzilla.suse.com/1137325
   https://bugzilla.suse.com/1141895
   https://bugzilla.suse.com/1142685
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1145051
   https://bugzilla.suse.com/1145929
   https://bugzilla.suse.com/1146539
   https://bugzilla.suse.com/1148868
   https://bugzilla.suse.com/1156510
   https://bugzilla.suse.com/1157424
   https://bugzilla.suse.com/1158187
   https://bugzilla.suse.com/1158983
   https://bugzilla.suse.com/1159037
   https://bugzilla.suse.com/1159198
   https://bugzilla.suse.com/1159199
   https://bugzilla.suse.com/1159285
   https://bugzilla.suse.com/1160659
   https://bugzilla.suse.com/1161561
   https://bugzilla.suse.com/1161951
   https://bugzilla.suse.com/1162171
   https://bugzilla.suse.com/1162929
   https://bugzilla.suse.com/1162931
   https://bugzilla.suse.com/1163403
   https://bugzilla.suse.com/1163897
   https://bugzilla.suse.com/1163971
   https://bugzilla.suse.com/1164078
   https://bugzilla.suse.com/1164284
   https://bugzilla.suse.com/1164507
   https://bugzilla.suse.com/1164705
   https://bugzilla.suse.com/1164712
   https://bugzilla.suse.com/1164727
   https://bugzilla.suse.com/1164728
   https://bugzilla.suse.com/1164729
   https://bugzilla.suse.com/1164730
   https://bugzilla.suse.com/1164731
   https://bugzilla.suse.com/1164732
   https://bugzilla.suse.com/1164733
   https://bugzilla.suse.com/1164734
   https://bugzilla.suse.com/1164735
   https://bugzilla.suse.com/1164777
   https://bugzilla.suse.com/1164780
   https://bugzilla.suse.com/1164893
   https://bugzilla.suse.com/1165019
   https://bugzilla.suse.com/1165111
   https://bugzilla.suse.com/1165182
   https://bugzilla.suse.com/1165185
   https://bugzilla.suse.com/1165211
   https://bugzilla.suse.com/1165404
   https://bugzilla.suse.com/1165488
   https://bugzilla.suse.com/1165527
   https://bugzilla.suse.com/1165741
   https://bugzilla.suse.com/1165813
   https://bugzilla.suse.com/1165823
   https://bugzilla.suse.com/1165873
   https://bugzilla.suse.com/1165929
   https://bugzilla.suse.com/1165949
   https://bugzilla.suse.com/1165950
   https://bugzilla.suse.com/1165980
   https://bugzilla.suse.com/1165984
   https://bugzilla.suse.com/1165985
   https://bugzilla.suse.com/1166003
   https://bugzilla.suse.com/1166101
   https://bugzilla.suse.com/1166102
   https://bugzilla.suse.com/1166103
   https://bugzilla.suse.com/1166104
   https://bugzilla.suse.com/1166632
   https://bugzilla.suse.com/1166658
   https://bugzilla.suse.com/1166730
   https://bugzilla.suse.com/1166731
   https://bugzilla.suse.com/1166732
   https://bugzilla.suse.com/1166733
   https://bugzilla.suse.com/1166734
   https://bugzilla.suse.com/1166735
   https://bugzilla.suse.com/1166780
   https://bugzilla.suse.com/1166860
   https://bugzilla.suse.com/1166861
   https://bugzilla.suse.com/1166862
   https://bugzilla.suse.com/1166864
   https://bugzilla.suse.com/1166866
   https://bugzilla.suse.com/1166867
   https://bugzilla.suse.com/1166868
   https://bugzilla.suse.com/1166870
   https://bugzilla.suse.com/1166940
   https://bugzilla.suse.com/1166982
   https://bugzilla.suse.com/1167005
   https://bugzilla.suse.com/1167216
   https://bugzilla.suse.com/1167288
   https://bugzilla.suse.com/1167290
   https://bugzilla.suse.com/1167316
   https://bugzilla.suse.com/1167421
   https://bugzilla.suse.com/1167423
   https://bugzilla.suse.com/1167627
   https://bugzilla.suse.com/1167629
   https://bugzilla.suse.com/1168075
   https://bugzilla.suse.com/1168202
   https://bugzilla.suse.com/1168273
   https://bugzilla.suse.com/1168276
   https://bugzilla.suse.com/1168295
   https://bugzilla.suse.com/1168367
   https://bugzilla.suse.com/1168424
   https://bugzilla.suse.com/1168443
   https://bugzilla.suse.com/1168486
   https://bugzilla.suse.com/1168552
   https://bugzilla.suse.com/1168760
   https://bugzilla.suse.com/1168762
   https://bugzilla.suse.com/1168763
   https://bugzilla.suse.com/1168764
   https://bugzilla.suse.com/1168765
   https://bugzilla.suse.com/1168829
   https://bugzilla.suse.com/1168854
   https://bugzilla.suse.com/1168881
   https://bugzilla.suse.com/1168884
   https://bugzilla.suse.com/1168952
   https://bugzilla.suse.com/1169013
   https://bugzilla.suse.com/1169057
   https://bugzilla.suse.com/1169307
   https://bugzilla.suse.com/1169308
   https://bugzilla.suse.com/1169390
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1169625

From sle-security-updates at lists.suse.com Thu Apr 23 13:31:57 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Apr 2020 21:31:57 +0200 (CEST)
Subject: SUSE-SU-2020:1090-1: important: Security update for resource-agents
Message-ID: <20200423193157.19F81FE29@maintenance.suse.de>

   SUSE Security Update: Security update for resource-agents
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1090-1
Rating:             important
References:         #1021689 #1146687 #1146690 #1146691 #1146692
                    #1146766 #1146776 #1146784 #1146785 #1146787
Affected Products:
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for resource-agents fixes the following issues:

   - Fixed multiple vulnerabilities related to unsafe tempfile usage. (bsc#1146690, bsc#1146691, bsc#1146692, bsc#1146766, bsc#1146776, bsc#1146784, bsc#1146785, bsc#1146787)
   - Fixed issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15:

      zypper in -t patch SUSE-SLE-Product-HA-15-2020-1090=1

Package List:

   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):

      ldirectord-4.3.0184.6ee15eb2-3.37.1
      resource-agents-4.3.0184.6ee15eb2-3.37.1
      resource-agents-debuginfo-4.3.0184.6ee15eb2-3.37.1
      resource-agents-debugsource-4.3.0184.6ee15eb2-3.37.1

   - SUSE Linux Enterprise High Availability 15 (noarch):

      monitoring-plugins-metadata-4.3.0184.6ee15eb2-3.37.1

References:

   https://bugzilla.suse.com/1021689
   https://bugzilla.suse.com/1146687
   https://bugzilla.suse.com/1146690
   https://bugzilla.suse.com/1146691
   https://bugzilla.suse.com/1146692
   https://bugzilla.suse.com/1146766
   https://bugzilla.suse.com/1146776
   https://bugzilla.suse.com/1146784
   https://bugzilla.suse.com/1146785
   https://bugzilla.suse.com/1146787

From sle-security-updates at lists.suse.com Thu Apr 23 13:34:30 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Apr 2020 21:34:30 +0200 (CEST)
Subject: SUSE-SU-2020:1089-1: important: Security update for resource-agents
Message-ID: <20200423193430.5FB02FE29@maintenance.suse.de>

   SUSE Security Update: Security update for resource-agents
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1089-1
Rating:             important
References:         #1021689 #1146687 #1146690 #1146691 #1146692
                    #1146766 #1146776 #1146784 #1146785 #1146787
Affected Products:
                    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for resource-agents fixes the following issues:

   - Fixed multiple vulnerabilities related to unsafe tempfile usage. (bsc#1146690 bsc#1146691 bsc#1146692 bsc#1146766 bsc#1146776 bsc#1146784 bsc#1146785 bsc#1146787)
   - Fixed issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15-SP1:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1089=1

Package List:

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

      ldirectord-4.3.0184.6ee15eb2-4.22.1
      resource-agents-4.3.0184.6ee15eb2-4.22.1
      resource-agents-debuginfo-4.3.0184.6ee15eb2-4.22.1
      resource-agents-debugsource-4.3.0184.6ee15eb2-4.22.1

   - SUSE Linux Enterprise High Availability 15-SP1 (noarch):

      monitoring-plugins-metadata-4.3.0184.6ee15eb2-4.22.1

References:

   https://bugzilla.suse.com/1021689
   https://bugzilla.suse.com/1146687
   https://bugzilla.suse.com/1146690
   https://bugzilla.suse.com/1146691
   https://bugzilla.suse.com/1146692
   https://bugzilla.suse.com/1146766
   https://bugzilla.suse.com/1146776
   https://bugzilla.suse.com/1146784
   https://bugzilla.suse.com/1146785
   https://bugzilla.suse.com/1146787

From sle-security-updates at lists.suse.com Thu Apr 23 13:36:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Apr 2020 21:36:05 +0200 (CEST)
Subject: SUSE-SU-2020:1092-1: important: Security update for resource-agents
Message-ID: <20200423193605.F30C7FE29@maintenance.suse.de>

   SUSE Security Update: Security update for resource-agents
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1092-1
Rating:             important
References:         #1021689 #1146687 #1146690 #1146691 #1146776
                    #1146784 #1146785 #1146787 #1146789 #1161898
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP3
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for resource-agents fixes the following issues:

   - Fixed multiple vulnerabilities related to unsafe tempfile usage. (bsc#1146690 bsc#1146691 bsc#1146776 bsc#1146784 bsc#1146785 bsc#1146787 bsc#1146789)
   - Fixed issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP3:

      zypper in -t patch SUSE-SLE-HA-12-SP3-2020-1092=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64):

      ldirectord-4.0.1+git.1495055229.643177f1-2.45.1
      resource-agents-4.0.1+git.1495055229.643177f1-2.45.1
      resource-agents-debuginfo-4.0.1+git.1495055229.643177f1-2.45.1
      resource-agents-debugsource-4.0.1+git.1495055229.643177f1-2.45.1

   - SUSE Linux Enterprise High Availability 12-SP3 (noarch):

      monitoring-plugins-metadata-4.0.1+git.1495055229.643177f1-2.45.1

References:

   https://bugzilla.suse.com/1021689
   https://bugzilla.suse.com/1146687
   https://bugzilla.suse.com/1146690
   https://bugzilla.suse.com/1146691
   https://bugzilla.suse.com/1146776
   https://bugzilla.suse.com/1146784
   https://bugzilla.suse.com/1146785
   https://bugzilla.suse.com/1146787
   https://bugzilla.suse.com/1146789
   https://bugzilla.suse.com/1161898

From sle-security-updates at lists.suse.com Thu Apr 23 13:37:45 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Apr 2020 21:37:45 +0200 (CEST)
Subject: SUSE-SU-2020:1091-1: important: Security update for resource-agents
Message-ID: <20200423193745.30FB2FE29@maintenance.suse.de>

   SUSE Security Update: Security update for resource-agents
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1091-1
Rating:             important
References:         #1021689 #1146687 #1146690 #1146691 #1146692
                    #1146766 #1146776 #1146784 #1146785 #1146787
                    #1146789
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for resource-agents fixes the following issues:

   - Fixed multiple vulnerabilities related to unsafe tempfile usage. (bsc#1146690, bsc#1146691, bsc#1146692, bsc#1146766, bsc#1146776, bsc#1146784, bsc#1146785, bsc#1146787, bsc#1146789)
   - Fixed issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP5:

      zypper in -t patch SUSE-SLE-HA-12-SP5-2020-1091=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-1091=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):

      ldirectord-4.3.018.a7fb5035-3.42.1
      resource-agents-4.3.018.a7fb5035-3.42.1
      resource-agents-debuginfo-4.3.018.a7fb5035-3.42.1
      resource-agents-debugsource-4.3.018.a7fb5035-3.42.1

   - SUSE Linux Enterprise High Availability 12-SP5 (noarch):

      monitoring-plugins-metadata-4.3.018.a7fb5035-3.42.1

   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):

      ldirectord-4.3.018.a7fb5035-3.42.1
      resource-agents-4.3.018.a7fb5035-3.42.1
      resource-agents-debuginfo-4.3.018.a7fb5035-3.42.1
      resource-agents-debugsource-4.3.018.a7fb5035-3.42.1

   - SUSE Linux Enterprise High Availability 12-SP4 (noarch):

      monitoring-plugins-metadata-4.3.018.a7fb5035-3.42.1

References:

   https://bugzilla.suse.com/1021689
   https://bugzilla.suse.com/1146687
   https://bugzilla.suse.com/1146690
   https://bugzilla.suse.com/1146691
   https://bugzilla.suse.com/1146692
   https://bugzilla.suse.com/1146766
   https://bugzilla.suse.com/1146776
   https://bugzilla.suse.com/1146784
   https://bugzilla.suse.com/1146785
   https://bugzilla.suse.com/1146787
   https://bugzilla.suse.com/1146789

From sle-security-updates at lists.suse.com Thu Apr 23 13:39:30 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 23 Apr 2020 21:39:30 +0200 (CEST)
Subject: SUSE-SU-2020:1088-1: Security update for file-roller
Message-ID: <20200423193930.14F44FE29@maintenance.suse.de>

   SUSE Security Update: Security update for file-roller
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1088-1
Rating:             low
References:         #1151585
Cross-References:   CVE-2019-16680
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for file-roller fixes the following issues:

   - CVE-2019-16680: Fixed a path traversal vulnerability which could have allowed an overwriting of a file during extraction (bsc#1151585).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1088=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1088=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      file-roller-3.20.3-15.3.25
      file-roller-debuginfo-3.20.3-15.3.25
      file-roller-debugsource-3.20.3-15.3.25
      nautilus-file-roller-3.20.3-15.3.25
      nautilus-file-roller-debuginfo-3.20.3-15.3.25

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      file-roller-lang-3.20.3-15.3.25

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      file-roller-3.20.3-15.3.25
      file-roller-debuginfo-3.20.3-15.3.25
      file-roller-debugsource-3.20.3-15.3.25
      nautilus-file-roller-3.20.3-15.3.25
      nautilus-file-roller-debuginfo-3.20.3-15.3.25

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      file-roller-lang-3.20.3-15.3.25

References:

   https://www.suse.com/security/cve/CVE-2019-16680.html
   https://bugzilla.suse.com/1151585

From sle-security-updates at lists.suse.com Fri Apr 24 13:15:13 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 24 Apr 2020 21:15:13 +0200 (CEST)
Subject: SUSE-SU-2020:1111-1: important: Security update for apache2
Message-ID: <20200424191513.B0F33FE29@maintenance.suse.de>

   SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1111-1
Rating:             important
References:         #1168404 #1168407 #1169066
Cross-References:   CVE-2020-1927 CVE-2020-1934 CVE-2020-1938
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for apache2 fixes the following issues:

   - CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
   - CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
   - CVE-2020-1938: mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1111=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1111=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      apache2-2.4.16-20.29.1
      apache2-debuginfo-2.4.16-20.29.1
      apache2-debugsource-2.4.16-20.29.1
      apache2-example-pages-2.4.16-20.29.1
      apache2-prefork-2.4.16-20.29.1
      apache2-prefork-debuginfo-2.4.16-20.29.1
      apache2-utils-2.4.16-20.29.1
      apache2-utils-debuginfo-2.4.16-20.29.1
      apache2-worker-2.4.16-20.29.1
      apache2-worker-debuginfo-2.4.16-20.29.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

      apache2-doc-2.4.16-20.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      apache2-2.4.16-20.29.1
      apache2-debuginfo-2.4.16-20.29.1
      apache2-debugsource-2.4.16-20.29.1
      apache2-example-pages-2.4.16-20.29.1
      apache2-prefork-2.4.16-20.29.1
      apache2-prefork-debuginfo-2.4.16-20.29.1
      apache2-utils-2.4.16-20.29.1
      apache2-utils-debuginfo-2.4.16-20.29.1
      apache2-worker-2.4.16-20.29.1
      apache2-worker-debuginfo-2.4.16-20.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

      apache2-doc-2.4.16-20.29.1

References:

   https://www.suse.com/security/cve/CVE-2020-1927.html
   https://www.suse.com/security/cve/CVE-2020-1934.html
   https://www.suse.com/security/cve/CVE-2020-1938.html
   https://bugzilla.suse.com/1168404
   https://bugzilla.suse.com/1168407
   https://bugzilla.suse.com/1169066

From sle-security-updates at lists.suse.com Fri Apr 24 13:18:04 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 24 Apr 2020 21:18:04 +0200 (CEST)
Subject: SUSE-SU-2020:1109-1: important: Security update for webkit2gtk3
Message-ID: <20200424191804.337B5FE29@maintenance.suse.de>

   SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID:
                    SUSE-SU-2020:1109-1
Rating:             important
References:         #1165528 #1169658
Cross-References:   CVE-2020-10018 CVE-2020-11793
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for webkit2gtk3 to version 2.28.1 fixes the following issues:

   Security issues fixed:

   - CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
   - CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).

   Non-security issues fixed:

   - Add API to enable Process Swap on (Cross-site) Navigation.
   - Add user messages API for the communication with the web extension.
   - Add support for same-site cookies.
   - Service workers are enabled by default.
   - Add support for Pointer Lock API.
   - Add flatpak sandbox support.
   - Make ondemand hardware acceleration policy never leave accelerated compositing mode.
   - Always use a light theme for rendering form controls.
   - Add about:gpu to show information about the graphics stack.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1109=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1109=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1109=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1109=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1109=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1109=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1109=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libjavascriptcoregtk-4_0-18-2.28.1-3.49.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-3.49.2
      webkit2gtk3-debugsource-2.28.1-3.49.2
      webkit2gtk3-devel-2.28.1-3.49.2

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      libwebkit2gtk3-lang-2.28.1-3.49.2

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libjavascriptcoregtk-4_0-18-2.28.1-3.49.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-3.49.2
      webkit2gtk3-debugsource-2.28.1-3.49.2
      webkit2gtk3-devel-2.28.1-3.49.2

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      libwebkit2gtk3-lang-2.28.1-3.49.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      webkit-jsc-4-2.28.1-3.49.2
      webkit-jsc-4-debuginfo-2.28.1-3.49.2
      webkit2gtk3-debugsource-2.28.1-3.49.2
      webkit2gtk3-minibrowser-2.28.1-3.49.2
      webkit2gtk3-minibrowser-debuginfo-2.28.1-3.49.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      libjavascriptcoregtk-4_0-18-32bit-2.28.1-3.49.2
      libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-32bit-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-32bit-debuginfo-2.28.1-3.49.2

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      typelib-1_0-JavaScriptCore-4_0-2.28.1-3.49.2
      typelib-1_0-WebKit2-4_0-2.28.1-3.49.2
      typelib-1_0-WebKit2WebExtension-4_0-2.28.1-3.49.2
      webkit2gtk3-debugsource-2.28.1-3.49.2
      webkit2gtk3-devel-2.28.1-3.49.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      libjavascriptcoregtk-4_0-18-2.28.1-3.49.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-3.49.2
      webkit2gtk3-debugsource-2.28.1-3.49.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      libwebkit2gtk3-lang-2.28.1-3.49.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libjavascriptcoregtk-4_0-18-2.28.1-3.49.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-3.49.2
      webkit2gtk3-debugsource-2.28.1-3.49.2
      webkit2gtk3-devel-2.28.1-3.49.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      libwebkit2gtk3-lang-2.28.1-3.49.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libjavascriptcoregtk-4_0-18-2.28.1-3.49.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-2.28.1-3.49.2
      libwebkit2gtk-4_0-37-debuginfo-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-2.28.1-3.49.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-3.49.2
      webkit2gtk3-debugsource-2.28.1-3.49.2
      webkit2gtk3-devel-2.28.1-3.49.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      libwebkit2gtk3-lang-2.28.1-3.49.2

References:

   https://www.suse.com/security/cve/CVE-2020-10018.html
   https://www.suse.com/security/cve/CVE-2020-11793.html
   https://bugzilla.suse.com/1165528
   https://bugzilla.suse.com/1169658

From sle-security-updates at lists.suse.com Fri Apr 24 13:18:52 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 24 Apr 2020 21:18:52 +0200 (CEST)
Subject: SUSE-SU-2020:14348-1: important: Security update for resource-agents
Message-ID: <20200424191852.76DA9FE29@maintenance.suse.de>

   SUSE Security Update: Security update for resource-agents
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14348-1
Rating:             important
References:         #1021689 #1146687 #1146690 #1146784 #1146785
                    #1146787
Affected Products:
                    SUSE Linux Enterprise High Availability Extension 11-SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for resource-agents fixes the following issues:

   - Fixed multiple vulnerabilities related to unsafe tempfile usage. (bsc#1146690 bsc#1146784 bsc#1146785 bsc#1146787)
   - Fixed issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability Extension 11-SP4:

      zypper in -t patch slehasp4-resource-agents-14348=1

Package List:

   - SUSE Linux Enterprise High Availability Extension 11-SP4 (i586 ppc64 s390x x86_64):

      ldirectord-3.9.5-50.19.1
      nagios-plugins-metadata-3.9.5-50.19.1
      resource-agents-3.9.5-50.19.1

References:

   https://bugzilla.suse.com/1021689
   https://bugzilla.suse.com/1146687
   https://bugzilla.suse.com/1146690
   https://bugzilla.suse.com/1146784
   https://bugzilla.suse.com/1146785
   https://bugzilla.suse.com/1146787

From sle-security-updates at lists.suse.com Mon Apr 27 07:13:17 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Apr 2020 15:13:17 +0200 (CEST)
Subject: SUSE-SU-2020:1118-1: important: Security update for the Linux Kernel
Message-ID: <20200427131317.BFCA3FE29@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1118-1
Rating:             important
References:         #1044231 #1050549 #1051510 #1051858 #1056686
                    #1060463 #1065600 #1065729 #1083647 #1085030
                    #1088810 #1103990 #1103992 #1104353 #1104745
                    #1104967 #1109837 #1109911 #1111666 #1111974
                    #1112178 #1112374 #1112504 #1113956 #1114279
                    #1114685 #1118338 #1119680 #1120386 #1123328
                    #1127611 #1133021 #1134090 #1134395 #1136157
                    #1136333 #1137325 #1141895 #1142685 #1144333
                    #1145051 #1145929 #1146539 #1148868 #1154385
                    #1156510 #1157424 #1158187 #1158552 #1158983
                    #1159037 #1159142 #1159198 #1159199 #1159285
                    #1160659 #1161561 #1161702 #1161951 #1162171
                    #1162929 #1162931 #1163403 #1163508 #1163762
                    #1163897 #1164078 #1164284 #1164507 #1164777
                    #1164780 #1164893 #1165019 #1165111 #1165182
                    #1165185 #1165211 #1165404 #1165488 #1165527
                    #1165581 #1165741 #1165813 #1165823 #1165873
                    #1165929 #1165949 #1165950 #1165980 #1165984
                    #1165985 #1166003 #1166101 #1166102 #1166103
                    #1166104 #1166632 #1166658 #1166730 #1166731
                    #1166732 #1166733 #1166734 #1166735 #1166780
                    #1166860 #1166861 #1166862 #1166864 #1166866
                    #1166867 #1166868 #1166870 #1166940 #1166982
                    #1167005 #1167216 #1167288 #1167290 #1167316
                    #1167421 #1167423 #1167627 #1167629 #1168075
                    #1168202 #1168273 #1168276 #1168295 #1168367
                    #1168424 #1168443 #1168486 #1168552 #1168760
                    #1168762 #1168763 #1168764 #1168765 #1168829
                    #1168854 #1168881 #1168884 #1168952 #1169013
                    #1169057 #1169307 #1169308 #1169390 #1169514
                    #1169625
Cross-References:   CVE-2018-20836 CVE-2019-19768 CVE-2019-19770
                    CVE-2019-3701 CVE-2019-9458 CVE-2020-10942
                    CVE-2020-11494 CVE-2020-11669 CVE-2020-8647
                    CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has 139 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP5 azure kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
   - CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
   - CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
   - CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
   - CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
   - CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
   - CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
   - CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
   - CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
   - CVE-2020-9383: An issue was discovered where set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
   - CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
   - CVE-2018-20836: Fixed an issue where a race condition in smp_task_timedout() and smp_task_done() could lead to a use-after-free (bnc#1134395).

   The following non-security bugs were fixed:

   - ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
   - ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
   - ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013).
   - ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
   - ALSA: core: Add snd_device_get_state() helper (bsc#1051510).
   - ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
   - ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
   - ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510).
   - ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: default enable CA0132 DSP support (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666).
- ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666).
- ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510).
- ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666).
- ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666).
- ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes).
- ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510).
- ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes).
- ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666).
- ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666).
- ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510).
- ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510).
- ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666).
- ALSA: usb-audio: Add delayed_register option (bsc#1051510).
- ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666).
- ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510).
- ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666).
- ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510).
- ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510).
- ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666).
- ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666).
- ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510).
- ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510).
- ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510).
- ALSA: usb-audio: unlock on error in probe (bsc#1111666).
- ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666).
- ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956)
- apei/ghes: Do not delay GHES polling (bsc#1166982).
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
- binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bnxt_en: Improve device shutdown method (bsc#1104745).
- bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix crash due to "kernel BUG at ../fs/btrfs/relocation.c:4827!"
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: Remove redundant mirror_num arg (bsc#1168273).
- btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: sink extent_write_full_page tree argument (bsc#1168273).
- btrfs: sink extent_write_locked_range tree parameter (bsc#1168273).
- btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273).
- btrfs: sink get_extent parameter to extent_readpages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273).
- btrfs: sink get_extent parameter to extent_writepages (bsc#1168273).
- btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273).
- btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: unify extent_page_data type passed as void (bsc#1168273).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666).
- clk: imx: Align imx sc clock msg structs to 4 (git-fixes).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837).
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666).
- Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911).
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911).
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198).
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198).
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911).
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911).
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911).
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911).
- debugfs: simplify __debugfs_remove_file() (bsc#1159198).
- device: Use overflow helpers for devm_kmalloc() (bsc#1166003).
- devlink: report 0 after hitting end in region read (bsc#1109837).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956)
- drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666).
- drm/amd/display: Fix wrongly passed static prefix (bsc#1111666).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amd/dm/mst: Ignore payload update failures (bsc#1112178)
- drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666).
- drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666).
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes).
- drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915: Program MBUS with rmw during initialization (git-fixes).
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/lease: fix WARNING in idr_destroy (bsc#1113956)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- drm/sun4i: de2/de3: Remove unsupported VI layer formats (git-fixes).
- drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666).
- drm/sun4i: Fix DE2 VI layer format support (git-fixes).
- drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666).
- drm/vc4: Fix HDMI mode validation (git-fixes).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC, ghes: Make platform-based whitelisting x86-only (bsc#1158187).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- EDAC: skx_common: downgrade message importance on missing PCI device (bsc#1165581).
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367).
- efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367).
- Enable the following two patches in series.conf, and refresh the KABI patch due to previous md commit (bsc#1119680),
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765).
- ext4: fix incorrect inodes per group in error message (bsc#1168764).
- ext4: fix potential race between online resizing and write operations (bsc#1166864).
- ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867).
- ext4: fix potential race between s_group_info online resizing and access (bsc#1166866).
- ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870).
- ext4: fix support for inode sizes > 1024 bytes (bsc#1164284).
- ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940).
- ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868).
- ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fbdev: potential information leak in do_fb_ioctl() (bsc#1114279)
- fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279)
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666).
- firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666).
- firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes).
- firmware: imx: scu: Ensure sequential TX (git-fixes).
- firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes).
- fix memory leak in large read decrypt offload (bsc#1144333).
- Fix the locking in dcache_readdir() and friends (bsc#1123328).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hv_netvsc: pass netvsc_device to rndis halt
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipmi: fix hung processes in __get_guid() (bsc#1111666).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kabi fix for (bsc#1168202).
- kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for pcie_port_bus_type change (bsc#1161561).
- kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950).
- libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929).
- libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix an error code format and remove unsed bio_sector (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md: introduce new personality funciton start() (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/r5cache: remove redundant pointer bio (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003).
- md: remove a bogus comment (bsc#1166003).
- md: remove redundant code that is no longer reachable (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374).
- mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- MM: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mm: Use overflow helpers in kvmalloc() (bsc#1166003).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net: Fix Tx hash bound checking (bsc#1109837).
- net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlx5: Fix lowest FDB pool size (bsc#1103990).
- net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990).
- net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net/tls: fix async operation (bsc#1109837).
- net/tls: free the record on encryption error (bsc#1109837).
- net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme: Fix parsing of ANA log page (bsc#1166658).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510).
- nvme: Translate more status codes to blk_status_t (bsc#1156510).
- objtool: Add is_static_jump() helper (bsc#1169514).
- objtool: Add relocation check for alternative sections (bsc#1169514).
- OMAP: DSS2: remove non-zero check on variable r (bsc#1114279)
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561).
- PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561).
- PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561).
- PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561).
- PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561).
- PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/AER: Take reference on error devices (bsc#1161561).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI/ERR: Use slot reset if available (bsc#1161561).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- ptr_ring: add include of linux/mm.h (bsc#1109837).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5-cache: Need to do start() part job after adding journal device (bsc#1166003).
- raid5: copy write hint from origin bio to stripe (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992).
- RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685).
- RDMA/uverbs: Verify MR access flags (bsc#1103992).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- s390/pci: Fix unexpected write combine on resource (git-fixes).
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108).
- s390/uv: Fix handling of length extensions (git-fixes).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654).
- scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211). 
- scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Update lpfc version to 12.6.0.3 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Update lpfc version to 12.6.0.4 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424). - scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424). - scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424). - scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424). - scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424). - scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424). - scsi: qla2xxx: add more FW debug information (bsc#1157424). - scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424). - scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424). - scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424). - scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424). - scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424). - scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424). - scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424). - scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424). - scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424). - scsi: qla2xxx: Display message for FCE enabled (bsc#1157424). 
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424). - scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424). - scsi: qla2xxx: fix FW resource count values (bsc#1157424). - scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424). - scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424). - scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424). - scsi: qla2xxx: Fix RDP respond data format (bsc#1157424). - scsi: qla2xxx: Fix RDP response size (bsc#1157424). - scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424). - scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424). - scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424). - scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424). - scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424). - scsi: qla2xxx: Improved secure flash support messages (bsc#1157424). - scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424). - scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424). - scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424). - scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424). - scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424). - scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424). - scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424). - scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424). - scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424). - scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424). - scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424). 
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424). - scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424). - scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424). - scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424). - scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424). - scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424). - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11). - serdev: ttyport: restore client ops on deregistration (bsc#1051510). - smb3: add debug messages for closing unmatched open (bsc#1144333). - smb3: Add defines for new information level, FileIdInformation (bsc#1144333). - smb3: add dynamic tracepoints for flush and close (bsc#1144333). - smb3: add missing flag definitions (bsc#1144333). - smb3: Add missing reparse tags (bsc#1144333). - smb3: add missing worker function for SMB3 change notify (bsc#1144333). - smb3: add mount option to allow forced caching of read only share (bsc#1144333). - smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333). - smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333). - smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333). - smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333). - smb3: allow disabling requesting leases (bsc#1144333). - smb3: allow parallelizing decryption of reads (bsc#1144333). - smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333). - SMB3: Backup intent flag missing from some more ops (bsc#1144333). - smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333). - smb3: display max smb3 requests in flight at any one time (bsc#1144333). 
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333). - smb3: enable offload of decryption of large reads via mount option (bsc#1144333). - smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333). - smb3: fix mode passed in on create for modetosid mount option (bsc#1144333). - smb3: fix performance regression with setting mtime (bsc#1144333). - smb3: fix potential null dereference in decrypt offload (bsc#1144333). - smb3: fix problem with null cifs super block with previous patch (bsc#1144333). - smb3: Fix regression in time handling (bsc#1144333). - smb3: improve check for when we send the security descriptor context on create (bsc#1144333). - smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333). - smb3: missing ACL related flags (bsc#1144333). - smb3: only offload decryption of read responses if multiple requests (bsc#1144333). - smb3: pass mode bits into create calls (bsc#1144333). - smb3: print warning once if posix context returned on open (bsc#1144333). - smb3: query attributes on file close (bsc#1144333). - smb3: remove noisy debug message and minor cleanup (bsc#1144333). - smb3: remove unused flag passed into close functions (bsc#1144333). - staging: ccree: use signal safe completion wait (git-fixes). - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510). - staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510). - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510). - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). 
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202). - SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992). - swiotlb: do not panic on mapping failures (bsc#1162171). - swiotlb: remove the overflow buffer (bsc#1162171). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). - tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). - tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729). - tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510). - ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510). - tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510). - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837). 
- USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510). - USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes). - USB: core: add endpoint-blacklist quirk (git-fixes). - USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: Disable LPM on WD19's Realtek Hub (git-fixes). - USB: dwc2: Fix in ISOC request length checking (git-fixes). - USB: Fix novation SourceControl XL after suspend (git-fixes). - USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes). - USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510). - USB: host: xhci-plat: add a shutdown (git-fixes). - USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes). - USB: hub: Do not record a connect-change event during reset-resume (git-fixes). - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes). - USB: misc: iowarrior: add support for the 100 device (git-fixes). - USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes). - USB: musb: Disable pullup at init (git-fixes). - USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510). - USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes). - USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes). - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes). - USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510). - USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes). - USB: serial: pl2303: add device-id for HP LD381 (git-fixes). - USB: storage: Add quirk for Samsung Fit flash (git-fixes). - USB: uas: fix a plug & unplug racing (git-fixes). - USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes). 
- uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507) - vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279) - virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes). - virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). - vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11). - vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11). - vxlan: fix tos value before xmit (networking-stable-20_01_11). - x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279). - x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895). - x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895). - x86/mce/amd: Fix kobject lifetime (bsc#1114279). - x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279). - x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279). - xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes). - xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes). - xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510). - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1118=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-azure-4.12.14-16.13.1 kernel-source-azure-4.12.14-16.13.1
- SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-azure-4.12.14-16.13.1 kernel-azure-base-4.12.14-16.13.1 kernel-azure-base-debuginfo-4.12.14-16.13.1 kernel-azure-debuginfo-4.12.14-16.13.1 kernel-azure-debugsource-4.12.14-16.13.1 kernel-azure-devel-4.12.14-16.13.1 kernel-syms-azure-4.12.14-16.13.1

