SUSE-IU-2020:117-1: Security update of suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64
sle-security-updates at lists.suse.com
Mon Dec 14 03:22:53 MST 2020
SUSE Image Update Advisory: suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2020:117-1
Image Tags : suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64:20201210
Image Release :
Severity : important
Type : security
References : (see the References field of each advisory below)
-----------------------------------------------------------------
The container suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1541-1
Released: Thu Jun 4 13:23:27 2020
Summary: Recommended update for pciutils
Type: recommended
Severity: moderate
References: 1170554
This update for pciutils fixes the following issues:
- Fix lspci output when some of the VPD data fields are displayed as unknown. (bsc#1170554, ltc#185587)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1542-1
Released: Thu Jun 4 13:24:37 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1172055
This update for timezone fixes the following issue:
- zdump --version reported 'unknown' (bsc#1172055)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1551-1
Released: Mon Jun 8 09:31:41 2020
Summary: Security update for vim
Type: security
Severity: moderate
References: 1172225,CVE-2019-20807
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1558-1
Released: Mon Jun 8 10:36:32 2020
Summary: Recommended update for chrony
Type: recommended
Severity: moderate
References: 1172113
This update for chrony fixes the following issue:
- Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1559-1
Released: Mon Jun 8 10:38:24 2020
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1171388,975267
This update for dracut fixes the following issues:
- Detect the sysfs attribute 'is_boot_target' (bsc#975267, bsc#1171388)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released: Tue Jun 9 17:05:23 2020
Summary: Recommended update for audit
Type: recommended
Severity: important
References: 1156159,1172295
This update for audit fixes the following issues:
- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released: Tue Jun 9 18:39:15 2020
Summary: Security update for gnutls
Type: security
Severity: important
References: 1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:
- CVE-2020-13777: Fixed an insecure session ticket key construction which could
have caused the TLS server not to bind the session ticket encryption key to a
value supplied by the application until the initial key rotation, allowing
an attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (bsc#1172506).
- Fixed improper handling of certificate chains with cross-signed intermediate
CA certificates (bsc#1172461).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released: Fri Jun 12 09:38:05 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.13 to fix:
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin
libzypp was updated to 17.23.4 to fix:
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
(fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
wants to be able to get rid of the nginx/FastCGI-devel build
requirement. Use 'rpmbuild --without mediabackend_tests' or
'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv
supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
packages are available. Avoid using retracted items as candidate
(jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
It's actually not needed and for this to work also libsolv needs
to support it. You can still use a librpmDb::db_const_iterator to
access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings
(bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
(jsc#SLE-5116)
zypper was updated to version 1.14.36:
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search table status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
supplementing zypper means zypper-aptitude gets installed by
default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- Fix typo 'accoring' to 'according' in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1634-1
Released: Wed Jun 17 10:35:38 2020
Summary: Security update for xen
Type: security
Severity: important
References: 1167152,1168140,1168142,1168143,1169392,1172205,CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743
This update for xen fixes the following issues:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have leaked values read on one core to other cores.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).
