SUSE-IU-2020:116-1: Security update of sles-15-sp2-chost-byos-v20201208

sle-security-updates at lists.suse.com
Fri Dec 11 04:07:03 MST 2020


SUSE Image Update Advisory: sles-15-sp2-chost-byos-v20201208
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2020:116-1
Image Tags        : sles-15-sp2-chost-byos-v20201208:20201208
Image Release     : 
Severity          : critical
Type              : security
References        : 1027519 1055014 1055186 1061843 1065600 1065600 1065729 1065729
                        1066382 1077428 1104902 1129923 1134760 1149032 1152489 1154935
                        1155027 1155798 1158830 1159460 1162896 1163592 1164076 1164648
                        1165502 1165692 1166602 1167471 1168155 1168468 1170415 1171234
                        1171675 1171688 1171806 1172082 1172798 1172846 1172952 1173256
                        1173391 1173422 1173902 1173914 1173972 1173994 1174003 1174098
                        1174099 1174232 1174257 1174564 1174593 1174697 1174748 1174753
                        1174817 1174918 1174969 1175052 1175168 1175599 1175621 1175721
                        1175749 1175807 1175894 1175898 1176019 1176062 1176123 1176142
                        1176155 1176173 1176192 1176262 1176262 1176285 1176325 1176354
                        1176400 1176435 1176485 1176513 1176549 1176712 1176713 1176740
                        1176800 1176902 1176907 1176979 1177086 1177090 1177109 1177121
                        1177193 1177194 1177196 1177206 1177238 1177258 1177271 1177281
                        1177283 1177284 1177285 1177286 1177297 1177315 1177315 1177353
                        1177384 1177394 1177409 1177409 1177410 1177411 1177412 1177412
                        1177413 1177413 1177414 1177414 1177458 1177460 1177460 1177470
                        1177490 1177510 1177511 1177603 1177613 1177617 1177681 1177683
                        1177687 1177694 1177697 1177719 1177724 1177725 1177726 1177739
                        1177749 1177750 1177754 1177755 1177765 1177766 1177790 1177799
                        1177801 1177811 1177814 1177817 1177854 1177855 1177856 1177858
                        1177861 1177864 1177913 1177914 1177915 1177939 1177950 1177957
                        1177983 1177998 1178002 1178078 1178079 1178166 1178173 1178175
                        1178176 1178177 1178183 1178184 1178185 1178186 1178190 1178191
                        1178217 1178246 1178255 1178278 1178288 1178307 1178330 1178346
                        1178350 1178353 1178354 1178376 1178387 1178395 1178466 1178486
                        1178512 1178591 1178591 1178727 1178882 1178882 1178963 1179031
                        1179032 1179193 1179431 1179515 935885 954532 959556 CVE-2019-20916
                        CVE-2019-20916 CVE-2020-12351 CVE-2020-12352 CVE-2020-13844 CVE-2020-14318
                        CVE-2020-14323 CVE-2020-14351 CVE-2020-14383 CVE-2020-15999 CVE-2020-16120
                        CVE-2020-24490 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645
                        CVE-2020-25656 CVE-2020-25692 CVE-2020-25705 CVE-2020-27670 CVE-2020-27670
                        CVE-2020-27671 CVE-2020-27671 CVE-2020-27672 CVE-2020-27672 CVE-2020-27673
                        CVE-2020-27674 CVE-2020-28196 CVE-2020-28368 CVE-2020-28368 CVE-2020-8037
                        CVE-2020-8277 CVE-2020-8694 
-----------------------------------------------------------------

The container sles-15-sp2-chost-byos-v20201208 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with a '-10' suffix; you can specify them
via:

	CC=gcc-10
	CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2953-1
Released:    Mon Oct 19 06:25:15 2020
Summary:     Recommended update for gettext-runtime
Type:        recommended
Severity:    moderate
References:  1176142
This update for gettext-runtime fixes the following issues:

- Fix an issue where 'xgettext' crashes while creating a 'POT' file. (bsc#1176142)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue where the command 'ps -C' no longer allows an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2971-1
Released:    Tue Oct 20 16:41:36 2020
Summary:     Recommended update for shim-susesigned
Type:        recommended
Severity:    moderate
References:  1177315


This update contains changes needed for Common Criteria certification.

shim:

* add a temporary shim loader EFI signed by SUSE that contains additional checks of Extended Key Usage for Codesigning (bsc#1177315)

The Common Criteria system role for 15-SP2 was adjusted:

* Configure alternative shim (bsc#1177315)
* Remove curve25519-sha256@libssh.org as it doesn't work in FIPS mode
* doc: logrotate is started via timer


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2980-1
Released:    Wed Oct 21 13:28:37 2020
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    critical
References:  1065600,1065729,1155798,1165692,1168468,1171675,1171688,1174003,1174098,1175599,1175621,1175807,1176019,1176400,1176907,1176979,1177090,1177109,1177121,1177193,1177194,1177206,1177258,1177271,1177283,1177284,1177285,1177286,1177297,1177384,1177511,1177617,1177681,1177683,1177687,1177694,1177697,1177719,1177724,1177725,1177726,954532,CVE-2020-12351,CVE-2020-12352,CVE-2020-24490,CVE-2020-25641,CVE-2020-25643,CVE-2020-25645
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724).
- CVE-2020-24490: Fixed a heap buffer overflow when processing extended advertising report events aka 'BleedingTooth' aka 'BadVibes' (bsc#1177726).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' aka 'BadChoice' (bsc#1177725).
- CVE-2020-25641: Fixed an issue where a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have been caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25645: Fixed an issue where traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).