References:

https://www.suse.com/security/cve/CVE-2018-20836.html https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-11669.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-9383.html https://bugzilla.suse.com/1044231 https://bugzilla.suse.com/1050549 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1056686 https://bugzilla.suse.com/1060463 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1104967 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1111974 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374
https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1119680 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1134090 https://bugzilla.suse.com/1134395 https://bugzilla.suse.com/1136157 https://bugzilla.suse.com/1136333 https://bugzilla.suse.com/1137325 https://bugzilla.suse.com/1141895 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1145051 https://bugzilla.suse.com/1145929 https://bugzilla.suse.com/1146539 https://bugzilla.suse.com/1148868 https://bugzilla.suse.com/1154385 https://bugzilla.suse.com/1156510 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1158187 https://bugzilla.suse.com/1158552 https://bugzilla.suse.com/1158983 https://bugzilla.suse.com/1159037 https://bugzilla.suse.com/1159142 https://bugzilla.suse.com/1159198 https://bugzilla.suse.com/1159199 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1160659 https://bugzilla.suse.com/1161561 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 https://bugzilla.suse.com/1163403 https://bugzilla.suse.com/1163508 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163897 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164284 https://bugzilla.suse.com/1164507 https://bugzilla.suse.com/1164777 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164893 https://bugzilla.suse.com/1165019 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165182 https://bugzilla.suse.com/1165185 https://bugzilla.suse.com/1165211 https://bugzilla.suse.com/1165404 https://bugzilla.suse.com/1165488 https://bugzilla.suse.com/1165527 
https://bugzilla.suse.com/1165581 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1165813 https://bugzilla.suse.com/1165823 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165929 https://bugzilla.suse.com/1165949 https://bugzilla.suse.com/1165950 https://bugzilla.suse.com/1165980 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1166003 https://bugzilla.suse.com/1166101 https://bugzilla.suse.com/1166102 https://bugzilla.suse.com/1166103 https://bugzilla.suse.com/1166104 https://bugzilla.suse.com/1166632 https://bugzilla.suse.com/1166658 https://bugzilla.suse.com/1166730 https://bugzilla.suse.com/1166731 https://bugzilla.suse.com/1166732 https://bugzilla.suse.com/1166733 https://bugzilla.suse.com/1166734 https://bugzilla.suse.com/1166735 https://bugzilla.suse.com/1166780 https://bugzilla.suse.com/1166860 https://bugzilla.suse.com/1166861 https://bugzilla.suse.com/1166862 https://bugzilla.suse.com/1166864 https://bugzilla.suse.com/1166866 https://bugzilla.suse.com/1166867 https://bugzilla.suse.com/1166868 https://bugzilla.suse.com/1166870 https://bugzilla.suse.com/1166940 https://bugzilla.suse.com/1166982 https://bugzilla.suse.com/1167005 https://bugzilla.suse.com/1167216 https://bugzilla.suse.com/1167288 https://bugzilla.suse.com/1167290 https://bugzilla.suse.com/1167316 https://bugzilla.suse.com/1167421 https://bugzilla.suse.com/1167423 https://bugzilla.suse.com/1167627 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168202 https://bugzilla.suse.com/1168273 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168367 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168443 https://bugzilla.suse.com/1168486 https://bugzilla.suse.com/1168552 https://bugzilla.suse.com/1168760 https://bugzilla.suse.com/1168762 https://bugzilla.suse.com/1168763 https://bugzilla.suse.com/1168764 
https://bugzilla.suse.com/1168765 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1168881 https://bugzilla.suse.com/1168884 https://bugzilla.suse.com/1168952 https://bugzilla.suse.com/1169013 https://bugzilla.suse.com/1169057 https://bugzilla.suse.com/1169307 https://bugzilla.suse.com/1169308 https://bugzilla.suse.com/1169390 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169625

From sle-security-updates at lists.suse.com Mon Apr 27 07:33:15 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Apr 2020 15:33:15 +0200 (CEST)
Subject: SUSE-SU-2020:1117-1: important: Security update for pam_radius
Message-ID: <20200427133315.DA378FE0F@maintenance.suse.de>

SUSE Security Update: Security update for pam_radius
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1117-1
Rating: important
References: #1141670 #1163933
Cross-References: CVE-2015-9542
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server for SAP 12-SP1
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Server 12-SP1-LTSS
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for pam_radius fixes the following issues:

- CVE-2015-9542: Fixed a buffer overflow in the password field (bsc#1163933).
- Passwords were not decrypted correctly on s390x (bsc#1141670).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1117=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1117=1
- SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1117=1
- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1117=1
- SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1117=1
- SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1117=1
- SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1117=1
- SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1117=1
- SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1117=1
- SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1117=1
- SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1117=1
- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1117=1
- SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1117=1
- SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1117=1
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1117=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64): pam_radius-1.3.16-239.4.1 pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE OpenStack Cloud 8 (x86_64): pam_radius-1.3.16-239.4.1 pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE OpenStack Cloud 7 (s390x x86_64): pam_radius-1.3.16-239.4.1 pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): pam_radius-1.3.16-239.4.1 pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): pam_radius-1.3.16-239.4.1 pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): pam_radius-1.3.16-239.4.1 pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- SUSE Enterprise Storage 5 (aarch64 x86_64): pam_radius-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1
- SUSE Enterprise Storage 5 (x86_64): pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1
- HPE Helion Openstack 8 (x86_64): pam_radius-1.3.16-239.4.1 pam_radius-32bit-1.3.16-239.4.1 pam_radius-debuginfo-1.3.16-239.4.1 pam_radius-debuginfo-32bit-1.3.16-239.4.1 pam_radius-debugsource-1.3.16-239.4.1

References:

https://www.suse.com/security/cve/CVE-2015-9542.html
https://bugzilla.suse.com/1141670
https://bugzilla.suse.com/1163933

From sle-security-updates at lists.suse.com Mon Apr 27 07:34:08 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 27 Apr 2020 15:34:08 +0200 (CEST)
Subject: SUSE-SU-2020:1119-1: important: Security update for the Linux Kernel
Message-ID: <20200427133408.C9A8AFE0F@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1119-1
Rating: important
References: #1044231 #1050549 #1051510 #1051858 #1056686 #1060463 #1065600 #1065729 #1071995 #1083647 #1085030 #1104967 #1109911 #1111666 #1114279 #1118338 #1120386 #1133021 #1136157 #1137325 #1144333 #1145051 #1145929 #1146539 #1148868 #1154385 #1157424 #1158552 #1158983 #1159037 #1159142 #1159198 #1159199 #1159285 #1160659 #1161951 #1162929 #1162931 #1163403 #1163508 #1163897 #1164078 #1164284 #1164507 #1164893 #1165019 #1165111 #1165182 #1165404 #1165488 #1165527 #1165741 #1165813 #1165873 #1165949 #1165984 #1165985 #1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166730 #1166731 #1166732 #1166733 #1166734 #1166735 #1166780 #1166860 #1166861 #1166862 #1166864 #1166866 #1166867 #1166868 #1166870 #1166940 #1167005 #1167288 #1167290 #1167316 #1167421 #1167423 #1167629 #1168075 #1168202 #1168276 #1168295 #1168424 #1168443 #1168486 #1168760 #1168762 #1168763 #1168764 #1168765 #1168829 #1168854 #1168881 #1168884 #1168952 #1169057 #1169390 #1169514 #1169625
Cross-References: CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-8647 CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products:
  SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 96 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 azure kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: An issue was discovered where set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510). - ACPI: watchdog: Fix gas->access_width usage (bsc#1051510). - ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510). - ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: emu10k1: Fix endianness annotations (bsc#1051510). - ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510). - ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes). - ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510). - ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510). - ALSA: hda: Use scnprintf() for string truncation (bsc#1051510). - ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510). - ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510). - ALSA: info: remove redundant assignment to variable c (bsc#1051510). - ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510). - ALSA: line6: Fix endless MIDI read loop (git-fixes). - ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes). - ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510). - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes). - ALSA: seq: oss: Fix running status after receiving sysex (git-fixes). - ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes). - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510). - ALSA: via82xx: Fix endianness annotations (bsc#1051510). - ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510). - ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510). - ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510). - ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510). - ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510). 
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510). - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510). - ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510). - ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666). - ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510). - ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510). - ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510). - atm: zatm: Fix empty body Clang warnings (bsc#1051510). - atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003). - b43legacy: Fix -Wcast-function-type (bsc#1051510). - batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510). - batman-adv: Do not schedule OGM for disabled interface (bsc#1051510). - batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510). - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285). - blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316). - blktrace: fix dereference after null check (bsc#1159285). - blktrace: fix trace mutex deadlock (bsc#1159285). - block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142). - block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760). - block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762). - Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510). - bnxt_en: Fix TC queue mapping (networking-stable-20_02_05). - bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09). - bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647). - bpf: Explicitly memset the bpf_attr structure (bsc#1083647). - bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385). - bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385). 
- bpf: make unknown opcode handling more robust (bsc#1154385). - bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385). - bpf, x64: remove ld_abs/ld_ind (bsc#1154385). - bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385). - btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949). - btrfs: add a flush step for delayed iputs (bsc#1165949). - btrfs: add assertions for releasing trans handle reservations (bsc#1165949). - btrfs: add btrfs_delete_ref_head helper (bsc#1165949). - btrfs: add enospc debug messages for ticket failure (bsc#1165949). - btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949). - btrfs: add new flushing states for the delayed refs rsv (bsc#1165949). - btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949). - btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949). - btrfs: always reserve our entire size for the global reserve (bsc#1165949). - btrfs: assert on non-empty delayed iputs (bsc#1165949). - btrfs: be more explicit about allowed flush states (bsc#1165949). - btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949). - btrfs: catch cow on deleting snapshots (bsc#1165949). - btrfs: change the minimum global reserve size (bsc#1165949). - btrfs: check if there are free block groups for commit (bsc#1165949). - btrfs: clean up error handling in btrfs_truncate() (bsc#1165949). - btrfs: cleanup extent_op handling (bsc#1165949). - btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949). - btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949). - btrfs: clear space cache inode generation always (bsc#1165949). - btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949). - btrfs: do not account global reserve in can_overcommit (bsc#1165949). - btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949). - btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949). - btrfs: do not enospc all tickets on flush failure (bsc#1165949). - btrfs: do not run delayed_iputs in commit (bsc#1165949). - btrfs: do not run delayed refs in the end transaction logic (bsc#1165949). - btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949). - btrfs: do not use global reserve for chunk allocation (bsc#1165949). - btrfs: drop min_size from evict_refill_and_join (bsc#1165949). - btrfs: drop unused space_info parameter from create_space_info (bsc#1165949). - btrfs: dump block_rsv details when dumping space info (bsc#1165949). - btrfs: export block group accounting helpers (bsc#1165949). - btrfs: export block_rsv_use_bytes (bsc#1165949). - btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949). - btrfs: export __btrfs_block_rsv_release (bsc#1165949). - btrfs: export space_info_add_*_bytes (bsc#1165949). - btrfs: export the block group caching helpers (bsc#1165949). - btrfs: export the caching control helpers (bsc#1165949). - btrfs: export the excluded extents helpers (bsc#1165949). - btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949). - btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949). - btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949). - btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949). - btrfs: factor out the ticket flush handling (bsc#1165949). - btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508). - btrfs: fix insert_reserved error handling (bsc#1165949). - btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949). - btrfs: fix missing delayed iputs on unmount (bsc#1165949). - btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949). - btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949). - btrfs: fix truncate throttling (bsc#1165949). - btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949). - btrfs: Improve global reserve stealing logic (bsc#1165949). - btrfs: introduce an evict flushing state (bsc#1165949). - btrfs: introduce delayed_refs_rsv (bsc#1165949). - btrfs: loop in inode_rsv_refill (bsc#1165949). - btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949). - btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949). - btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949). - btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949). - btrfs: migrate inc/dec_block_group_ro code (bsc#1165949). - btrfs: migrate nocow and reservation helpers (bsc#1165949). - btrfs: migrate the alloc_profile helpers (bsc#1165949). - btrfs: migrate the block group caching code (bsc#1165949). - btrfs: migrate the block group cleanup code (bsc#1165949). - btrfs: migrate the block group lookup code (bsc#1165949). - btrfs: migrate the block group read/creation code (bsc#1165949). - btrfs: migrate the block group ref counting stuff (bsc#1165949). - btrfs: migrate the block group removal code (bsc#1165949). - btrfs: migrate the block group space accounting helpers (bsc#1165949). - btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949). - btrfs: migrate the chunk allocation code (bsc#1165949). - btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949). - btrfs: migrate the delayed refs rsv code (bsc#1165949). - btrfs: migrate the dirty bg writeout code (bsc#1165949). - btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949). - btrfs: move and export can_overcommit (bsc#1165949). - btrfs: move basic block_group definitions to their own header (bsc#1165949). 
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949). - btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949). - btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949). - btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949). - btrfs: move dump_space_info to space-info.c (bsc#1165949). - btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949). - btrfs: move space_info to space-info.h (bsc#1165949). - btrfs: move the space_info handling code to space-info.c (bsc#1165949). - btrfs: move the space info update macro to space-info.h (bsc#1165949). - btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949). - btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949). - btrfs: only check priority tickets for priority flushing (bsc#1165949). - btrfs: only free reserved extent if we didn't insert it (bsc#1165949). - btrfs: only reserve metadata_size for inodes (bsc#1165949). - btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949). - btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949). - btrfs: pass root to various extent ref mod functions (bsc#1165949). - btrfs: refactor block group replication factor calculation to a helper (bsc#1165949). - btrfs: refactor priority_reclaim_metadata_space (bsc#1165949). - btrfs: refactor the ticket wakeup code (bsc#1165949). - btrfs: release metadata before running delayed refs (bsc#1165949). - btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949). - btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949). - btrfs: remove orig_bytes from reserve_ticket (bsc#1165949). - btrfs: Remove redundant argument of flush_space (bsc#1165949). - btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949). - btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949). - btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949). - btrfs: reserve delalloc metadata differently (bsc#1165949). - btrfs: reserve extra space during evict (bsc#1165949). - btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949). - btrfs: reset max_extent_size properly (bsc#1165949). - btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949). - btrfs: rework wake_all_tickets (bsc#1165949). - btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949). - btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949). - btrfs: run delayed iput at unlink time (bsc#1165949). - btrfs: run delayed iputs before committing (bsc#1165949). - btrfs: set max_extent_size properly (bsc#1165949). - btrfs: stop partially refilling tickets when releasing space (bsc#1165949). - btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949). - btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949). - btrfs: temporarily export fragment_free_space (bsc#1165949). - btrfs: temporarily export inc_block_group_ro (bsc#1165949). - btrfs: track DIO bytes in flight (bsc#1165949). - btrfs: unexport can_overcommit (bsc#1165949). - btrfs: unexport the temporary exported functions (bsc#1165949). - btrfs: unify error handling for ticket flushing (bsc#1165949). - btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949). - btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949). - btrfs: wait on caching when putting the bg cache (bsc#1165949). - btrfs: wait on ordered extents on abort cleanup (bsc#1165949). - btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949). - ceph: canonicalize server path in place (bsc#1168443). - ceph: remove the extra slashes in the server path (bsc#1168443). - cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510). - cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290). - cifs: add a debug macro that prints \\server\share for errors (bsc#1144333). - cifs: add missing mount option to /proc/mounts (bsc#1144333). - cifs: add new debugging macro cifs_server_dbg (bsc#1144333). - cifs: add passthrough for smb2 setinfo (bsc#1144333). - cifs: add SMB2_open() arg to return POSIX data (bsc#1144333). - cifs: add smb2 POSIX info level (bsc#1144333). - cifs: add SMB3 change notification support (bsc#1144333). - cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333). - cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333). - cifs: Add tracepoints for errors on flush or fsync (bsc#1144333). - cifs: Adjust indentation in smb2_open_file (bsc#1144333). - cifs: allow chmod to set mode bits using special sid (bsc#1144333). - cifs: Avoid doing network I/O while holding cache lock (bsc#1144333). - cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1144333). - cifs: Clean up DFS referral cache (bsc#1144333). - cifs: create a helper function to parse the query-directory response buffer (bsc#1144333). - cifs: do d_move in rename (bsc#1144333). - cifs: Do not display RDMA transport on reconnect (bsc#1144333). - cifs: do not ignore the SYNC flags in getattr (bsc#1144333). - cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333). - cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333). - cifs: enable change notification for SMB2.1 dialect (bsc#1144333). - cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333). - cifs: fix a comment for the timeouts when sending echos (bsc#1144333). - cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333). - cifs: fix dereference on ses before it is null checked (bsc#1144333). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). 
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333). - cifs: Fix mode output in debugging statements (bsc#1144333). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: fix NULL dereference in match_prepath (bsc#1144333). - cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333). - cifs: fix potential mismatch of UNC paths (bsc#1144333). - cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333). - cifs: Fix return value in __update_cache_entry (bsc#1144333). - cifs: fix soft mounts hanging in the reconnect code (bsc#1144333). - cifs: Fix task struct use-after-free on reconnect (bsc#1144333). - cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333). - cifs: get mode bits from special sid on stat (bsc#1144333). - cifs: Get rid of kstrdup_const()'d paths (bsc#1144333). - cifs: handle prefix paths in reconnect (bsc#1144333). - cifs: ignore cached share root handle closing errors (bsc#1166780). - cifs: Introduce helpers for finding TCP connection (bsc#1144333). - cifs: log warning message (once) if out of disk space (bsc#1144333). - cifs: make sure we do not overflow the max EA buffer size (bsc#1144333). - cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333). - cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333). - cifs: modefromsid: make room for 4 ACE (bsc#1144333). - cifs: modefromsid: write mode ACE first (bsc#1144333). - cifs: Optimize readdir on reparse points (bsc#1144333). - cifs: plumb smb2 POSIX dir enumeration (bsc#1144333). - cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333). - cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333). - cifs: print warning once if mounting with vers=1.0 (bsc#1144333). - cifs: refactor cifs_get_inode_info() (bsc#1144333). - cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333). 
- cifs: remove redundant assignment to variable rc (bsc#1144333). - cifs: remove set but not used variables (bsc#1144333). - cifs: remove set but not used variable 'server' (bsc#1144333). - cifs: remove unused variable (bsc#1144333). - cifs: remove unused variable 'sid_user' (bsc#1144333). - cifs: rename a variable in SendReceive() (bsc#1144333). - cifs: rename posix create rsp (bsc#1144333). - cifs: replace various strncpy with strscpy and similar (bsc#1144333). - cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333). - cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333). - cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333). - cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333). - cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333). - cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333). - cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333). - cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333). - cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333). - cifs: use compounding for open and first query-dir for readdir() (bsc#1144333). - cifs: Use #define in cifs_dbg (bsc#1144333). - cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333). - cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1144333). - cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333). - clk: qcom: rcg: Return failure for RCG update (bsc#1051510). - cls_rsvp: fix rsvp_policy (networking-stable-20_02_05). - configfs: Fix bool initialization/comparison (bsc#1051510). - cpufreq: powernv: Fix unsafe notifiers (bsc#1065729). - cpufreq: powernv: Fix use-after-free (bsc#1065729). - cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510). 
- cpuidle: Do not unset the driver if it is there already (bsc#1051510). - crypto: arm64/sha-ce - implement export/import (bsc#1051510). - crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510). - crypto: pcrypt - Fix user-after-free on module unload (git-fixes). - crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510). - debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). - debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). - debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). - debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). - debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). - debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). - debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). - debugfs: simplify __debugfs_remove_file() (bsc#1159198). - Delete patches which cause regression (bsc#1165527 ltc#184149). - Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403). - device: Use overflow helpers for devm_kmalloc() (bsc#1166003). - dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510). - dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510). - dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142). - driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510). - driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510). - driver core: Print device when resources present in really_probe() (bsc#1051510). - drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). - drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003). 
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). - drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003). - drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510). - drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279) - drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279) - drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510). - drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510). - drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510). - drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510). - drm/etnaviv: fix dumping of iommuv2 (bsc#1114279) - drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510). - drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279) - drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279) - drm/i915/userptr: fix size calculation (bsc#1114279) - drm/i915/userptr: Try to acquire the page lock around (bsc#1114279) - drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279) - drm/mediatek: Add gamma property according to hardware capability (bsc#1114279) - drm/mediatek: disable all the planes in atomic_disable (bsc#1114279) - drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510). - drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279) - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279) - drm/msm: Set dma maximum segment size for mdss (bsc#1051510). - drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510). - drm/msm: Use the correct dma_sync calls harder (bsc#1051510). - drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510). - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510). - drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510). 
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279) - drm: remove the newline for CRC source name (bsc#1051510). - dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510). - EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279). - efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893). - ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197). - ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862). - ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019). - ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288). - ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860). - ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861). - ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765). - ext4: fix incorrect inodes per group in error message (bsc#1168764). - ext4: fix potential race between online resizing and write operations (bsc#1166864). - ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867). - ext4: fix potential race between s_group_info online resizing and access (bsc#1166866). - ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870). - ext4: fix support for inode sizes > 1024 bytes (bsc#1164284). - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940). - ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868). - ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897). - fat: fix uninit-memory access for partial initialized inode (bsc#1051510). - fat: work around race with userspace's read via blockdev while mounting (bsc#1051510). - fbdev/g364fb: Fix build failure (bsc#1051510). 
- fbdev: potential information leak in do_fb_ioctl() (bsc#1114279) - fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279) - fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003). - fix memory leak in large read decrypt offload (bsc#1144333). - fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333). - fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333). - fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333). - fs: cifs: mute -Wunused-const-variable message (bsc#1144333). - fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333). - fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333). - fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes). - gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27). - gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05). - HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510). - HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510). - HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes). - hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20). - hv_netvsc: pass netvsc_device to rndis halt - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510). - i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510). - i2c: jz4780: silence log flood on txabrt (bsc#1051510). - IB/hfi1: Close window for pq and request coliding (bsc#1060463 ). - IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). - ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611). - ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). 
- ibmvnic: Do not process device remove during device reset (bsc#1065729). - ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729). - iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510). - iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510). - Input: add safety guards to input_set_keycode() (bsc#1168075). - Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510). - Input: edt-ft5x06 - work around first register access error (bsc#1051510). - Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510). - Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510). - Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510). - Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510). - Input: synaptics - switch T470s to RMI4 by default (bsc#1051510). - intel_th: Fix user-visible error codes (bsc#1051510). - intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510). - iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101). - iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057). - iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102). - iommu/dma: Fix MSI reservation allocation (bsc#1166730). - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731). - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732). - iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103). - iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733). 
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734). - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735). - ipmi: fix hung processes in __get_guid() (git-fixes). - ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510). - ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes). - ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01). - ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01). - ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325). - irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510). - irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510). - iwlegacy: Fix -Wcast-function-type (bsc#1051510). - iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632). - iwlwifi: mvm: Fix thermal zone registration (bsc#1051510). - kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911). - kabi fix for (bsc#1168202). - kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552). - kABI: restore debugfs_remove_recursive() (bsc#1159198). - kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488). - kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488). - KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021). - KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021). - KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021). - KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes). - KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes). - KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104). - l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05). - lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549). 
- libfs: fix infoleak in simple_attr_read() (bsc#1168881). - lib/raid6: add missing include for raid6test (bsc#1166003). - lib/raid6: add option to skip algo benchmarking (bsc#1166003). - lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003). - lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003). - locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549). - mac80211: consider more elements in parsing CRC (bsc#1051510). - mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510). - mac80211: free peer keys before vif down in mesh (bsc#1051510). - mac80211: mesh: fix RCU warning (bsc#1051510). - mac80211: only warn once on chanctx_conf being NULL (bsc#1051510). - mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510). - macsec: add missing attribute validation for port (bsc#1051510). - macsec: fix refcnt leak in module exit routine (bsc#1051510). - md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003). - md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003). - md: add a missing endianness conversion in check_sb_changes (bsc#1166003). - md: add bitmap_abort label in md_run (bsc#1166003). - md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003). - md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003). - md: avoid invalid memory access for array sb->dev_roles (bsc#1166003). - md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003). - md-bitmap: small cleanups (bsc#1166003). - md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003). - md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003). 
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003). - md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003). - md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003). - md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003). - md-cluster/raid10: support add disk under grow mode (bsc#1166003). - md-cluster: remove suspend_info (bsc#1166003). - md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003). - md: convert to kvmalloc (bsc#1166003). - md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003). - md: do not set In_sync if array is frozen (bsc#1166003). - md: fix an error code format and remove unsed bio_sector (bsc#1166003). - md: fix a typo s/creat/create (bsc#1166003). - md: fix for divide error in status_resync (bsc#1166003). - md: fix spelling typo and add necessary space (bsc#1166003). - md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003). - md: introduce new personality funciton start() (bsc#1166003). - md-linear: use struct_size() in kzalloc() (bsc#1166003). - md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003). - md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003). - md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003). - md: no longer compare spare disk superblock events in super_load (bsc#1166003). - md/r5cache: remove redundant pointer bio (bsc#1166003). - md/raid0: Fix an error message in raid0_make_request() (bsc#1166003). - md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003). - md/raid10: end bio when the device faulty (bsc#1166003). - md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003). - md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003). - md/raid10: read balance chooses idlest disk for SSD (bsc#1166003). 
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003). - md/raid1: avoid soft lockup under high load (bsc#1166003). - md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003). - md/raid1: end bio when the device faulty (bsc#1166003). - md/raid1: fail run raid1 array when active disk less than one (bsc#1166003). - md/raid1: Fix a warning message in remove_wb() (bsc#1166003). - md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003). - md/raid1: get rid of extra blank line and space (bsc#1166003). - md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003). - md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003). - md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003). - md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003). - md: remove a bogus comment (bsc#1166003). - md: remove redundant code that is no longer reachable (bsc#1166003). - md: remove set but not used variable 'bi_rdev' (bsc#1166003). - md: rename wb stuffs (bsc#1166003). - md: return -ENODEV if rdev has no mddev assigned (bsc#1166003). - md: use correct type in super_1_load (bsc#1166003). - md: use correct type in super_1_sync (bsc#1166003). - md: use correct types in md_bitmap_print_sb (bsc#1166003). - media: dib0700: fix rc endpoint lookup (bsc#1051510). - media: flexcop-usb: fix endpoint sanity check (git-fixes). - media: go7007: Fix URB type for interrupt handling (bsc#1051510). - media: ov519: add missing endpoint sanity checks (bsc#1168829). - media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510). - media: ov6650: Fix some format attributes not under control (bsc#1051510). - media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510). - media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510). - media: stv06xx: add missing descriptor sanity checks (bsc#1168854). 
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510). - media: usbtv: fix control-message timeouts (bsc#1051510). - media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507). - media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510). - media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510). - media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510). - mfd: dln2: Fix sanity checking for endpoints (bsc#1051510). - misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510). - mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510). - mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884). - mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600). - MM: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403). - mm: Use overflow helpers in kvmalloc() (bsc#1166003). - mwifiex: set needed_headroom, not hard_header_len (bsc#1051510). - net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549). - net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27). - net: dsa: bcm_sf2: Fix overflow checks (git-fixes). - net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11). - net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20). - net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19). - net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423). - net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197). - net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01). - netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199). - net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20). 
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05). - net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27). - net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27). - net, ip_tunnel: fix namespaces move (networking-stable-20_01_27). - net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09). - net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09). - net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858). - net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09). - net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510). - net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510). - net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510). - net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01). - net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27). - net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30). - net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05). - net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09). - net_sched: fix datalen for ematch (networking-stable-20_01_27). - net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19). - net_sched: keep alloc_hash updated after hash allocation (git-fixes). - net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19). - net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11). - net/smc: add fallback check to connect() (git-fixes). - net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19). - net/smc: fix refcount non-blocking connect() -part 2 (git-fixes). 
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05). - net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11). - net-sysfs: Fix reference count leak (networking-stable-20_01_27). - net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09). - net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27). - net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11). - net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20). - NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510). - NFC: pn544: Fix a typo in a debug message (bsc#1051510). - nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01). - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510). - NFS: send state management on a single connection (bsc#1167005). - nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983). - objtool: Add is_static_jump() helper (bsc#1169514). - objtool: Add relocation check for alternative sections (bsc#1169514). - OMAP: DSS2: remove non-zero check on variable r (bsc#1114279) - orinoco: avoid assertion in case of NULL pointer (bsc#1051510). - padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes). - partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763). - PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510). - PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510). - PCI: pciehp: Fix MSI interrupt race (bsc#1159037). - PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510). - perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279). - perf: qcom_l2: fix column exclusion check (git-fixes). - pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510). 
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510). - pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510). - pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510). - pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11). - platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510). - PM: core: Fix handling of devices deleted during system-wide resume (git-fixes). - powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868). - powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868). - powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734). - powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686). - powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729). - powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729). - powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868). - powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659). - powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498). - powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498). - powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498). - powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091). - powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868). - powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030). - powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030). - pwm: bcm2835: Dynamically allocate base (bsc#1051510). - pwm: meson: Fix confusing indentation (bsc#1051510). - pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510). - pwm: rcar: Fix late Runtime PM enablement (bsc#1051510). 
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510). - pxa168fb: fix release function mismatch in probe failure (bsc#1051510). - qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01). - qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510). - qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510). - raid10: refactor common wait code from regular read/write request (bsc#1166003). - raid1: factor out a common routine to handle the completion of sync write (bsc#1166003). - raid1: simplify raid1_error function (bsc#1166003). - raid1: use an int as the return value of raise_barrier() (bsc#1166003). - raid5: block failing device if raid will be failed (bsc#1166003). - raid5-cache: Need to do start() part job after adding journal device (bsc#1166003). - raid5: copy write hint from origin bio to stripe (bsc#1166003). - raid5: do not increment read_errors on EILSEQ return (bsc#1166003). - raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003). - raid5 improve too many read errors msg by adding limits (bsc#1166003). - raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003). - raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003). - raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003). - raid5: set write hint for PPL (bsc#1166003). - raid5: use bio_end_sector in r5_next_bio (bsc#1166003). - raid6/test: fix a compilation error (bsc#1166003). - raid6/test: fix a compilation warning (bsc#1166003). - remoteproc: Initialize rproc_class before use (bsc#1051510). - Revert "HID: add NOGET quirk for Eaton Ellipse MAX UPS" (git-fixes). - Revert "locking/pvqspinlock: Do not wait if vCPU is preempted" (bsc#1050549). - rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes). - rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510). - rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05). 
- s390/cio: avoid duplicated 'ADD' uevents (git-fixes). - s390/cio: generate delayed uevent for vfio-ccw subchannels (git-fixes). - s390/cpuinfo: fix wrong output when CPU0 is offline (git-fixes). - s390/diag: fix display of diagnose call statistics (git-fixes). - s390/gmap: return proper error code on ksm unsharing (git-fixes). - s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102). - s390/qeth: cancel RX reclaim work earlier (git-fixes). - s390/qeth: do not return -ENOTSUPP to userspace (git-fixes). - s390/qeth: do not warn for napi with 0 budget (git-fixes). - s390/qeth: fix off-by-one in RX copybreak check (git-fixes). - s390/qeth: fix promiscuous mode after reset (git-fixes). - s390/qeth: fix qdio teardown after early init error (git-fixes). - s390/qeth: handle error due to unsupported transport mode (git-fixes). - s390/qeth: handle error when backing RX buffer (git-fixes). - s390/qeth: lock the card while changing its hsuid (git-fixes). - s390/qeth: support net namespaces for L3 devices (git-fixes). - s390/time: Fix clk type in get_tod_clock (git-fixes). - scsi: core: avoid repetitive logging of device offline messages (bsc#1145929). - scsi: core: kABI fix offline_already (bsc#1145929). - scsi: fnic: do not queue commands during fwreset (bsc#1146539). - scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551). - scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551). - scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551). - scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). Refresh sorted patches. - scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551). 
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551). - scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551). - scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551). - scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551). - scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551). - scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424). - scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424). - scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424). - scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424). - scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424). - scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424). - scsi: qla2xxx: add more FW debug information (bsc#1157424). - scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424). - scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424). - scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424). - scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424). - scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424). - scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424). - scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424). - scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424). 
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424). - scsi: qla2xxx: Display message for FCE enabled (bsc#1157424). - scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424). - scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424). - scsi: qla2xxx: fix FW resource count values (bsc#1157424). - scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424). - scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424). - scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424). - scsi: qla2xxx: Fix RDP respond data format (bsc#1157424). - scsi: qla2xxx: Fix RDP response size (bsc#1157424). - scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424). - scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424). - scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424). - scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424). - scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424). - scsi: qla2xxx: Improved secure flash support messages (bsc#1157424). - scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424). - scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424). - scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424). - scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424). - scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424). - scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424). - scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424). - scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424). - scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424). - scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424). - scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424). 
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424). - scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424). - scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424). - scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424). - scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424). - scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424). - scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424). - scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point (git-fixes). - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11). - sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01). - serdev: ttyport: restore client ops on deregistration (bsc#1051510). - smb3: add debug messages for closing unmatched open (bsc#1144333). - smb3: Add defines for new information level, FileIdInformation (bsc#1144333). - smb3: add dynamic tracepoints for flush and close (bsc#1144333). - smb3: add missing flag definitions (bsc#1144333). - smb3: Add missing reparse tags (bsc#1144333). - smb3: add missing worker function for SMB3 change notify (bsc#1144333). - smb3: add mount option to allow forced caching of read only share (bsc#1144333). - smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333). - smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333). - smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333). - smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333). - smb3: allow disabling requesting leases (bsc#1144333). - smb3: allow parallelizing decryption of reads (bsc#1144333). 
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333). - SMB3: Backup intent flag missing from some more ops (bsc#1144333). - smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333). - smb3: display max smb3 requests in flight at any one time (bsc#1144333). - smb3: dump in_send and num_waiters stats counters by default (bsc#1144333). - smb3: enable offload of decryption of large reads via mount option (bsc#1144333). - smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333). - smb3: fix mode passed in on create for modetosid mount option (bsc#1144333). - smb3: fix performance regression with setting mtime (bsc#1144333). - smb3: fix potential null dereference in decrypt offload (bsc#1144333). - smb3: fix problem with null cifs super block with previous patch (bsc#1144333). - smb3: Fix regression in time handling (bsc#1144333). - smb3: improve check for when we send the security descriptor context on create (bsc#1144333). - smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333). - smb3: missing ACL related flags (bsc#1144333). - smb3: only offload decryption of read responses if multiple requests (bsc#1144333). - smb3: pass mode bits into create calls (bsc#1144333). - smb3: print warning once if posix context returned on open (bsc#1144333). - smb3: query attributes on file close (bsc#1144333). - smb3: remove noisy debug message and minor cleanup (bsc#1144333). - smb3: remove unused flag passed into close functions (bsc#1144333). - staging: ccree: use signal safe completion wait (git-fixes). - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510). - staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). 
- staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510). - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510). - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510). - SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). - tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). - tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729). - tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510). - ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510). - tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510). - USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes). - USB: core: add endpoint-blacklist quirk (git-fixes). - USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes). 
- USB: Disable LPM on WD19's Realtek Hub (git-fixes). - USB: dwc2: Fix in ISOC request length checking (git-fixes). - USB: Fix novation SourceControl XL after suspend (git-fixes). - USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes). - USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510). - USB: host: xhci-plat: add a shutdown (git-fixes). - USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes). - USB: hub: Do not record a connect-change event during reset-resume (git-fixes). - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes). - USB: misc: iowarrior: add support for the 100 device (git-fixes). - USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes). - USB: musb: Disable pullup at init (git-fixes). - USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510). - USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes). - USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes). - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes). - USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510). - USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes). - USB: serial: pl2303: add device-id for HP LD381 (git-fixes). - USB: storage: Add quirk for Samsung Fit flash (git-fixes). - USB: uas: fix a plug & unplug racing (git-fixes). - USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes). - uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507) - vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279) - virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes). - vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11). - vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11). 
- vxlan: fix tos value before xmit (networking-stable-20_01_11). - x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279). - x86/mce/amd: Fix kobject lifetime (bsc#1114279). - x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279). - x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes). - xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes). - xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510). - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP4:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1119=1

Package List:

- SUSE Linux Enterprise Server 12-SP4 (noarch):

  kernel-devel-azure-4.12.14-6.40.1
  kernel-source-azure-4.12.14-6.40.1

- SUSE Linux Enterprise Server 12-SP4 (x86_64):

  kernel-azure-4.12.14-6.40.1
  kernel-azure-base-4.12.14-6.40.1
  kernel-azure-base-debuginfo-4.12.14-6.40.1
  kernel-azure-debuginfo-4.12.14-6.40.1
  kernel-azure-debugsource-4.12.14-6.40.1
  kernel-azure-devel-4.12.14-6.40.1
  kernel-syms-azure-4.12.14-6.40.1

References:

https://www.suse.com/security/cve/CVE-2019-19768.html
https://www.suse.com/security/cve/CVE-2019-19770.html
https://www.suse.com/security/cve/CVE-2019-3701.html
https://www.suse.com/security/cve/CVE-2019-9458.html
https://www.suse.com/security/cve/CVE-2020-10942.html
https://www.suse.com/security/cve/CVE-2020-11494.html
https://www.suse.com/security/cve/CVE-2020-11669.html
https://www.suse.com/security/cve/CVE-2020-8647.html
https://www.suse.com/security/cve/CVE-2020-8649.html
https://www.suse.com/security/cve/CVE-2020-8834.html
https://www.suse.com/security/cve/CVE-2020-9383.html
https://bugzilla.suse.com/1044231
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1051858
https://bugzilla.suse.com/1056686
https://bugzilla.suse.com/1060463
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1071995
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1104967
https://bugzilla.suse.com/1109911
https://bugzilla.suse.com/1111666
https://bugzilla.suse.com/1114279
https://bugzilla.suse.com/1118338
https://bugzilla.suse.com/1120386
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1136157
https://bugzilla.suse.com/1137325
https://bugzilla.suse.com/1144333
https://bugzilla.suse.com/1145051
https://bugzilla.suse.com/1145929
https://bugzilla.suse.com/1146539
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1154385
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1158552
https://bugzilla.suse.com/1158983
https://bugzilla.suse.com/1159037
https://bugzilla.suse.com/1159142
https://bugzilla.suse.com/1159198
https://bugzilla.suse.com/1159199
https://bugzilla.suse.com/1159285
https://bugzilla.suse.com/1160659
https://bugzilla.suse.com/1161951
https://bugzilla.suse.com/1162929
https://bugzilla.suse.com/1162931
https://bugzilla.suse.com/1163403
https://bugzilla.suse.com/1163508
https://bugzilla.suse.com/1163897
https://bugzilla.suse.com/1164078
https://bugzilla.suse.com/1164284
https://bugzilla.suse.com/1164507
https://bugzilla.suse.com/1164893
https://bugzilla.suse.com/1165019
https://bugzilla.suse.com/1165111
https://bugzilla.suse.com/1165182
https://bugzilla.suse.com/1165404
https://bugzilla.suse.com/1165488
https://bugzilla.suse.com/1165527
https://bugzilla.suse.com/1165741
https://bugzilla.suse.com/1165813
https://bugzilla.suse.com/1165873
https://bugzilla.suse.com/1165949
https://bugzilla.suse.com/1165984
https://bugzilla.suse.com/1165985
https://bugzilla.suse.com/1166003
https://bugzilla.suse.com/1166101
https://bugzilla.suse.com/1166102
https://bugzilla.suse.com/1166103
https://bugzilla.suse.com/1166104
https://bugzilla.suse.com/1166632
https://bugzilla.suse.com/1166730
https://bugzilla.suse.com/1166731
https://bugzilla.suse.com/1166732
https://bugzilla.suse.com/1166733
https://bugzilla.suse.com/1166734
https://bugzilla.suse.com/1166735
https://bugzilla.suse.com/1166780
https://bugzilla.suse.com/1166860
https://bugzilla.suse.com/1166861
https://bugzilla.suse.com/1166862
https://bugzilla.suse.com/1166864
https://bugzilla.suse.com/1166866
https://bugzilla.suse.com/1166867
https://bugzilla.suse.com/1166868
https://bugzilla.suse.com/1166870
https://bugzilla.suse.com/1166940
https://bugzilla.suse.com/1167005
https://bugzilla.suse.com/1167288
https://bugzilla.suse.com/1167290
https://bugzilla.suse.com/1167316 https://bugzilla.suse.com/1167421 https://bugzilla.suse.com/1167423 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168202 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168443 https://bugzilla.suse.com/1168486 https://bugzilla.suse.com/1168760 https://bugzilla.suse.com/1168762 https://bugzilla.suse.com/1168763 https://bugzilla.suse.com/1168764 https://bugzilla.suse.com/1168765 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1168881 https://bugzilla.suse.com/1168884 https://bugzilla.suse.com/1168952 https://bugzilla.suse.com/1169057 https://bugzilla.suse.com/1169390 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169625 From sle-security-updates at lists.suse.com Tue Apr 28 04:16:40 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 28 Apr 2020 12:16:40 +0200 (CEST) Subject: SUSE-SU-2020:1126-1: important: Security update for apache2 Message-ID: <20200428101640.366E2FE29@maintenance.suse.de> SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1126-1 Rating: important References: #1168404 #1168407 #1169066 Cross-References: CVE-2020-1927 CVE-2020-1934 CVE-2020-1938 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. 
Description: This update for apache2 fixes the following issues: - CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404). - CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407). - CVE-2020-1938: mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1126=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1126=1 - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1126=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1126=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1126=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1126=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): apache2-2.4.33-3.30.1 apache2-debuginfo-2.4.33-3.30.1 apache2-debugsource-2.4.33-3.30.1 apache2-devel-2.4.33-3.30.1 apache2-prefork-2.4.33-3.30.1 apache2-prefork-debuginfo-2.4.33-3.30.1 apache2-utils-2.4.33-3.30.1 apache2-utils-debuginfo-2.4.33-3.30.1 apache2-worker-2.4.33-3.30.1 apache2-worker-debuginfo-2.4.33-3.30.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): apache2-doc-2.4.33-3.30.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): apache2-2.4.33-3.30.1 apache2-debuginfo-2.4.33-3.30.1 apache2-debugsource-2.4.33-3.30.1 apache2-devel-2.4.33-3.30.1 apache2-prefork-2.4.33-3.30.1 
apache2-prefork-debuginfo-2.4.33-3.30.1 apache2-utils-2.4.33-3.30.1 apache2-utils-debuginfo-2.4.33-3.30.1 apache2-worker-2.4.33-3.30.1 apache2-worker-debuginfo-2.4.33-3.30.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): apache2-doc-2.4.33-3.30.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): apache2-2.4.33-3.30.1 apache2-debuginfo-2.4.33-3.30.1 apache2-debugsource-2.4.33-3.30.1 apache2-devel-2.4.33-3.30.1 apache2-prefork-2.4.33-3.30.1 apache2-prefork-debuginfo-2.4.33-3.30.1 apache2-utils-2.4.33-3.30.1 apache2-utils-debuginfo-2.4.33-3.30.1 apache2-worker-2.4.33-3.30.1 apache2-worker-debuginfo-2.4.33-3.30.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): apache2-doc-2.4.33-3.30.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): apache2-debuginfo-2.4.33-3.30.1 apache2-debugsource-2.4.33-3.30.1 apache2-event-2.4.33-3.30.1 apache2-event-debuginfo-2.4.33-3.30.1 apache2-example-pages-2.4.33-3.30.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): apache2-2.4.33-3.30.1 apache2-debuginfo-2.4.33-3.30.1 apache2-debugsource-2.4.33-3.30.1 apache2-devel-2.4.33-3.30.1 apache2-prefork-2.4.33-3.30.1 apache2-prefork-debuginfo-2.4.33-3.30.1 apache2-utils-2.4.33-3.30.1 apache2-utils-debuginfo-2.4.33-3.30.1 apache2-worker-2.4.33-3.30.1 apache2-worker-debuginfo-2.4.33-3.30.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): apache2-doc-2.4.33-3.30.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): apache2-2.4.33-3.30.1 apache2-debuginfo-2.4.33-3.30.1 apache2-debugsource-2.4.33-3.30.1 apache2-devel-2.4.33-3.30.1 apache2-prefork-2.4.33-3.30.1 apache2-prefork-debuginfo-2.4.33-3.30.1 apache2-utils-2.4.33-3.30.1 apache2-utils-debuginfo-2.4.33-3.30.1 apache2-worker-2.4.33-3.30.1 apache2-worker-debuginfo-2.4.33-3.30.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): 
apache2-doc-2.4.33-3.30.1 References: https://www.suse.com/security/cve/CVE-2020-1927.html https://www.suse.com/security/cve/CVE-2020-1934.html https://www.suse.com/security/cve/CVE-2020-1938.html https://bugzilla.suse.com/1168404 https://bugzilla.suse.com/1168407 https://bugzilla.suse.com/1169066 From sle-security-updates at lists.suse.com Tue Apr 28 04:18:23 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 28 Apr 2020 12:18:23 +0200 (CEST) Subject: SUSE-SU-2020:1125-1: moderate: Security update for ovmf Message-ID: <20200428101823.1C813FE29@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1125-1 Rating: moderate References: #1163927 Cross-References: CVE-2019-14559 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ovmf fixes the following issues: - CVE-2019-14559: Fixed a memory leak in ArpOnFrameRcvdDpc() (bsc#1163927). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1125=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.32.3 ovmf-tools-2017+git1510945757.b2662641d5-5.32.3 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.32.3 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.32.3 References: https://www.suse.com/security/cve/CVE-2019-14559.html https://bugzilla.suse.com/1163927 From sle-security-updates at lists.suse.com Tue Apr 28 04:19:52 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 28 Apr 2020 12:19:52 +0200 (CEST) Subject: SUSE-SU-2020:1124-1: important: Security update for xen Message-ID: <20200428101952.E6893FE29@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1124-1 Rating: important References: #1027519 #1134506 #1155200 #1157490 #1160932 #1165206 #1167007 #1167152 #1168140 #1168142 #1168143 #1169392 Cross-References: CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has 7 fixes is now available. Description: This update for xen fixes the following issues: Security issues fixed: - CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392). - CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140). 
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142). - CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143). - arm: a CPU may speculate past the ERET instruction (bsc#1160932). Non-security issues fixed: - Xenstored Crashed during VM install (bsc#1167152) - DomU hang: soft lockup CPU #0 stuck under high load (bsc#1165206, bsc#1134506) - Update API compatibility versions, fixes issues for libvirt. (bsc#1167007, bsc#1157490) - aacraid blocks xen commands (bsc#1155200) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1124=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1124=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1124=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64): xen-4.12.2_04-3.15.1 xen-debugsource-4.12.2_04-3.15.1 xen-devel-4.12.2_04-3.15.1 xen-tools-4.12.2_04-3.15.1 xen-tools-debuginfo-4.12.2_04-3.15.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 x86_64): xen-debugsource-4.12.2_04-3.15.1 xen-doc-html-4.12.2_04-3.15.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64): xen-4.12.2_04-3.15.1 xen-devel-4.12.2_04-3.15.1 xen-libs-4.12.2_04-3.15.1 xen-libs-debuginfo-4.12.2_04-3.15.1 xen-tools-4.12.2_04-3.15.1 xen-tools-debuginfo-4.12.2_04-3.15.1 xen-tools-domU-4.12.2_04-3.15.1 xen-tools-domU-debuginfo-4.12.2_04-3.15.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): xen-libs-32bit-4.12.2_04-3.15.1 
xen-libs-32bit-debuginfo-4.12.2_04-3.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): xen-debugsource-4.12.2_04-3.15.1 xen-libs-4.12.2_04-3.15.1 xen-libs-debuginfo-4.12.2_04-3.15.1 xen-tools-domU-4.12.2_04-3.15.1 xen-tools-domU-debuginfo-4.12.2_04-3.15.1 References: https://www.suse.com/security/cve/CVE-2020-11739.html https://www.suse.com/security/cve/CVE-2020-11740.html https://www.suse.com/security/cve/CVE-2020-11741.html https://www.suse.com/security/cve/CVE-2020-11742.html https://www.suse.com/security/cve/CVE-2020-11743.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1134506 https://bugzilla.suse.com/1155200 https://bugzilla.suse.com/1157490 https://bugzilla.suse.com/1160932 https://bugzilla.suse.com/1165206 https://bugzilla.suse.com/1167007 https://bugzilla.suse.com/1167152 https://bugzilla.suse.com/1168140 https://bugzilla.suse.com/1168142 https://bugzilla.suse.com/1168143 https://bugzilla.suse.com/1169392 From sle-security-updates at lists.suse.com Tue Apr 28 04:22:48 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 28 Apr 2020 12:22:48 +0200 (CEST) Subject: SUSE-SU-2020:1123-1: important: Security update for the Linux Kernel Message-ID: <20200428102248.61598FE29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1123-1 Rating: important References: #1044231 #1051510 #1051858 #1056686 #1060463 #1065729 #1083647 #1085030 #1103990 #1103992 #1104353 #1104745 #1109837 #1109911 #1111666 #1111974 #1112178 #1112374 #1113956 #1114279 #1114685 #1119680 #1120386 #1127611 #1133021 #1134090 #1136157 #1141895 #1144333 #1145051 #1146539 #1157424 #1158187 #1158983 #1159198 #1159285 #1160659 #1161561 #1161951 #1162171 #1162929 #1162931 #1164078 #1164507 #1164777 #1164780 #1164893 #1165019 #1165111 #1165182 #1165185 #1165211 #1165404 #1165488 
#1165527 #1165741 #1165813 #1165823 #1165873 #1165929 #1165949 #1165950 #1165980 #1165984 #1165985 #1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166730 #1166731 #1166732 #1166733 #1166734 #1166735 #1166982 #1167005 #1167216 #1167290 #1167316 #1167421 #1167423 #1167627 #1167629 #1168075 #1168273 #1168276 #1168295 #1168367 #1168424 #1168443 #1168552 #1168829 #1168854 #1169013 #1169307 #1169308
Cross-References: CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942 CVE-2020-11494 CVE-2020-8647 CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products:
SUSE Linux Enterprise Module for Realtime 15-SP1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
______________________________________________________________________________
An update that solves 10 vulnerabilities and has 89 fixes is now available.
Description: The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931). - CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111). - CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295). - CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386). - CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285). - CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198). The following non-security bugs were fixed: - ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510). - ACPI: watchdog: Fix gas->access_width usage (bsc#1051510). - ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013). - ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510). - ALSA: core: Add snd_device_get_state() helper (bsc#1051510). - ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: emu10k1: Fix endianness annotations (bsc#1051510). - ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510). - ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: hda: default enable CA0132 DSP support (bsc#1051510). - ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666). - ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666). - ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666). - ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510). 
- ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666). - ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666). - ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes). - ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510). - ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes). - ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666). - ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666). - ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666). - ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510). - ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510). - ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510). - ALSA: hda: Use scnprintf() for string truncation (bsc#1051510). - ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510). - ALSA: info: remove redundant assignment to variable c (bsc#1051510). - ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510). - ALSA: line6: Fix endless MIDI read loop (git-fixes). - ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510). - ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510). - ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes). - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes). - ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510). - ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510). - ALSA: seq: oss: Fix running status after receiving sysex (git-fixes). - ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes). - ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666). 
- ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666). - ALSA: usb-audio: Add delayed_register option (bsc#1051510). - ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666). - ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510). - ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666). - ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510). - ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510). - ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666). - ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666). - ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510). - ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510). - ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510). - ALSA: usb-audio: unlock on error in probe (bsc#1111666). - ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666). - ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510). - ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510). - ALSA: via82xx: Fix endianness annotations (bsc#1051510). - amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956) - apei/ghes: Do not delay GHES polling (bsc#1166982). - ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510). - ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510). - ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510). 
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
- binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bnxt_en: Improve device shutdown method (bsc#1104745).
- bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: Remove redundant mirror_num arg (bsc#1168273).
- btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: sink extent_write_full_page tree argument (bsc#1168273).
- btrfs: sink extent_write_locked_range tree parameter (bsc#1168273).
- btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273).
- btrfs: sink get_extent parameter to extent_readpages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273).
- btrfs: sink get_extent parameter to extent_writepages (bsc#1168273).
- btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273).
- btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: unify extent_page_data type passed as void (bsc#1168273).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666).
- clk: imx: Align imx sc clock msg structs to 4 (git-fixes).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837).
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666).
- Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.
- devlink: report 0 after hitting end in region read (bsc#1109837).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956)
- drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666).
- drm/amd/display: Fix wrongly passed static prefix (bsc#1111666).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amd/dm/mst: Ignore payload update failures (bsc#1112178)
- drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666).
- drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666).
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes).
- drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915: Program MBUS with rmw during initialization (git-fixes).
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/lease: fix WARNING in idr_destroy (bsc#1113956)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- drm/sun4i: de2/de3: Remove unsupported VI layer formats (git-fixes).
- drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666).
- drm/sun4i: Fix DE2 VI layer format support (git-fixes).
- drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666).
- drm/vc4: Fix HDMI mode validation (git-fixes).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC, ghes: Make platform-based whitelisting x86-only (bsc#1158187).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367).
- efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367).
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666).
- firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666).
- firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes).
- firmware: imx: scu: Ensure sequential TX (git-fixes).
- firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes).
- fix memory leak in large read decrypt offload (bsc#1144333).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipmi: fix hung processes in __get_guid() (bsc#1111666).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for pcie_port_bus_type change (bsc#1161561).
- kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950).
- libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929).
- libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md/raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md/raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md/raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374).
- mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- net: Fix Tx hash bound checking (bsc#1109837).
- net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlx5: Fix lowest FDB pool size (bsc#1103990).
- net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990).
- net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net/tls: fix async operation (bsc#1109837).
- net/tls: free the record on encryption error (bsc#1109837).
- net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme: Fix parsing of ANA log page (bsc#1166658).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510).
- nvme: Translate more status codes to blk_status_t (bsc#1156510).
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561).
- PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561).
- PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561).
- PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561).
- PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561).
- PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/AER: Take reference on error devices (bsc#1161561).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI/ERR: Use slot reset if available (bsc#1161561).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509). - powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498). - powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498). - powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091). - powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868). - powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030). - powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030). - ptr_ring: add include of linux/mm.h (bsc#1109837). - qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510). - raid10: refactor common wait code from regular read/write request (bsc#1166003). - raid1: factor out a common routine to handle the completion of sync write (bsc#1166003). - raid1: simplify raid1_error function (bsc#1166003). - raid1: use an int as the return value of raise_barrier() (bsc#1166003). - raid5: block failing device if raid will be failed (bsc#1166003). - raid5: do not increment read_errors on EILSEQ return (bsc#1166003). - raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003). - raid5 improve too many read errors msg by adding limits (bsc#1166003). - raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003). - raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003). - raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003). - raid5: set write hint for PPL (bsc#1166003). - raid5: use bio_end_sector in r5_next_bio (bsc#1166003). - raid6/test: fix a compilation error (bsc#1166003). - raid6/test: fix a compilation warning (bsc#1166003). - RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992). - RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685). - RDMA/uverbs: Verify MR access flags (bsc#1103992). 
- remoteproc: Initialize rproc_class before use (bsc#1051510). - rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes). - rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510). - rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05). - s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102). - s390/pci: Fix unexpected write combine on resource (git-fixes). - s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108). - s390/uv: Fix handling of length extensions (git-fixes). - scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: fnic: do not queue commands during fwreset (bsc#1146539). - scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551). - scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551). - scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551). - scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551). - scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551). - scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551). - scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551). - scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551). 
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551). - scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551). - scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211). 
- scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211). - scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211). 
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424). - scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424). - scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424). - scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424). - scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424). - scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424). - scsi: qla2xxx: add more FW debug information (bsc#1157424). - scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424). - scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424). - scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424). - scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424). - scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424). - scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424). - scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424). - scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424). - scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424). - scsi: qla2xxx: Display message for FCE enabled (bsc#1157424). - scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424). - scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424). - scsi: qla2xxx: fix FW resource count values (bsc#1157424). - scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424). - scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424). - scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424). - scsi: qla2xxx: Fix RDP respond data format (bsc#1157424). - scsi: qla2xxx: Fix RDP response size (bsc#1157424). - scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424). - scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424). 
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424). - scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424). - scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424). - scsi: qla2xxx: Improved secure flash support messages (bsc#1157424). - scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424). - scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424). - scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424). - scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424). - scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424). - scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424). - scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424). - scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424). - scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424). - scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424). - scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424). - scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424). - scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424). - scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424). - scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424). - scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424). - scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424). - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11). - smb3: add debug messages for closing unmatched open (bsc#1144333). 
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333). - smb3: add dynamic tracepoints for flush and close (bsc#1144333). - smb3: add missing flag definitions (bsc#1144333). - smb3: Add missing reparse tags (bsc#1144333). - smb3: add missing worker function for SMB3 change notify (bsc#1144333). - smb3: add mount option to allow forced caching of read only share (bsc#1144333). - smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333). - smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333). - smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333). - smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333). - smb3: allow disabling requesting leases (bsc#1144333). - smb3: allow parallelizing decryption of reads (bsc#1144333). - smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333). - SMB3: Backup intent flag missing from some more ops (bsc#1144333). - smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333). - smb3: display max smb3 requests in flight at any one time (bsc#1144333). - smb3: dump in_send and num_waiters stats counters by default (bsc#1144333). - smb3: enable offload of decryption of large reads via mount option (bsc#1144333). - smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333). - smb3: fix mode passed in on create for modetosid mount option (bsc#1144333). - smb3: fix performance regression with setting mtime (bsc#1144333). - smb3: fix potential null dereference in decrypt offload (bsc#1144333). - smb3: fix problem with null cifs super block with previous patch (bsc#1144333). - smb3: Fix regression in time handling (bsc#1144333). - smb3: improve check for when we send the security descriptor context on create (bsc#1144333). - smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333). 
- smb3: missing ACL related flags (bsc#1144333). - smb3: only offload decryption of read responses if multiple requests (bsc#1144333). - smb3: pass mode bits into create calls (bsc#1144333). - smb3: print warning once if posix context returned on open (bsc#1144333). - smb3: query attributes on file close (bsc#1144333). - smb3: remove noisy debug message and minor cleanup (bsc#1144333). - smb3: remove unused flag passed into close functions (bsc#1144333). - staging: ccree: use signal safe completion wait (git-fixes). - staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). - SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992). - swiotlb: do not panic on mapping failures (bsc#1162171). - swiotlb: remove the overflow buffer (bsc#1162171). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). - tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). - tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729). 
- ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837). - USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510). - USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes). - USB: core: add endpoint-blacklist quirk (git-fixes). - USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: Disable LPM on WD19's Realtek Hub (git-fixes). - USB: dwc2: Fix in ISOC request length checking (git-fixes). - USB: Fix novation SourceControl XL after suspend (git-fixes). - USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes). - USB: host: xhci-plat: add a shutdown (git-fixes). - USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes). - USB: hub: Do not record a connect-change event during reset-resume (git-fixes). - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes). - USB: misc: iowarrior: add support for the 100 device (git-fixes). - USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes). - USB: musb: Disable pullup at init (git-fixes). - USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes). - USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes). - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes). - USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes). - USB: serial: pl2303: add device-id for HP LD381 (git-fixes). - USB: storage: Add quirk for Samsung Fit flash (git-fixes). - USB: uas: fix a plug & unplug racing (git-fixes). - USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes). 
- uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507) - vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279) - virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes). - virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). - vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11). - vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11). - vxlan: fix tos value before xmit (networking-stable-20_01_11). - x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279). - x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895). - x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895). - x86/mce/amd: Fix kobject lifetime (bsc#1114279). - x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279). - x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes). - xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes). - xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510). - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Realtime 15-SP1: zypper in -t patch SUSE-SLE-Module-RT-15-SP1-2020-1123=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1123=1 Package List: - SUSE Linux Enterprise Module for Realtime 15-SP1 (x86_64): cluster-md-kmp-rt-4.12.14-14.23.1 cluster-md-kmp-rt-debuginfo-4.12.14-14.23.1 dlm-kmp-rt-4.12.14-14.23.1 dlm-kmp-rt-debuginfo-4.12.14-14.23.1 gfs2-kmp-rt-4.12.14-14.23.1 gfs2-kmp-rt-debuginfo-4.12.14-14.23.1 kernel-rt-4.12.14-14.23.1 kernel-rt-base-4.12.14-14.23.1 kernel-rt-base-debuginfo-4.12.14-14.23.1 kernel-rt-debuginfo-4.12.14-14.23.1 kernel-rt-debugsource-4.12.14-14.23.1 kernel-rt-devel-4.12.14-14.23.1 kernel-rt-devel-debuginfo-4.12.14-14.23.1 kernel-rt_debug-debuginfo-4.12.14-14.23.1 kernel-rt_debug-debugsource-4.12.14-14.23.1 kernel-rt_debug-devel-4.12.14-14.23.1 kernel-rt_debug-devel-debuginfo-4.12.14-14.23.1 kernel-syms-rt-4.12.14-14.23.1 ocfs2-kmp-rt-4.12.14-14.23.1 ocfs2-kmp-rt-debuginfo-4.12.14-14.23.1 - SUSE Linux Enterprise Module for Realtime 15-SP1 (noarch): kernel-devel-rt-4.12.14-14.23.1 kernel-source-rt-4.12.14-14.23.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): cluster-md-kmp-rt_debug-4.12.14-14.23.1 cluster-md-kmp-rt_debug-debuginfo-4.12.14-14.23.1 dlm-kmp-rt_debug-4.12.14-14.23.1 dlm-kmp-rt_debug-debuginfo-4.12.14-14.23.1 gfs2-kmp-rt_debug-4.12.14-14.23.1 gfs2-kmp-rt_debug-debuginfo-4.12.14-14.23.1 kernel-rt-debuginfo-4.12.14-14.23.1 kernel-rt-debugsource-4.12.14-14.23.1 kernel-rt-extra-4.12.14-14.23.1 kernel-rt-extra-debuginfo-4.12.14-14.23.1 kernel-rt-livepatch-devel-4.12.14-14.23.1 kernel-rt_debug-4.12.14-14.23.1 kernel-rt_debug-base-4.12.14-14.23.1 kernel-rt_debug-base-debuginfo-4.12.14-14.23.1 kernel-rt_debug-debuginfo-4.12.14-14.23.1 kernel-rt_debug-debugsource-4.12.14-14.23.1 
kernel-rt_debug-extra-4.12.14-14.23.1 kernel-rt_debug-extra-debuginfo-4.12.14-14.23.1 kernel-rt_debug-livepatch-devel-4.12.14-14.23.1 kselftests-kmp-rt-4.12.14-14.23.1 kselftests-kmp-rt-debuginfo-4.12.14-14.23.1 kselftests-kmp-rt_debug-4.12.14-14.23.1 kselftests-kmp-rt_debug-debuginfo-4.12.14-14.23.1 ocfs2-kmp-rt_debug-4.12.14-14.23.1 ocfs2-kmp-rt_debug-debuginfo-4.12.14-14.23.1 reiserfs-kmp-rt-4.12.14-14.23.1 reiserfs-kmp-rt-debuginfo-4.12.14-14.23.1 reiserfs-kmp-rt_debug-4.12.14-14.23.1 reiserfs-kmp-rt_debug-debuginfo-4.12.14-14.23.1 References: https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-9383.html https://bugzilla.suse.com/1044231 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1056686 https://bugzilla.suse.com/1060463 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1111974 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1119680 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1134090 
https://bugzilla.suse.com/1136157 https://bugzilla.suse.com/1141895 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1145051 https://bugzilla.suse.com/1146539 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1158187 https://bugzilla.suse.com/1158983 https://bugzilla.suse.com/1159198 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1160659 https://bugzilla.suse.com/1161561 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164507 https://bugzilla.suse.com/1164777 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164893 https://bugzilla.suse.com/1165019 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165182 https://bugzilla.suse.com/1165185 https://bugzilla.suse.com/1165211 https://bugzilla.suse.com/1165404 https://bugzilla.suse.com/1165488 https://bugzilla.suse.com/1165527 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1165813 https://bugzilla.suse.com/1165823 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165929 https://bugzilla.suse.com/1165949 https://bugzilla.suse.com/1165950 https://bugzilla.suse.com/1165980 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1166003 https://bugzilla.suse.com/1166101 https://bugzilla.suse.com/1166102 https://bugzilla.suse.com/1166103 https://bugzilla.suse.com/1166104 https://bugzilla.suse.com/1166632 https://bugzilla.suse.com/1166730 https://bugzilla.suse.com/1166731 https://bugzilla.suse.com/1166732 https://bugzilla.suse.com/1166733 https://bugzilla.suse.com/1166734 https://bugzilla.suse.com/1166735 https://bugzilla.suse.com/1166982 https://bugzilla.suse.com/1167005 https://bugzilla.suse.com/1167216 https://bugzilla.suse.com/1167290 https://bugzilla.suse.com/1167316 https://bugzilla.suse.com/1167421 https://bugzilla.suse.com/1167423 
https://bugzilla.suse.com/1167627 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168273 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168367 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168443 https://bugzilla.suse.com/1168552 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1169013 https://bugzilla.suse.com/1169307 https://bugzilla.suse.com/1169308

From sle-security-updates at lists.suse.com Tue Apr 28 04:35:45 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 28 Apr 2020 12:35:45 +0200 (CEST)
Subject: SUSE-SU-2020:1121-1: moderate: Security update for git
Message-ID: <20200428103545.D18F7FE0F@maintenance.suse.de>

SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1121-1
Rating: moderate
References: #1063412 #1095218 #1095219 #1110949 #1112230 #1114225 #1132350 #1149792 #1156651 #1158785 #1158787 #1158788 #1158789 #1158790 #1158791 #1158792 #1158793 #1158795 #1167890 #1168930 #1169605 #1169786 #1169936
Cross-References: CVE-2017-15298 CVE-2018-11233 CVE-2018-11235 CVE-2018-17456 CVE-2019-1348 CVE-2019-1349 CVE-2019-1350 CVE-2019-1351 CVE-2019-1352 CVE-2019-1353 CVE-2019-1354 CVE-2019-1387 CVE-2019-19604 CVE-2020-11008 CVE-2020-5260
Affected Products:
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that solves 15 vulnerabilities and has 8 fixes is now available.
Description:

This update for git fixes the following issues:

Security issues fixed:

* CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper into providing credential information that is not appropriate for the protocol in use and host being contacted (bsc#1169936)

git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792)

- Fix git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
* CVE-2020-5260: Specially crafted URLs with newline characters could have been used to make the Git client send credential information for a wrong host to the attacker's site (bsc#1168930)

git 2.26.0 (bsc#1167890, jsc#SLE-11608):
* "git rebase" now uses a different backend that is based on the 'merge' machinery by default. The 'rebase.backend' configuration variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features

git 2.25.2:
* bug fixes to various subcommands in specific operations

git 2.25.1:
* "git commit" now honors advise.statusHints
* various updates, bug fixes and documentation updates

git 2.25.0
* The branch description ("git branch --edit-description") has been used to fill the body of the cover letters by the format-patch command; this has been enhanced so that the subject can also be filled.
* A few commands learned to take the pathspec from the standard input or a named file, instead of taking it as the command line arguments, with the "--pathspec-from-file" option.
* Test updates to prepare for SHA-2 transition continue.
* Redo "git name-rev" to avoid recursive calls.
* When all files from some subdirectory were renamed to the root directory, the directory rename heuristics would fail to detect that as a rename/merge of the subdirectory to the root directory, which has been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which has been corrected.

git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795)

git 2.24.0
* The command line parser learned "--end-of-options" notation.
* A mechanism to affect the default setting for a (related) group of configuration variables is introduced.
* "git fetch" learned "--set-upstream" option to help those who first clone from their private fork they intend to push to, add the true upstream via "git remote add" and then "git fetch" from it.
* fixes and improvements to UI, workflow and features, bash completion fixes

git 2.23.0:
* The "--base" option of "format-patch" computed the patch-ids for prerequisite patches in an unstable way, which has been updated to compute in a way that is compatible with "git patch-id --stable".
* The "git log" command by default behaves as if the --mailmap option was given.
* fixes and improvements to UI, workflow and features

git 2.22.1
* A relative pathname given to "git init --template= " ought to be relative to the directory "git init" gets invoked in, but it instead was made relative to the repository, which has been corrected.
* "git worktree add" used to fail when another worktree connected to the same repository was corrupt, which has been corrected.
* "git am -i --resolved" segfaulted after trying to see a commit as if it were a tree, which has been corrected.
* "git merge --squash" is designed to update the working tree and the index without creating the commit, and this cannot be countermanded by adding the "--commit" option; the command now refuses to work when both options are given.
* Update to Unicode 12.1 width table.
* "git request-pull" learned to warn when the ref we ask them to pull from in the local repository and in the published repository are different.
* "git fetch" into a lazy clone forgot to fetch base objects that are necessary to complete delta in a thin packfile, which has been corrected.
* The URL decoding code has been updated to avoid going past the end of the string while parsing %-- sequence.
* "git clean" silently skipped a path when it cannot lstat() it; now it gives a warning.
* "git rm" to resolve a conflicted path leaked an internal message "needs merge" before actually removing the path, which was confusing. This has been corrected.
* Many more bugfixes and code cleanups.
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld.
- partial fix for git instaweb giving 500 error (bsc#1112230)

git 2.22.0

* The filter specification "--filter=sparse:path=" used to create a lazy/partial clone has been removed. Using a blob that is part of the project as sparse specification is still supported with the "--filter=sparse:oid=" option
* "git checkout --no-overlay" can be used to trigger a new mode of checking out paths out of the tree-ish, that allows paths that match the pathspec that are in the current index and working tree and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email} have been introduced to override user.{name,email} in more specific cases.
* "git branch" learned a new subcommand "--show-current".
* The command line completion (in contrib/) has been taught to complete more subcommand parameters.
* The completion helper code now pays attention to repository-local configuration (when available), which allows --list-cmds to honour a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a conflicted merge was shown above the scissors line when the clean-up mode is set to "scissors", even though it was commented out just like the list of updated paths and other information to help the user explain the merge better.
* "git rebase" that was reimplemented in C did not set ORIG_HEAD correctly, which has been corrected.
* "git worktree add" used to do a "find an available name with stat and then mkdir", which is race-prone. This has been fixed by using mkdir and reacting to EEXIST in a loop.

- Move to DocBook 5.x. Asciidoctor 2.x no longer supports the legacy DocBook 4.5 format.
- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)

git 2.21.0

* Historically, the "-m" (mainline) option can only be used for "git cherry-pick" and "git revert" when working with a merge commit.
  This version of Git no longer warns or errors out when working with a single-parent commit, as long as the argument to the "-m" option is 1 (i.e. it has only one parent, and the request is to pick or revert relative to that first parent). Scripts that relied on the behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The "http.version" configuration variable can be used with recent enough versions of cURL library to force the version of HTTP used to talk when fetching and pushing.
* "git push $there $src:$dst" rejects when $dst is not a fully qualified refname and it is not clear what the end user meant.
* Update "git multimail" from the upstream.
* A new date format "--date=human" that morphs its output depending on how far the time is from the current time has been introduced. "--date=auto:human" can be used to use this new format (or any existing format) when the output is going to the pager or to the terminal, and otherwise the default format.