- Xenstored Crashed during VM install (bsc#1167152)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1640-1
Released: Wed Jun 17 15:46:04 2020
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1166409,1166513
This update for grub2 fixes the following issues:
- Implement support searching for specific config files for netboot. (bsc#1166409)
- Skip zfcpdump kernel from the grub boot menu (bsc#1166513)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1657-1
Released: Thu Jun 18 10:49:53 2020
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type: security
Severity: moderate
References: 1172377,CVE-2020-13401
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker was updated to 19.03.11-ce
runc was updated to version 1.0.0-rc10
containerd was updated to version 1.2.13
- CVE-2020-13401: Fixed an issue where an attacker with the CAP_NET_RAW capability could have crafted IPv6 router
advertisements and spoofed external IPv6 hosts, resulting in obtaining sensitive information or causing denial
of service (bsc#1172377).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1663-1
Released: Thu Jun 18 11:17:18 2020
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1050244,1051510,1051858,1058115,1061840,1065600,1065729,1071995,1085030,1086301,1086313,1086314,1089895,1109911,1114279,1118338,1120386,1134973,1143959,1144333,1151910,1151927,1153917,1154243,1154824,1156286,1157155,1157157,1157692,1158013,1158021,1158026,1158265,1158819,1159028,1159198,1159271,1159285,1159394,1159483,1159484,1159569,1159588,1159841,1159908,1159909,1159910,1159911,1159955,1160195,1160210,1160211,1160218,1160433,1160442,1160476,1160560,1160755,1160756,1160784,1160787,1160802,1160803,1160804,1160917,1160966,1161087,1161514,1161518,1161522,1161523,1161549,1161552,1161555,1161674,1161931,1161933,1161934,1161935,1161936,1161937,1161951,1162067,1162109,1162139,1162928,1162929,1162931,1163971,1164051,1164069,1164078,1164705,1164712,1164727,1164728,1164729,1164730,1164731,1164732,1164733,1164734,1164735,1164871,1165111,1165741,1165873,1165881,1165984,1165985,1166969,1167421,1167423,1167629,1168075,1168276,1168295,1168424,1168670,1168829,1168854,1169390,1169514,1169625,1170056,1170345,1170617,1170618,1170621,1170778,1170901,1171098,1171189,1171191,1171195,1171202,1171205,1171217,1171218,1171219,1171220,1171689,1171982,1171983,1172221,1172317,1172453,1172458,CVE-2018-1000199,CVE-2019-14615,CVE-2019-14896,CVE-2019-14897,CVE-2019-16994,CVE-2019-19036,CVE-2019-19045,CVE-2019-19054,CVE-2019-19318,CVE-2019-19319,CVE-2019-19447,CVE-2019-19462,CVE-2019-19768,CVE-2019-19770,CVE-2019-19965,CVE-2019-19966,CVE-2019-20054,CVE-2019-20095,CVE-2019-20096,CVE-2019-20810,CVE-2019-20812,CVE-2019-3701,CVE-2019-9455,CVE-2019-9458,CVE-2020-0543,CVE-2020-10690,CVE-2020-10711,CVE-2020-10720,CVE-2020-10732,CVE-2020-10751,CVE-2020-10757,CVE-2020-10942,CVE-2020-11494,CVE-2020-11608,CVE-2020-11609,CVE-2020-11669,CVE-2020-12114,CVE-2020-12464,CVE-2020-12652,CVE-2020-12653,CVE-2020-12654,CVE-2020-12655,CVE-2020-12656,CVE-2020-12657,CVE-2020-12769,CVE-2020-13143,CVE-2020-2732,CVE-2020-7053,CVE-2020-8428,CVE-2020-8647,CVE-2020-8648,CVE-2020-8649,CVE-2020-8834,CVE-2020-8992,CVE-2020-9383
The SUSE Linux Enterprise 15 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have leaked values read on one core to other cores.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111).
- CVE-2020-8992: Fixed an issue which could have allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069).
- CVE-2020-8834: Fixed a stack corruption which could have lead to kernel panic (bsc#1168276).
- CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931).
- CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).
- CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929).
- CVE-2020-8428: Fixed a use-after-free which could have allowed local users to cause a denial of service (bsc#1162109).
- CVE-2020-7053: Fixed a use-after-free in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bsc#1160966).
- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-11609: Fixed a null pointer dereference due to improper handling of descriptors (bsc#1168854).
- CVE-2020-11608: Fixed a null pointer dereference via a crafted USB device (bsc#1168829).
- CVE-2020-11494: Fixed an issue which could have allowed attackers to read uninitialized can_frame data (bsc#1168424).