The following non-security bugs were fixed:

- 9p: Fix memory leak in v9fs_mount (git-fixes).
- ACPI: EC: Reference count query handlers under lock (git-fixes).
- airo: Fix read overflows sending packets (git-fixes).
- ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
- arm64: Enable PCI write-combine resources under sysfs (bsc#1175807).
- ASoC: img-i2s-out: Fix runtime PM imbalance on error (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1 (git-fixes).
- ASoC: kirkwood: fix IRQ error handling (git-fixes).
- ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions (git-fixes).
- ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811 (git-fixes).
- ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 (git-fixes).
- ath10k: fix array out-of-bounds access (git-fixes).
- ath10k: fix memory leak for tpc_stats_final (git-fixes).
- ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
- Bluetooth: Fix refcount use-after-free issue (git-fixes).
- Bluetooth: guard against controllers sending zero'd events (git-fixes).
- Bluetooth: Handle Inquiry Cancel error after Inquiry Complete (git-fixes).
- Bluetooth: L2CAP: handle l2cap config request during open state (git-fixes).
- Bluetooth: prefetch channel before killing sock (git-fixes).
- brcmfmac: Fix double freeing in the fmac usb data path (git-fixes).
- btrfs: block-group: do not set the wrong READA flag for btrfs_read_block_groups() (bsc#1176019).
- btrfs: block-group: fix free-space bitmap threshold (bsc#1176019).
- btrfs: block-group: refactor how we delete one block group item (bsc#1176019).
- btrfs: block-group: refactor how we insert a block group item (bsc#1176019).
- btrfs: block-group: refactor how we read one block group item (bsc#1176019).
- btrfs: block-group: rename write_one_cache_group() (bsc#1176019).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: do not take an extra root ref at allocation time (bsc#1176019).
- btrfs: drop logs when we've aborted a transaction (bsc#1176019).
- btrfs: fix a race between scrub and block group removal/allocation (bsc#1176019).
- Btrfs: fix crash during unmount due to race with delayed inode workers (bsc#1176019).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: free block groups after free'ing fs trees (bsc#1176019).
- btrfs: hold a ref on the root on the dead roots list (bsc#1176019).
- btrfs: kill the subvol_srcu (bsc#1176019).
- btrfs: make btrfs_cleanup_fs_roots use the radix tree lock (bsc#1176019).
- btrfs: make inodes hold a ref on their roots (bsc#1176019).
- btrfs: make the extent buffer leak check per fs info (bsc#1176019).
- btrfs: move ino_cache_inode dropping out of btrfs_free_fs_root (bsc#1176019).
- btrfs: move the block group freeze/unfreeze helpers into block-group.c (bsc#1176019).
- btrfs: move the root freeing stuff into btrfs_put_root (bsc#1176019).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer necessary chunk mutex locking cases (bsc#1176019).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: rename member 'trimming' of block group to a more generic name (bsc#1176019).
- btrfs: scrub, only lookup for csums if we are dealing with a data extent (bsc#1176019).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal (git-fixes).
- clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED (git-fixes).
- clk: socfpga: stratix10: fix the divider for the emac_ptp_free_clk (git-fixes).
- clk: tegra: Always program PLL_E when enabled (git-fixes).
- clk/ti/adpll: allocate room for terminating null (git-fixes).
- clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() (git-fixes).
- clocksource/drivers/timer-gx6605s: Fixup counter reload (git-fixes).
- create Storage / NVMe subsection
- crypto: algif_aead - Do not set MAY_BACKLOG on the async path (git-fixes).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- crypto: picoxcell - Fix potential race condition bug (git-fixes).
- crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA (git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- Disable CONFIG_LIVEPATCH_IPA_CLONES where not needed. Explicitly disable CONFIG_LIVEPATCH_IPA_CLONES in configs where it is not needed to avoid confusion and unwanted values due to fragment config files.
- dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails (git-fixes).
- dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
- dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all (git-fixes).
- dmaengine: tegra-apb: Prevent race conditions on channel's freeing (git-fixes).
- dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
- dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) (git-fixes).
- drivers: char: tlclk.c: Avoid data race between init and interrupt handler (git-fixes).
- drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config (git-fixes).
- drm/radeon: revert 'Prefer lower feedback dividers' (bsc#1177384).
- drop Storage / bsc#1171688 subsection. No effect on expanded tree.
- e1000: Do not perform reset in reset_task if we are already down (git-fixes).
- ftrace: Move RCU is watching check after recursion check (git-fixes).
- fuse: do not ignore errors from fuse_writepages_fill() (bsc#1177193).
- gpio: mockup: fix resource leak in error path (git-fixes).
- gpio: rcar: Fix runtime PM imbalance on error (git-fixes).
- gpio: siox: explicitly support only threaded irqs (git-fixes).
- gpio: sprd: Clear interrupt when setting the type as edge (git-fixes).
- gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
- hwmon: (applesmc) check status earlier (git-fixes).
- hwmon: (mlxreg-fan) Fix double 'Mellanox' (git-fixes).
- hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61} (git-fixes).
- i2c: aspeed: Mask IRQ status to relevant bits (git-fixes).
- i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() (git-fixes).
- i2c: cpm: Fix i2c_ram structure (git-fixes).
- i2c: i801: Exclude device from suspend direct complete optimization (git-fixes).
- i2c: meson: fix clock setting overwrite (git-fixes).
- i2c: meson: fixup rate calculation with filter delay (git-fixes).
- i2c: owl: Clear NACK and BUS error bits (git-fixes).
- i2c: tegra: Prevent interrupt triggering after transfer timeout (git-fixes).
- i2c: tegra: Restore pinmux on system resume (git-fixes).
- ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
- ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes).
- iio: adc: qcom-spmi-adc5: fix driver name (git-fixes).
- ima: extend boot_aggregate with kernel measurements (bsc#1177617).
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (bsc#954532).
- iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE (bsc#1177297).
- iommu/amd: Fix potential @entry null deref (bsc#1177283).
- iommu/amd: Re-factor guest virtual APIC (de-)activation code (bsc#1177284).
- iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode (bsc#1177285).
- iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() (bsc#1177286).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- kabi fix for NFS: Fix flexfiles read failover (git-fixes).
- kabi: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
- kabi/severities: ignore kABI for target_core_rbd. Match behaviour for all other Ceph specific modules.
- kernel-binary.spec.in: Exclude .config.old from kernel-devel - use tar excludes for .kernel-binary.spec.buildenv
- kernel-binary.spec.in: Package the obj_install_dir as explicit filelist.
- leds: mlxreg: Fix possible buffer overflow (git-fixes).
- libceph-add-support-for-CMPEXT-compare-extent-reques.patch: (bsc#1177090).
- mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes).
- mac80211: skip mpath lookup also for control port tx (git-fixes).
- mac802154: tx: fix use-after-free (git-fixes).
- macsec: avoid use-after-free in macsec_handle_frame() (git-fixes).
- media: camss: Fix a reference count leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: mc-device.c: fix memleak in media_device_register_entity (git-fixes).
- media: mx2_emmaprp: Fix memleak in emmaprp_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: ov5640: Correct Bit Div register in clock tree diagram (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: rcar-csi2: Allocate v4l2_async_subdev dynamically (git-fixes).
- media: rcar-vin: Fix a reference count leak (git-fixes).
- media: rc: do not access device via sysfs after rc_unregister_device() (git-fixes).
- media: rc: uevent sysfs file races with rc_unregister_device() (git-fixes).
- media: Revert 'media: exynos4-is: Add missed check for pinctrl_lookup_state()' (git-fixes).
- media: rockchip/rga: Fix a reference count leak (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: smiapp: Fix error handling at NVM reading (git-fixes).
- media: staging/intel-ipu3: css: Correctly reset some memory (git-fixes).
- media: stm32-dcmi: Fix a reference count leak (git-fixes).
- media: tc358743: cleanup tc358743_cec_isr (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Set media controller entity functions (git-fixes).
- media: uvcvideo: Silence shift-out-of-bounds warning (git-fixes).
- media: v4l2-async: Document asd allocation requirements (git-fixes).
- mfd: mfd-core: Protect against NULL call-back function pointer (git-fixes).
- mm: call cond_resched() from deferred_init_memmap() (git fixes (mm/init), bsc#1177697).