- Fix worktree creation race (bsc#1114225).
- add shadow build dependency to the -daemon subpackage.

git 2.20.1:

* portability fixes
* "git help -a" did not work well when an overly long alias was defined
* no longer squelched an error message when the run_command API failed to run a missing command

git 2.20.0

* "git help -a" now gives verbose output (same as "git help -av"). Those who want the old output may say "git help --no-verbose -a".
* "git send-email" learned to grab address-looking string on any trailer whose name ends with "-by".
* "git format-patch" learned new "--interdiff" and "--range-diff" options to explain the difference between this version and the previous attempt in the cover letter (or after the three-dashes as a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple worktree entries if the path was missing (for instance, was removed manually).
  Also, as a convenience, expand the number of cases in which --force is applicable.
* The overly large Documentation/config.txt file has been split into a million little pieces. This potentially allows each individual piece to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt to read or write past the allocated buffer and abort, instead of reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when it shrinks during a partial commit.
* "git merge" and "git pull" that merges into an unborn branch used to completely ignore "--verify-signatures", which has been corrected.
* ...and many more features and fixes

git 2.19.2:

* various bug fixes for multiple subcommands and operations

git 2.19.1:

* CVE-2018-17456: Specially crafted .gitmodules files may have allowed arbitrary code execution when the repository is cloned with --recurse-submodules (bsc#1110949)

git 2.19.0:

* "git diff" compares the index and the working tree. For paths added with intent-to-add bit, the command shows the full contents of them as added, but the paths themselves were not marked as new files. They are now shown as new by default.
* "git apply" learned the "--intent-to-add" option so that an otherwise working-tree-only application of a patch will add new paths to the index marked with the "intent-to-add" bit.
* "git grep" learned the "--column" option that gives not just the line number but the column number of the hit.
* The "-l" option in "git branch -l" is an unfortunate short-hand for "--create-reflog", but many users, both old and new, somehow expect it to be something else, perhaps "--list". This step warns when "-l" is used as a short-hand for "--create-reflog" and warns about the future repurposing of it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message "git send-email" sends out by default was 8bit, which can cause trouble when there is an overlong line to bust RFC 5322/2822 limit. A new option 'auto' to automatically switch to quoted-printable when there is such a line in the payload has been introduced and is made the default.
* "git checkout" and "git worktree add" learned to honor checkout.defaultRemote when auto-vivifying a local branch out of a remote tracking branch in a repository with multiple remotes that have tracking branches that share the same names. (merge 8d7b558bae ab/checkout-default-remote later to maint).
* "git grep" learned the "--only-matching" option.
* "git rebase --rebase-merges" mode now handles octopus merges as well.
* Add a server-side knob to skip commits in exponential/Fibonacci stride in an attempt to cover wider swath of history with a smaller number of iterations, potentially accepting a larger packfile transfer, instead of going back one commit at a time during common ancestor discovery during the "git fetch" transaction. (merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added, primarily to help server installations that want to ignore the replace mechanism altogether.
* Teach "git tag -s" etc. a few configuration variables (gpg.format that can be set to "openpgp" or "x509", and gpg..program that is used to specify what program to use to deal with the format) to allow x.509 certs with CMS via "gpgsm" to be used instead of openpgp via "gnupg".
* Many more strings are prepared for l10n.
* "git p4 submit" learns to ask its own pre-submit hook if it should continue with submitting.
* The test performed at the receiving end of "git push" to prevent bad objects from entering repository can be customized via receive.fsck.* configuration variables; we now have gained a counterpart to do the same on the "git fetch" side, with fetch.fsck.* configuration variables.
* "git pull --rebase=interactive" learned "i" as a short-hand for "interactive".
* "git instaweb" has been adjusted to run better with newer Apache on RedHat based distros.
* "git range-diff" is a reimplementation of "git tbdiff" that lets us compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at the beginning of incoming lines on the receiving end.
* "git branch --list" learned to take the default sort order from the 'branch.sort' configuration variable, just like "git tag --list" pays attention to 'tag.sort'.
* "git worktree" command learned "--quiet" option to make it less verbose.

git 2.18.0:

* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now specify "tlsv1.3" as its value.
* "git mergetools" learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes

git 2.17.1

* Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers by preventing malicious contents from spreading.

git 2.17.0:

* "diff" family of commands learned "--find-object=" option to limit the findings to changes that involve the named object.
* "git format-patch" learned to give 72-cols to diffstat, which is consistent with other line length limits the subcommand uses for its output meant for e-mails.
* The log from "git daemon" can be redirected with a new option; one relevant use case is to send the log to standard error (instead of syslog) when running it from inetd.
* "git rebase" learned to take "--allow-empty-message" option.
* "git am" has learned the "--quit" option, in addition to the existing "--abort" option; having the pair mirrors a few other commands like "rebase" and "cherry-pick".
* "git worktree add" learned to run the post-checkout hook, just like "git clone" runs it upon the initial checkout.
* "git tag" learned an explicit "--edit" option that allows the message given via "-m" and "-F" to be further edited.
* "git fetch --prune-tags" may be used as a handy short-hand for getting rid of stale tags that are locally held.
* The new "--show-current-patch" option gives an end-user facing way to get the diff being applied when "git rebase" (and "git am") stops with a conflict.
* "git add -p" used to offer "/" (look for a matching hunk) as a choice, even when there was only one hunk, which has been corrected. Also the single-key help is now given only for keys that are enabled (e.g. help for '/' won't be shown when there is only one hunk).
* Since Git 1.7.9, "git merge" defaulted to --no-ff (i.e. even when the side branch being merged is a descendant of the current commit, create a merge commit instead of fast-forwarding) when merging a tag object. This was an appropriate default for integrators who pull signed tags from their downstream contributors, but caused unnecessary merges when used by downstream contributors who habitually "catch up" their topic branches with tagged releases from the upstream. Update "git merge" to default to --no-ff only when merging a tag object that does *not* sit at its usual place in refs/tags/ hierarchy, and allow fast-forwarding otherwise, to mitigate the problem.
* "git status" can spend a lot of cycles to compute the relation between the current branch and its upstream, which can now be disabled with "--no-ahead-behind" option.
* "git diff" and friends learned funcname patterns for Go language source files.
* "git send-email" learned "--reply-to=" option.
* Funcname pattern used for C# now recognizes "async" keyword.
* In a way similar to how "git tag" learned to honor the pager setting only in the list mode, "git config" learned to ignore the pager setting when it is used for setting values (i.e. when the purpose of the operation is not to "show").

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1121=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1121=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1121=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  git-credential-gnome-keyring-2.26.1-3.25.2 git-credential-gnome-keyring-debuginfo-2.26.1-3.25.2 git-credential-libsecret-2.26.1-3.25.2 git-credential-libsecret-debuginfo-2.26.1-3.25.2 git-debuginfo-2.26.1-3.25.2 git-debugsource-2.26.1-3.25.2 git-p4-2.26.1-3.25.2
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  git-2.26.1-3.25.2 git-arch-2.26.1-3.25.2 git-cvs-2.26.1-3.25.2 git-daemon-2.26.1-3.25.2 git-daemon-debuginfo-2.26.1-3.25.2 git-debuginfo-2.26.1-3.25.2 git-debugsource-2.26.1-3.25.2 git-email-2.26.1-3.25.2 git-gui-2.26.1-3.25.2 git-svn-2.26.1-3.25.2 git-svn-debuginfo-2.26.1-3.25.2 git-web-2.26.1-3.25.2 gitk-2.26.1-3.25.2
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
  git-doc-2.26.1-3.25.2
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  git-core-2.26.1-3.25.2 git-core-debuginfo-2.26.1-3.25.2 git-debuginfo-2.26.1-3.25.2
  git-debugsource-2.26.1-3.25.2

References:

https://www.suse.com/security/cve/CVE-2017-15298.html
https://www.suse.com/security/cve/CVE-2018-11233.html
https://www.suse.com/security/cve/CVE-2018-11235.html
https://www.suse.com/security/cve/CVE-2018-17456.html
https://www.suse.com/security/cve/CVE-2019-1348.html
https://www.suse.com/security/cve/CVE-2019-1349.html
https://www.suse.com/security/cve/CVE-2019-1350.html
https://www.suse.com/security/cve/CVE-2019-1351.html
https://www.suse.com/security/cve/CVE-2019-1352.html
https://www.suse.com/security/cve/CVE-2019-1353.html
https://www.suse.com/security/cve/CVE-2019-1354.html
https://www.suse.com/security/cve/CVE-2019-1387.html
https://www.suse.com/security/cve/CVE-2019-19604.html
https://www.suse.com/security/cve/CVE-2020-11008.html
https://www.suse.com/security/cve/CVE-2020-5260.html
https://bugzilla.suse.com/1063412
https://bugzilla.suse.com/1095218
https://bugzilla.suse.com/1095219
https://bugzilla.suse.com/1110949
https://bugzilla.suse.com/1112230
https://bugzilla.suse.com/1114225
https://bugzilla.suse.com/1132350
https://bugzilla.suse.com/1149792
https://bugzilla.suse.com/1156651
https://bugzilla.suse.com/1158785
https://bugzilla.suse.com/1158787
https://bugzilla.suse.com/1158788
https://bugzilla.suse.com/1158789
https://bugzilla.suse.com/1158790
https://bugzilla.suse.com/1158791
https://bugzilla.suse.com/1158792
https://bugzilla.suse.com/1158793
https://bugzilla.suse.com/1158795
https://bugzilla.suse.com/1167890
https://bugzilla.suse.com/1168930
https://bugzilla.suse.com/1169605
https://bugzilla.suse.com/1169786
https://bugzilla.suse.com/1169936

From sle-security-updates at lists.suse.com Tue Apr 28 13:13:47 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 28 Apr 2020 21:13:47 +0200 (CEST)
Subject: SUSE-SU-2020:1133-1: important: Security update for samba
Message-ID: <20200428191347.ABA58FFEC@maintenance.suse.de>

SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1133-1
Rating: important
References: #1167070 #1169473 #1169851
Cross-References: CVE-2020-10704
Affected Products:
  SUSE Linux Enterprise Module for Python2 15-SP1
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise High Availability 15-SP1
  SUSE Enterprise Storage 6
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2020-10704: Fixed a stack overflow in the AD DC (C)LDAP server (bsc#1169851).

Non-security issues fixed:

- Fixed spnego fallback from kerberos to ntlmssp in smbd server (bsc#1169473).
- Fixed warning messages for non root users using smbclient (bsc#1167070).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Python2 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1133=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1133=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1133=1
- SUSE Linux Enterprise High Availability 15-SP1:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1133=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2020-1133=1

Package List:

- SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64):
  libsamba-policy0-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-ad-dc-4.9.5+git.317.6d82fb3918b-3.35.1 samba-ad-dc-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debugsource-4.9.5+git.317.6d82fb3918b-3.35.1 samba-dsdb-modules-4.9.5+git.317.6d82fb3918b-3.35.1 samba-dsdb-modules-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-python-4.9.5+git.317.6d82fb3918b-3.35.1 samba-python-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  ctdb-pcp-pmda-4.9.5+git.317.6d82fb3918b-3.35.1 ctdb-pcp-pmda-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 ctdb-tests-4.9.5+git.317.6d82fb3918b-3.35.1 ctdb-tests-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy-python-devel-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debugsource-4.9.5+git.317.6d82fb3918b-3.35.1 samba-test-4.9.5+git.317.6d82fb3918b-3.35.1 samba-test-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1
- SUSE Linux Enterprise Module for Open Buildservice
Development Tools 15-SP1 (aarch64 x86_64): samba-ceph-4.9.5+git.317.6d82fb3918b-3.35.1 samba-ceph-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): samba-doc-4.9.5+git.317.6d82fb3918b-3.35.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64): libdcerpc-samr0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc-samr0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy0-python3-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy0-python3-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbclient0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbclient0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-ad-dc-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 samba-ad-dc-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-client-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 samba-client-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python3-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python3-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libdcerpc-binding0-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc-binding0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc-samr-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc-samr0-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc-samr0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc0-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-krb5pac-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-krb5pac0-4.9.5+git.317.6d82fb3918b-3.35.1 
libndr-krb5pac0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-nbt-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-nbt0-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-nbt0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-standard-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-standard0-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-standard0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr0-4.9.5+git.317.6d82fb3918b-3.35.1 libndr0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libnetapi-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libnetapi0-4.9.5+git.317.6d82fb3918b-3.35.1 libnetapi0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-credentials-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-credentials0-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-credentials0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-errors-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-errors0-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-errors0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-hostconfig-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-hostconfig0-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-hostconfig0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-passdb-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-passdb0-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-passdb0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy-python3-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy0-python3-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-policy0-python3-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-util-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-util0-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-util0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamdb-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsamdb0-4.9.5+git.317.6d82fb3918b-3.35.1 libsamdb0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbclient-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbclient0-4.9.5+git.317.6d82fb3918b-3.35.1 
libsmbclient0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbconf-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbconf0-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbconf0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbldap-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbldap2-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbldap2-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libtevent-util-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libtevent-util0-4.9.5+git.317.6d82fb3918b-3.35.1 libtevent-util0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libwbclient-devel-4.9.5+git.317.6d82fb3918b-3.35.1 libwbclient0-4.9.5+git.317.6d82fb3918b-3.35.1 libwbclient0-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-4.9.5+git.317.6d82fb3918b-3.35.1 samba-client-4.9.5+git.317.6d82fb3918b-3.35.1 samba-client-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-core-devel-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debugsource-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python3-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-python3-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-python3-4.9.5+git.317.6d82fb3918b-3.35.1 samba-python3-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-winbind-4.9.5+git.317.6d82fb3918b-3.35.1 samba-winbind-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libdcerpc-binding0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc-binding0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libdcerpc0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-krb5pac0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-krb5pac0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-nbt0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-nbt0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr-standard0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 
libndr-standard0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libndr0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libndr0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libnetapi0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libnetapi0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-credentials0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-credentials0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-errors0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-errors0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-hostconfig0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-hostconfig0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-passdb0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-passdb0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-util0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamba-util0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsamdb0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsamdb0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbconf0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbconf0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbldap2-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libsmbldap2-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libtevent-util0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libtevent-util0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 libwbclient0-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 libwbclient0-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 samba-libs-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-winbind-32bit-4.9.5+git.317.6d82fb3918b-3.35.1 samba-winbind-32bit-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): ctdb-4.9.5+git.317.6d82fb3918b-3.35.1 ctdb-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debugsource-4.9.5+git.317.6d82fb3918b-3.35.1 - SUSE Enterprise Storage 6 (aarch64 
x86_64):
  samba-ceph-4.9.5+git.317.6d82fb3918b-3.35.1 samba-ceph-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debuginfo-4.9.5+git.317.6d82fb3918b-3.35.1 samba-debugsource-4.9.5+git.317.6d82fb3918b-3.35.1

References:

https://www.suse.com/security/cve/CVE-2020-10704.html
https://bugzilla.suse.com/1167070
https://bugzilla.suse.com/1169473
https://bugzilla.suse.com/1169851

From sle-security-updates at lists.suse.com Tue Apr 28 13:14:52 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 28 Apr 2020 21:14:52 +0200 (CEST)
Subject: SUSE-SU-2020:1132-1: important: Security update for samba
Message-ID: <20200428191452.D35EBFFE8@maintenance.suse.de>

SUSE Security Update: Security update for samba
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1132-1
Rating: important
References: #1169851
Cross-References: CVE-2020-10704
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for samba fixes the following issues:

- CVE-2020-10704: Fixed a stack overflow in the AD DC (C)LDAP server (bsc#1169851).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1132=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1132=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1132=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1132=1
- SUSE Linux Enterprise High Availability 15:
  zypper in -t patch SUSE-SLE-Product-HA-15-2020-1132=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  libdcerpc-binding0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-binding0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-4.7.11+git.231.7f324c4d89e-4.40.1
libsamba-credentials0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-core-devel-4.7.11+git.231.7f324c4d89e-4.40.1 
samba-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debugsource-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libdcerpc-binding0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-binding0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 
libsmbclient0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libdcerpc-binding0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-binding0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 
libnetapi-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 
libwbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-core-devel-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debugsource-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libdcerpc-binding0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-binding0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-4.7.11+git.231.7f324c4d89e-4.40.1 
libsamba-credentials0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-core-devel-4.7.11+git.231.7f324c4d89e-4.40.1 
samba-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debugsource-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libdcerpc-binding0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-binding0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 
libsmbclient0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libdcerpc-binding0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-binding0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-samr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-4.7.11+git.231.7f324c4d89e-4.40.1 
libndr0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-policy0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util-devel-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient-devel-4.7.11+git.231.7f324c4d89e-4.40.1 
libwbclient0-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-core-devel-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debugsource-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libdcerpc-binding0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc-binding0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libdcerpc0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-krb5pac0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-nbt0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr-standard0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libndr0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libnetapi0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-credentials0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-errors0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-hostconfig0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-passdb0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 
libsamba-passdb0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamba-util0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsamdb0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbclient0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbconf0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libsmbldap2-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libtevent-util0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 libwbclient0-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-client-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-libs-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-32bit-4.7.11+git.231.7f324c4d89e-4.40.1 samba-winbind-32bit-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64): ctdb-4.7.11+git.231.7f324c4d89e-4.40.1 ctdb-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debuginfo-4.7.11+git.231.7f324c4d89e-4.40.1 samba-debugsource-4.7.11+git.231.7f324c4d89e-4.40.1 References: https://www.suse.com/security/cve/CVE-2020-10704.html https://bugzilla.suse.com/1169851 From sle-security-updates at lists.suse.com Wed Apr 29 04:13:56 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 29 Apr 2020 12:13:56 +0200 (CEST) Subject: SUSE-SU-2020:1134-1: important: Security update for squid Message-ID: <20200429101356.95663FE29@maintenance.suse.de> SUSE Security Update: Security update for squid 
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1134-1
Rating: important
References: #1162689 #1162691 #1167373 #1169659 #1170313
Cross-References: CVE-2019-12519 CVE-2019-12521 CVE-2019-12528 CVE-2019-18860 CVE-2020-11945 CVE-2020-8517
Affected Products:
  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for squid to version 4.11 fixes the following issues:

- CVE-2020-11945: Fixed a potential remote code execution vulnerability when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12519, CVE-2019-12521: Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses (bsc#1169659).
- CVE-2020-8517: Fixed a possible denial of service caused by incorrect buffer management in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
- CVE-2019-12528: Fixed possible information disclosure when translating FTP server listings into HTTP responses (bsc#1162689).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1134=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  squid-4.11-4.9.1
  squid-debuginfo-4.11-4.9.1
  squid-debugsource-4.11-4.9.1

References:

  https://www.suse.com/security/cve/CVE-2019-12519.html
  https://www.suse.com/security/cve/CVE-2019-12521.html
  https://www.suse.com/security/cve/CVE-2019-12528.html
  https://www.suse.com/security/cve/CVE-2019-18860.html
  https://www.suse.com/security/cve/CVE-2020-11945.html
  https://www.suse.com/security/cve/CVE-2020-8517.html
  https://bugzilla.suse.com/1162689
  https://bugzilla.suse.com/1162691
  https://bugzilla.suse.com/1167373
  https://bugzilla.suse.com/1169659
  https://bugzilla.suse.com/1170313

From sle-security-updates at lists.suse.com Wed Apr 29 04:16:58 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 29 Apr 2020 12:16:58 +0200 (CEST)
Subject: SUSE-SU-2020:1135-1: important: Security update for webkit2gtk3
Message-ID: <20200429101658.5F22CFE29@maintenance.suse.de>

SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1135-1
Rating: important
References: #1155321 #1156318 #1159329 #1161719 #1163809 #1165528 #1169658
Cross-References: CVE-2019-8625 CVE-2019-8710 CVE-2019-8720 CVE-2019-8743
  CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 CVE-2019-8771
  CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 CVE-2019-8811
  CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 CVE-2019-8815
  CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 CVE-2019-8823
  CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 CVE-2020-10018
  CVE-2020-11793 CVE-2020-3862 CVE-2020-3864 CVE-2020-3865
  CVE-2020-3867 CVE-2020-3868
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Workstation Extension 12-SP4
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 30 vulnerabilities is now available.

Description:

This update for webkit2gtk3 to version 2.28.1 fixes the following issues:

Security issues fixed:

- CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
- CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).
- CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719).
- CVE-2020-3862: Fixed a memory handling issue (bsc#1163809).
- CVE-2020-3867: Fixed an XSS issue (bsc#1163809).
- CVE-2020-3868: Fixed multiple memory corruption issues that could have led to arbitrary code execution (bsc#1163809).
- CVE-2020-3864, CVE-2020-3865: Fixed logic issues in the DOM object context handling (bsc#1163809).

Non-security issues fixed:

- Add API to enable Process Swap on (Cross-site) Navigation.
- Add user messages API for the communication with the web extension.
- Add support for same-site cookies.
- Service workers are enabled by default.
- Add support for Pointer Lock API.
- Add flatpak sandbox support.
- Make ondemand hardware acceleration policy never leave accelerated compositing mode.
- Always use a light theme for rendering form controls.
- Add about:gpu to show information about the graphics stack.
- Fixed issues while trying to play a video on NextCloud.
- Fixed vertical alignment of text containing Arabic diacritics.
- Fixed build with icu 65.1.
- Fixed page loading errors with websites using HSTS.
- Fixed web process crash when displaying a KaTeX formula.
- Fixed several crashes and rendering issues.
- Switched to a single web process for Evolution and geary (bsc#1159329).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1135=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1135=1
- SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1135=1
- SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1135=1
- SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1135=1
- SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1135=1
- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1135=1
- SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1135=1
- SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1135=1
- SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1135=1
- SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1135=1
- SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1135=1
- SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1135=1
- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch
SUSE-SLE-SERVER-12-SP2-BCL-2020-1135=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1135=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1135=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE OpenStack Cloud 8 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE OpenStack Cloud 8 (x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE OpenStack Cloud 7 (s390x x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2WebExtension-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 webkit2gtk3-devel-2.28.1-2.50.3 - SUSE OpenStack Cloud 7 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Workstation Extension 12-SP4 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): 
typelib-1_0-WebKit2WebExtension-4_0-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 webkit2gtk3-devel-2.28.1-2.50.3 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): typelib-1_0-WebKit2WebExtension-4_0-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 webkit2gtk3-devel-2.28.1-2.50.3 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2WebExtension-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 webkit2gtk3-devel-2.28.1-2.50.3 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2WebExtension-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 
webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP5 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP4 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 
typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2WebExtension-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 webkit2gtk3-devel-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2WebExtension-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 webkit2gtk3-devel-2.28.1-2.50.3 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - SUSE Enterprise Storage 5 (aarch64 x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 - SUSE Enterprise Storage 5 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - HPE Helion Openstack 8 (noarch): libwebkit2gtk3-lang-2.28.1-2.50.3 - HPE Helion Openstack 8 (x86_64): libjavascriptcoregtk-4_0-18-2.28.1-2.50.3 libjavascriptcoregtk-4_0-18-debuginfo-2.28.1-2.50.3 libwebkit2gtk-4_0-37-2.28.1-2.50.3 libwebkit2gtk-4_0-37-debuginfo-2.28.1-2.50.3 typelib-1_0-JavaScriptCore-4_0-2.28.1-2.50.3 typelib-1_0-WebKit2-4_0-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-2.28.1-2.50.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.28.1-2.50.3 webkit2gtk3-debugsource-2.28.1-2.50.3 References: 
https://www.suse.com/security/cve/CVE-2019-8625.html https://www.suse.com/security/cve/CVE-2019-8710.html https://www.suse.com/security/cve/CVE-2019-8720.html https://www.suse.com/security/cve/CVE-2019-8743.html https://www.suse.com/security/cve/CVE-2019-8764.html https://www.suse.com/security/cve/CVE-2019-8766.html https://www.suse.com/security/cve/CVE-2019-8769.html https://www.suse.com/security/cve/CVE-2019-8771.html https://www.suse.com/security/cve/CVE-2019-8782.html https://www.suse.com/security/cve/CVE-2019-8783.html https://www.suse.com/security/cve/CVE-2019-8808.html https://www.suse.com/security/cve/CVE-2019-8811.html https://www.suse.com/security/cve/CVE-2019-8812.html https://www.suse.com/security/cve/CVE-2019-8813.html https://www.suse.com/security/cve/CVE-2019-8814.html https://www.suse.com/security/cve/CVE-2019-8815.html https://www.suse.com/security/cve/CVE-2019-8816.html https://www.suse.com/security/cve/CVE-2019-8819.html https://www.suse.com/security/cve/CVE-2019-8820.html https://www.suse.com/security/cve/CVE-2019-8823.html https://www.suse.com/security/cve/CVE-2019-8835.html https://www.suse.com/security/cve/CVE-2019-8844.html https://www.suse.com/security/cve/CVE-2019-8846.html https://www.suse.com/security/cve/CVE-2020-10018.html https://www.suse.com/security/cve/CVE-2020-11793.html https://www.suse.com/security/cve/CVE-2020-3862.html https://www.suse.com/security/cve/CVE-2020-3864.html https://www.suse.com/security/cve/CVE-2020-3865.html https://www.suse.com/security/cve/CVE-2020-3867.html https://www.suse.com/security/cve/CVE-2020-3868.html https://bugzilla.suse.com/1155321 https://bugzilla.suse.com/1156318 https://bugzilla.suse.com/1159329 https://bugzilla.suse.com/1161719 https://bugzilla.suse.com/1163809 https://bugzilla.suse.com/1165528 https://bugzilla.suse.com/1169658 From sle-security-updates at lists.suse.com Wed Apr 29 10:13:46 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 29 
Apr 2020 18:13:46 +0200 (CEST)
Subject: SUSE-SU-2020:1141-1: important: Security update for the Linux Kernel
Message-ID: <20200429161346.737AAFE29@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1141-1
Rating: important
References: #1044231 #1050549 #1051510 #1051858 #1056686 #1060463 #1065600 #1065729
            #1083647 #1085030 #1104967 #1109911 #1114279 #1118338 #1120386 #1133021
            #1136157 #1137325 #1144333 #1145051 #1145929 #1146539 #1148868 #1154385
            #1157424 #1158552 #1158983 #1159037 #1159142 #1159198 #1159199 #1159285
            #1160659 #1161951 #1162929 #1162931 #1163403 #1163508 #1163897 #1164078
            #1164284 #1164507 #1164893 #1165019 #1165111 #1165182 #1165404 #1165488
            #1165527 #1165741 #1165813 #1165873 #1165949 #1165984 #1165985 #1166003
            #1166101 #1166102 #1166103 #1166104 #1166632 #1166730 #1166731 #1166732
            #1166733 #1166734 #1166735 #1166780 #1166860 #1166861 #1166862 #1166864
            #1166866 #1166867 #1166868 #1166870 #1166940 #1167005 #1167288 #1167290
            #1167316 #1167421 #1167423 #1167629 #1168075 #1168202 #1168276 #1168295
            #1168424 #1168443 #1168486 #1168760 #1168762 #1168763 #1168764 #1168765
            #1168829 #1168854 #1168881 #1168884 #1168952 #1169057 #1169390 #1169514
            #1169625
Cross-References: CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458
                  CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-8647
                  CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products:
  SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 94 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: An issue was discovered where set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.
- Delete patches which cause regression (bsc#1165527 ltc#184149).
- Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403).
- device: Use overflow helpers for devm_kmalloc() (bsc#1166003).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765). - ext4: fix incorrect inodes per group in error message (bsc#1168764). - ext4: fix potential race between online resizing and write operations (bsc#1166864). - ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867). - ext4: fix potential race between s_group_info online resizing and access (bsc#1166866). - ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870). - ext4: fix support for inode sizes > 1024 bytes (bsc#1164284). - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940). - ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868). - ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897). - fat: fix uninit-memory access for partial initialized inode (bsc#1051510). - fat: work around race with userspace's read via blockdev while mounting (bsc#1051510). - fbdev/g364fb: Fix build failure (bsc#1051510). - fbdev: potential information leak in do_fb_ioctl() (bsc#1114279) - fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279) - fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003). - fix memory leak in large read decrypt offload (bsc#1144333). - fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333). - fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333). - fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333). - fs: cifs: mute -Wunused-const-variable message (bsc#1144333). - fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333). - fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333). - fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes). 
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27). - gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05). - HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510). - HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510). - HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes). - hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20). - hv_netvsc: pass netvsc_device to rndis halt - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510). - i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510). - i2c: jz4780: silence log flood on txabrt (bsc#1051510). - IB/hfi1: Close window for pq and request coliding (bsc#1060463 ). - IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611). - ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - ibmvnic: Do not process device remove during device reset (bsc#1065729). - ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729). - iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510). - iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510). - Input: add safety guards to input_set_keycode() (bsc#1168075). - Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510). - Input: edt-ft5x06 - work around first register access error (bsc#1051510). - Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510). 
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510). - Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510). - Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510). - Input: synaptics - switch T470s to RMI4 by default (bsc#1051510). - intel_th: Fix user-visible error codes (bsc#1051510). - intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510). - iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101). - iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057). - iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102). - iommu/dma: Fix MSI reservation allocation (bsc#1166730). - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731). - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732). - iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103). - iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733). - iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734). - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735). - ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510). - ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes). - ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325). - irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510). - irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510). - iwlegacy: Fix -Wcast-function-type (bsc#1051510). - iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632). - iwlwifi: mvm: Fix thermal zone registration (bsc#1051510). - kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911). - kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552). - kABI: restore debugfs_remove_recursive() (bsc#1159198). 
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488). - kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488). - KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021). - KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021). - KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021). - KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104). - l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05). - lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549). - libfs: fix infoleak in simple_attr_read() (bsc#1168881). - lib/raid6: add missing include for raid6test (bsc#1166003). - lib/raid6: add option to skip algo benchmarking (bsc#1166003). - lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003). - lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003). - locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549). - mac80211: consider more elements in parsing CRC (bsc#1051510). - mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510). - mac80211: free peer keys before vif down in mesh (bsc#1051510). - mac80211: mesh: fix RCU warning (bsc#1051510). - mac80211: only warn once on chanctx_conf being NULL (bsc#1051510). - mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510). - macsec: add missing attribute validation for port (bsc#1051510). - macsec: fix refcnt leak in module exit routine (bsc#1051510). - md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003). - md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003). - md: add a missing endianness conversion in check_sb_changes (bsc#1166003). - md: add bitmap_abort label in md_run (bsc#1166003). - md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003). 
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003). - md: avoid invalid memory access for array sb->dev_roles (bsc#1166003). - md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003). - md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003). - md-bitmap: small cleanups (bsc#1166003). - md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003). - md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003). - md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003). - md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003). - md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003). - md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003). - md-cluster/raid10: support add disk under grow mode (bsc#1166003). - md-cluster: remove suspend_info (bsc#1166003). - md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003). - md: convert to kvmalloc (bsc#1166003). - md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003). - md: do not set In_sync if array is frozen (bsc#1166003). - md: fix an error code format and remove unsed bio_sector (bsc#1166003). - md: fix a typo s/creat/create (bsc#1166003). - md: fix for divide error in status_resync (bsc#1166003). - md: fix spelling typo and add necessary space (bsc#1166003). - md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003). - md: introduce new personality funciton start() (bsc#1166003). - md-linear: use struct_size() in kzalloc() (bsc#1166003). - md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003). - md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003). 
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003). - md: no longer compare spare disk superblock events in super_load (bsc#1166003). - md/r5cache: remove redundant pointer bio (bsc#1166003). - md/raid0: Fix an error message in raid0_make_request() (bsc#1166003). - md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003). - md/raid10: end bio when the device faulty (bsc#1166003). - md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003). - md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003). - md/raid10: read balance chooses idlest disk for SSD (bsc#1166003). - md: raid10: Use struct_size() in kmalloc() (bsc#1166003). - md/raid1: avoid soft lockup under high load (bsc#1166003). - md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003). - md/raid1: end bio when the device faulty (bsc#1166003). - md/raid1: fail run raid1 array when active disk less than one (bsc#1166003). - md/raid1: Fix a warning message in remove_wb() (bsc#1166003). - md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003). - md/raid1: get rid of extra blank line and space (bsc#1166003). - md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003). - md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003). - md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003). - md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003). - md: remove a bogus comment (bsc#1166003). - md: remove redundant code that is no longer reachable (bsc#1166003). - md: remove set but not used variable 'bi_rdev' (bsc#1166003). - md: rename wb stuffs (bsc#1166003). - md: return -ENODEV if rdev has no mddev assigned (bsc#1166003). - md: use correct type in super_1_load (bsc#1166003). - md: use correct type in super_1_sync (bsc#1166003). - md: use correct types in md_bitmap_print_sb (bsc#1166003). 
- media: dib0700: fix rc endpoint lookup (bsc#1051510). - media: flexcop-usb: fix endpoint sanity check (git-fixes). - media: go7007: Fix URB type for interrupt handling (bsc#1051510). - media: ov519: add missing endpoint sanity checks (bsc#1168829). - media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510). - media: ov6650: Fix some format attributes not under control (bsc#1051510). - media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510). - media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510). - media: stv06xx: add missing descriptor sanity checks (bsc#1168854). - media: tda10071: fix unsigned sign extension overflow (bsc#1051510). - media: usbtv: fix control-message timeouts (bsc#1051510). - media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507). - media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510). - media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510). - media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510). - mfd: dln2: Fix sanity checking for endpoints (bsc#1051510). - misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510). - mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510). - mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884). - mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600). - MM: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403). - mm: Use overflow helpers in kvmalloc() (bsc#1166003). - mwifiex: set needed_headroom, not hard_header_len (bsc#1051510). - net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549). - net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27). - net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11). - net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20). 
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19). - net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423). - net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197). - netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199). - net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20). - net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05). - net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27). - net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27). - net, ip_tunnel: fix namespaces move (networking-stable-20_01_27). - net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09). - net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09). - net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858). - net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09). - net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510). - net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510). - net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510). - net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27). - net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30). - net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05). - net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09). - net_sched: fix datalen for ematch (networking-stable-20_01_27). - net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19). - net_sched: keep alloc_hash updated after hash allocation (git-fixes). 
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19). - net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11). - net/smc: add fallback check to connect() (git-fixes). - net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19). - net/smc: fix refcount non-blocking connect() -part 2 (git-fixes). - net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05). - net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11). - net-sysfs: Fix reference count leak (networking-stable-20_01_27). - net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09). - net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27). - net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11). - net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20). - NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510). - NFC: pn544: Fix a typo in a debug message (bsc#1051510). - NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510). - NFS: send state management on a single connection (bsc#1167005). - nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983). - objtool: Add is_static_jump() helper (bsc#1169514). - objtool: Add relocation check for alternative sections (bsc#1169514). - OMAP: DSS2: remove non-zero check on variable r (bsc#1114279) - orinoco: avoid assertion in case of NULL pointer (bsc#1051510). - padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes). - partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763). - PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510). - PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510). - PCI: pciehp: Fix MSI interrupt race (bsc#1159037). 
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510). - perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279). - perf: qcom_l2: fix column exclusion check (git-fixes). - pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510). - pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510). - pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510). - pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510). - pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11). - platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510). - PM: core: Fix handling of devices deleted during system-wide resume (git-fixes). - powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868). - powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868). - powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734). - powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686). - powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729). - powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729). - powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868). - powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659). - powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498). - powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498). - powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498). - powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091). - powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868). - powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030). 
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030). - pwm: bcm2835: Dynamically allocate base (bsc#1051510). - pwm: meson: Fix confusing indentation (bsc#1051510). - pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510). - pwm: rcar: Fix late Runtime PM enablement (bsc#1051510). - pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510). - pxa168fb: fix release function mismatch in probe failure (bsc#1051510). - qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510). - qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510). - raid10: refactor common wait code from regular read/write request (bsc#1166003). - raid1: factor out a common routine to handle the completion of sync write (bsc#1166003). - raid1: simplify raid1_error function (bsc#1166003). - raid1: use an int as the return value of raise_barrier() (bsc#1166003). - raid5: block failing device if raid will be failed (bsc#1166003). - raid5-cache: Need to do start() part job after adding journal device (bsc#1166003). - raid5: copy write hint from origin bio to stripe (bsc#1166003). - raid5: do not increment read_errors on EILSEQ return (bsc#1166003). - raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003). - raid5 improve too many read errors msg by adding limits (bsc#1166003). - raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003). - raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003). - raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003). - raid5: set write hint for PPL (bsc#1166003). - raid5: use bio_end_sector in r5_next_bio (bsc#1166003). - raid6/test: fix a compilation error (bsc#1166003). - raid6/test: fix a compilation warning (bsc#1166003). - remoteproc: Initialize rproc_class before use (bsc#1051510). - rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes). - rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510). 
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05). - s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102). - scsi: core: avoid repetitive logging of device offline messages (bsc#1145929). - scsi: core: kABI fix offline_already (bsc#1145929). - scsi: fnic: do not queue commands during fwreset (bsc#1146539). - scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551). - scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551). - scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551). - scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). Refresh sorted patches. - scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551). - scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551). - scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551). - scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551). - scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551). - scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551). - scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551). - scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551). - scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424). - scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424). 
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424). - scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424). - scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424). - scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424). - scsi: qla2xxx: add more FW debug information (bsc#1157424). - scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424). - scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424). - scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424). - scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424). - scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424). - scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424). - scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424). - scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424). - scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424). - scsi: qla2xxx: Display message for FCE enabled (bsc#1157424). - scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424). - scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424). - scsi: qla2xxx: fix FW resource count values (bsc#1157424). - scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424). - scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424). - scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424). - scsi: qla2xxx: Fix RDP respond data format (bsc#1157424). - scsi: qla2xxx: Fix RDP response size (bsc#1157424). - scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424). - scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424). - scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424). 
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424). - scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424). - scsi: qla2xxx: Improved secure flash support messages (bsc#1157424). - scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424). - scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424). - scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424). - scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424). - scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424). - scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424). - scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424). - scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424). - scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424). - scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424). - scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424). - scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424). - scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424). - scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424). - scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424). - scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424). - scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424). - scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424). - sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11). - serdev: ttyport: restore client ops on deregistration (bsc#1051510). - smb3: add debug messages for closing unmatched open (bsc#1144333). 
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333). - smb3: add dynamic tracepoints for flush and close (bsc#1144333). - smb3: add missing flag definitions (bsc#1144333). - smb3: Add missing reparse tags (bsc#1144333). - smb3: add missing worker function for SMB3 change notify (bsc#1144333). - smb3: add mount option to allow forced caching of read only share (bsc#1144333). - smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333). - smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333). - smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333). - smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333). - smb3: allow disabling requesting leases (bsc#1144333). - smb3: allow parallelizing decryption of reads (bsc#1144333). - smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333). - SMB3: Backup intent flag missing from some more ops (bsc#1144333). - smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333). - smb3: display max smb3 requests in flight at any one time (bsc#1144333). - smb3: dump in_send and num_waiters stats counters by default (bsc#1144333). - smb3: enable offload of decryption of large reads via mount option (bsc#1144333). - smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333). - smb3: fix mode passed in on create for modetosid mount option (bsc#1144333). - smb3: fix performance regression with setting mtime (bsc#1144333). - smb3: fix potential null dereference in decrypt offload (bsc#1144333). - smb3: fix problem with null cifs super block with previous patch (bsc#1144333). - smb3: Fix regression in time handling (bsc#1144333). - smb3: improve check for when we send the security descriptor context on create (bsc#1144333). - smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333). 
- smb3: missing ACL related flags (bsc#1144333). - smb3: only offload decryption of read responses if multiple requests (bsc#1144333). - smb3: pass mode bits into create calls (bsc#1144333). - smb3: print warning once if posix context returned on open (bsc#1144333). - smb3: query attributes on file close (bsc#1144333). - smb3: remove noisy debug message and minor cleanup (bsc#1144333). - smb3: remove unused flag passed into close functions (bsc#1144333). - staging: ccree: use signal safe completion wait (git-fixes). - staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510). - staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510). - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510). - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510). - SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). 
- tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). - tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729). - tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510). - ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510). - tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510). - USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes). - USB: core: add endpoint-blacklist quirk (git-fixes). - USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: Disable LPM on WD19's Realtek Hub (git-fixes). - USB: dwc2: Fix in ISOC request length checking (git-fixes). - USB: Fix novation SourceControl XL after suspend (git-fixes). - USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes). - USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510). - USB: host: xhci-plat: add a shutdown (git-fixes). - USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes). - USB: hub: Do not record a connect-change event during reset-resume (git-fixes). - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes). - USB: misc: iowarrior: add support for the 100 device (git-fixes). - USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes). - USB: musb: Disable pullup at init (git-fixes). - USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510). - USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes). 
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes).
- USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes).
- USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510).
- USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes).
- USB: serial: pl2303: add device-id for HP LD381 (git-fixes).
- USB: storage: Add quirk for Samsung Fit flash (git-fixes).
- USB: uas: fix a plug & unplug racing (git-fixes).
- USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes).
- uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507)
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279)
- virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes).
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11).
- vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11).
- vxlan: fix tos value before xmit (networking-stable-20_01_11).
- x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279).
- x86/mce/amd: Fix kobject lifetime (bsc#1114279).
- x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279).
- x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279).
- xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes).
- xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes).
- xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510).
- xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Live Patching 12-SP4:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-1141=1