- mmc: core: do not set limits.discard_granularity as 0 (git-fixes).
- mmc: core: Rework wp-gpio handling (git-fixes).
- mm, compaction: fully assume capture is not NULL in compact_zone_order() (git fixes (mm/compaction), bsc#1177681).
- mm, compaction: make capture control handling safe wrt interrupts (git fixes (mm/compaction), bsc#1177681).
- mmc: sdhci-acpi: AMDI0040: Set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes).
- mmc: sdhci: Add LTR support for some Intel BYT based controllers (git-fixes).
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS models (git-fixes).
- mm/debug.c: always print flags in dump_page() (git fixes (mm/debug)).
- mm: initialize deferred pages with interrupts enabled (git fixes (mm/init), bsc#1177697).
- mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps() (bsc#1177694).
- mm/migrate.c: also overwrite error when it is bigger than zero (git fixes (mm/move_pages), bsc#1177683).
- mm: move_pages: report the number of non-attempted pages (git fixes (mm/move_pages), bsc#1177683).
- mm: move_pages: return valid node id in status if the page is already on the target node (git fixes (mm/move_pages), bsc#1177683).
- mm/pagealloc.c: call touch_nmi_watchdog() on max order boundaries in deferred init (git fixes (mm/init), bsc#1177697).
- mm, slab/slub: move and improve cache_from_obj() (mm/slub bsc#1165692).
- mm, slab/slub: improve error reporting and overhead of cache_from_obj() (mm/slub bsc#1165692).
- mm, slub: extend checks guarded by slub_debug static key (mm/slub bsc#1165692).
- mm, slub: extend slub_debug syntax for multiple blocks (mm/slub bsc#1165692).
- mm, slub: introduce kmem_cache_debug_flags() (mm/slub bsc#1165692).
- mm, slub: introduce static key for slub_debug() (mm/slub bsc#1165692).
- mm, slub: make reclaim_account attribute read-only (mm/slub bsc#1165692).
- mm, slub: make remaining slub_debug related attributes read-only (mm/slub bsc#1165692).
- mm, slub: make some slub_debug related attributes read-only (mm/slub bsc#1165692).
- mm, slub: remove runtime allocation order changes (mm/slub bsc#1165692).
- mm, slub: restore initial kmem_cache flags (mm/slub bsc#1165692).
- Move upstreamed intel-vbtn patch into sorted section
- mt76: add missing locking around ampdu action (git-fixes).
- mt76: clear skb pointers from rx aggregation reorder buffer during cleanup (git-fixes).
- mt76: do not use devm API for led classdev (git-fixes).
- mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw (git-fixes).
- mt76: fix LED link time failure (git-fixes).
- mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of cfi_amdstd_setup() (git-fixes).
- mtd: rawnand: gpmi: Fix runtime PM imbalance on error (git-fixes).
- mtd: rawnand: omap_elm: Fix runtime PM imbalance on error (git-fixes).
- net: phy: realtek: fix rtl8211e rx/tx delay config (git-fixes).
- nfsd4: fix NULL dereference in nfsd/clients display code (git-fixes).
- NFS: Do not move layouts to plh_return_segs list while in use (git-fixes).
- NFS: Do not return layout segments that are in use (git-fixes).
- NFS: ensure correct writeback errors are returned on close() (git-fixes).
- NFS: Fix flexfiles read failover (git-fixes).
- NFS: Fix security label length not being reset (bsc#1176381).
- NFS: nfs_file_write() should check for writeback errors (git-fixes).
- NFSv4.2: fix client's attribute cache management for copy_file_range (git-fixes).
- nvme-multipath: retry commands for dying queues (bsc#1171688).
- patches.suse/target-compare-and-write-backend-driver-sense-handli.patch: (bsc#1177719).
- patches.suse/target-rbd-detect-stripe_unit-SCSI-block-size-misali.patch (bsc#1177090).
- patches.suse/target-rbd-support-COMPARE_AND_WRITE.patch: (fate#318836, bsc#1177090).
- PCI: Avoid double hpmemsize MMIO window assignment (git-fixes).
- PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
- PCI: tegra194: Fix runtime PM imbalance on error (git-fixes).
- PCI: tegra: Fix runtime PM imbalance on error (git-fixes).
- phy: ti: am654: Fix a leak in serdes_am654_probe() (git-fixes).
- pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB (git-fixes).
- pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
- Platform: OLPC: Fix memleak in olpc_ec_probe (git-fixes).
- platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP (git-fixes).
- platform/x86: fix kconfig dependency warning for LG_LAPTOP (git-fixes).
- platform/x86: intel_pmc_core: do not create a static struct device (git-fixes).
- platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting (bsc#1175599).
- platform/x86: thinkpad_acpi: initialize tp_nvram_state variable (git-fixes).
- platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse (git-fixes).
- pNFS/flexfiles: Ensure we initialise the mirror bsizes correctly on read (git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- power: supply: max17040: Correct voltage reading (git-fixes).
- qla2xxx: Return EBUSY on fcport deletion (bsc#1171688).
- r8169: fix data corruption issue on RTL8402 (bsc#1174098).
- rbd-add-rbd_img_fill_cmp_and_write_from_bvecs.patch: (bsc#1177090).
- rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch: (bsc#1177090).
- RDMA/hfi1: Correct an interlock issue for TID RDMA WRITE request (bsc#1175621).
- Refresh patches.suse/fnic-to-not-call-scsi_done-for-unhandled-commands.patch (bsc#1168468, bsc#1171675).
- regulator: axp20x: fix LDO2/4 description (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- rename Other drivers / Intel IOMMU subsection to IOMMU
- Rename patches to the same name as in SLE15-SP3.
- Rename scsi-fnic-do-not-call-scsi_done-for-unhandled-commands.patch. Fix typo in patch file name.
- rtc: ds1374: fix possible race condition (git-fixes).
- rtc: sa1100: fix possible race condition (git-fixes).
- s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
- sched/fair: Ignore cache hotness for SMT migration (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/fair: Use dst group while checking imbalance for NUMA balancer (bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/numa: Use runnable_avg to classify node (bnc#1155798 (CPU scheduler functional and performance backports)).
- scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258).
- scsi: qla2xxx: Add IOCB resource tracking (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add rport fields in debugfs (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add SLER and PI control support (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix memory size truncation (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix MPI reset needed message (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix reset of MPI firmware (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Performance tweak (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1171688 bsc#1174003).
- serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout (git-fixes).
- serial: 8250_omap: Fix sleeping function called from invalid context during probe (git-fixes).
- serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
- serial: uartps: Wait for tx_empty in console setup (git-fixes).
- spi: dw-pci: free previously allocated IRQs if desc->setup() fails (git-fixes).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- spi: omap2-mcspi: Improve performance waiting for CHSTAT (git-fixes).
- spi: sprd: Release DMA channel also on probe deferral (git-fixes).
- spi: stm32: Rate-limit the 'Communication suspended' message (git-fixes).
- svcrdma: Fix page leak in svc_rdma_recv_read_chunk() (git-fixes).
- target-rbd-add-emulate_legacy_capacity-dev-attribute.patch: (bsc#1177109).
- target-rbd-add-WRITE-SAME-support.patch: (bsc#1177090).
- target-rbd-conditionally-fix-off-by-one-bug-in-get_b.patch: (bsc#1177109).
- target-rbd-fix-unmap-discard-block-size-conversion.patch: (bsc#1177271).
- target-rbd-fix-unmap-handling-with-unmap_zeroes_data.patch: (bsc#1177271).
- thermal: rcar_thermal: Handle probe error gracefully (git-fixes).
- Update config files. Enable ACPI_PCI_SLOT and HOTPLUG_PCI_ACPI (bsc#1177194).
- USB: dwc3: Increase timeout for CmdAct cleared by device controller (git-fixes).
- USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
- USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int (git-fixes).
- USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
- vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn (bsc#1176979).
- virtio-net: do not disable guest csum when disable LRO (git-fixes).
- vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
- wlcore: fix runtime pm imbalance in wl1271_tx_work (git-fixes).
- wlcore: fix runtime pm imbalance in wlcore_regdomain_config (git-fixes).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1176907).
- xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
- xprtrdma: fix incorrect header size calculations (git-fixes).
- yam: fix possible memory leak in yam_init_driver (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue where 'file' displays a broken 'ELF' interpreter. (bsc#1176123)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2989-1
Released:    Thu Oct 22 08:53:10 2020
Summary:     Recommended update for chrony
Type:        recommended
Severity:    moderate
References:  1171806
This update for chrony fixes the following issues:

- Integrate three upstream patches to fix an infinite loop in chronyc. (bsc#1171806)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2995-1
Released:    Thu Oct 22 10:03:09 2020
Summary:     Security update for freetype2
Type:        security
Severity:    important
References:  1177914,CVE-2020-15999
This update for freetype2 fixes the following issues:

- CVE-2020-15999: Fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3046-1
Released:    Tue Oct 27 14:41:21 2020
Summary:     Recommended update for shim-susesigned
Type:        recommended
Severity:    moderate
References:  1177315
This update for shim-susesigned fixes the following issues:

- Fix a buffer use-after-free at the end of the EKU verification in shim-susesigned (bsc#1177315)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}=<version> to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- Link against libzstd to close libsolv's open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '<p>' are richtext
  (bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos
  [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3049-1
Released:    Tue Oct 27 16:08:27 2020
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
This update for xen fixes the following issues:

- bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3058-1
Released:    Wed Oct 28 06:11:14 2020
Summary:     Recommended update for catatonit
Type:        recommended
Severity:    moderate
References:  1176155
This update for catatonit fixes the following issues:

- Fixes an issue where catatonit hangs when a process dies in a very specific way. (bsc#1176155)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3059-1
Released:    Wed Oct 28 06:11:23 2020
Summary:     Recommended update for sysconfig
Type:        recommended
Severity:    moderate
References:  1173391,1176285,1176325
This update for sysconfig fixes the following issues:

- Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285)
- Fix for changing the content of files such as '/etc/resolv.conf', to avoid linked applications re-reading them and unnecessarily re-initializing themselves. (bsc#1176325)
- Fix for 'chrony helper' calling in background. (bsc#1173391)
- Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3081-1
Released:    Thu Oct 29 11:00:34 2020
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1173902,1173994,1177613,CVE-2020-14318,CVE-2020-14323,CVE-2020-14383
This update for samba fixes the following issues:

Update to samba 4.11.14

- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
- lib/util: Do not install /usr/bin/test_util
- smbd: don't log success as error
- idmap_ad does not deal properly with a RFC4511 section 4.4.1 response
- winbind: Fix a memleak
- idmap_ad: Pass tldap debug messages on to DEBUG()
- lib/replace: Move lib/replace/closefrom.c from ROKEN_HOSTCC_SOURCE to REPLACE_HOSTCC_SOURCE
- ctdb disable/enable can fail due to race condition

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3099-1
Released:    Thu Oct 29 19:33:41 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3122-1
Released:    Tue Nov  3 09:46:29 2020
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1055014,1055186,1061843,1065729,1077428,1129923,1134760,1152489,1174748,1174969,1175052,1175898,1176485,1176713,1177086,1177353,1177410,1177411,1177470,1177739,1177749,1177750,1177754,1177755,1177765,1177814,1177817,1177854,1177855,1177856,1177861,1178002,1178079,1178246,CVE-2020-14351,CVE-2020-16120,CVE-2020-25285
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-25285: A race condition between hugetlb sysctl handlers in mm/hugetlb.c could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact (bnc#1176485).
- CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file. (bsc#1177470)
- CVE-2020-14351: Fixed a race condition in the perf_mmap_close() function (bsc#1177086).