Package List:

- SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):
  kernel-default-kgraft-4.12.14-95.51.1
  kernel-default-kgraft-devel-4.12.14-95.51.1
  kgraft-patch-4_12_14-95_51-default-1-6.3.1

References:

https://www.suse.com/security/cve/CVE-2019-19768.html
https://www.suse.com/security/cve/CVE-2019-19770.html
https://www.suse.com/security/cve/CVE-2019-3701.html
https://www.suse.com/security/cve/CVE-2019-9458.html
https://www.suse.com/security/cve/CVE-2020-10942.html
https://www.suse.com/security/cve/CVE-2020-11494.html
https://www.suse.com/security/cve/CVE-2020-11669.html
https://www.suse.com/security/cve/CVE-2020-8647.html
https://www.suse.com/security/cve/CVE-2020-8649.html
https://www.suse.com/security/cve/CVE-2020-8834.html
https://www.suse.com/security/cve/CVE-2020-9383.html
https://bugzilla.suse.com/1044231
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1051858
https://bugzilla.suse.com/1056686
https://bugzilla.suse.com/1060463
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1104967
https://bugzilla.suse.com/1109911
https://bugzilla.suse.com/1114279
https://bugzilla.suse.com/1118338
https://bugzilla.suse.com/1120386
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1136157
https://bugzilla.suse.com/1137325
https://bugzilla.suse.com/1144333
https://bugzilla.suse.com/1145051
https://bugzilla.suse.com/1145929
https://bugzilla.suse.com/1146539
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1154385
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1158552
https://bugzilla.suse.com/1158983
https://bugzilla.suse.com/1159037
https://bugzilla.suse.com/1159142
https://bugzilla.suse.com/1159198
https://bugzilla.suse.com/1159199
https://bugzilla.suse.com/1159285
https://bugzilla.suse.com/1160659
https://bugzilla.suse.com/1161951
https://bugzilla.suse.com/1162929
https://bugzilla.suse.com/1162931
https://bugzilla.suse.com/1163403
https://bugzilla.suse.com/1163508
https://bugzilla.suse.com/1163897
https://bugzilla.suse.com/1164078
https://bugzilla.suse.com/1164284
https://bugzilla.suse.com/1164507
https://bugzilla.suse.com/1164893
https://bugzilla.suse.com/1165019
https://bugzilla.suse.com/1165111
https://bugzilla.suse.com/1165182
https://bugzilla.suse.com/1165404
https://bugzilla.suse.com/1165488
https://bugzilla.suse.com/1165527
https://bugzilla.suse.com/1165741
https://bugzilla.suse.com/1165813
https://bugzilla.suse.com/1165873
https://bugzilla.suse.com/1165949
https://bugzilla.suse.com/1165984
https://bugzilla.suse.com/1165985
https://bugzilla.suse.com/1166003
https://bugzilla.suse.com/1166101
https://bugzilla.suse.com/1166102
https://bugzilla.suse.com/1166103
https://bugzilla.suse.com/1166104
https://bugzilla.suse.com/1166632
https://bugzilla.suse.com/1166730
https://bugzilla.suse.com/1166731
https://bugzilla.suse.com/1166732
https://bugzilla.suse.com/1166733
https://bugzilla.suse.com/1166734
https://bugzilla.suse.com/1166735
https://bugzilla.suse.com/1166780
https://bugzilla.suse.com/1166860
https://bugzilla.suse.com/1166861
https://bugzilla.suse.com/1166862
https://bugzilla.suse.com/1166864
https://bugzilla.suse.com/1166866
https://bugzilla.suse.com/1166867
https://bugzilla.suse.com/1166868
https://bugzilla.suse.com/1166870
https://bugzilla.suse.com/1166940
https://bugzilla.suse.com/1167005
https://bugzilla.suse.com/1167288
https://bugzilla.suse.com/1167290
https://bugzilla.suse.com/1167316
https://bugzilla.suse.com/1167421
https://bugzilla.suse.com/1167423
https://bugzilla.suse.com/1167629
https://bugzilla.suse.com/1168075
https://bugzilla.suse.com/1168202
https://bugzilla.suse.com/1168276
https://bugzilla.suse.com/1168295
https://bugzilla.suse.com/1168424
https://bugzilla.suse.com/1168443
https://bugzilla.suse.com/1168486
https://bugzilla.suse.com/1168760
https://bugzilla.suse.com/1168762
https://bugzilla.suse.com/1168763
https://bugzilla.suse.com/1168764
https://bugzilla.suse.com/1168765
https://bugzilla.suse.com/1168829
https://bugzilla.suse.com/1168854
https://bugzilla.suse.com/1168881
https://bugzilla.suse.com/1168884
https://bugzilla.suse.com/1168952
https://bugzilla.suse.com/1169057
https://bugzilla.suse.com/1169390
https://bugzilla.suse.com/1169514
https://bugzilla.suse.com/1169625

From sle-security-updates at lists.suse.com Wed Apr 29 10:28:02 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 29 Apr 2020 18:28:02 +0200 (CEST)
Subject: SUSE-SU-2020:1138-1: important: Security update for xen
Message-ID: <20200429162802.F2736FE0F@maintenance.suse.de>

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1138-1
Rating: important
References: #1027519 #1155200 #1160932 #1161181 #1167152 #1168140 #1168142 #1168143 #1169392
Cross-References: CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743 CVE-2020-7211
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that solves 6 vulnerabilities and has three fixes is now available.

Description:

This update for xen fixes the following issues:

Security issues fixed:

- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).
- CVE-2020-7211: Fixed potential directory traversal using relative paths via tftp server on Windows host (bsc#1161181).
- arm: a CPU may speculate past the ERET instruction (bsc#1160932).

Non-security issues fixed:

- Xenstored Crashed during VM install (bsc#1167152)
- DomU hang: soft lockup CPU #0 stuck under high load (bsc#1165206, bsc#1134506)
- Update API compatibility versions, fixes issues for libvirt. (bsc#1167007, bsc#1157490)
- aacraid blocks xen commands (bsc#1155200)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1138=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1138=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 x86_64):
  xen-debugsource-4.11.3_04-2.23.1
  xen-devel-4.11.3_04-2.23.1
- SUSE Linux Enterprise Server 12-SP4 (x86_64):
  xen-4.11.3_04-2.23.1
  xen-debugsource-4.11.3_04-2.23.1
  xen-doc-html-4.11.3_04-2.23.1
  xen-libs-32bit-4.11.3_04-2.23.1
  xen-libs-4.11.3_04-2.23.1
  xen-libs-debuginfo-32bit-4.11.3_04-2.23.1
  xen-libs-debuginfo-4.11.3_04-2.23.1
  xen-tools-4.11.3_04-2.23.1
  xen-tools-debuginfo-4.11.3_04-2.23.1
  xen-tools-domU-4.11.3_04-2.23.1
  xen-tools-domU-debuginfo-4.11.3_04-2.23.1

References:

https://www.suse.com/security/cve/CVE-2020-11739.html
https://www.suse.com/security/cve/CVE-2020-11740.html
https://www.suse.com/security/cve/CVE-2020-11741.html
https://www.suse.com/security/cve/CVE-2020-11742.html
https://www.suse.com/security/cve/CVE-2020-11743.html
https://www.suse.com/security/cve/CVE-2020-7211.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1155200
https://bugzilla.suse.com/1160932
https://bugzilla.suse.com/1161181
https://bugzilla.suse.com/1167152
https://bugzilla.suse.com/1168140
https://bugzilla.suse.com/1168142
https://bugzilla.suse.com/1168143
https://bugzilla.suse.com/1169392

From sle-security-updates at lists.suse.com Wed Apr 29 10:30:26 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 29 Apr 2020 18:30:26 +0200 (CEST)
Subject: SUSE-SU-2020:1141-1: important: Security update for the Linux Kernel
Message-ID: <20200429163026.EC759FE29@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1141-1
Rating: important
References: #1044231 #1050549 #1051510 #1051858 #1056686 #1060463 #1065600 #1065729 #1083647 #1085030 #1104967 #1109911 #1114279 #1118338 #1120386 #1133021 #1136157 #1137325 #1144333 #1145051 #1145929 #1146539 #1148868 #1154385 #1157424 #1158552 #1158983 #1159037 #1159142 #1159198 #1159199 #1159285 #1160659 #1161951 #1162929 #1162931 #1163403 #1163508 #1163897 #1164078 #1164284 #1164507 #1164893 #1165019 #1165111 #1165182 #1165404 #1165488 #1165527 #1165741 #1165813 #1165873 #1165949 #1165984 #1165985 #1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166730 #1166731 #1166732 #1166733 #1166734 #1166735 #1166780 #1166860 #1166861 #1166862 #1166864 #1166866 #1166867 #1166868 #1166870 #1166940 #1167005 #1167288 #1167290 #1167316 #1167421 #1167423 #1167629 #1168075 #1168202 #1168276 #1168295 #1168424 #1168443 #1168486 #1168760 #1168762 #1168763 #1168764 #1168765 #1168829 #1168854 #1168881 #1168884 #1168952 #1169057 #1169390 #1169514 #1169625
Cross-References: CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-8647 CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products:
  SUSE Linux Enterprise Workstation Extension 12-SP4
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Live Patching 12-SP4
  SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 94 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security fixes and bugfixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacked validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: An issue was discovered in set_fdc in drivers/block/floppy.c that leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.
- Delete patches which cause regression (bsc#1165527 ltc#184149).
- Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403).
- device: Use overflow helpers for devm_kmalloc() (bsc#1166003).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765).
- ext4: fix incorrect inodes per group in error message (bsc#1168764).
- ext4: fix potential race between online resizing and write operations (bsc#1166864).
- ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867).
- ext4: fix potential race between s_group_info online resizing and access (bsc#1166866).
- ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870).
- ext4: fix support for inode sizes > 1024 bytes (bsc#1164284).
- ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940).
- ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868).
- ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fbdev: potential information leak in do_fb_ioctl() (bsc#1114279)
- fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279)
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- fix memory leak in large read decrypt offload (bsc#1144333).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hv_netvsc: pass netvsc_device to rndis halt
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix an error code format and remove unsed bio_sector (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md: introduce new personality funciton start() (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/r5cache: remove redundant pointer bio (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003).
- md: remove a bogus comment (bsc#1166003).
- md: remove redundant code that is no longer reachable (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- MM: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mm: Use overflow helpers in kvmalloc() (bsc#1166003).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- objtool: Add is_static_jump() helper (bsc#1169514).
- objtool: Add relocation check for alternative sections (bsc#1169514).
- OMAP: DSS2: remove non-zero check on variable r (bsc#1114279)
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5-cache: Need to do start() part job after adding journal device (bsc#1166003).
- raid5: copy write hint from origin bio to stripe (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). Refresh sorted patches.
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424).
- scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424).
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424).
- scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424).
- scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424).
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424).
- scsi: qla2xxx: add more FW debug information (bsc#1157424).
- scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424).
- scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424).
- scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424).
- scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424).
- scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424).
- scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424).
- scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424).
- scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424).
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424).
- scsi: qla2xxx: Display message for FCE enabled (bsc#1157424).
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424).
- scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424).
- scsi: qla2xxx: fix FW resource count values (bsc#1157424).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424).
- scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424).
- scsi: qla2xxx: Fix RDP respond data format (bsc#1157424).
- scsi: qla2xxx: Fix RDP response size (bsc#1157424).
- scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424).
- scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424).
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424).
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424).
- scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424).
- scsi: qla2xxx: Improved secure flash support messages (bsc#1157424).
- scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424).
- scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424).
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424).
- scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424).
- scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424).
- scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424).
- scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424).
- scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424).
- scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424).
- scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424).
- scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424).
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424).
- scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424).
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424).
- scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424).
- scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424).
- scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424).
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- smb3: add debug messages for closing unmatched open (bsc#1144333).
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333).
- smb3: add dynamic tracepoints for flush and close (bsc#1144333).
- smb3: add missing flag definitions (bsc#1144333).
- smb3: Add missing reparse tags (bsc#1144333).
- smb3: add missing worker function for SMB3 change notify (bsc#1144333).
- smb3: add mount option to allow forced caching of read only share (bsc#1144333).
- smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333).
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333).
- smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333).
- smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333).
- smb3: allow disabling requesting leases (bsc#1144333).
- smb3: allow parallelizing decryption of reads (bsc#1144333).
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333).
- SMB3: Backup intent flag missing from some more ops (bsc#1144333).
- smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333).
- smb3: display max smb3 requests in flight at any one time (bsc#1144333).
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333).
- smb3: enable offload of decryption of large reads via mount option (bsc#1144333).
- smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333).
- smb3: fix mode passed in on create for modetosid mount option (bsc#1144333).
- smb3: fix performance regression with setting mtime (bsc#1144333).
- smb3: fix potential null dereference in decrypt offload (bsc#1144333).
- smb3: fix problem with null cifs super block with previous patch (bsc#1144333).
- smb3: Fix regression in time handling (bsc#1144333).
- smb3: improve check for when we send the security descriptor context on create (bsc#1144333).
- smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333).
- smb3: missing ACL related flags (bsc#1144333).
- smb3: only offload decryption of read responses if multiple requests (bsc#1144333).
- smb3: pass mode bits into create calls (bsc#1144333).
- smb3: print warning once if posix context returned on open (bsc#1144333).
- smb3: query attributes on file close (bsc#1144333).
- smb3: remove noisy debug message and minor cleanup (bsc#1144333).
- smb3: remove unused flag passed into close functions (bsc#1144333).
- staging: ccree: use signal safe completion wait (git-fixes).
- staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510).
- staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8188eu: Fix potential security hole (bsc#1051510).
- staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8723bs: Fix potential security hole (bsc#1051510).
- staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510).
- staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510).
- staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202).
- tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27).
- tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05).
- tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20).
- tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11).
- thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510).
- thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes).
- tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231).
- tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes).
- tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003).
- tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729).
- tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510).
- ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes).
- tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510).
- tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510).
- USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes).
- USB: core: add endpoint-blacklist quirk (git-fixes).
- USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: Disable LPM on WD19's Realtek Hub (git-fixes).
- USB: dwc2: Fix in ISOC request length checking (git-fixes).
- USB: Fix novation SourceControl XL after suspend (git-fixes).
- USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes).
- USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510).
- USB: host: xhci-plat: add a shutdown (git-fixes).
- USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes).
- USB: hub: Do not record a connect-change event during reset-resume (git-fixes).
- usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes).
- USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes).
- USB: misc: iowarrior: add support for the 100 device (git-fixes).
- USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes).
- USB: musb: Disable pullup at init (git-fixes).
- USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510).
- USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes).
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes).
- USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes).
- USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510).
- USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes).
- USB: serial: pl2303: add device-id for HP LD381 (git-fixes).
- USB: storage: Add quirk for Samsung Fit flash (git-fixes).
- USB: uas: fix a plug & unplug racing (git-fixes).
- USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes).
- uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507)
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279)
- virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes).
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11).
- vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11).
- vxlan: fix tos value before xmit (networking-stable-20_01_11).
- x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279).
- x86/mce/amd: Fix kobject lifetime (bsc#1114279).
- x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279).
- x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279).
- xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes).
- xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes).
- xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510).
- xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP4:
  zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1141=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1141=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1141=1
- SUSE Linux Enterprise Live Patching 12-SP4:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-1141=1
- SUSE Linux Enterprise High Availability 12-SP4:
  zypper in -t patch SUSE-SLE-HA-12-SP4-2020-1141=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):
  kernel-default-debuginfo-4.12.14-95.51.1
  kernel-default-debugsource-4.12.14-95.51.1
  kernel-default-extra-4.12.14-95.51.1
  kernel-default-extra-debuginfo-4.12.14-95.51.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-4.12.14-95.51.1
  kernel-obs-build-debugsource-4.12.14-95.51.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):
  kernel-docs-4.12.14-95.51.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-95.51.1
  kernel-default-base-4.12.14-95.51.1
  kernel-default-base-debuginfo-4.12.14-95.51.1
  kernel-default-debuginfo-4.12.14-95.51.1
  kernel-default-debugsource-4.12.14-95.51.1
  kernel-default-devel-4.12.14-95.51.1
  kernel-syms-4.12.14-95.51.1
- SUSE Linux Enterprise Server 12-SP4 (noarch):
  kernel-devel-4.12.14-95.51.1
  kernel-macros-4.12.14-95.51.1
  kernel-source-4.12.14-95.51.1
- SUSE Linux Enterprise Server 12-SP4 (x86_64):
  kernel-default-devel-debuginfo-4.12.14-95.51.1
- SUSE Linux Enterprise Server 12-SP4 (s390x):
  kernel-default-man-4.12.14-95.51.1
- SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):
  kernel-default-kgraft-4.12.14-95.51.1
  kernel-default-kgraft-devel-4.12.14-95.51.1
  kgraft-patch-4_12_14-95_51-default-1-6.3.1
- SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-95.51.1
  cluster-md-kmp-default-debuginfo-4.12.14-95.51.1
  dlm-kmp-default-4.12.14-95.51.1
  dlm-kmp-default-debuginfo-4.12.14-95.51.1
  gfs2-kmp-default-4.12.14-95.51.1
  gfs2-kmp-default-debuginfo-4.12.14-95.51.1
  kernel-default-debuginfo-4.12.14-95.51.1
  kernel-default-debugsource-4.12.14-95.51.1
  ocfs2-kmp-default-4.12.14-95.51.1
  ocfs2-kmp-default-debuginfo-4.12.14-95.51.1

References:

https://www.suse.com/security/cve/CVE-2019-19768.html
https://www.suse.com/security/cve/CVE-2019-19770.html
https://www.suse.com/security/cve/CVE-2019-3701.html
https://www.suse.com/security/cve/CVE-2019-9458.html
https://www.suse.com/security/cve/CVE-2020-10942.html
https://www.suse.com/security/cve/CVE-2020-11494.html
https://www.suse.com/security/cve/CVE-2020-11669.html
https://www.suse.com/security/cve/CVE-2020-8647.html
https://www.suse.com/security/cve/CVE-2020-8649.html
https://www.suse.com/security/cve/CVE-2020-8834.html
https://www.suse.com/security/cve/CVE-2020-9383.html
https://bugzilla.suse.com/1044231
https://bugzilla.suse.com/1050549
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1051858
https://bugzilla.suse.com/1056686
https://bugzilla.suse.com/1060463
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1104967
https://bugzilla.suse.com/1109911
https://bugzilla.suse.com/1114279
https://bugzilla.suse.com/1118338
https://bugzilla.suse.com/1120386
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1136157
https://bugzilla.suse.com/1137325
https://bugzilla.suse.com/1144333
https://bugzilla.suse.com/1145051
https://bugzilla.suse.com/1145929
https://bugzilla.suse.com/1146539
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1154385
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1158552
https://bugzilla.suse.com/1158983
https://bugzilla.suse.com/1159037
https://bugzilla.suse.com/1159142
https://bugzilla.suse.com/1159198
https://bugzilla.suse.com/1159199
https://bugzilla.suse.com/1159285
https://bugzilla.suse.com/1160659
https://bugzilla.suse.com/1161951
https://bugzilla.suse.com/1162929
https://bugzilla.suse.com/1162931
https://bugzilla.suse.com/1163403
https://bugzilla.suse.com/1163508
https://bugzilla.suse.com/1163897
https://bugzilla.suse.com/1164078
https://bugzilla.suse.com/1164284
https://bugzilla.suse.com/1164507
https://bugzilla.suse.com/1164893
https://bugzilla.suse.com/1165019
https://bugzilla.suse.com/1165111
https://bugzilla.suse.com/1165182
https://bugzilla.suse.com/1165404
https://bugzilla.suse.com/1165488
https://bugzilla.suse.com/1165527
https://bugzilla.suse.com/1165741
https://bugzilla.suse.com/1165813
https://bugzilla.suse.com/1165873
https://bugzilla.suse.com/1165949
https://bugzilla.suse.com/1165984
https://bugzilla.suse.com/1165985
https://bugzilla.suse.com/1166003
https://bugzilla.suse.com/1166101
https://bugzilla.suse.com/1166102
https://bugzilla.suse.com/1166103
https://bugzilla.suse.com/1166104
https://bugzilla.suse.com/1166632
https://bugzilla.suse.com/1166730
https://bugzilla.suse.com/1166731
https://bugzilla.suse.com/1166732
https://bugzilla.suse.com/1166733
https://bugzilla.suse.com/1166734
https://bugzilla.suse.com/1166735
https://bugzilla.suse.com/1166780
https://bugzilla.suse.com/1166860
https://bugzilla.suse.com/1166861
https://bugzilla.suse.com/1166862
https://bugzilla.suse.com/1166864
https://bugzilla.suse.com/1166866
https://bugzilla.suse.com/1166867
https://bugzilla.suse.com/1166868
https://bugzilla.suse.com/1166870
https://bugzilla.suse.com/1166940
https://bugzilla.suse.com/1167005
https://bugzilla.suse.com/1167288
https://bugzilla.suse.com/1167290
https://bugzilla.suse.com/1167316
https://bugzilla.suse.com/1167421
https://bugzilla.suse.com/1167423
https://bugzilla.suse.com/1167629
https://bugzilla.suse.com/1168075
https://bugzilla.suse.com/1168202
https://bugzilla.suse.com/1168276
https://bugzilla.suse.com/1168295
https://bugzilla.suse.com/1168424
https://bugzilla.suse.com/1168443
https://bugzilla.suse.com/1168486
https://bugzilla.suse.com/1168760
https://bugzilla.suse.com/1168762
https://bugzilla.suse.com/1168763
https://bugzilla.suse.com/1168764
https://bugzilla.suse.com/1168765
https://bugzilla.suse.com/1168829
https://bugzilla.suse.com/1168854
https://bugzilla.suse.com/1168881
https://bugzilla.suse.com/1168884
https://bugzilla.suse.com/1168952
https://bugzilla.suse.com/1169057
https://bugzilla.suse.com/1169390
https://bugzilla.suse.com/1169514
https://bugzilla.suse.com/1169625

From sle-security-updates at lists.suse.com Wed Apr 29 10:43:23 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 29 Apr 2020 18:43:23 +0200 (CEST)
Subject: SUSE-SU-2020:1142-1: important: Security update for the Linux Kernel
Message-ID: <20200429164323.0A188FE0F@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1142-1
Rating: important
References:
#1044231 #1050549 #1051510 #1051858 #1056686 #1060463 #1065600 #1065729
#1083647 #1085030 #1088810 #1103990 #1103992 #1104353 #1104745 #1104967
#1109837 #1109911 #1111666 #1111974 #1112178 #1112374 #1112504 #1113956
#1114279 #1114685 #1118338 #1119680 #1120386 #1123328 #1127611 #1133021
#1134090 #1134395 #1136157 #1136333 #1137325 #1141895 #1142685 #1144162
#1144333 #1145051 #1145929 #1146539 #1148868 #1154385 #1156510 #1157424
#1158187 #1158552 #1158983 #1159037 #1159142 #1159198 #1159199 #1159285
#1160659 #1161561 #1161702 #1161951 #1162171 #1162929 #1162931 #1163403
#1163508 #1163762 #1163897 #1163971 #1164051 #1164078 #1164115 #1164284
#1164388 #1164471 #1164507 #1164598 #1164632 #1164705 #1164712 #1164727
#1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735
#1164777 #1164780 #1164893 #1165019 #1165111 #1165182
#1165185 #1165211 #1165404 #1165488 #1165527 #1165581 #1165741 #1165813
#1165823 #1165873 #1165929 #1165949 #1165950 #1165980 #1165984 #1165985
#1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166658 #1166730
#1166731 #1166732 #1166733 #1166734 #1166735 #1166780 #1166860 #1166861
#1166862 #1166864 #1166866 #1166867 #1166868 #1166870 #1166940 #1166982
#1167005 #1167216 #1167288 #1167290 #1167316 #1167421 #1167423 #1167627
#1167629 #1168075 #1168202 #1168273 #1168276 #1168295 #1168367 #1168424
#1168443 #1168486 #1168552 #1168760 #1168762 #1168763 #1168764 #1168765
#1168829 #1168854 #1168881 #1168884 #1168952 #1169013 #1169057 #1169307
#1169308 #1169390 #1169514 #1169625
Cross-References:
CVE-2018-20836 CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458
CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-2732 CVE-2020-8647
CVE-2020-8649 CVE-2020-8834 CVE-2020-9383
Affected Products:
SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

An update that solves 13 vulnerabilities and has 157 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacked validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-2732: Fixed an issue where under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929 1164078).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162929 1162931).
- CVE-2020-9383: An issue in set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2018-20836: Fixed an issue where a race condition in smp_task_timedout() and smp_task_done() could lead to a use-after-free (bnc#1134395).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Add snd_device_get_state() helper (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: default enable CA0132 DSP support (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666).
- ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666).
- ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510).
- ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666).
- ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666).
- ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes).
- ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510).
- ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes).
- ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666).
- ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666).
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes).
- ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510).
- ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510).
- ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666).
- ALSA: usb-audio: Add delayed_register option (bsc#1051510).
- ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666).
- ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510).
- ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666).
- ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510).
- ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510).
- ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666).
- ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666).
- ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510).
- ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510).
- ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510).
- ALSA: usb-audio: unlock on error in probe (bsc#1111666).
- ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666).
- ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956)
- apei/ghes: Do not delay GHES polling (bsc#1166982).
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504).
- binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
- binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bnxt_en: Improve device shutdown method (bsc#1104745).
- bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949). - btrfs: Do mandatory tree block check before submitting bio (bsc#1168273). - btrfs: do not account global reserve in can_overcommit (bsc#1165949). - btrfs: do not allow reservations if we have pending tickets (bsc#1165949). - btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949). - btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949). - btrfs: do not enospc all tickets on flush failure (bsc#1165949). - btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273). - btrfs: do not run delayed_iputs in commit (bsc#1165949). - btrfs: do not run delayed refs in the end transaction logic (bsc#1165949). - btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949). - btrfs: do not use global reserve for chunk allocation (bsc#1165949). - btrfs: drop get_extent from extent_page_data (bsc#1168273). - btrfs: drop min_size from evict_refill_and_join (bsc#1165949). - btrfs: drop unused space_info parameter from create_space_info (bsc#1165949). - btrfs: dump block_rsv details when dumping space info (bsc#1165949). - btrfs: export block group accounting helpers (bsc#1165949). - btrfs: export block_rsv_use_bytes (bsc#1165949). - btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949). - btrfs: export __btrfs_block_rsv_release (bsc#1165949). - btrfs: export space_info_add_*_bytes (bsc#1165949). - btrfs: export the block group caching helpers (bsc#1165949). - btrfs: export the caching control helpers (bsc#1165949). - btrfs: export the excluded extents helpers (bsc#1165949). - btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273). - btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273). - btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273). - btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273). 
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273). - btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273). - btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273). - btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273). - btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949). - btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949). - btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949). - btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949). - btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273). - btrfs: factor out the ticket flush handling (bsc#1165949). - btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508). - btrfs: fix crash due to "kernel BUG at ../fs/btrfs/relocation.c:4827!" - btrfs: fix insert_reserved error handling (bsc#1165949). - btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949). - btrfs: fix missing delayed iputs on unmount (bsc#1165949). - btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508). - btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949). - btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949). - btrfs: fix truncate throttling (bsc#1165949). - btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273). - btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949). - btrfs: Improve global reserve stealing logic (bsc#1165949). - btrfs: introduce an evict flushing state (bsc#1165949). - btrfs: introduce delayed_refs_rsv (bsc#1165949). - btrfs: loop in inode_rsv_refill (bsc#1165949). - btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949). 
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949). - btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949). - btrfs: make plug in writing meta blocks really work (bsc#1168273). - btrfs: merge two flush_write_bio helpers (bsc#1168273). - btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949). - btrfs: migrate inc/dec_block_group_ro code (bsc#1165949). - btrfs: migrate nocow and reservation helpers (bsc#1165949). - btrfs: migrate the alloc_profile helpers (bsc#1165949). - btrfs: migrate the block group caching code (bsc#1165949). - btrfs: migrate the block group cleanup code (bsc#1165949). - btrfs: migrate the block group lookup code (bsc#1165949). - btrfs: migrate the block group read/creation code (bsc#1165949). - btrfs: migrate the block group ref counting stuff (bsc#1165949). - btrfs: migrate the block group removal code (bsc#1165949). - btrfs: migrate the block group space accounting helpers (bsc#1165949). - btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949). - btrfs: migrate the chunk allocation code (bsc#1165949). - btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949). - btrfs: migrate the delayed refs rsv code (bsc#1165949). - btrfs: migrate the dirty bg writeout code (bsc#1165949). - btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949). - btrfs: move and export can_overcommit (bsc#1165949). - btrfs: move basic block_group definitions to their own header (bsc#1165949). - btrfs: move btrfs_add_free_space out of a header file (bsc#1165949). - btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949). - btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949). - btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949). - btrfs: move dump_space_info to space-info.c (bsc#1165949). - btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949). 
- btrfs: move space_info to space-info.h (bsc#1165949). - btrfs: move the space_info handling code to space-info.c (bsc#1165949). - btrfs: move the space info update macro to space-info.h (bsc#1165949). - btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949). - btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949). - btrfs: only check priority tickets for priority flushing (bsc#1165949). - btrfs: only free reserved extent if we didn't insert it (bsc#1165949). - btrfs: only reserve metadata_size for inodes (bsc#1165949). - btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949). - btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949). - btrfs: pass root to various extent ref mod functions (bsc#1165949). - btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823). - btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823). - btrfs: refactor block group replication factor calculation to a helper (bsc#1165949). - btrfs: refactor priority_reclaim_metadata_space (bsc#1165949). - btrfs: refactor the ticket wakeup code (bsc#1165949). - btrfs: release metadata before running delayed refs (bsc#1165949). - btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273). - btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949). - btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949). - btrfs: remove orig_bytes from reserve_ticket (bsc#1165949). - btrfs: Remove redundant argument of flush_space (bsc#1165949). - btrfs: Remove redundant mirror_num arg (bsc#1168273). - btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273). - btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949). - btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949). - btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949). - btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949). 
- btrfs: reserve delalloc metadata differently (bsc#1165949). - btrfs: reserve extra space during evict (bsc#1165949). - btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949). - btrfs: reset max_extent_size properly (bsc#1165949). - btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949). - btrfs: rework wake_all_tickets (bsc#1165949). - btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949). - btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949). - btrfs: run delayed iput at unlink time (bsc#1165949). - btrfs: run delayed iputs before committing (bsc#1165949). - btrfs: set max_extent_size properly (bsc#1165949). - btrfs: sink extent_write_full_page tree argument (bsc#1168273). - btrfs: sink extent_write_locked_range tree parameter (bsc#1168273). - btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273). - btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273). - btrfs: sink get_extent parameter to extent_readpages (bsc#1168273). - btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273). - btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273). - btrfs: sink get_extent parameter to extent_writepages (bsc#1168273). - btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273). - btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273). - btrfs: stop partially refilling tickets when releasing space (bsc#1165949). - btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949). - btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273). - btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949). - btrfs: temporarily export fragment_free_space (bsc#1165949). - btrfs: temporarily export inc_block_group_ro (bsc#1165949). - btrfs: track DIO bytes in flight (bsc#1165949). - btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273). - btrfs: unexport can_overcommit (bsc#1165949). 
- btrfs: unexport the temporary exported functions (bsc#1165949). - btrfs: unify error handling for ticket flushing (bsc#1165949). - btrfs: unify extent_page_data type passed as void (bsc#1168273). - btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949). - btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949). - btrfs: wait on caching when putting the bg cache (bsc#1165949). - btrfs: wait on ordered extents on abort cleanup (bsc#1165949). - btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949). - cdrom: respect device capabilities during opening action (boo#1164632). - ceph: canonicalize server path in place (bsc#1168443). - ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307). - ceph: remove the extra slashes in the server path (bsc#1168443). - cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510). - cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510). - cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290). - cifs: add a debug macro that prints \\server\share for errors (bsc#1144333). - cifs: add missing mount option to /proc/mounts (bsc#1144333). - cifs: add new debugging macro cifs_server_dbg (bsc#1144333). - cifs: add passthrough for smb2 setinfo (bsc#1144333). - cifs: add SMB2_open() arg to return POSIX data (bsc#1144333). - cifs: add smb2 POSIX info level (bsc#1144333). - cifs: add SMB3 change notification support (bsc#1144333). - cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333). - cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333). - cifs: Add tracepoints for errors on flush or fsync (bsc#1144333). - cifs: Adjust indentation in smb2_open_file (bsc#1144333). 
- cifs: allow chmod to set mode bits using special sid (bsc#1144333). - cifs: Avoid doing network I/O while holding cache lock (bsc#1144333). - cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333). - cifs: Clean up DFS referral cache (bsc#1144333). - cifs: create a helper function to parse the query-directory response buffer (bsc#1144333). - cifs: do d_move in rename (bsc#1144333). - cifs: Do not display RDMA transport on reconnect (bsc#1144333). - cifs: do not ignore the SYNC flags in getattr (bsc#1144333). - cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333). - cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333). - cifs: enable change notification for SMB2.1 dialect (bsc#1144333). - cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333). - cifs: fix a comment for the timeouts when sending echos (bsc#1144333). - cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333). - cifs: fix dereference on ses before it is null checked (bsc#1144333). - cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333). - cifs: Fix mode output in debugging statements (bsc#1144333). - cifs: Fix mount options set in automount (bsc#1144333). - cifs: fix NULL dereference in match_prepath (bsc#1144333). - cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333). - cifs: fix potential mismatch of UNC paths (bsc#1144333). - cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333). - cifs: Fix return value in __update_cache_entry (bsc#1144333). - cifs: fix soft mounts hanging in the reconnect code (bsc#1144333). - cifs: Fix task struct use-after-free on reconnect (bsc#1144333). - cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333). 
- cifs: get mode bits from special sid on stat (bsc#1144333). - cifs: Get rid of kstrdup_const()'d paths (bsc#1144333). - cifs: handle prefix paths in reconnect (bsc#1144333). - cifs: ignore cached share root handle closing errors (bsc#1166780). - cifs: Introduce helpers for finding TCP connection (bsc#1144333). - cifs: log warning message (once) if out of disk space (bsc#1144333). - cifs: make sure we do not overflow the max EA buffer size (bsc#1144333). - cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333). - cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333). - cifs: modefromsid: make room for 4 ACE (bsc#1144333). - cifs: modefromsid: write mode ACE first (bsc#1144333). - cifs: Optimize readdir on reparse points (bsc#1144333). - cifs: plumb smb2 POSIX dir enumeration (bsc#1144333). - cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333). - cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333). - cifs: print warning once if mounting with vers=1.0 (bsc#1144333). - cifs: refactor cifs_get_inode_info() (bsc#1144333). - cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333). - cifs: remove redundant assignment to variable rc (bsc#1144333). - cifs: remove set but not used variables (bsc#1144333). - cifs: remove set but not used variable 'server' (bsc#1144333). - cifs: remove unused variable (bsc#1144333). - cifs: remove unused variable 'sid_user' (bsc#1144333). - cifs: rename a variable in SendReceive() (bsc#1144333). - cifs: rename posix create rsp (bsc#1144333). - cifs: replace various strncpy with strscpy and similar (bsc#1144333). - cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333). - cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333). - cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333). 
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333). - cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333). - cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333). - cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333). - cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333). - cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333). - cifs: use compounding for open and first query-dir for readdir() (bsc#1144333). - cifs: Use #define in cifs_dbg (bsc#1144333). - cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333). - cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333). - cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333). - clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666). - clk: imx: Align imx sc clock msg structs to 4 (git-fixes). - clk: qcom: rcg: Return failure for RCG update (bsc#1051510). - closures: fix a race on wakeup from closure_sync (bsc#1163762). - cls_rsvp: fix rsvp_policy (networking-stable-20_02_05). - configfs: Fix bool initialization/comparison (bsc#1051510). - core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837). - Correct fallouts from previous AER/DPC fixes (bsc#1161561) - cpufreq: powernv: Fix unsafe notifiers (bsc#1065729). - cpufreq: powernv: Fix use-after-free (bsc#1065729). - cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510). - cpuidle: Do not unset the driver if it is there already (bsc#1051510). - crypto: arm64/sha-ce - implement export/import (bsc#1051510). - Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666). - Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666). - crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510). 
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes). - crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510). - debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198). - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). - debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). - debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). - debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198). - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). - debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). - debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). - debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). - debugfs: simplify __debugfs_remove_file() (bsc#1159198). - Delete patches which cause regression (bsc#1165527 ltc#184149). - Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403). - device: Use overflow helpers for devm_kmalloc() (bsc#1166003). - devlink: report 0 after hitting end in region read (bsc#1109837). - dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510). - dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510). - dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142). - driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510). - driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510). - driver core: Print device when resources present in really_probe() (bsc#1051510). - drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). 
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003). - drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003). - drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003). - drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956) - drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666). - drm/amd/display: Fix wrongly passed static prefix (bsc#1111666). - drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510). - drm/amd/dm/mst: Ignore payload update failures (bsc#1112178) - drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666). - drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279) - drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279) - drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510). - drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510). - drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510). - drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510). - drm/etnaviv: fix dumping of iommuv2 (bsc#1114279) - drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666). - drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666). - drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510). - drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes). - drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes). - drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279) - drm/i915: Program MBUS with rmw during initialization (git-fixes). 
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279) - drm/i915/userptr: fix size calculation (bsc#1114279) - drm/i915/userptr: Try to acquire the page lock around (bsc#1114279) - drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279) - drm/lease: fix WARNING in idr_destroy (bsc#1113956) - drm/mediatek: Add gamma property according to hardware capability (bsc#1114279) - drm/mediatek: disable all the planes in atomic_disable (bsc#1114279) - drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510). - drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279) - drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279) - drm/msm: Set dma maximum segment size for mdss (bsc#1051510). - drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510). - drm/msm: Use the correct dma_sync calls harder (bsc#1051510). - drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510). - drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510). - drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510). - drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes). - drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279) - drm: remove the newline for CRC source name (bsc#1051510). - drm/sun4i: de2/de3: Remove unsupported VI layer formats (git-fixes). - drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666). - drm/sun4i: Fix DE2 VI layer format support (git-fixes). - drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666). - drm/vc4: Fix HDMI mode validation (git-fixes). - dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510). - EDAC, ghes: Make platform-based whitelisting x86-only (bsc#1158187). - EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279). - EDAC: skx_common: downgrade message importance on missing PCI device (bsc#1165581). 
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367). - efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367). - efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893). - efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367). - Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632). - ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197). - ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862). - ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019). - ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288). - ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860). - ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861). - ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765). - ext4: fix incorrect inodes per group in error message (bsc#1168764). - ext4: fix mount failure with quota configured as module (bsc#1164471). - ext4: Fix mount failure with quota configured as module (bsc#1164471). - ext4: fix potential race between online resizing and write operations (bsc#1166864). - ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867). - ext4: fix potential race between s_group_info online resizing and access (bsc#1166866). - ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870). - ext4: fix support for inode sizes > 1024 bytes (bsc#1164284). - ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940). - ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868). - ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897). - fat: fix uninit-memory access for partial initialized inode (bsc#1051510). 
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510). - fbdev/g364fb: Fix build failure (bsc#1051510). - fbdev: potential information leak in do_fb_ioctl() (bsc#1114279) - fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279) - fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003). - firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666). - firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666). - firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes). - firmware: imx: scu: Ensure sequential TX (git-fixes). - firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes). - fix memory leak in large read decrypt offload (bsc#1144333). - Fix the locking in dcache_readdir() and friends (bsc#1123328). - fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333). - fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333). - fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333). - fs: cifs: mute -Wunused-const-variable message (bsc#1144333). - fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333). - fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333). - fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes). - gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27). - gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05). - HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510). - HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510). - HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes). 
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20). - hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598). - hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598). - hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598). - hv_netvsc: Fix unwanted rx_table reset (bsc#1164598). - hv_netvsc: pass netvsc_device to rndis halt - hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510). - i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510). - i2c: jz4780: silence log flood on txabrt (bsc#1051510). - IB/hfi1: Close window for pq and request coliding (bsc#1060463 ). - IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). - ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611). - ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - ibmvnic: Do not process device remove during device reset (bsc#1065729). - ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729). - iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510). - iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510). - iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510). - Input: add safety guards to input_set_keycode() (bsc#1168075). - Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510). - Input: edt-ft5x06 - work around first register access error (bsc#1051510). - Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510). - Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510). 
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510). - Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510). - Input: synaptics - switch T470s to RMI4 by default (bsc#1051510). - intel_th: Fix user-visible error codes (bsc#1051510). - intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510). - iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101). - iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057). - iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102). - iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895). - iommu/dma: Fix MSI reservation allocation (bsc#1166730). - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115). - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731). - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732). - iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103). - iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733). - iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734). - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735). - ipmi: fix hung processes in __get_guid() (bsc#1111666). - ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510). - ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes). - ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837). - ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325). - irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510). - irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510). - iwlegacy: Fix -Wcast-function-type (bsc#1051510). - iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632). - iwlwifi: mvm: Fix thermal zone registration (bsc#1051510). 
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911). - kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552). - kABI: restore debugfs_remove_recursive() (bsc#1159198). - kABI workaround for pcie_port_bus_type change (bsc#1161561). - kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895). - kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488). - kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488). - kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895). - KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021). - KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021). - KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). - KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). 
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950).
- libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929).
- libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix an error code format and remove unsed bio_sector (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md: introduce new personality funciton start() (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/r5cache: remove redundant pointer bio (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003).
- md: remove a bogus comment (bsc#1166003).
- md: remove redundant code that is no longer reachable (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374).
- mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- MM: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mm: Use overflow helpers in kvmalloc() (bsc#1166003).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162).
- net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net: Fix Tx hash bound checking (bsc#1109837).
- net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlx5: Fix lowest FDB pool size (bsc#1103990).
- net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990).
- net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net: sched: correct flower port blocking (git-fixes).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net/tls: fix async operation (bsc#1109837).
- net/tls: free the record on encryption error (bsc#1109837).
- net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme: Fix parsing of ANA log page (bsc#1166658).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510).
- nvme: Translate more status codes to blk_status_t (bsc#1156510).
- objtool: Add is_static_jump() helper (bsc#1169514).
- objtool: Add relocation check for alternative sections (bsc#1169514).
- OMAP: DSS2: remove non-zero check on variable r (bsc#1114279)
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561).
- PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561).
- PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561).
- PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561).
- PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561).
- PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/AER: Take reference on error devices (bsc#1161561).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI/ERR: Use slot reset if available (bsc#1161561).
- PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- ptr_ring: add include of linux/mm.h (bsc#1109837).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5-cache: Need to do start() part job after adding journal device (bsc#1166003).
- raid5: copy write hint from origin bio to stripe (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992).
- RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685).
- RDMA/uverbs: Verify MR access flags (bsc#1103992).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
- rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- s390/pci: Fix unexpected write combine on resource (git-fixes).
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108).
- s390/uv: Fix handling of length extensions (git-fixes).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654).
- scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424).
- scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424).
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424).
- scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424).
- scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424).
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424).
- scsi: qla2xxx: add more FW debug information (bsc#1157424).
- scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424).
- scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424).
- scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424).
- scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424).
- scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424).
- scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424).
- scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424).
- scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424).
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424).
- scsi: qla2xxx: Display message for FCE enabled (bsc#1157424).
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424).
- scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424).
- scsi: qla2xxx: fix FW resource count values (bsc#1157424).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424).
- scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424).
- scsi: qla2xxx: Fix RDP respond data format (bsc#1157424).
- scsi: qla2xxx: Fix RDP response size (bsc#1157424).
- scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424).
- scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424).
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424).
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424).
- scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424).
- scsi: qla2xxx: Improved secure flash support messages (bsc#1157424).
- scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424).
- scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424).
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424).
- scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424).
- scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424).
- scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424).
- scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424).
- scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424).
- scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424).
- scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424).
- scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424).
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424).
- scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424).
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424).
- scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424).
- scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424).
- scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424).
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- smb3: add debug messages for closing unmatched open (bsc#1144333).
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333).
- smb3: add dynamic tracepoints for flush and close (bsc#1144333).
- smb3: add missing flag definitions (bsc#1144333).
- smb3: Add missing reparse tags (bsc#1144333).
- smb3: add missing worker function for SMB3 change notify (bsc#1144333).
- smb3: add mount option to allow forced caching of read only share (bsc#1144333).
- smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333).
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333).
- smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333).
- smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333).
- smb3: allow disabling requesting leases (bsc#1144333).
- smb3: allow parallelizing decryption of reads (bsc#1144333).
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333).
- SMB3: Backup intent flag missing from some more ops (bsc#1144333).
- smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333).
- smb3: display max smb3 requests in flight at any one time (bsc#1144333).
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333).
- smb3: enable offload of decryption of large reads via mount option (bsc#1144333).
- smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333).
- smb3: fix mode passed in on create for modetosid mount option (bsc#1144333).
- smb3: fix performance regression with setting mtime (bsc#1144333).
- smb3: fix potential null dereference in decrypt offload (bsc#1144333).
- smb3: fix problem with null cifs super block with previous patch (bsc#1144333).
- smb3: Fix regression in time handling (bsc#1144333).
- smb3: improve check for when we send the security descriptor context on create (bsc#1144333).
- smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333).
- smb3: missing ACL related flags (bsc#1144333).
- smb3: only offload decryption of read responses if multiple requests (bsc#1144333).
- smb3: pass mode bits into create calls (bsc#1144333).
- smb3: print warning once if posix context returned on open (bsc#1144333).
- smb3: query attributes on file close (bsc#1144333).
- smb3: remove noisy debug message and minor cleanup (bsc#1144333).
- smb3: remove unused flag passed into close functions (bsc#1144333).
- sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
- staging: ccree: use signal safe completion wait (git-fixes).
- staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510).
- staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8188eu: Fix potential security hole (bsc#1051510). - staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510). - staging: rtl8723bs: Fix potential security hole (bsc#1051510). - staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510). - staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510). - staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510). - stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702). - stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702). - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702). - SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202). - SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992). - swiotlb: do not panic on mapping failures (bsc#1162171). - swiotlb: remove the overflow buffer (bsc#1162171). - tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27). - tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05). - tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05). - tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20). - tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11). - thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510). - thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes). - tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231). - tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes). 
- tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003). - tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729). - tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510). - ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes). - tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510). - tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510). - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837). - USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510). - USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes). - USB: core: add endpoint-blacklist quirk (git-fixes). - USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes). - USB: Disable LPM on WD19's Realtek Hub (git-fixes). - USB: dwc2: Fix in ISOC request length checking (git-fixes). - USB: Fix novation SourceControl XL after suspend (git-fixes). - USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes). - USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510). - USB: host: xhci-plat: add a shutdown (git-fixes). - USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes). - USB: hub: Do not record a connect-change event during reset-resume (git-fixes). - usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes). - USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes). - USB: misc: iowarrior: add support for the 100 device (git-fixes). - USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes). - USB: musb: Disable pullup at init (git-fixes). - USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510). - USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes). 
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes). - USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes). - USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510). - USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes). - USB: serial: pl2303: add device-id for HP LD381 (git-fixes). - USB: storage: Add quirk for Samsung Fit flash (git-fixes). - USB: uas: fix a plug & unplug racing (git-fixes). - USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes). - uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507) - vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279) - virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes). - virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627). - virtio_ring: fix unmap of indirect descriptors (bsc#1162171). - vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11). - vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11). - vxlan: fix tos value before xmit (networking-stable-20_01_11). - x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279). - x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895). - x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895). - x86/mce/amd: Fix kobject lifetime (bsc#1114279). - x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279). - x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279). - xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486). - xen: Enable interrupts when calling _cond_resched() (bsc#1065600). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). 
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes). - xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes). - xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510). - xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-1142=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-122.20.1 kernel-default-debugsource-4.12.14-122.20.1 kernel-default-kgraft-4.12.14-122.20.1 kernel-default-kgraft-devel-4.12.14-122.20.1 kgraft-patch-4_12_14-122_20-default-1-8.3.1 References: https://www.suse.com/security/cve/CVE-2018-20836.html https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-11669.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-9383.html https://bugzilla.suse.com/1044231 https://bugzilla.suse.com/1050549 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1056686 
https://bugzilla.suse.com/1060463 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1104967 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1111974 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1119680 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1134090 https://bugzilla.suse.com/1134395 https://bugzilla.suse.com/1136157 https://bugzilla.suse.com/1136333 https://bugzilla.suse.com/1137325 https://bugzilla.suse.com/1141895 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144162 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1145051 https://bugzilla.suse.com/1145929 https://bugzilla.suse.com/1146539 https://bugzilla.suse.com/1148868 https://bugzilla.suse.com/1154385 https://bugzilla.suse.com/1156510 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1158187 https://bugzilla.suse.com/1158552 https://bugzilla.suse.com/1158983 https://bugzilla.suse.com/1159037 https://bugzilla.suse.com/1159142 https://bugzilla.suse.com/1159198 https://bugzilla.suse.com/1159199 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1160659 https://bugzilla.suse.com/1161561 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 
https://bugzilla.suse.com/1163403 https://bugzilla.suse.com/1163508 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163897 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164051 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164284 https://bugzilla.suse.com/1164388 https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164507 https://bugzilla.suse.com/1164598 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735 https://bugzilla.suse.com/1164777 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164893 https://bugzilla.suse.com/1165019 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165182 https://bugzilla.suse.com/1165185 https://bugzilla.suse.com/1165211 https://bugzilla.suse.com/1165404 https://bugzilla.suse.com/1165488 https://bugzilla.suse.com/1165527 https://bugzilla.suse.com/1165581 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1165813 https://bugzilla.suse.com/1165823 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165929 https://bugzilla.suse.com/1165949 https://bugzilla.suse.com/1165950 https://bugzilla.suse.com/1165980 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1166003 https://bugzilla.suse.com/1166101 https://bugzilla.suse.com/1166102 https://bugzilla.suse.com/1166103 https://bugzilla.suse.com/1166104 https://bugzilla.suse.com/1166632 https://bugzilla.suse.com/1166658 https://bugzilla.suse.com/1166730 https://bugzilla.suse.com/1166731 https://bugzilla.suse.com/1166732 https://bugzilla.suse.com/1166733 
https://bugzilla.suse.com/1166734 https://bugzilla.suse.com/1166735 https://bugzilla.suse.com/1166780 https://bugzilla.suse.com/1166860 https://bugzilla.suse.com/1166861 https://bugzilla.suse.com/1166862 https://bugzilla.suse.com/1166864 https://bugzilla.suse.com/1166866 https://bugzilla.suse.com/1166867 https://bugzilla.suse.com/1166868 https://bugzilla.suse.com/1166870 https://bugzilla.suse.com/1166940 https://bugzilla.suse.com/1166982 https://bugzilla.suse.com/1167005 https://bugzilla.suse.com/1167216 https://bugzilla.suse.com/1167288 https://bugzilla.suse.com/1167290 https://bugzilla.suse.com/1167316 https://bugzilla.suse.com/1167421 https://bugzilla.suse.com/1167423 https://bugzilla.suse.com/1167627 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168202 https://bugzilla.suse.com/1168273 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168367 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168443 https://bugzilla.suse.com/1168486 https://bugzilla.suse.com/1168552 https://bugzilla.suse.com/1168760 https://bugzilla.suse.com/1168762 https://bugzilla.suse.com/1168763 https://bugzilla.suse.com/1168764 https://bugzilla.suse.com/1168765 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1168881 https://bugzilla.suse.com/1168884 https://bugzilla.suse.com/1168952 https://bugzilla.suse.com/1169013 https://bugzilla.suse.com/1169057 https://bugzilla.suse.com/1169307 https://bugzilla.suse.com/1169308 https://bugzilla.suse.com/1169390 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169625 From sle-security-updates at lists.suse.com Wed Apr 29 11:04:22 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 29 Apr 2020 19:04:22 +0200 (CEST) Subject: SUSE-SU-2020:1139-1: important: Security update for xen Message-ID: <20200429170422.6465EFFEB@maintenance.suse.de> SUSE 
Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1139-1
Rating: important
References: #1027519 #1134506 #1155200 #1157490 #1160932 #1161181 #1162040 #1165206 #1167007 #1167152 #1168140 #1168142 #1168143 #1169392
Cross-References: CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743 CVE-2020-7211
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 6 vulnerabilities and has 8 fixes is now available.

Description:

This update for xen to version 4.12.2 fixes the following issues:

Security issues fixed:

- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).
- CVE-2020-7211: Fixed potential directory traversal using relative paths via tftp server on Windows host (bsc#1161181).
- arm: a CPU may speculate past the ERET instruction (bsc#1160932).

Non-security issues fixed:

- Xenstored Crashed during VM install (bsc#1167152)
- DomU hang: soft lockup CPU #0 stuck under high load (bsc#1165206, bsc#1134506)
- Update API compatibility versions, fixes issues for libvirt. (bsc#1167007, bsc#1157490)
- aacraid blocks xen commands (bsc#1155200)
- Problems Booting Fedora31 VM on sles15 sp1 Xen Dom0 (bsc#1162040).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1139=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1139=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 x86_64): xen-debugsource-4.12.2_04-3.11.1 xen-devel-4.12.2_04-3.11.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): xen-4.12.2_04-3.11.1 xen-debugsource-4.12.2_04-3.11.1 xen-doc-html-4.12.2_04-3.11.1 xen-libs-32bit-4.12.2_04-3.11.1 xen-libs-4.12.2_04-3.11.1 xen-libs-debuginfo-32bit-4.12.2_04-3.11.1 xen-libs-debuginfo-4.12.2_04-3.11.1 xen-tools-4.12.2_04-3.11.1 xen-tools-debuginfo-4.12.2_04-3.11.1 xen-tools-domU-4.12.2_04-3.11.1 xen-tools-domU-debuginfo-4.12.2_04-3.11.1 References: https://www.suse.com/security/cve/CVE-2020-11739.html https://www.suse.com/security/cve/CVE-2020-11740.html https://www.suse.com/security/cve/CVE-2020-11741.html https://www.suse.com/security/cve/CVE-2020-11742.html https://www.suse.com/security/cve/CVE-2020-11743.html https://www.suse.com/security/cve/CVE-2020-7211.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1134506 https://bugzilla.suse.com/1155200 https://bugzilla.suse.com/1157490 https://bugzilla.suse.com/1160932 https://bugzilla.suse.com/1161181 https://bugzilla.suse.com/1162040 https://bugzilla.suse.com/1165206 https://bugzilla.suse.com/1167007 https://bugzilla.suse.com/1167152 https://bugzilla.suse.com/1168140 https://bugzilla.suse.com/1168142 https://bugzilla.suse.com/1168143 https://bugzilla.suse.com/1169392 From sle-security-updates at lists.suse.com Wed Apr 29 11:06:43 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 29 Apr 2020 19:06:43 +0200 (CEST) Subject: SUSE-SU-2020:1144-1: moderate: Security update for munge Message-ID: <20200429170643.85883FFEB@maintenance.suse.de> SUSE Security Update: Security update for 
munge ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1144-1 Rating: moderate References: #1155075 #1160075 Cross-References: CVE-2019-3691 Affected Products: SUSE Linux Enterprise Module for HPC 12 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for munge to 0.5.14 fixes the following issues: Security issue fixed: - CVE-2019-3691: Fixed a local privilege escalation during update (bsc#1155075) Non-security issue fixed: - Add Provides for 'munge-libs' to package libmunge (bsc#1160075). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 12: zypper in -t patch SUSE-SLE-Module-HPC-12-2020-1144=1 Package List: - SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64): libmunge2-0.5.14-3.6.1 libmunge2-debuginfo-0.5.14-3.6.1 munge-0.5.14-3.6.1 munge-debuginfo-0.5.14-3.6.1 munge-debugsource-0.5.14-3.6.1 munge-devel-0.5.14-3.6.1 References: https://www.suse.com/security/cve/CVE-2019-3691.html https://bugzilla.suse.com/1155075 https://bugzilla.suse.com/1160075 From sle-security-updates at lists.suse.com Wed Apr 29 11:07:45 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 29 Apr 2020 19:07:45 +0200 (CEST) Subject: SUSE-SU-2020:1142-1: important: Security update for the Linux Kernel Message-ID: <20200429170745.4D30AFFEB@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1142-1 Rating: important References: #1044231 #1050549 #1051510 #1051858 #1056686 #1060463 #1065600 #1065729 #1083647 #1085030 #1088810 
#1103990 #1103992 #1104353 #1104745 #1104967 #1109837 #1109911 #1111666 #1111974 #1112178 #1112374 #1112504 #1113956 #1114279 #1114685 #1118338 #1119680 #1120386 #1123328 #1127611 #1133021 #1134090 #1134395 #1136157 #1136333 #1137325 #1141895 #1142685 #1144162 #1144333 #1145051 #1145929 #1146539 #1148868 #1154385 #1156510 #1157424 #1158187 #1158552 #1158983 #1159037 #1159142 #1159198 #1159199 #1159285 #1160659 #1161561 #1161702 #1161951 #1162171 #1162929 #1162931 #1163403 #1163508 #1163762 #1163897 #1163971 #1164051 #1164078 #1164115 #1164284 #1164388 #1164471 #1164507 #1164598 #1164632 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735 #1164777 #1164780 #1164893 #1165019 #1165111 #1165182 #1165185 #1165211 #1165404 #1165488 #1165527 #1165581 #1165741 #1165813 #1165823 #1165873 #1165929 #1165949 #1165950 #1165980 #1165984 #1165985 #1166003 #1166101 #1166102 #1166103 #1166104 #1166632 #1166658 #1166730 #1166731 #1166732 #1166733 #1166734 #1166735 #1166780 #1166860 #1166861 #1166862 #1166864 #1166866 #1166867 #1166868 #1166870 #1166940 #1166982 #1167005 #1167216 #1167288 #1167290 #1167316 #1167421 #1167423 #1167627 #1167629 #1168075 #1168202 #1168273 #1168276 #1168295 #1168367 #1168424 #1168443 #1168486 #1168552 #1168760 #1168762 #1168763 #1168764 #1168765 #1168829 #1168854 #1168881 #1168884 #1168952 #1169013 #1169057 #1169307 #1169308 #1169390 #1169514 #1169625 Cross-References: CVE-2018-20836 CVE-2019-19768 CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-2732 CVE-2020-8647 CVE-2020-8649 CVE-2020-8834 CVE-2020-9383 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise High Availability 12-SP5 ______________________________________________________________________________ An update that solves 13 
vulnerabilities and has 157 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-2732: Fixed an issue where under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929 1164078).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162929 1162931).
- CVE-2020-9383: An issue was discovered where set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2018-20836: Fixed an issue where a race condition in smp_task_timedout() and smp_task_done() could lead to a use-after-free (bnc#1134395).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Add snd_device_get_state() helper (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: default enable CA0132 DSP support (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666).
- ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666).
- ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510).
- ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666).
- ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666). - ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes). - ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510). - ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes). - ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666). - ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666). - ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666). - ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes). - ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510). - ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510). - ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510). - ALSA: hda: Use scnprintf() for string truncation (bsc#1051510). - ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510). - ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510). - ALSA: info: remove redundant assignment to variable c (bsc#1051510). - ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510). - ALSA: line6: Fix endless MIDI read loop (git-fixes). - ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510). - ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510). - ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes). - ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510). - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes). - ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510). - ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510). - ALSA: seq: oss: Fix running status after receiving sysex (git-fixes). - ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes). 
- ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666). - ALSA: usb-audio: Add delayed_register option (bsc#1051510). - ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666). - ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666). - ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510). - ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666). - ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes). - ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510). - ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510). - ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666). - ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510). - ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666). - ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510). - ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510). - ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510). - ALSA: usb-audio: unlock on error in probe (bsc#1111666). - ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666). - ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510). - ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510). - ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510). - ALSA: via82xx: Fix endianness annotations (bsc#1051510). - amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956) - apei/ghes: Do not delay GHES polling (bsc#1166982). - ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510). 
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510). - ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510). - ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510). - ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510). - ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510). - ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510). - ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510). - ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510). - ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510). - ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388). - ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510). - atm: zatm: Fix empty body Clang warnings (bsc#1051510). - atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003). - b43legacy: Fix -Wcast-function-type (bsc#1051510). - batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510). - batman-adv: Do not schedule OGM for disabled interface (bsc#1051510). - batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510). - bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762). - bcache: add code comments for state->pool in __btree_sort() (bsc#1163762). - bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762). - bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762). - bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762). - bcache: add more accurate error messages in read_super() (bsc#1163762). - bcache: add readahead cache policy options via sysfs interface (bsc#1163762). - bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762). 
- bcache: check return value of prio_read() (bsc#1163762). - bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762). - bcache: do not export symbols (bsc#1163762). - bcache: explicity type cast in bset_bkey_last() (bsc#1163762). - bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762). - bcache: Fix an error code in bch_dump_read() (bsc#1163762). - bcache: fix deadlock in bcache_allocator (bsc#1163762). - bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762). - bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762). - bcache: fix static checker warning in bcache_device_free() (bsc#1163762). - bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504). - bcache: print written and keys in trace_bcache_btree_write (bsc#1163762). - bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762). - bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762). - bcache: remove macro nr_to_fifo_front() (bsc#1163762). - bcache: remove member accessed from struct btree (bsc#1163762). - bcache: remove the extra cflags for request.o (bsc#1163762). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (bsc#1163762, bsc#1112504). - binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013). - binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013). - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285). - blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316). - blktrace: fix dereference after null check (bsc#1159285). - blktrace: fix trace mutex deadlock (bsc#1159285). - block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142). - block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760). - block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762). 
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bnxt_en: Improve device shutdown method (bsc#1104745).
- bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix crash due to "kernel BUG at ../fs/btrfs/relocation.c:4827!"
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: Remove redundant mirror_num arg (bsc#1168273).
- btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: sink extent_write_full_page tree argument (bsc#1168273).
- btrfs: sink extent_write_locked_range tree parameter (bsc#1168273).
- btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273).
- btrfs: sink get_extent parameter to extent_readpages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273).
- btrfs: sink get_extent parameter to extent_writepages (bsc#1168273).
- btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273).
- btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: unify extent_page_data type passed as void (bsc#1168273).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- cdrom: respect device capabilities during opening action (boo#1164632).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666).
- clk: imx: Align imx sc clock msg structs to 4 (git-fixes).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837).
- Correct fallouts from previous AER/DPC fixes (bsc#1161561)
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666).
- Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911).
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198).
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911).
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911).
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198).
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198).
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911).
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911).
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911).
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911).
- debugfs: simplify __debugfs_remove_file() (bsc#1159198).
- Delete patches which cause regression (bsc#1165527 ltc#184149).
- Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403).
- device: Use overflow helpers for devm_kmalloc() (bsc#1166003).
- devlink: report 0 after hitting end in region read (bsc#1109837).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956)
- drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666).
- drm/amd/display: Fix wrongly passed static prefix (bsc#1111666).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amd/dm/mst: Ignore payload update failures (bsc#1112178)
- drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666).
- drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666).
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes).
- drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915: Program MBUS with rmw during initialization (git-fixes).
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/lease: fix WARNING in idr_destroy (bsc#1113956)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes).
- drm: rcar-du: Recognize "renesas,vsps" in addition to "vsps" (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- drm/sun4i: de2/de3: Remove unsupported VI layer formats (git-fixes).
- drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666).
- drm/sun4i: Fix DE2 VI layer format support (git-fixes).
- drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666).
- drm/vc4: Fix HDMI mode validation (git-fixes).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC, ghes: Make platform-based whitelisting x86-only (bsc#1158187).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- EDAC: skx_common: downgrade message importance on missing PCI device (bsc#1165581).
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367).
- efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367).
- Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632).
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765).
- ext4: fix incorrect inodes per group in error message (bsc#1168764).
- ext4: fix mount failure with quota configured as module (bsc#1164471).
- ext4: Fix mount failure with quota configured as module (bsc#1164471).
- ext4: fix potential race between online resizing and write operations (bsc#1166864).
- ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867).
- ext4: fix potential race between s_group_info online resizing and access (bsc#1166866).
- ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870).
- ext4: fix support for inode sizes > 1024 bytes (bsc#1164284).
- ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940).
- ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868).
- ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fbdev: potential information leak in do_fb_ioctl() (bsc#1114279)
- fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279)
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666).
- firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666).
- firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes).
- firmware: imx: scu: Ensure sequential TX (git-fixes).
- firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes).
- fix memory leak in large read decrypt offload (bsc#1144333).
- Fix the locking in dcache_readdir() and friends (bsc#1123328).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598).
- hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598).
- hv_netvsc: Fix unwanted rx_table reset (bsc#1164598).
- hv_netvsc: pass netvsc_device to rndis halt
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipmi: fix hung processes in __get_guid() (bsc#1111666).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for pcie_port_bus_type change (bsc#1161561).
- kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950).
- libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929).
- libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix an error code format and remove unsed bio_sector (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md: introduce new personality funciton start() (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/r5cache: remove redundant pointer bio (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003).
- md: remove a bogus comment (bsc#1166003).
- md: remove redundant code that is no longer reachable (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374).
- mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- MM: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mm: Use overflow helpers in kvmalloc() (bsc#1166003).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162).
- net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net: Fix Tx hash bound checking (bsc#1109837).
- net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlx5: Fix lowest FDB pool size (bsc#1103990).
- net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990).
- net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net: sched: correct flower port blocking (git-fixes).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net/tls: fix async operation (bsc#1109837).
- net/tls: free the record on encryption error (bsc#1109837).
- net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme: Fix parsing of ANA log page (bsc#1166658).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510).
- nvme: Translate more status codes to blk_status_t (bsc#1156510).
- objtool: Add is_static_jump() helper (bsc#1169514).
- objtool: Add relocation check for alternative sections (bsc#1169514).
- OMAP: DSS2: remove non-zero check on variable r (bsc#1114279)
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561).
- PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561).
- PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561).
- PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561).
- PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561).
- PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/AER: Take reference on error devices (bsc#1161561).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI/ERR: Use slot reset if available (bsc#1161561).
- PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- ptr_ring: add include of linux/mm.h (bsc#1109837).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5-cache: Need to do start() part job after adding journal device (bsc#1166003).
- raid5: copy write hint from origin bio to stripe (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992).
- RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685).
- RDMA/uverbs: Verify MR access flags (bsc#1103992).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
- rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- s390/pci: Fix unexpected write combine on resource (git-fixes).
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108).
- s390/uv: Fix handling of length extensions (git-fixes).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove "failed" from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654).
- scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424).
- scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424).
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424).
- scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424).
- scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424).
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424).
- scsi: qla2xxx: add more FW debug information (bsc#1157424).
- scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424).
- scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424).
- scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424).
- scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424).
- scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424).
- scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424).
- scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424).
- scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424).
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424).
- scsi: qla2xxx: Display message for FCE enabled (bsc#1157424).
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424).
- scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424).
- scsi: qla2xxx: fix FW resource count values (bsc#1157424).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424).
- scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424).
- scsi: qla2xxx: Fix RDP respond data format (bsc#1157424).
- scsi: qla2xxx: Fix RDP response size (bsc#1157424).
- scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424).
- scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424).
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424).
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424).
- scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424).
- scsi: qla2xxx: Improved secure flash support messages (bsc#1157424).
- scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424).
- scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424).
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424).
- scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424).
- scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424).
- scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424).
- scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424).
- scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424).
- scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424).
- scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424).
- scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424).
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424).
- scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424).
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424).
- scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424).
- scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424).
- scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424).
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- smb3: add debug messages for closing unmatched open (bsc#1144333).
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333).
- smb3: add dynamic tracepoints for flush and close (bsc#1144333).
- smb3: add missing flag definitions (bsc#1144333).
- smb3: Add missing reparse tags (bsc#1144333).
- smb3: add missing worker function for SMB3 change notify (bsc#1144333).
- smb3: add mount option to allow forced caching of read only share (bsc#1144333).
- smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333).
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333).
- smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333).
- smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333).
- smb3: allow disabling requesting leases (bsc#1144333).
- smb3: allow parallelizing decryption of reads (bsc#1144333).
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333).
- SMB3: Backup intent flag missing from some more ops (bsc#1144333).
- smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333).
- smb3: display max smb3 requests in flight at any one time (bsc#1144333).
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333).
- smb3: enable offload of decryption of large reads via mount option (bsc#1144333).
- smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333).
- smb3: fix mode passed in on create for modetosid mount option (bsc#1144333).
- smb3: fix performance regression with setting mtime (bsc#1144333).
- smb3: fix potential null dereference in decrypt offload (bsc#1144333).
- smb3: fix problem with null cifs super block with previous patch (bsc#1144333).
- smb3: Fix regression in time handling (bsc#1144333).
- smb3: improve check for when we send the security descriptor context on create (bsc#1144333).
- smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333).
- smb3: missing ACL related flags (bsc#1144333).
- smb3: only offload decryption of read responses if multiple requests (bsc#1144333).
- smb3: pass mode bits into create calls (bsc#1144333).
- smb3: print warning once if posix context returned on open (bsc#1144333).
- smb3: query attributes on file close (bsc#1144333).
- smb3: remove noisy debug message and minor cleanup (bsc#1144333).
- smb3: remove unused flag passed into close functions (bsc#1144333).
- sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
- staging: ccree: use signal safe completion wait (git-fixes).
- staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510).
- staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8188eu: Fix potential security hole (bsc#1051510).
- staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8723bs: Fix potential security hole (bsc#1051510).
- staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510).
- staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510).
- staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202).
- SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27).
- tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05).
- tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20).
- tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11).
- thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510).
- thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes).
- tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231).
- tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes).
- tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003).
- tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729).
- tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510).
- ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes).
- tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510).
- tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510).
- tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837).
- USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510).
- USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes).
- USB: core: add endpoint-blacklist quirk (git-fixes).
- USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: Disable LPM on WD19's Realtek Hub (git-fixes).
- USB: dwc2: Fix in ISOC request length checking (git-fixes).
- USB: Fix novation SourceControl XL after suspend (git-fixes).
- USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes).
- USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510).
- USB: host: xhci-plat: add a shutdown (git-fixes).
- USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes).
- USB: hub: Do not record a connect-change event during reset-resume (git-fixes).
- usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes).
- USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes).
- USB: misc: iowarrior: add support for the 100 device (git-fixes).
- USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes).
- USB: musb: Disable pullup at init (git-fixes).
- USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510).
- USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes).
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes).
- USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes).
- USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510).
- USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes).
- USB: serial: pl2303: add device-id for HP LD381 (git-fixes).
- USB: storage: Add quirk for Samsung Fit flash (git-fixes).
- USB: uas: fix a plug & unplug racing (git-fixes).
- USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes).
- uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507)
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279)
- virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes).
- virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627).
- virtio_ring: fix unmap of indirect descriptors (bsc#1162171).
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11).
- vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11).
- vxlan: fix tos value before xmit (networking-stable-20_01_11).
- x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279).
- x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895).
- x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895).
- x86/mce/amd: Fix kobject lifetime (bsc#1114279).
- x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279).
- x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279).
- xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486).
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes).
- xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes).
- xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510).
- xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:
  zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1142=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1142=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1142=1
- SUSE Linux Enterprise Live Patching 12-SP5:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-1142=1
- SUSE Linux Enterprise High Availability 12-SP5:
  zypper in -t patch SUSE-SLE-HA-12-SP5-2020-1142=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
  kernel-default-debuginfo-4.12.14-122.20.1
  kernel-default-debugsource-4.12.14-122.20.1
  kernel-default-extra-4.12.14-122.20.1
  kernel-default-extra-debuginfo-4.12.14-122.20.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-4.12.14-122.20.1
  kernel-obs-build-debugsource-4.12.14-122.20.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
  kernel-docs-4.12.14-122.20.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-122.20.1
  kernel-default-base-4.12.14-122.20.1
  kernel-default-base-debuginfo-4.12.14-122.20.1
  kernel-default-debuginfo-4.12.14-122.20.1
  kernel-default-debugsource-4.12.14-122.20.1
  kernel-default-devel-4.12.14-122.20.1
  kernel-syms-4.12.14-122.20.1
- SUSE Linux Enterprise Server 12-SP5 (noarch):
  kernel-devel-4.12.14-122.20.1
  kernel-macros-4.12.14-122.20.1
  kernel-source-4.12.14-122.20.1
- SUSE Linux Enterprise Server 12-SP5 (x86_64):
  kernel-default-devel-debuginfo-4.12.14-122.20.1
- SUSE Linux Enterprise Server 12-SP5 (s390x):
  kernel-default-man-4.12.14-122.20.1
- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-122.20.1
  kernel-default-debugsource-4.12.14-122.20.1
  kernel-default-kgraft-4.12.14-122.20.1
  kernel-default-kgraft-devel-4.12.14-122.20.1
  kgraft-patch-4_12_14-122_20-default-1-8.3.1
- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-122.20.1
  cluster-md-kmp-default-debuginfo-4.12.14-122.20.1
  dlm-kmp-default-4.12.14-122.20.1
  dlm-kmp-default-debuginfo-4.12.14-122.20.1
  gfs2-kmp-default-4.12.14-122.20.1
  gfs2-kmp-default-debuginfo-4.12.14-122.20.1
  kernel-default-debuginfo-4.12.14-122.20.1
  kernel-default-debugsource-4.12.14-122.20.1
  ocfs2-kmp-default-4.12.14-122.20.1
  ocfs2-kmp-default-debuginfo-4.12.14-122.20.1