The following non-security bugs were fixed:

- ACPI: Always build evged in (git-fixes).
- ACPI: button: fix handling lid state changes when input device closed (git-fixes).
- ACPI: configfs: Add missing config_item_put() to fix refcount leak (git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- Add CONFIG_CHECK_CODESIGN_EKU
- ALSA: ac97: (cosmetic) align argument names (git-fixes).
- ALSA: aoa: i2sbus: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: asihpi: fix spellint typo in comments (git-fixes).
- ALSA: atmel: ac97: clarify operator precedence (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: fireworks: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda: (cosmetic) align function parameters (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - set mic to auto detect on a HP AIO machine (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: hdspm: Fix typo arbitary (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: portman2x4: fix repeated word 'if' (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: sparc: dbri: fix repeated word 'the' (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake 'Frequence' -> 'Frequency' (git-fixes).
- ALSA: usb-audio: Line6 Pod Go interface requires static clock rate quirk (git-fixes).
- ALSA: usb: scarless_gen2: fix endianness issue (git-fixes).
- ALSA: vx: vx_core: clarify operator precedence (git-fixes).
- ALSA: vx: vx_pcm: remove redundant assignment (git-fixes).
- ASoC: fsl: imx-es8328: add missing put_device() call in imx_es8328_probe() (git-fixes).
- ASoC: fsl_sai: Instantiate snd_soc_dai_driver (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ASoC: sun50i-codec-analog: Fix duplicate use of ADC enable bits (git-fixes).
- ASoC: tlv320aic32x4: Fix bdiv clock rate derivation (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k_htc: Use appropriate rs_datalen type (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- block: Fix page_is_mergeable() for compound pages (bsc#1177814).
- Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- btrfs: add owner and fs_info to alloc_state io_tree (bsc#1177854).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: flexcan: remove ack_grp and ack_bit handling from driver (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: keystone: sci-clk: fix parsing assigned-clock data during probe (git-fixes).
- clk: meson: g12a: mark fclk_div2 as critical (git-fixes).
- clk: qcom: gcc-sdm660: Fix wrong parent_map (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- dax: Fix compilation for CONFIG_DAX && !CONFIG_FS_DAX (bsc#1177817).
- dma-direct: add missing set_memory_decrypted() for coherent mapping (bsc#1175898, ECO-2743).
- dma-direct: always align allocation size in dma_direct_alloc_pages() (bsc#1175898, ECO-2743).
- dma-direct: atomic allocations must come from atomic coherent pools (bsc#1175898, ECO-2743).
- dma-direct: check return value when encrypting or decrypting memory (bsc#1175898, ECO-2743).
- dma-direct: consolidate the error handling in dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dma-direct: make uncached_kernel_address more general (bsc#1175898, ECO-2743).
- dma-direct: provide function to check physical memory area validity (bsc#1175898, ECO-2743).
- dma-direct: provide mmap and get_sgtable method overrides (bsc#1175898, ECO-2743).
- dma-direct: re-encrypt memory if dma_direct_alloc_pages() fails (bsc#1175898, ECO-2743).
- dma-direct: remove __dma_direct_free_pages (bsc#1175898, ECO-2743).
- dma-direct: remove the dma_handle argument to __dma_direct_alloc_pages (bsc#1175898, ECO-2743).
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- dmaengine: dmatest: Check list for emptiness before access its last entry (git-fixes).
- dma-mapping: add a dma_can_mmap helper (bsc#1175898, ECO-2743).
- dma-mapping: always use VM_DMA_COHERENT for generic DMA remap (bsc#1175898, ECO-2743).
- dma-mapping: DMA_COHERENT_POOL should select GENERIC_ALLOCATOR (bsc#1175898, ECO-2743).
- dma-mapping: make dma_atomic_pool_init self-contained (bsc#1175898, ECO-2743).
- dma-mapping: merge the generic remapping helpers into dma-direct (bsc#1175898, ECO-2743).
- dma-mapping: remove arch_dma_mmap_pgprot (bsc#1175898, ECO-2743).
- dma-mapping: warn when coherent pool is depleted (bsc#1175898, ECO-2743).
- dma-pool: add additional coherent pools to map to gfp mask (bsc#1175898, ECO-2743).
- dma-pool: add pool sizes to debugfs (bsc#1175898, ECO-2743).
- dma-pool: decouple DMA_REMAP from DMA_COHERENT_POOL (bsc#1175898, ECO-2743).
- dma-pool: do not allocate pool memory from CMA (bsc#1175898, ECO-2743).
- dma-pool: dynamically expanding atomic pools (bsc#1175898, ECO-2743).
- dma-pool: Fix an uninitialized variable bug in atomic_pool_expand() (bsc#1175898, ECO-2743).
- dma-pool: fix coherent pool allocations for IOMMU mappings (bsc#1175898, ECO-2743).
- dma-pool: fix too large DMA pools on medium memory size systems (bsc#1175898, ECO-2743).
- dma-pool: get rid of dma_in_atomic_pool() (bsc#1175898, ECO-2743).
- dma-pool: introduce dma_guess_pool() (bsc#1175898, ECO-2743).
- dma-pool: make sure atomic pool suits device (bsc#1175898, ECO-2743).
- dma-pool: Only allocate from CMA when in same memory zone (bsc#1175898, ECO-2743).
- dma-pool: scale the default DMA coherent pool size with memory capacity (bsc#1175898, ECO-2743).
- dma-remap: separate DMA atomic pools from direct remap code (bsc#1175898, ECO-2743).
- dm: Call proper helper to determine dax support (bsc#1177817).
- dm/dax: Fix table reference counts (bsc#1178246).
- docs: driver-api: remove a duplicated index entry (git-fixes).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1152489).
- extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips (git-fixes).
- HID: hid-input: fix stylus battery reporting (git-fixes).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs (git-fixes).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- i2c: rcar: Auto select RESET_CONTROLLER (git-fixes).
- i3c: master add i3c_master_attach_boardinfo to preserve boardinfo (git-fixes).
- i3c: master: Fix error return in cdns_i3c_master_probe() (git-fixes).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- ibmvnic: set up 200GBPS speed (bsc#1129923 git-fixes).
- ida: Free allocated bitmap in error path (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio: adc: gyroadc: fix leak of device node iterator (git-fixes).
- iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Do not ignore errors from crypto_shash_update() (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- Input: ati_remote2 - add missing newlines when printing module parameters (git-fixes).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: stmfts - fix a & vs && typo (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1177739).
- ipmi_si: Fix wrong return value in try_smi_init() (git-fixes).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kABI: Fix kABI after add CodeSigning extended key usage (bsc#1177353).
- leds: mt6323: move period calculation (git-fixes).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- memory: omap-gpmc: Fix build error without CONFIG_OF (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- mm: do not panic when links can't be created in sysfs (bsc#1178002).
- mm: do not rely on system state to detect hot-plug operations (bsc#1178002).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm: replace memmap_context by meminit_context (bsc#1178002).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mtd: rawnand: stm32_fmc2: fix a buffer overflow (git-fixes).
- mtd: rawnand: vf610: disable clk on error handling path in probe (git-fixes).
- mtd: spinand: gigadevice: Add QE Bit (git-fixes).
- mtd: spinand: gigadevice: Only one dummy byte in QUADIO (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- ntb: intel: Fix memleak in intel_ntb_pci_probe (git-fixes).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- overflow: Include header file with SIZE_MAX declaration (git-fixes).
- PCI: aardvark: Check for errors from pci_bridge_emul_init() call (git-fixes).
- percpu: fix first chunk size calculation for populated bitmap (git-fixes (mm/percpu)).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1152489).
- perf/x86: Fix n_pair for cancelled txn (bsc#1152489).
- pinctrl: mcp23s08: Fix mcp23x17 precious range (git-fixes).
- pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser (git-fixes).
- PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification (bsc#1177353).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- PM: hibernate: Batch hibernate and resume IO requests (bsc#1178079).
- powerpc/book3s64/radix: Make radix_mem_block_size 64bit (bsc#1055186 ltc#153436 git-fixes).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/papr_scm: Fix warning triggered by perf_stats_show() (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: Avoid using addr_to_pfn in real mode (jsc#SLE-9246 git-fixes).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- pwm: img: Fix null pointer access in probe (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- qtnfmac: fix resource leaks on unsupported iftype error return path (git-fixes).
- r8169: fix operation under forced interrupt threading (git-fixes).
- rapidio: fix the missed put_device() for rio_mport_add_riodev (git-fixes).
- reset: sti: reset-syscfg: fix struct description warnings (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rtc: rx8010: do not modify the global rtc ops (git-fixes).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: mptfusion: Do not use GFP_ATOMIC for larger DMA allocations (bsc#1175898, ECO-2743).
- slimbus: core: check get_addr before removing laddr ida (git-fixes).
- slimbus: core: do not enter to clock pause mode in core (git-fixes).
- slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback (git-fixes).
- soc: fsl: qbman: Fix return value on success (git-fixes).
- staging: comedi: check validity of wMaxPacketSize of usb endpoints found (git-fixes).
- staging: rtl8192u: Do not use GFP_KERNEL in atomic context (git-fixes).
- tracing: Check return value of __create_val_fields() before using its result (git-fixes).
- tracing: Save normal string variables (git-fixes).
- USB: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- USB: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- USB: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- USB: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- USB: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- USB: dwc3: gadget: Resume pending requests after CLEAR_STALL (git-fixes).
- USB: dwc3: pci: Allow Elkhart Lake to utilize DSM method for PM functionality (git-fixes).
- USB: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- USB: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usblp: fix race between disconnect() and read() (git-fixes).
- USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
- USB: serial: option: add Cellient MPL200 card (git-fixes).
- USB: serial: option: Add Telit FT980-KS composition (git-fixes).
- USB: serial: pl2303: add device-id for HP GC device (git-fixes).
- USB: serial: qcserial: fix altsetting probing (git-fixes).
- usb: xhci-mtk: Fix typo (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: Fix memleak in watchdog_cdev_register (git-fixes).
- watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 (git-fixes).
- watchdog: Use put_device on error (git-fixes).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- X.509: Add CodeSigning extended key usage parsing (bsc#1177353).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1152489).
- x86/ioapic: Unbreak check_timer() (bsc#1152489).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1177765).
- x86/mm: unencrypted non-blocking DMA allocations use coherent pools (bsc#1175898, ECO-2743).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pvcallsback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xfs: force the log after remapping a synchronous-writes file (git-fixes).
- xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3123-1
Released:    Tue Nov  3 09:48:13 2020
Summary:     Recommended update for timezone
Type:        recommended
Severity:    important
References:  1177460,1178346,1178350,1178353
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov  3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3157-1
Released:    Wed Nov  4 15:37:05 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3199-1
Released:    Fri Nov  6 13:01:11 2020
Summary:     Recommended update for SUSEConnect
Type:        recommended
Severity:    moderate
References:  1155027
This update for SUSEConnect fixes the following issues:

- Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027)
- Add 'rpmlintrc' to filter false-positive warning about patch not applied
- Extend the YaST API in order to access the package search functionality. (jsc#SLE-9109)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3253-1
Released:    Mon Nov  9 07:45:04 2020
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1174697,1176173
This update for mozilla-nss fixes the following issues:

- Fixes an issue where Mozilla Firefox failed in FIPS mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
  NIST SP800-56Arev3 compliant (bsc#1176173).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3270-1
Released:    Tue Nov 10 17:53:08 2020
Summary:     Recommended update for bind
Type:        recommended
Severity:    moderate
References:  1175894,1177603,1177790,1177913,1177915,1178078
This update for bind fixes the following issues:

- Add '/usr/lib64/named' to the files and directories in bind config to include external plugins for chroot. (bsc#1178078)
- Replaced named's dependency on time-sync with a dependency on time-set in 'named.service' to avoid a dependency-loop. (bsc#1177790)
- Removed 'dnssec-enable' from named.conf as it has been obsoleted and may break. (bsc#1177915)
- Added a comment for reference which should be removed in the future. (bsc#1177603)
- Added a comment to the 'dnssec-validation' in named.conf with a reference to forwarders which do not return signed responses. (bsc#1175894)
- Replaced an INSIST macro which calls abort with a test and a diagnostic output. (bsc#1177913)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3286-1
Released:    Wed Nov 11 12:24:19 2020
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1172952,1176062,1177957,1178278
This update for grub2 fixes the following issues:

- Fixed an issue where the HTTPS boot was interrupted by an unrecognized network address
  error message (bsc#1172952)
- Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062)
- Fixed an error in grub2-install where it exited with 'failed to get canonical path
  of `/boot/grub2/i386-pc'.' (bsc#1177957)
- Fixed a boot failure issue on blocklist installations (bsc#1178278)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink values are not accurate on all implementations, which leads to aborts if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released:    Wed Nov 11 12:28:46 2020
Summary:     Recommended update for SLES-release
Type:        recommended
Severity:    moderate
References:  1177998
This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3301-1
Released:    Thu Nov 12 13:51:02 2020
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1177939
This update for openssh fixes the following issues:

- Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3273-1
Released:    Sat Nov 14 08:21:39 2020
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065600,1066382,1149032,1163592,1164648,1170415,1175721,1175749,1176354,1177281,1177766,1177799,1177801,1178166,1178173,1178175,1178176,1178177,1178183,1178184,1178185,1178186,1178190,1178191,1178255,1178307,1178330,1178395,CVE-2020-25656,CVE-2020-25705,CVE-2020-8694

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bug fixes.


The following security bugs were fixed:

- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-25705: An ICMP global rate limiting side-channel was removed which could lead to e.g. the SADDNS attack (bsc#1175721)

The following non-security bugs were fixed:

- act_ife: load meta modules before tcf_idr_check_alloc() (networking-stable-20_09_24).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- block: Set same_page to false in __bio_try_merge_page if ret is false (git-fixes).
- Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (git-fixes).
- bonding: show saner speed for broadcast mode (networking-stable-20_08_24).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: allocate scrub workqueues outside of locks (bsc#1178183).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: drop path before adding new uuid tree entry (bsc#1178176).
- btrfs: fix filesystem corruption after a device replace (bsc#1178395).
- btrfs: fix NULL pointer dereference after failure to create snapshot (bsc#1178190).
- btrfs: fix overflow when copying corrupt csums for a message (bsc#1178191).
- btrfs: fix space cache memory leak after transaction abort (bsc#1178173).
- btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks (bsc#1178395).
- btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing (bsc#1178395).
- btrfs: set the correct lockdep class for new nodes (bsc#1178184).
- btrfs: set the lockdep class for log tree extent buffers (bsc#1178186).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- ceph: promote to unsigned long long before shifting (bsc#1178175).
- crypto: ccp - fix error handling (git-fixes).
- cxgb4: fix memory leak during module unload (networking-stable-20_09_24).
- cxgb4: Fix offset when clearing filter byte counters (networking-stable-20_09_24).
- Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes
- Disable module compression on SLE15 SP2 (bsc#1178307)
- dmaengine: dw: Activate FIFO-mode for memory peripherals only (git-fixes).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- futex: Adjust absolute futex timeouts with per time namespace offset (bsc#1164648).
- futex: Consistently use fshared as boolean (bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1149032).
- futex: Remove put_futex_key() (bsc#1149032).
- futex: Remove unused or redundant includes (bsc#1149032).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- icmp: randomize the global rate limiter (git-fixes).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- ipv4: Initialize flowi4_multipath_hash in data path (networking-stable-20_09_24).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
- ipv4: Update exception handling for multipath routes via same device (networking-stable-20_09_24).
- ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24).
- ipv6: Fix sysctl max for fib_multipath_hash_policy (networking-stable-20_09_11).
- ipvlan: fix device features (networking-stable-20_08_24).
- kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (git-fixes).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178177).
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes).
- media: i2c: ov5640: Remain in power down for DVP mode unless streaming (git-fixes).
- media: i2c: ov5640: Separate out mipi configuration from s_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes).
- media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mm: fix a race during THP splitting (bsc#1178255).
- mm: madvise: fix vma user-after-free (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- module: Correctly truncate sysfs sections output (git-fixes).
- module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes).
- module: Refactor section attr into bin attribute (git-fixes).
- module: statically initialize init section freeing data (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- net/core: check length before updating Ethertype in skb_mpls_{push,pop} (git-fixes).
- net/mlx5: Fix FTE cleanup (networking-stable-20_09_24).
- net/mlx5e: Enable adding peer miss rules only if merged eswitch is supported (networking-stable-20_09_24).
- net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported (networking-stable-20_09_24).
- net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow (networking-stable-20_08_24).
- net/smc: Prevent kernel-infoleak in __smc_diag_dump() (networking-stable-20_08_24).
- net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU (networking-stable-20_09_24).
- net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (networking-stable-20_09_24).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: dsa: b53: check for timeout (networking-stable-20_08_24).
- net: dsa: rtl8366: Properly clear member config (networking-stable-20_09_24).
- net: fec: correct the error path for regulator disable in probe (networking-stable-20_08_24).
- net: Fix bridge enslavement failure (networking-stable-20_09_24).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- net: lantiq: Disable IRQs only if NAPI gets scheduled (networking-stable-20_09_24).
- net: lantiq: Use napi_complete_done() (networking-stable-20_09_24).
- net: lantiq: use netif_tx_napi_add() for TX NAPI (networking-stable-20_09_24).
- net: lantiq: Wake TX queue again (networking-stable-20_09_24).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: phy: Do not warn in phy_stop() on PHY_DOWN (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant (networking-stable-20_09_24).
- net: sctp: Fix negotiation of the number of data streams (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- nfp: use correct define to return NONE fec (networking-stable-20_09_24).
- PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes).
- r8169: fix issue with forced threading in combination with shared interrupts (git-fixes).
- rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886) The in-tree KMP that is built with SLE kernels have a different scriptlet that is embedded in kernel-binary.spec.in rather than *.sh files.
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- rtl8xxxu: prevent potential memory leak (git-fixes).
- rtw88: increse the size of rx buffer size (git-fixes).
- s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177799 LTC#188733).
- s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- selftests/timers: Turn off timeout setting (git-fixes).
- spi: spi-s3c64xx: Check return values (git-fixes).
- spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and s3c64xx_enable_datapath() (git-fixes).
- taprio: Fix allowing too small intervals (networking-stable-20_09_24).
- time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: Fix memory leak in tipc_group_create_member() (networking-stable-20_09_24).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: handle broken union descriptors (git-fixes).
- usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc3: simple: add support for Hikey 970 (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xfs: fix high key handling in the rt allocator's query_range function (git-fixes).
- xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files (git-fixes).
- xfs: limit entries returned when counting fsmap records (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3358-1
Released:    Tue Nov 17 13:17:10 2020
Summary:     Security update for tcpdump
Type:        security
Severity:    moderate
References:  1178466,CVE-2020-8037
This update for tcpdump fixes the following issues:

- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows dropping the workaround that consisted of cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3382-1
Released:    Thu Nov 19 11:03:01 2020
Summary:     Recommended update for dmidecode
Type:        recommended
Severity:    moderate
References:  1174257
This update for dmidecode fixes the following issues:

- Add partial support for SMBIOS 3.4.0. (bsc#1174257)
- Skip details of uninstalled memory modules. (bsc#1174257)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3412-1
Released:    Thu Nov 19 12:44:57 2020
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1027519,1177950,1178591,CVE-2020-28368
This update for xen fixes the following issues:

Security issue fixed:

- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591).