References:

https://www.suse.com/security/cve/CVE-2018-20836.html https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-11669.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8649.html https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-9383.html
https://bugzilla.suse.com/1044231 https://bugzilla.suse.com/1050549 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1056686 https://bugzilla.suse.com/1060463 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1088810 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1104967 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1111974 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374
https://bugzilla.suse.com/1112504 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1114685 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1119680 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1123328 https://bugzilla.suse.com/1127611 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1134090 https://bugzilla.suse.com/1134395 https://bugzilla.suse.com/1136157 https://bugzilla.suse.com/1136333 https://bugzilla.suse.com/1137325 https://bugzilla.suse.com/1141895 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144162 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1145051 https://bugzilla.suse.com/1145929 https://bugzilla.suse.com/1146539 https://bugzilla.suse.com/1148868 https://bugzilla.suse.com/1154385 https://bugzilla.suse.com/1156510 https://bugzilla.suse.com/1157424 https://bugzilla.suse.com/1158187 https://bugzilla.suse.com/1158552 https://bugzilla.suse.com/1158983 https://bugzilla.suse.com/1159037 https://bugzilla.suse.com/1159142 https://bugzilla.suse.com/1159198 https://bugzilla.suse.com/1159199 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1160659 https://bugzilla.suse.com/1161561 https://bugzilla.suse.com/1161702 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1162171 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 https://bugzilla.suse.com/1163403 https://bugzilla.suse.com/1163508 https://bugzilla.suse.com/1163762 https://bugzilla.suse.com/1163897 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164051 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164115 https://bugzilla.suse.com/1164284 https://bugzilla.suse.com/1164388 https://bugzilla.suse.com/1164471 https://bugzilla.suse.com/1164507 https://bugzilla.suse.com/1164598 https://bugzilla.suse.com/1164632 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 
https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735 https://bugzilla.suse.com/1164777 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164893 https://bugzilla.suse.com/1165019 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165182 https://bugzilla.suse.com/1165185 https://bugzilla.suse.com/1165211 https://bugzilla.suse.com/1165404 https://bugzilla.suse.com/1165488 https://bugzilla.suse.com/1165527 https://bugzilla.suse.com/1165581 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1165813 https://bugzilla.suse.com/1165823 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165929 https://bugzilla.suse.com/1165949 https://bugzilla.suse.com/1165950 https://bugzilla.suse.com/1165980 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1166003 https://bugzilla.suse.com/1166101 https://bugzilla.suse.com/1166102 https://bugzilla.suse.com/1166103 https://bugzilla.suse.com/1166104 https://bugzilla.suse.com/1166632 https://bugzilla.suse.com/1166658 https://bugzilla.suse.com/1166730 https://bugzilla.suse.com/1166731 https://bugzilla.suse.com/1166732 https://bugzilla.suse.com/1166733 https://bugzilla.suse.com/1166734 https://bugzilla.suse.com/1166735 https://bugzilla.suse.com/1166780 https://bugzilla.suse.com/1166860 https://bugzilla.suse.com/1166861 https://bugzilla.suse.com/1166862 https://bugzilla.suse.com/1166864 https://bugzilla.suse.com/1166866 https://bugzilla.suse.com/1166867 https://bugzilla.suse.com/1166868 https://bugzilla.suse.com/1166870 https://bugzilla.suse.com/1166940 https://bugzilla.suse.com/1166982 https://bugzilla.suse.com/1167005 https://bugzilla.suse.com/1167216 https://bugzilla.suse.com/1167288 https://bugzilla.suse.com/1167290 
https://bugzilla.suse.com/1167316 https://bugzilla.suse.com/1167421 https://bugzilla.suse.com/1167423 https://bugzilla.suse.com/1167627 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168202 https://bugzilla.suse.com/1168273 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168367 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168443 https://bugzilla.suse.com/1168486 https://bugzilla.suse.com/1168552 https://bugzilla.suse.com/1168760 https://bugzilla.suse.com/1168762 https://bugzilla.suse.com/1168763 https://bugzilla.suse.com/1168764 https://bugzilla.suse.com/1168765 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1168881 https://bugzilla.suse.com/1168884 https://bugzilla.suse.com/1168952 https://bugzilla.suse.com/1169013 https://bugzilla.suse.com/1169057 https://bugzilla.suse.com/1169307 https://bugzilla.suse.com/1169308 https://bugzilla.suse.com/1169390 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169625

From sle-security-updates at lists.suse.com Wed Apr 29 11:28:33 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 29 Apr 2020 19:28:33 +0200 (CEST)
Subject: SUSE-SU-2020:1146-1: important: Security update for the Linux Kernel
Message-ID: <20200429172833.68C43FFE8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1146-1
Rating: important
References: #1051510 #1065600 #1065729 #1071995 #1083647 #1085030 #1109911 #1111666 #1113956 #1114279 #1118338 #1120386 #1137325 #1142685 #1145051 #1145929 #1148868 #1157424 #1158983 #1159037 #1159198 #1159199 #1161561 #1161951 #1162171 #1163403 #1163897 #1164284 #1164777 #1164780 #1164893 #1165019 #1165182 #1165185 #1165211 #1165823 #1165949 #1166780 #1166860 #1166861 #1166862
#1166864 #1166866 #1166867 #1166868 #1166870 #1166940 #1166982 #1167005 #1167216 #1167288 #1167290 #1167316 #1167421 #1167423 #1167627 #1167629 #1168075 #1168202 #1168273 #1168276 #1168295 #1168367 #1168424 #1168443 #1168486 #1168552 #1168760 #1168762 #1168763 #1168764 #1168765 #1168829 #1168854 #1168881 #1168884 #1168952 #1169013 #1169057 #1169307 #1169308 #1169390 #1169514 #1169625
Cross-References: CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942 CVE-2020-11494 CVE-2020-11669 CVE-2020-8834
Affected Products:
  SUSE Linux Enterprise Workstation Extension 15-SP1
  SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  SUSE Linux Enterprise Module for Legacy Software 15-SP1
  SUSE Linux Enterprise Module for Development Tools 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

An update that solves 7 vulnerabilities and has 77 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Add snd_device_get_state() helper (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: default enable CA0132 DSP support (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510).
- ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes).
- ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510).
- ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510).
- ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510).
- ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usb-audio: Add delayed_register option (bsc#1051510).
- ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510).
- ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510).
- ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510).
- ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510).
- ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510).
- ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510).
- ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- apei/ghes: Do not delay GHES polling (bsc#1166982).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
- binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: Remove redundant mirror_num arg (bsc#1168273).
- btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: sink extent_write_full_page tree argument (bsc#1168273).
- btrfs: sink extent_write_locked_range tree parameter (bsc#1168273).
- btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273).
- btrfs: sink get_extent parameter to extent_readpages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273).
- btrfs: sink get_extent parameter to extent_writepages (bsc#1168273).
- btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273).
- btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: unify extent_page_data type passed as void (bsc#1168273).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666).
- clk: imx: Align imx sc clock msg structs to 4 (git-fixes).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666).
- Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.
- Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956)
- drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666).
- drm/amd/display: Fix wrongly passed static prefix (bsc#1111666).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666).
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666).
- drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666).
- drm/lease: fix WARNING in idr_destroy (bsc#1113956)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666).
- drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666).
- drm/vc4: Fix HDMI mode validation (git-fixes).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367).
- efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765).
- ext4: fix incorrect inodes per group in error message (bsc#1168764).
- ext4: fix potential race between online resizing and write operations (bsc#1166864).
- ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867).
- ext4: fix potential race between s_group_info online resizing and access (bsc#1166866).
- ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870).
- ext4: fix support for inode sizes > 1024 bytes (bsc#1164284).
- ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940).
- ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868).
- ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fbdev: potential information leak in do_fb_ioctl() (bsc#1114279)
- fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279)
- firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666).
- firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057).
- ipmi: fix hung processes in __get_guid() (bsc#1111666).
- ipmi: fix hung processes in __get_guid() (git-fixes).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01).
- ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for pcie_port_bus_type change (bsc#1161561).
- KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes).
- KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- mm: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- objtool: Add is_static_jump() helper (bsc#1169514).
- objtool: Add relocation check for alternative sections (bsc#1169514).
- OMAP: DSS2: remove non-zero check on variable r (bsc#1114279)
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- s390/cio: avoid duplicated 'ADD' uevents (git-fixes).
- s390/cio: generate delayed uevent for vfio-ccw subchannels (git-fixes).
- s390/cpuinfo: fix wrong output when CPU0 is offline (git-fixes).
- s390/diag: fix display of diagnose call statistics (git-fixes).
- s390/gmap: return proper error code on ksm unsharing (git-fixes).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- s390/qeth: cancel RX reclaim work earlier (git-fixes).
- s390/qeth: do not return -ENOTSUPP to userspace (git-fixes).
- s390/qeth: do not warn for napi with 0 budget (git-fixes).
- s390/qeth: fix off-by-one in RX copybreak check (git-fixes).
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108).
- s390/qeth: fix promiscuous mode after reset (git-fixes).
- s390/qeth: fix qdio teardown after early init error (git-fixes).
- s390/qeth: handle error due to unsupported transport mode (git-fixes).
- s390/qeth: handle error when backing RX buffer (git-fixes).
- s390/qeth: lock the card while changing its hsuid (git-fixes).
- s390/qeth: support net namespaces for L3 devices (git-fixes).
- s390/time: Fix clk type in get_tod_clock (git-fixes).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). Refresh sorted patches.
- scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654).
- scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point (git-fixes).
- sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- staging: ccree: use signal safe completion wait (git-fixes).
- staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510).
- staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510).
- staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510).
- staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510).
- tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729).
- tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510).
- tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510).
- tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510).
- USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510).
- USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes).
- USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: Disable LPM on WD19's Realtek Hub (git-fixes).
- USB: dwc2: Fix in ISOC request length checking (git-fixes).
- USB: Fix novation SourceControl XL after suspend (git-fixes).
- USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes).
- USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510).
- USB: host: xhci-plat: add a shutdown (git-fixes).
- USB: hub: Do not record a connect-change event during reset-resume (git-fixes).
- USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes).
- USB: misc: iowarrior: add support for the 100 device (git-fixes).
- USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes).
- USB: musb: Disable pullup at init (git-fixes).
- USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510).
- USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes).
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes).
- USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510).
- USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes).
- USB: serial: pl2303: add device-id for HP LD381 (git-fixes).
- USB: storage: Add quirk for Samsung Fit flash (git-fixes).
- USB: uas: fix a plug & unplug racing (git-fixes).
- USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes).
- virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627).
- virtio_ring: fix unmap of indirect descriptors (bsc#1162171).
- x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279).
- x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279).
- x86/xen: fix booting 32-bit pv guest (bsc#1071995).
- x86/xen: Make the boot CPU idle task reliable (bsc#1071995).
- x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).
- xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486).
- xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes).
- xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1146=1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1146=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1146=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1146=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1146=1 - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1146=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): kernel-default-debuginfo-4.12.14-197.40.1 kernel-default-debugsource-4.12.14-197.40.1 kernel-default-extra-4.12.14-197.40.1 kernel-default-extra-debuginfo-4.12.14-197.40.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-197.40.1 kernel-default-debugsource-4.12.14-197.40.1 kernel-obs-qa-4.12.14-197.40.1 kernel-vanilla-4.12.14-197.40.1 kernel-vanilla-base-4.12.14-197.40.1 kernel-vanilla-base-debuginfo-4.12.14-197.40.1 kernel-vanilla-debuginfo-4.12.14-197.40.1 kernel-vanilla-debugsource-4.12.14-197.40.1 kernel-vanilla-devel-4.12.14-197.40.1 kernel-vanilla-devel-debuginfo-4.12.14-197.40.1 kernel-vanilla-livepatch-devel-4.12.14-197.40.1 kselftests-kmp-default-4.12.14-197.40.1 kselftests-kmp-default-debuginfo-4.12.14-197.40.1 - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le x86_64): kernel-debug-4.12.14-197.40.1 kernel-debug-base-4.12.14-197.40.1 kernel-debug-base-debuginfo-4.12.14-197.40.1 kernel-debug-debuginfo-4.12.14-197.40.1 kernel-debug-debugsource-4.12.14-197.40.1 
    kernel-debug-devel-4.12.14-197.40.1
    kernel-debug-devel-debuginfo-4.12.14-197.40.1
    kernel-debug-livepatch-devel-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x):
    kernel-default-livepatch-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
    kernel-docs-html-4.12.14-197.40.1
    kernel-source-vanilla-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
    kernel-kvmsmall-4.12.14-197.40.1
    kernel-kvmsmall-base-4.12.14-197.40.1
    kernel-kvmsmall-base-debuginfo-4.12.14-197.40.1
    kernel-kvmsmall-debuginfo-4.12.14-197.40.1
    kernel-kvmsmall-debugsource-4.12.14-197.40.1
    kernel-kvmsmall-devel-4.12.14-197.40.1
    kernel-kvmsmall-devel-debuginfo-4.12.14-197.40.1
    kernel-kvmsmall-livepatch-devel-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):
    kernel-zfcpdump-debuginfo-4.12.14-197.40.1
    kernel-zfcpdump-debugsource-4.12.14-197.40.1
    kernel-zfcpdump-man-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):
    kernel-default-debuginfo-4.12.14-197.40.1
    kernel-default-debugsource-4.12.14-197.40.1
    reiserfs-kmp-default-4.12.14-197.40.1
    reiserfs-kmp-default-debuginfo-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
    kernel-obs-build-4.12.14-197.40.1
    kernel-obs-build-debugsource-4.12.14-197.40.1
    kernel-syms-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
    kernel-docs-4.12.14-197.40.1
    kernel-source-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
    kernel-default-4.12.14-197.40.1
    kernel-default-base-4.12.14-197.40.1
    kernel-default-base-debuginfo-4.12.14-197.40.1
    kernel-default-debuginfo-4.12.14-197.40.1
    kernel-default-debugsource-4.12.14-197.40.1
    kernel-default-devel-4.12.14-197.40.1
    kernel-default-devel-debuginfo-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
    kernel-devel-4.12.14-197.40.1
    kernel-macros-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x):
    kernel-default-man-4.12.14-197.40.1
    kernel-zfcpdump-debuginfo-4.12.14-197.40.1
    kernel-zfcpdump-debugsource-4.12.14-197.40.1
- SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
    cluster-md-kmp-default-4.12.14-197.40.1
    cluster-md-kmp-default-debuginfo-4.12.14-197.40.1
    dlm-kmp-default-4.12.14-197.40.1
    dlm-kmp-default-debuginfo-4.12.14-197.40.1
    gfs2-kmp-default-4.12.14-197.40.1
    gfs2-kmp-default-debuginfo-4.12.14-197.40.1
    kernel-default-debuginfo-4.12.14-197.40.1
    kernel-default-debugsource-4.12.14-197.40.1
    ocfs2-kmp-default-4.12.14-197.40.1
    ocfs2-kmp-default-debuginfo-4.12.14-197.40.1

References:

    https://www.suse.com/security/cve/CVE-2019-19770.html
    https://www.suse.com/security/cve/CVE-2019-3701.html
    https://www.suse.com/security/cve/CVE-2019-9458.html
    https://www.suse.com/security/cve/CVE-2020-10942.html
    https://www.suse.com/security/cve/CVE-2020-11494.html
    https://www.suse.com/security/cve/CVE-2020-11669.html
    https://www.suse.com/security/cve/CVE-2020-8834.html
    https://bugzilla.suse.com/1051510
    https://bugzilla.suse.com/1065600
    https://bugzilla.suse.com/1065729
    https://bugzilla.suse.com/1071995
    https://bugzilla.suse.com/1083647
    https://bugzilla.suse.com/1085030
    https://bugzilla.suse.com/1109911
    https://bugzilla.suse.com/1111666
    https://bugzilla.suse.com/1113956
    https://bugzilla.suse.com/1114279
    https://bugzilla.suse.com/1118338
    https://bugzilla.suse.com/1120386
    https://bugzilla.suse.com/1137325
    https://bugzilla.suse.com/1142685
    https://bugzilla.suse.com/1145051
    https://bugzilla.suse.com/1145929
    https://bugzilla.suse.com/1148868
    https://bugzilla.suse.com/1157424
    https://bugzilla.suse.com/1158983
    https://bugzilla.suse.com/1159037
    https://bugzilla.suse.com/1159198
    https://bugzilla.suse.com/1159199
    https://bugzilla.suse.com/1161561
    https://bugzilla.suse.com/1161951
    https://bugzilla.suse.com/1162171
    https://bugzilla.suse.com/1163403
    https://bugzilla.suse.com/1163897
    https://bugzilla.suse.com/1164284
    https://bugzilla.suse.com/1164777
    https://bugzilla.suse.com/1164780
    https://bugzilla.suse.com/1164893
    https://bugzilla.suse.com/1165019
    https://bugzilla.suse.com/1165182
    https://bugzilla.suse.com/1165185
    https://bugzilla.suse.com/1165211
    https://bugzilla.suse.com/1165823
    https://bugzilla.suse.com/1165949
    https://bugzilla.suse.com/1166780
    https://bugzilla.suse.com/1166860
    https://bugzilla.suse.com/1166861
    https://bugzilla.suse.com/1166862
    https://bugzilla.suse.com/1166864
    https://bugzilla.suse.com/1166866
    https://bugzilla.suse.com/1166867
    https://bugzilla.suse.com/1166868
    https://bugzilla.suse.com/1166870
    https://bugzilla.suse.com/1166940
    https://bugzilla.suse.com/1166982
    https://bugzilla.suse.com/1167005
    https://bugzilla.suse.com/1167216
    https://bugzilla.suse.com/1167288
    https://bugzilla.suse.com/1167290
    https://bugzilla.suse.com/1167316
    https://bugzilla.suse.com/1167421
    https://bugzilla.suse.com/1167423
    https://bugzilla.suse.com/1167627
    https://bugzilla.suse.com/1167629
    https://bugzilla.suse.com/1168075
    https://bugzilla.suse.com/1168202
    https://bugzilla.suse.com/1168273
    https://bugzilla.suse.com/1168276
    https://bugzilla.suse.com/1168295
    https://bugzilla.suse.com/1168367
    https://bugzilla.suse.com/1168424
    https://bugzilla.suse.com/1168443
    https://bugzilla.suse.com/1168486
    https://bugzilla.suse.com/1168552
    https://bugzilla.suse.com/1168760
    https://bugzilla.suse.com/1168762
    https://bugzilla.suse.com/1168763
    https://bugzilla.suse.com/1168764
    https://bugzilla.suse.com/1168765
    https://bugzilla.suse.com/1168829
    https://bugzilla.suse.com/1168854
    https://bugzilla.suse.com/1168881
    https://bugzilla.suse.com/1168884
    https://bugzilla.suse.com/1168952
    https://bugzilla.suse.com/1169013
    https://bugzilla.suse.com/1169057
    https://bugzilla.suse.com/1169307
    https://bugzilla.suse.com/1169308
    https://bugzilla.suse.com/1169390
    https://bugzilla.suse.com/1169514
    https://bugzilla.suse.com/1169625

From sle-security-updates at lists.suse.com Wed Apr 29 11:39:05 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 29 Apr 2020 19:39:05 +0200 (CEST)
Subject: SUSE-SU-2020:1146-1: important: Security update for the Linux Kernel
Message-ID: <20200429173905.8FB89FFE8@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1146-1
Rating: important
References:
    #1051510 #1065600 #1065729 #1071995 #1083647 #1085030
    #1109911 #1111666 #1113956 #1114279 #1118338 #1120386
    #1137325 #1142685 #1145051 #1145929 #1148868 #1157424
    #1158983 #1159037 #1159198 #1159199 #1161561 #1161951
    #1162171 #1163403 #1163897 #1164284 #1164777 #1164780
    #1164893 #1165019 #1165182 #1165185 #1165211 #1165823
    #1165949 #1166780 #1166860 #1166861 #1166862 #1166864
    #1166866 #1166867 #1166868 #1166870 #1166940 #1166982
    #1167005 #1167216 #1167288 #1167290 #1167316 #1167421
    #1167423 #1167627 #1167629 #1168075 #1168202 #1168273
    #1168276 #1168295 #1168367 #1168424 #1168443 #1168486
    #1168552 #1168760 #1168762 #1168763 #1168764 #1168765
    #1168829 #1168854 #1168881 #1168884 #1168952 #1169013
    #1169057 #1169307 #1169308 #1169390 #1169514 #1169625
Cross-References:
    CVE-2019-19770 CVE-2019-3701 CVE-2019-9458 CVE-2020-10942
    CVE-2020-11494 CVE-2020-11669 CVE-2020-8834
Affected Products:
    SUSE Linux Enterprise Workstation Extension 15-SP1
    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
    SUSE Linux Enterprise Module for Live Patching 15-SP1
    SUSE Linux Enterprise Module for Legacy Software 15-SP1
    SUSE Linux Enterprise Module for Development Tools 15-SP1
    SUSE Linux Enterprise Module for Basesystem 15-SP1
    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

An update that solves 7 vulnerabilities and has 77 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Add snd_device_get_state() helper (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: default enable CA0132 DSP support (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510).
- ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes).
- ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510).
- ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510).
- ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510).
- ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usb-audio: Add delayed_register option (bsc#1051510).
- ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510).
- ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510).
- ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510).
- ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510).
- ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510).
- ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510).
- ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- apei/ghes: Do not delay GHES polling (bsc#1166982).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
- binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc#1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc#1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc#1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc#1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix insert_reserved error handling (bsc#1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc#1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc#1165949).
- btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: Remove redundant mirror_num arg (bsc#1168273).
- btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc#1165949).
- btrfs: reset max_extent_size properly (bsc#1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc#1165949).
- btrfs: sink extent_write_full_page tree argument (bsc#1168273).
- btrfs: sink extent_write_locked_range tree parameter (bsc#1168273).
- btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273).
- btrfs: sink get_extent parameter to extent_readpages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273).
- btrfs: sink get_extent parameter to extent_writepages (bsc#1168273).
- btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273).
- btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: unify extent_page_data type passed as void (bsc#1168273).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666).
- clk: imx: Align imx sc clock msg structs to 4 (git-fixes).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666).
- Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.
- Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956)
- drm/amd/display: Add link_rate quirk for Apple 15" MBP 2017 (bsc#1111666).
- drm/amd/display: Fix wrongly passed static prefix (bsc#1111666).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666).
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666).
- drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666).
- drm/lease: fix WARNING in idr_destroy (bsc#1113956)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/sun4i: dsi: Use NULL to signify "no panel" (bsc#1111666).
- drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666).
- drm/vc4: Fix HDMI mode validation (git-fixes).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367).
- efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765).
- ext4: fix incorrect inodes per group in error message (bsc#1168764).
- ext4: fix potential race between online resizing and write operations (bsc#1166864).
- ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867).
- ext4: fix potential race between s_group_info online resizing and access (bsc#1166866).
- ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870).
- ext4: fix support for inode sizes > 1024 bytes (bsc#1164284).
- ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940).
- ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868).
- ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fbdev: potential information leak in do_fb_ioctl() (bsc#1114279)
- fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279)
- firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666).
- firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057).
- ipmi: fix hung processes in __get_guid() (bsc#1111666).
- ipmi: fix hung processes in __get_guid() (git-fixes).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01).
- ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for pcie_port_bus_type change (bsc#1161561).
- KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes).
- KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- mm: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on "pipe" (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- objtool: Add is_static_jump() helper (bsc#1169514).
- objtool: Add relocation check for alternative sections (bsc#1169514).
- OMAP: DSS2: remove non-zero check on variable r (bsc#1114279)
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- s390/cio: avoid duplicated 'ADD' uevents (git-fixes).
- s390/cio: generate delayed uevent for vfio-ccw subchannels (git-fixes).
- s390/cpuinfo: fix wrong output when CPU0 is offline (git-fixes).
- s390/diag: fix display of diagnose call statistics (git-fixes).
- s390/gmap: return proper error code on ksm unsharing (git-fixes).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- s390/qeth: cancel RX reclaim work earlier (git-fixes).
- s390/qeth: do not return -ENOTSUPP to userspace (git-fixes).
- s390/qeth: do not warn for napi with 0 budget (git-fixes).
- s390/qeth: fix off-by-one in RX copybreak check (git-fixes).
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108).
- s390/qeth: fix promiscuous mode after reset (git-fixes).
- s390/qeth: fix qdio teardown after early init error (git-fixes).
- s390/qeth: handle error due to unsupported transport mode (git-fixes).
- s390/qeth: handle error when backing RX buffer (git-fixes).
- s390/qeth: lock the card while changing its hsuid (git-fixes).
- s390/qeth: support net namespaces for L3 devices (git-fixes).
- s390/time: Fix clk type in get_tod_clock (git-fixes).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). Refresh sorted patches.
- scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654).
- scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistake "Notication" -> "Notification" (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point (git-fixes).
- sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- staging: ccree: use signal safe completion wait (git-fixes).
- staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510).
- staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510).
- staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510).
- staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510).
- tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729).
- tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510).
- tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510).
- tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510).
- USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510).
- USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes).
- USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: Disable LPM on WD19's Realtek Hub (git-fixes).
- USB: dwc2: Fix in ISOC request length checking (git-fixes).
- USB: Fix novation SourceControl XL after suspend (git-fixes).
- USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes).
- USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510).
- USB: host: xhci-plat: add a shutdown (git-fixes).
- USB: hub: Do not record a connect-change event during reset-resume (git-fixes).
- USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes).
- USB: misc: iowarrior: add support for the 100 device (git-fixes).
- USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes).
- USB: musb: Disable pullup at init (git-fixes).
- USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510).
- USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes).
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes).
- USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510).
- USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes).
- USB: serial: pl2303: add device-id for HP LD381 (git-fixes).
- USB: storage: Add quirk for Samsung Fit flash (git-fixes).
- USB: uas: fix a plug & unplug racing (git-fixes).
- USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes).
- virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627).
- virtio_ring: fix unmap of indirect descriptors (bsc#1162171).
- x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279).
- x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279).
- x86/xen: fix booting 32-bit pv guest (bsc#1071995).
- x86/xen: Make the boot CPU idle task reliable (bsc#1071995).
- x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).
- xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486).
- xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes).
- xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP1:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1146=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1146=1
- SUSE Linux Enterprise Module for Live Patching 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1146=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1146=1
- SUSE Linux Enterprise Module for Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1146=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1146=1
- SUSE Linux Enterprise High Availability 15-SP1:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1146=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):
  kernel-default-debuginfo-4.12.14-197.40.1
  kernel-default-debugsource-4.12.14-197.40.1
  kernel-default-extra-4.12.14-197.40.1
  kernel-default-extra-debuginfo-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-197.40.1
  kernel-default-debugsource-4.12.14-197.40.1
  kernel-obs-qa-4.12.14-197.40.1
  kernel-vanilla-4.12.14-197.40.1
  kernel-vanilla-base-4.12.14-197.40.1
  kernel-vanilla-base-debuginfo-4.12.14-197.40.1
  kernel-vanilla-debuginfo-4.12.14-197.40.1
  kernel-vanilla-debugsource-4.12.14-197.40.1
  kernel-vanilla-devel-4.12.14-197.40.1
  kernel-vanilla-devel-debuginfo-4.12.14-197.40.1
  kernel-vanilla-livepatch-devel-4.12.14-197.40.1
  kselftests-kmp-default-4.12.14-197.40.1
  kselftests-kmp-default-debuginfo-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (ppc64le x86_64):
  kernel-debug-4.12.14-197.40.1
  kernel-debug-base-4.12.14-197.40.1
  kernel-debug-base-debuginfo-4.12.14-197.40.1
  kernel-debug-debuginfo-4.12.14-197.40.1
  kernel-debug-debugsource-4.12.14-197.40.1
  kernel-debug-devel-4.12.14-197.40.1
  kernel-debug-devel-debuginfo-4.12.14-197.40.1
  kernel-debug-livepatch-devel-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 s390x):
  kernel-default-livepatch-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
  kernel-docs-html-4.12.14-197.40.1
  kernel-source-vanilla-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):
  kernel-kvmsmall-4.12.14-197.40.1
  kernel-kvmsmall-base-4.12.14-197.40.1
  kernel-kvmsmall-base-debuginfo-4.12.14-197.40.1
  kernel-kvmsmall-debuginfo-4.12.14-197.40.1
  kernel-kvmsmall-debugsource-4.12.14-197.40.1
  kernel-kvmsmall-devel-4.12.14-197.40.1
  kernel-kvmsmall-devel-debuginfo-4.12.14-197.40.1
  kernel-kvmsmall-livepatch-devel-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):
  kernel-zfcpdump-debuginfo-4.12.14-197.40.1
  kernel-zfcpdump-debugsource-4.12.14-197.40.1
  kernel-zfcpdump-man-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):
  kernel-default-debuginfo-4.12.14-197.40.1
  kernel-default-debugsource-4.12.14-197.40.1
  kernel-default-livepatch-4.12.14-197.40.1
  kernel-default-livepatch-devel-4.12.14-197.40.1
  kernel-livepatch-4_12_14-197_40-default-1-3.3.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-197.40.1
  kernel-default-debugsource-4.12.14-197.40.1
  reiserfs-kmp-default-4.12.14-197.40.1
  reiserfs-kmp-default-debuginfo-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-4.12.14-197.40.1
  kernel-obs-build-debugsource-4.12.14-197.40.1
  kernel-syms-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch):
  kernel-docs-4.12.14-197.40.1
  kernel-source-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-197.40.1
  kernel-default-base-4.12.14-197.40.1
  kernel-default-base-debuginfo-4.12.14-197.40.1
  kernel-default-debuginfo-4.12.14-197.40.1
  kernel-default-debugsource-4.12.14-197.40.1
  kernel-default-devel-4.12.14-197.40.1
  kernel-default-devel-debuginfo-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  kernel-devel-4.12.14-197.40.1
  kernel-macros-4.12.14-197.40.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x):
  kernel-default-man-4.12.14-197.40.1
  kernel-zfcpdump-debuginfo-4.12.14-197.40.1
  kernel-zfcpdump-debugsource-4.12.14-197.40.1
- SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-197.40.1
  cluster-md-kmp-default-debuginfo-4.12.14-197.40.1
  dlm-kmp-default-4.12.14-197.40.1
  dlm-kmp-default-debuginfo-4.12.14-197.40.1
  gfs2-kmp-default-4.12.14-197.40.1
  gfs2-kmp-default-debuginfo-4.12.14-197.40.1
  kernel-default-debuginfo-4.12.14-197.40.1
  kernel-default-debugsource-4.12.14-197.40.1
  ocfs2-kmp-default-4.12.14-197.40.1
  ocfs2-kmp-default-debuginfo-4.12.14-197.40.1