Non-security issues fixed:

- Updated to Xen 4.13.2 bug fix release (bsc#1027519).
- Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519).
- Adjusted help for --max_iters, default is 5 (bsc#1177950).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3420-1
Released:    Thu Nov 19 13:40:55 2020
Summary:     Recommended update for multipath-tools
Type:        recommended
Severity:    moderate
References:  1162896,1178354
This update for multipath-tools fixes the following issues:

- Avoid reading files extensions other than '.conf' from config dir. (bsc#1162896)
- Fix wrong usage of '%service_del_preun -n' macro in spec file. (bsc#1178354)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3461-1
Released:    Fri Nov 20 13:09:07 2020
Summary:     Recommended update for bind
Type:        recommended
Severity:    low
References:  1177983
This update for bind fixes the following issue:

- Build the 'Administrator Reference Manual' which is built using python3-Sphinx (bsc#1177983)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3478-1
Released:    Mon Nov 23 09:33:17 2020
Summary:     Security update for c-ares
Type:        security
Severity:    moderate
References:  1178882,CVE-2020-8277
This update for c-ares fixes the following issues:

- Version update to 1.17.0
  * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882)
  * For further details see https://c-ares.haxx.se/changelog.html

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3481-1
Released:    Mon Nov 23 11:17:09 2020
Summary:     Optional update for vim
Type:        optional
Severity:    low
References:  1166602,1173256,1174564,1176549
This update for vim doesn't fix any user visible issues and it is optional to install.

- Introduce vim-small package with reduced requirements for small installations (bsc#1166602).
- Stop owning /etc/vimrc so the old, distro provided config actually gets removed. 
- Own some dirs in vim-data-common so installation of vim-small doesn't leave unowned directories. (bsc#1173256)
- Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3498-1
Released:    Tue Nov 24 13:07:16 2020
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1164076,1177811,1178217
This update for dracut fixes the following issues:

- Update from version 049.1+suse.156.g7d852636 to version 049.1+suse.171.g65b2addf:
  - dracut.sh: FIPS workaround for openssl-libs (bsc#1178217)
  - 01fips: turn info calls into fips_info calls (bsc#1164076)
  - 00systemd: add missing cryptsetup-related targets (bsc#1177811)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3517-1
Released:    Wed Nov 25 13:36:40 2020
Summary:     Recommended update for cpupower
Type:        recommended
Severity:    moderate
References:  1177394
This update for cpupower fixes the following issue:

- Add AMD Family 19h support. (bsc#1177394)
  
  Family 19h processors have the same RAPL (Running average power limit) hardware register interface as Family 
  17h processors. Change the family checks to succeed for Family 17h and above to enable core and package energy 
  measurement on Family 19h machines.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3534-1
Released:    Thu Nov 26 15:12:41 2020
Summary:     Recommended update for kdump
Type:        recommended
Severity:    important
References:  1173914,1177196
This update for kdump fixes the following issues:

- Remove `console=hvc0` from command line. (bsc#1173914)
- Set serial console from Xen command line. (bsc#1173914)
- Do not add `rd.neednet=1` to dracut command line. (bsc#1177196)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3540-1
Released:    Thu Nov 26 15:57:16 2020
Summary:     Recommended update for wicked
Type:        recommended
Severity:    moderate
References:  1168155,1171234,1172082,1174099,959556
This update for wicked fixes the following issues:

- Fix to avoid incomplete ifdown/timeout on route deletion error. (bsc#1174099)
- Allow 'linuxrc' to send 'RFC2132' without providing the MAC address. (jsc#SLE-15770)
- Fixes to ifreload on port changes. (bsc#1168155, bsc#1172082)
- Fix schema to use correct 'hwaddr_policy' property. (bsc#1171234)
- Enable IPv6 on ports when 'nsna_ping' linkwatch is used. (bsc#959556)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3566-1
Released:    Mon Nov 30 16:56:52 2020
Summary:     Security update for python-setuptools
Type:        security
Severity:    important
References:  1176262,CVE-2019-20916
This update for python-setuptools fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3570-1
Released:    Mon Nov 30 17:14:35 2020
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1178288
This update for rsyslog fixes the following issue:

- Fix location and naming of journald dropin. (bsc#1178288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released:    Tue Dec  1 14:40:22 2020
Summary:     Recommended update for libusb-1_0
Type:        recommended
Severity:    moderate
References:  1178376
This update for libusb-1_0 fixes the following issues:

- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3593-1
Released:    Wed Dec  2 10:33:49 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1176262,1179193,CVE-2019-20916
This update for python3 fixes the following issues:

Update to 3.6.12 (bsc#1179193), including:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3615-1
Released:    Thu Dec  3 10:02:02 2020
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1177409,1177412,1177413,1177414,1178591,1178963,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
This update for xen fixes the following issues:

- bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3616-1
Released:    Thu Dec  3 10:56:12 2020
Summary:     Recommended update for c-ares
Type:        recommended
Severity:    moderate
References:  1178882


- Fixed incomplete c-ares-devel dependencies introduced by the previous update (bsc#1178882).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3619-1
Released:    Thu Dec  3 14:40:33 2020
Summary:     Recommended update for cloud-netconfig, google-guest-agent
Type:        recommended
Severity:    moderate
References:  1159460,1178486,1179031,1179032
This update for cloud-netconfig, google-guest-agent fixes the following issues:

cloud-netconfig:

- Update to version 1.5:
  + Add support for GCE (bsc#1159460, bsc#1178486)
  + Improve default gateway determination

google-guest-agent:

- Update to version 20201026.00
  * remove old unused workflow files
  * fallback to IP for metadata
  * getPasswd: Check full prefix of line for username

- dont_overwrite_ifcfg.patch: Do not overwrite existing ifcfg files
  to allow manual configuration and compatibility with
  cloud-netconfig. (bsc#1159460, bsc#1178486)

- Update to version 20200929.00
  * correct varname
  * don't call dhclient -x on network setup
  * add instance id dir override
  * update agent systemd service file
  * typo, change to noadjfile
  * add gaohannk to OWNERS
  * remove illfelder from OWNERS
  * Add all license files to packages

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released:    Thu Dec  3 17:03:55 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of the user's name that is at least `<N>` characters long, in
  some form. This is enabled by the new parameter `usersubstr=<N>`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3626-1
Released:    Fri Dec  4 13:51:46 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1179515
This update for audit fixes the following issues:

- Enable Aarch64 processor support. (bsc#1179515) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released:    Mon Dec  7 20:17:32 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1179431
This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)