References:

https://www.suse.com/security/cve/CVE-2019-19770.html
https://www.suse.com/security/cve/CVE-2019-3701.html
https://www.suse.com/security/cve/CVE-2019-9458.html
https://www.suse.com/security/cve/CVE-2020-10942.html
https://www.suse.com/security/cve/CVE-2020-11494.html
https://www.suse.com/security/cve/CVE-2020-11669.html
https://www.suse.com/security/cve/CVE-2020-8834.html
https://bugzilla.suse.com/1051510
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1071995
https://bugzilla.suse.com/1083647
https://bugzilla.suse.com/1085030
https://bugzilla.suse.com/1109911
https://bugzilla.suse.com/1111666
https://bugzilla.suse.com/1113956
https://bugzilla.suse.com/1114279
https://bugzilla.suse.com/1118338
https://bugzilla.suse.com/1120386
https://bugzilla.suse.com/1137325
https://bugzilla.suse.com/1142685
https://bugzilla.suse.com/1145051
https://bugzilla.suse.com/1145929
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1157424
https://bugzilla.suse.com/1158983
https://bugzilla.suse.com/1159037
https://bugzilla.suse.com/1159198
https://bugzilla.suse.com/1159199
https://bugzilla.suse.com/1161561
https://bugzilla.suse.com/1161951
https://bugzilla.suse.com/1162171
https://bugzilla.suse.com/1163403
https://bugzilla.suse.com/1163897
https://bugzilla.suse.com/1164284
https://bugzilla.suse.com/1164777
https://bugzilla.suse.com/1164780
https://bugzilla.suse.com/1164893
https://bugzilla.suse.com/1165019
https://bugzilla.suse.com/1165182
https://bugzilla.suse.com/1165185
https://bugzilla.suse.com/1165211
https://bugzilla.suse.com/1165823
https://bugzilla.suse.com/1165949
https://bugzilla.suse.com/1166780
https://bugzilla.suse.com/1166860
https://bugzilla.suse.com/1166861
https://bugzilla.suse.com/1166862
https://bugzilla.suse.com/1166864
https://bugzilla.suse.com/1166866
https://bugzilla.suse.com/1166867
https://bugzilla.suse.com/1166868
https://bugzilla.suse.com/1166870
https://bugzilla.suse.com/1166940
https://bugzilla.suse.com/1166982
https://bugzilla.suse.com/1167005
https://bugzilla.suse.com/1167216
https://bugzilla.suse.com/1167288
https://bugzilla.suse.com/1167290
https://bugzilla.suse.com/1167316
https://bugzilla.suse.com/1167421
https://bugzilla.suse.com/1167423
https://bugzilla.suse.com/1167627
https://bugzilla.suse.com/1167629
https://bugzilla.suse.com/1168075
https://bugzilla.suse.com/1168202
https://bugzilla.suse.com/1168273
https://bugzilla.suse.com/1168276
https://bugzilla.suse.com/1168295
https://bugzilla.suse.com/1168367
https://bugzilla.suse.com/1168424
https://bugzilla.suse.com/1168443
https://bugzilla.suse.com/1168486
https://bugzilla.suse.com/1168552
https://bugzilla.suse.com/1168760
https://bugzilla.suse.com/1168762
https://bugzilla.suse.com/1168763
https://bugzilla.suse.com/1168764
https://bugzilla.suse.com/1168765
https://bugzilla.suse.com/1168829
https://bugzilla.suse.com/1168854
https://bugzilla.suse.com/1168881
https://bugzilla.suse.com/1168884
https://bugzilla.suse.com/1168952
https://bugzilla.suse.com/1169013
https://bugzilla.suse.com/1169057
https://bugzilla.suse.com/1169307
https://bugzilla.suse.com/1169308
https://bugzilla.suse.com/1169390
https://bugzilla.suse.com/1169514
https://bugzilla.suse.com/1169625

From sle-security-updates at lists.suse.com Wed Apr 29 19:14:19 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 30 Apr 2020 03:14:19 +0200 (CEST)
Subject: SUSE-SU-2020:1151-1: critical: Security update for salt
Message-ID: <20200430011419.33F58FE0F@maintenance.suse.de>

SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1151-1
Rating: critical
References: #1170595
Cross-References: CVE-2020-11651 CVE-2020-11652
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for salt fixes the following issues:

- Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1151=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1151=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  python2-salt-2019.2.0-5.67.1
  python3-salt-2019.2.0-5.67.1
  salt-2019.2.0-5.67.1
  salt-api-2019.2.0-5.67.1
  salt-cloud-2019.2.0-5.67.1
  salt-doc-2019.2.0-5.67.1
  salt-master-2019.2.0-5.67.1
  salt-minion-2019.2.0-5.67.1
  salt-proxy-2019.2.0-5.67.1
  salt-ssh-2019.2.0-5.67.1
  salt-standalone-formulas-configuration-2019.2.0-5.67.1
  salt-syndic-2019.2.0-5.67.1
- SUSE Linux Enterprise Server for SAP 15 (noarch):
  salt-bash-completion-2019.2.0-5.67.1
  salt-fish-completion-2019.2.0-5.67.1
  salt-zsh-completion-2019.2.0-5.67.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  python2-salt-2019.2.0-5.67.1
  python3-salt-2019.2.0-5.67.1
  salt-2019.2.0-5.67.1
  salt-api-2019.2.0-5.67.1
  salt-cloud-2019.2.0-5.67.1
  salt-doc-2019.2.0-5.67.1
  salt-master-2019.2.0-5.67.1
  salt-minion-2019.2.0-5.67.1
  salt-proxy-2019.2.0-5.67.1
  salt-ssh-2019.2.0-5.67.1
  salt-standalone-formulas-configuration-2019.2.0-5.67.1
  salt-syndic-2019.2.0-5.67.1
- SUSE Linux Enterprise Server 15-LTSS (noarch):
  salt-bash-completion-2019.2.0-5.67.1
  salt-fish-completion-2019.2.0-5.67.1
  salt-zsh-completion-2019.2.0-5.67.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  python2-salt-2019.2.0-5.67.1
  python3-salt-2019.2.0-5.67.1
  salt-2019.2.0-5.67.1
  salt-api-2019.2.0-5.67.1
  salt-cloud-2019.2.0-5.67.1
  salt-doc-2019.2.0-5.67.1
  salt-master-2019.2.0-5.67.1
  salt-minion-2019.2.0-5.67.1
  salt-proxy-2019.2.0-5.67.1
  salt-ssh-2019.2.0-5.67.1
  salt-standalone-formulas-configuration-2019.2.0-5.67.1
  salt-syndic-2019.2.0-5.67.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
  salt-bash-completion-2019.2.0-5.67.1
  salt-fish-completion-2019.2.0-5.67.1
  salt-zsh-completion-2019.2.0-5.67.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  python2-salt-2019.2.0-5.67.1
  python3-salt-2019.2.0-5.67.1
  salt-2019.2.0-5.67.1
  salt-api-2019.2.0-5.67.1
  salt-cloud-2019.2.0-5.67.1
  salt-doc-2019.2.0-5.67.1
  salt-master-2019.2.0-5.67.1
  salt-minion-2019.2.0-5.67.1
  salt-proxy-2019.2.0-5.67.1
  salt-ssh-2019.2.0-5.67.1
  salt-standalone-formulas-configuration-2019.2.0-5.67.1
  salt-syndic-2019.2.0-5.67.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
  salt-bash-completion-2019.2.0-5.67.1
  salt-fish-completion-2019.2.0-5.67.1
  salt-zsh-completion-2019.2.0-5.67.1

References:

https://www.suse.com/security/cve/CVE-2020-11651.html
https://www.suse.com/security/cve/CVE-2020-11652.html
https://bugzilla.suse.com/1170595

From sle-security-updates at lists.suse.com Wed Apr 29 19:15:01 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 30 Apr 2020 03:15:01 +0200 (CEST)
Subject: SUSE-SU-2020:14350-1: critical: Security update for salt
Message-ID: <20200430011501.65C82FE0F@maintenance.suse.de>

SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14350-1
Rating: critical
References: #1170595
Cross-References: CVE-2020-11651 CVE-2020-11652
Affected Products:
  SUSE Manager Ubuntu 18.04-CLIENT-TOOLS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for salt fixes the following issues:

- Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Ubuntu 18.04-CLIENT-TOOLS:
  zypper in -t patch suse-ubu184ct-salt-202004-14350=1

Package List:

- SUSE Manager Ubuntu 18.04-CLIENT-TOOLS (all):
  salt-common-2019.2.0+ds-1.1+38.1
  salt-minion-2019.2.0+ds-1.1+38.1

References:

https://www.suse.com/security/cve/CVE-2020-11651.html
https://www.suse.com/security/cve/CVE-2020-11652.html
https://bugzilla.suse.com/1170595

From sle-security-updates at lists.suse.com Wed Apr 29 19:15:46 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 30 Apr 2020 03:15:46 +0200 (CEST)
Subject: SUSE-SU-2020:1147-1: critical: Security update for salt
Message-ID: <20200430011546.D04A5FE0F@maintenance.suse.de>

SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1147-1
Rating: critical
References: #1170595
Cross-References: CVE-2020-11651 CVE-2020-11652
Affected Products:
  SUSE Manager Tools 12
  SUSE Manager Server 3.2
  SUSE Manager Proxy 3.2
  SUSE Linux Enterprise Point of Sale 12-SP2
  SUSE Linux Enterprise Module for Advanced Systems Management 12
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for salt fixes the following issues:

- Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Tools 12:
  zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-1147=1
- SUSE Manager Server 3.2:
  zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1147=1
- SUSE Manager Proxy 3.2:
  zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-1147=1
- SUSE Linux Enterprise Point of Sale 12-SP2:
  zypper in -t patch SUSE-SLE-POS-12-SP2-2020-1147=1
- SUSE Linux Enterprise Module for Advanced Systems Management 12:
  zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-1147=1

Package List:

- SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):
  python2-salt-2019.2.0-46.91.1
  python3-salt-2019.2.0-46.91.1
  salt-2019.2.0-46.91.1
  salt-doc-2019.2.0-46.91.1
  salt-minion-2019.2.0-46.91.1
- SUSE Manager Server 3.2 (ppc64le s390x x86_64):
  python2-salt-2019.2.0-46.91.1
  python3-salt-2019.2.0-46.91.1
  salt-2019.2.0-46.91.1
  salt-api-2019.2.0-46.91.1
  salt-cloud-2019.2.0-46.91.1
  salt-doc-2019.2.0-46.91.1
  salt-master-2019.2.0-46.91.1
  salt-minion-2019.2.0-46.91.1
  salt-proxy-2019.2.0-46.91.1
  salt-ssh-2019.2.0-46.91.1
  salt-standalone-formulas-configuration-2019.2.0-46.91.1
  salt-syndic-2019.2.0-46.91.1
- SUSE Manager Server 3.2 (noarch):
  salt-bash-completion-2019.2.0-46.91.1
  salt-zsh-completion-2019.2.0-46.91.1
- SUSE Manager Proxy 3.2 (x86_64):
  python2-salt-2019.2.0-46.91.1
  python3-salt-2019.2.0-46.91.1
  salt-2019.2.0-46.91.1
  salt-minion-2019.2.0-46.91.1
- SUSE Linux Enterprise Point of Sale 12-SP2 (x86_64):
  python2-salt-2019.2.0-46.91.1
  salt-2019.2.0-46.91.1
  salt-minion-2019.2.0-46.91.1
- SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64):
  python2-salt-2019.2.0-46.91.1
  salt-2019.2.0-46.91.1
  salt-api-2019.2.0-46.91.1
  salt-cloud-2019.2.0-46.91.1
  salt-doc-2019.2.0-46.91.1
  salt-master-2019.2.0-46.91.1
  salt-minion-2019.2.0-46.91.1
  salt-proxy-2019.2.0-46.91.1
  salt-ssh-2019.2.0-46.91.1
  salt-standalone-formulas-configuration-2019.2.0-46.91.1
  salt-syndic-2019.2.0-46.91.1
- SUSE Linux Enterprise Module for Advanced Systems Management 12 (noarch):
  salt-bash-completion-2019.2.0-46.91.1
  salt-zsh-completion-2019.2.0-46.91.1

References:

https://www.suse.com/security/cve/CVE-2020-11651.html
https://www.suse.com/security/cve/CVE-2020-11652.html
https://bugzilla.suse.com/1170595

From sle-security-updates at lists.suse.com Wed Apr 29 19:16:31 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 30 Apr 2020 03:16:31 +0200 (CEST)
Subject: SUSE-SU-2020:14351-1: critical: Security update for salt
Message-ID: <20200430011631.5EF2EFE0F@maintenance.suse.de>

SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14351-1
Rating: critical
References: #1170595
Cross-References: CVE-2020-11651 CVE-2020-11652
Affected Products:
  SUSE Manager Ubuntu 16.04-CLIENT-TOOLS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for salt fixes the following issues:

- Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS: zypper in -t patch suse-ubu164ct-salt-202004-14351=1 Package List: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS (all): salt-common-2019.2.0+ds-1.1+37.1 salt-minion-2019.2.0+ds-1.1+37.1 References: https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://bugzilla.suse.com/1170595 From sle-security-updates at lists.suse.com Wed Apr 29 19:17:15 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 30 Apr 2020 03:17:15 +0200 (CEST) Subject: SUSE-SU-2020:1150-1: critical: Security update for salt Message-ID: <20200430011715.B64DDFE0F@maintenance.suse.de> SUSE Security Update: Security update for salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1150-1 Rating: critical References: #1170595 Cross-References: CVE-2020-11651 CVE-2020-11652 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for salt fixes the following issues: - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1150=1 - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1150=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1150=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): salt-api-2019.2.0-6.27.1 salt-cloud-2019.2.0-6.27.1 salt-master-2019.2.0-6.27.1 salt-proxy-2019.2.0-6.27.1 salt-ssh-2019.2.0-6.27.1 salt-standalone-formulas-configuration-2019.2.0-6.27.1 salt-syndic-2019.2.0-6.27.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): salt-fish-completion-2019.2.0-6.27.1 - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python2-salt-2019.2.0-6.27.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): python3-salt-2019.2.0-6.27.1 salt-2019.2.0-6.27.1 salt-doc-2019.2.0-6.27.1 salt-minion-2019.2.0-6.27.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): salt-bash-completion-2019.2.0-6.27.1 salt-zsh-completion-2019.2.0-6.27.1 References: https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://bugzilla.suse.com/1170595 From sle-security-updates at lists.suse.com Wed Apr 29 19:19:10 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 30 Apr 2020 03:19:10 +0200 (CEST) Subject: SUSE-SU-2020:14353-1: important: Security update for openldap2 Message-ID: <20200430011910.C4CDDFE0F@maintenance.suse.de> SUSE Security Update: Security update for openldap2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14353-1 Rating: important References: #1143194 
#1143273 Cross-References: CVE-2019-13057 CVE-2019-13565 Affected Products: SUSE Linux Enterprise Server 11-SECURITY ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for openldap2 fixes the following issues: - CVE-2019-13565: Fixed an authentication bypass caused by incorrect authorization of another connection, granting excess connection rights (bsc#1143194). - CVE-2019-13057: Fixed an issue with improper authorization with delegated database admin privileges (bsc#1143273). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SECURITY: zypper in -t patch secsp3-openldap2-14353=1 Package List: - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64): libldap-openssl1-2_4-2-2.4.26-0.74.6.1 openldap2-client-openssl1-2.4.26-0.74.6.1 openldap2-openssl1-2.4.26-0.74.6.1 - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64): libldap-openssl1-2_4-2-32bit-2.4.26-0.74.6.1 - SUSE Linux Enterprise Server 11-SECURITY (ia64): libldap-openssl1-2_4-2-x86-2.4.26-0.74.6.1 References: https://www.suse.com/security/cve/CVE-2019-13057.html https://www.suse.com/security/cve/CVE-2019-13565.html https://bugzilla.suse.com/1143194 https://bugzilla.suse.com/1143273 From sle-security-updates at lists.suse.com Thu Apr 30 07:16:22 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 30 Apr 2020 15:16:22 +0200 (CEST) Subject: SUSE-SU-2020:1158-1: important: Security update for ceph Message-ID: <20200430131622.7B693FE29@maintenance.suse.de> SUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1158-1 Rating: important 
References: #1170170 Cross-References: CVE-2020-12059 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ceph fixes the following issues: - CVE-2020-12059: Fixed a denial of service caused by a specially crafted XML payload on POST requests (bsc#1170170). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1158=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1158=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1158=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1158=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1158=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1158=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1158=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1158=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1158=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1158=1 - HPE Helion Openstack 8: zypper in -t 
patch HPE-Helion-OpenStack-8-2020-1158=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE OpenStack Cloud 8 (x86_64): ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 
librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs-devel-12.2.12+git.1587570958.35d78d0243-2.45.1 librados-devel-12.2.12+git.1587570958.35d78d0243-2.45.1 librados-devel-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd-devel-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs-devel-12.2.12+git.1587570958.35d78d0243-2.45.1 librados-devel-12.2.12+git.1587570958.35d78d0243-2.45.1 librados-devel-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd-devel-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 
librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): 
ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 
librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): ceph-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-base-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-base-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 
ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-fuse-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-fuse-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-mds-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-mds-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-mgr-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-mgr-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-mon-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-mon-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-osd-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-osd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-radosgw-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-radosgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-ceph-compat-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 
python3-ceph-argparse-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python3-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 rbd-fuse-12.2.12+git.1587570958.35d78d0243-2.45.1 rbd-fuse-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 rbd-mirror-12.2.12+git.1587570958.35d78d0243-2.45.1 rbd-mirror-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 rbd-nbd-12.2.12+git.1587570958.35d78d0243-2.45.1 rbd-nbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 - HPE Helion Openstack 8 (x86_64): ceph-common-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-common-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 ceph-debugsource-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-12.2.12+git.1587570958.35d78d0243-2.45.1 libcephfs2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-12.2.12+git.1587570958.35d78d0243-2.45.1 librados2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-12.2.12+git.1587570958.35d78d0243-2.45.1 libradosstriper1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-12.2.12+git.1587570958.35d78d0243-2.45.1 librbd1-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-12.2.12+git.1587570958.35d78d0243-2.45.1 librgw2-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-12.2.12+git.1587570958.35d78d0243-2.45.1 python-cephfs-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rados-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rbd-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1 
python-rgw-12.2.12+git.1587570958.35d78d0243-2.45.1 python-rgw-debuginfo-12.2.12+git.1587570958.35d78d0243-2.45.1

References:
https://www.suse.com/security/cve/CVE-2020-12059.html
https://bugzilla.suse.com/1170170

From sle-security-updates at lists.suse.com Thu Apr 30 07:17:13 2020
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 30 Apr 2020 15:17:13 +0200 (CEST)
Subject: SUSE-SU-2020:1156-1: important: Security update for squid
Message-ID: <20200430131713.A8D6CFE29@maintenance.suse.de>

SUSE Security Update: Security update for squid
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1156-1
Rating: important
References: #1162689 #1162691 #1167373 #1169659 #1170313
Cross-References: CVE-2019-12519 CVE-2019-12521 CVE-2019-12528 CVE-2019-18860 CVE-2020-11945 CVE-2020-8517
Affected Products:
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Module for Server Applications 15-SP2
SUSE Linux Enterprise Module for Server Applications 15-SP1
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for squid to version 4.11 fixes the following issues:

- CVE-2020-11945: Fixed a potential remote code execution vulnerability when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12519, CVE-2019-12521: Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses (bsc#1169659).
- CVE-2020-8517: Fixed a possible denial of service caused by incorrect buffer management in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
- CVE-2019-12528: Fixed possible information disclosure when translating FTP server listings into HTTP responses (bsc#1162689). - CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1156=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1156=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-1156=1 - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1156=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1156=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1156=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): squid-4.11-5.17.2 squid-debuginfo-4.11-5.17.2 squid-debugsource-4.11-5.17.2 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): squid-4.11-5.17.2 squid-debuginfo-4.11-5.17.2 squid-debugsource-4.11-5.17.2 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): squid-4.11-5.17.2 squid-debuginfo-4.11-5.17.2 squid-debugsource-4.11-5.17.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): squid-4.11-5.17.2 squid-debuginfo-4.11-5.17.2 squid-debugsource-4.11-5.17.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): squid-4.11-5.17.2 squid-debuginfo-4.11-5.17.2 squid-debugsource-4.11-5.17.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): squid-4.11-5.17.2 
squid-debuginfo-4.11-5.17.2 squid-debugsource-4.11-5.17.2 References: https://www.suse.com/security/cve/CVE-2019-12519.html https://www.suse.com/security/cve/CVE-2019-12521.html https://www.suse.com/security/cve/CVE-2019-12528.html https://www.suse.com/security/cve/CVE-2019-18860.html https://www.suse.com/security/cve/CVE-2020-11945.html https://www.suse.com/security/cve/CVE-2020-8517.html https://bugzilla.suse.com/1162689 https://bugzilla.suse.com/1162691 https://bugzilla.suse.com/1167373 https://bugzilla.suse.com/1169659 https://bugzilla.suse.com/1170313 From sle-security-updates at lists.suse.com Thu Apr 30 13:14:51 2020 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 30 Apr 2020 21:14:51 +0200 (CEST) Subject: SUSE-SU-2020:14354-1: important: Security update for the Linux Kernel Message-ID: <20200430191451.61608FE29@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14354-1 Rating: important References: #1012382 #1091041 #1105327 #1131107 #1136471 #1136922 #1146519 #1146544 #1146612 #1148871 #1149448 #1152631 #1156652 #1157038 #1157070 #1157143 #1157155 #1157157 #1157303 #1157344 #1157678 #1157804 #1157923 #1158381 #1158410 #1158413 #1158427 #1158445 #1158823 #1158824 #1158834 #1158900 #1158904 #1159285 #1159841 #1159908 #1159911 #1161358 #1162928 #1162929 #1162931 #1164078 #1165111 #1165985 #1167629 #1168075 #1168829 #1168854 Cross-References: CVE-2019-12456 CVE-2019-14896 CVE-2019-14897 CVE-2019-15213 CVE-2019-15916 CVE-2019-18660 CVE-2019-18675 CVE-2019-19066 CVE-2019-19073 CVE-2019-19074 CVE-2019-19227 CVE-2019-19523 CVE-2019-19524 CVE-2019-19527 CVE-2019-19530 CVE-2019-19531 CVE-2019-19532 CVE-2019-19537 CVE-2019-19768 CVE-2019-19965 CVE-2019-19966 CVE-2019-20096 CVE-2020-10942 CVE-2020-11608 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-9383 Affected Products: SUSE 
Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Server 11-EXTRA SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 28 vulnerabilities and has 20 fixes is now available.

Description:

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-10942: get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bsc#1167629).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931).
- CVE-2020-9383: An issue was discovered where set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bsc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285).
- CVE-2020-11608: Fixed NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bsc#1168829).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service or possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver.
  An attacker is able to cause a denial of service or possibly execute arbitrary code, when a STA works in IBSS mode and connects to another STA (bsc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bsc#1157804).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bsc#1159911).
- CVE-2019-19066: A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service by triggering bfa_port_get_stats() failures (bsc#1157303).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bsc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bsc#1159841).
- CVE-2019-19532: Fixed multiple out-of-bounds write bugs that can be caused by a malicious USB device (bsc#1158824).
- CVE-2019-19523: Fixed a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (bsc#115882).
- CVE-2019-19537: Fixed a race condition that can be caused by a malicious USB device in the USB character device driver layer (bsc#1158904).
- CVE-2019-19527, CVE-2019-19530, CVE-2019-19524: Fixed multiple use-after-free bugs that could be caused by a malicious USB device (bsc#1158381, bsc#1158834, bsc#1158900).
- CVE-2019-15213: Fixed a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bsc#1146544).
- CVE-2019-19531: Fixed a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bsc#1158445).
- CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs (bsc#1157038).
- CVE-2019-19227: Fixed a potential NULL pointer dereference in the AppleTalk subsystem (bsc#1157678).
- CVE-2019-19074: Fixed a memory leak in ath9k_wmi_cmd(), which allowed attackers to cause a denial of service (bsc#1157143).
- CVE-2019-19073: Fixed multiple memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c, which allowed attackers to cause a denial of service (bsc#1157070).
- CVE-2019-15916: Fixed a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which could cause denial of service (bsc#1149448).
- CVE-2019-12456: Fixed a denial of service in _ctl_ioctl_main, which could be triggered by a local user (bsc#1136922).

The following non-security bugs were fixed:

- Input: add safety guards to input_set_keycode() (bsc#1168075).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: Fix oops scsi_disk_get() (bsc#1105327).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- kaiser: Fix for 32bit KAISER implementations (bsc#1157344).
- klist: fix starting point removed bug in klist iterators (bsc#1156652).
- kobject: Export kobject_get_unless_zero() (bsc#1105327).
- kobject: fix kset_find_obj() race with concurrent last kobject_put() (bsc#1105327).
- kref: minor cleanup (bsc#1105327).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- powerpc/64: Make meltdown reporting Book3S 64 specific (bsc#1091041).
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- sched: Fix race between task_group and sched_task_group (bsc#1136471).
- sched: Remove lockdep check in sched_move_task() (bsc#1136471).
- scsi: lpfc: Fix driver crash in target reset handler (bsc#1148871).
- writeback: fix race that cause writeback hung (bsc#1161358).
- x86: fix speculation bug reporting (bsc#1012382).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-kernel-source-14354=1
- SUSE Linux Enterprise Server 11-EXTRA:
  zypper in -t patch slexsp3-kernel-source-14354=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-kernel-source-14354=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  kernel-default-3.0.101-108.111.1
  kernel-default-base-3.0.101-108.111.1
  kernel-default-devel-3.0.101-108.111.1
  kernel-source-3.0.101-108.111.1
  kernel-syms-3.0.101-108.111.1
  kernel-trace-3.0.101-108.111.1
  kernel-trace-base-3.0.101-108.111.1
  kernel-trace-devel-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64):
  kernel-ec2-3.0.101-108.111.1
  kernel-ec2-base-3.0.101-108.111.1
  kernel-ec2-devel-3.0.101-108.111.1
  kernel-xen-3.0.101-108.111.1
  kernel-xen-base-3.0.101-108.111.1
  kernel-xen-devel-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (s390x):
  kernel-default-man-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64):
  kernel-bigmem-3.0.101-108.111.1
  kernel-bigmem-base-3.0.101-108.111.1
  kernel-bigmem-devel-3.0.101-108.111.1
  kernel-ppc64-3.0.101-108.111.1
  kernel-ppc64-base-3.0.101-108.111.1
  kernel-ppc64-devel-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (i586):
  kernel-pae-3.0.101-108.111.1
  kernel-pae-base-3.0.101-108.111.1
  kernel-pae-devel-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):
  kernel-default-extra-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):
  kernel-xen-extra-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-EXTRA (x86_64):
  kernel-trace-extra-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-EXTRA (ppc64):
  kernel-ppc64-extra-3.0.101-108.111.1
- SUSE Linux Enterprise Server 11-EXTRA (i586):
  kernel-pae-extra-3.0.101-108.111.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  kernel-default-debuginfo-3.0.101-108.111.1
  kernel-default-debugsource-3.0.101-108.111.1
  kernel-trace-debuginfo-3.0.101-108.111.1
  kernel-trace-debugsource-3.0.101-108.111.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 s390x x86_64):
  kernel-default-devel-debuginfo-3.0.101-108.111.1
  kernel-trace-devel-debuginfo-3.0.101-108.111.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):
  kernel-ec2-debuginfo-3.0.101-108.111.1
  kernel-ec2-debugsource-3.0.101-108.111.1
  kernel-xen-debuginfo-3.0.101-108.111.1
  kernel-xen-debugsource-3.0.101-108.111.1
  kernel-xen-devel-debuginfo-3.0.101-108.111.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):
  kernel-bigmem-debuginfo-3.0.101-108.111.1
  kernel-bigmem-debugsource-3.0.101-108.111.1
  kernel-ppc64-debuginfo-3.0.101-108.111.1
  kernel-ppc64-debugsource-3.0.101-108.111.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586):
  kernel-pae-debuginfo-3.0.101-108.111.1
  kernel-pae-debugsource-3.0.101-108.111.1
  kernel-pae-devel-debuginfo-3.0.101-108.111.1

References:

https://www.suse.com/security/cve/CVE-2019-12456.html
https://www.suse.com/security/cve/CVE-2019-14896.html
https://www.suse.com/security/cve/CVE-2019-14897.html
https://www.suse.com/security/cve/CVE-2019-15213.html
https://www.suse.com/security/cve/CVE-2019-15916.html
https://www.suse.com/security/cve/CVE-2019-18660.html
https://www.suse.com/security/cve/CVE-2019-18675.html
https://www.suse.com/security/cve/CVE-2019-19066.html
https://www.suse.com/security/cve/CVE-2019-19073.html
https://www.suse.com/security/cve/CVE-2019-19074.html
https://www.suse.com/security/cve/CVE-2019-19227.html
https://www.suse.com/security/cve/CVE-2019-19523.html
https://www.suse.com/security/cve/CVE-2019-19524.html
https://www.suse.com/security/cve/CVE-2019-19527.html
https://www.suse.com/security/cve/CVE-2019-19530.html
https://www.suse.com/security/cve/CVE-2019-19531.html
https://www.suse.com/security/cve/CVE-2019-19532.html
https://www.suse.com/security/cve/CVE-2019-19537.html
https://www.suse.com/security/cve/CVE-2019-19768.html
https://www.suse.com/security/cve/CVE-2019-19965.html
https://www.suse.com/security/cve/CVE-2019-19966.html
https://www.suse.com/security/cve/CVE-2019-20096.html
https://www.suse.com/security/cve/CVE-2020-10942.html
https://www.suse.com/security/cve/CVE-2020-11608.html
https://www.suse.com/security/cve/CVE-2020-8647.html
https://www.suse.com/security/cve/CVE-2020-8648.html
https://www.suse.com/security/cve/CVE-2020-8649.html
https://www.suse.com/security/cve/CVE-2020-9383.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1091041
https://bugzilla.suse.com/1105327
https://bugzilla.suse.com/1131107
https://bugzilla.suse.com/1136471
https://bugzilla.suse.com/1136922
https://bugzilla.suse.com/1146519
https://bugzilla.suse.com/1146544
https://bugzilla.suse.com/1146612
https://bugzilla.suse.com/1148871
https://bugzilla.suse.com/1149448
https://bugzilla.suse.com/1152631
https://bugzilla.suse.com/1156652
https://bugzilla.suse.com/1157038
https://bugzilla.suse.com/1157070
https://bugzilla.suse.com/1157143
https://bugzilla.suse.com/1157155
https://bugzilla.suse.com/1157157
https://bugzilla.suse.com/1157303
https://bugzilla.suse.com/1157344
https://bugzilla.suse.com/1157678
https://bugzilla.suse.com/1157804
https://bugzilla.suse.com/1157923
https://bugzilla.suse.com/1158381
https://bugzilla.suse.com/1158410
https://bugzilla.suse.com/1158413
https://bugzilla.suse.com/1158427
https://bugzilla.suse.com/1158445
https://bugzilla.suse.com/1158823
https://bugzilla.suse.com/1158824
https://bugzilla.suse.com/1158834
https://bugzilla.suse.com/1158900
https://bugzilla.suse.com/1158904
https://bugzilla.suse.com/1159285
https://bugzilla.suse.com/1159841
https://bugzilla.suse.com/1159908
https://bugzilla.suse.com/1159911
https://bugzilla.suse.com/1161358
https://bugzilla.suse.com/1162928
https://bugzilla.suse.com/1162929
https://bugzilla.suse.com/1162931
https://bugzilla.suse.com/1164078
https://bugzilla.suse.com/1165111
https://bugzilla.suse.com/1165985
https://bugzilla.suse.com/1167629
https://bugzilla.suse.com/1168075
https://bugzilla.suse.com/1168829
https://bugzilla.suse.com/1168854