- CVE-2020-10942: Fixed a kernel stack corruption via crafted system calls (bsc#1167629).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9458: Fixed a use-after-free due to a race condition which could have led to privilege escalation (bsc#1168295).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bsc#1120386).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20810: Fixed a memory leak due to snd_card_free not being called (bsc#1172458).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which could have caused denial of service (bsc#1159908).
- CVE-2019-20095: Fixed improper error-handling cases that did not free allocated hostcmd memory, causing a memory leak (bsc#1159909).
- CVE-2019-20054: Fixed a null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bsc#1159910).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() which could have caused denial of service (bsc#1159841).
- CVE-2019-19965: Fixed a null pointer dereference, due to mishandling of port disconnection during discovery (bsc#1159911).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285).
- CVE-2019-19462: Fixed an issue which could have allowed local users to cause a denial of service (bsc#1158265).
- CVE-2019-19447: Fixed a use-after-free via a crafted ext4 filesystem image (bsc#1158819).
- CVE-2019-19319: Fixed a use-after-free when a large old_size value is used in a memset call (bsc#1158021).
- CVE-2019-19318: Fixed a use after free via a crafted btrfs image (bsc#1158026).
- CVE-2019-19054: Fixed a memory leak in the cx23888_ir_probe() which could have allowed attackers to cause a denial of service (bsc#1161518).
- CVE-2019-19045: Fixed a memory leak which could have allowed attackers to cause a denial of service (bsc#1161522).
- CVE-2019-19036: Fixed a null pointer dereference in btrfs_root_node (bsc#1157692).
- CVE-2019-16994: Fixed a memory leak which might have caused denial of service (bsc#1161523).
- CVE-2019-14897: Fixed a stack overflow in Marvell Wifi Driver (bsc#1157155).
- CVE-2019-14896: Fixed a heap overflow in Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14615: Fixed an improper control flow in certain data structures which could have led to information disclosure (bsc#1160195).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).
The following non-security bugs were fixed:
- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- af_packet: set default value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: wm8962: fix lambda value (git-fixes).
- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
- ath9k: fix storage endpoint lookup (git-fixes).
- Fix a typo in %kernel_base_conflicts macro name
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- bonding: fix active-backup transition after link failure (git-fixes).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
- btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
- btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
- btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- btrfs: harden against duplicate fsid on scanned devices (bsc#1134973).
- btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- btrfs: skip log replay on orphaned roots (bsc#1161935).
- btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
- btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
- btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
- btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
- CIFS: add support for flock (bsc#1144333).
- CIFS: Close cached root handle only if it had a lease (bsc#1144333).
- CIFS: Close open handle after interrupted close (bsc#1144333).
- CIFS: close the shared root handle on tree disconnect (bsc#1144333).
- CIFS: Do not miss cancelled OPEN responses (bsc#1144333).
- CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333).
- CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- CIFS: Fix mount options set in automount (bsc#1144333).
- CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333).
- CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
- CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
- CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
- CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
- CIFS: Properly process SMB3 lease breaks (bsc#1144333).
- CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
- CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170621).
- copy/pasted 'Recommends:' instead of 'Provides:', 'Obsoletes:' and 'Conflicts:
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170617).
- drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170617).
- drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170617).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915: Add missing include file <linux/math64.h> (bsc#1051510).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- exit: panic before exit_mm() on global init exit (bsc#1161549).
- extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).
- firestream: fix memory leaks (bsc#1051510).
- fix autofs regression caused by follow_managed() changes (bsc#1159271).
- fix dget_parent() fastpath race (bsc#1159271).
- Fix partial checked out tree build ... so that bisection does not break.
- fjes: fix missed check in fjes_acpi_add (bsc#1051510).
- fs: cifs: Fix atime update check vs mtime (bsc#1144333).
- fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
- fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace: Avoid potential division by zero in function profiler (bsc#1160784).
- futex: Prevent robust futex exit race (bsc#1161555).
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).
- hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).
- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).
- hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).
- i2c: imx: do not print error message on probe defer (bsc#1051510).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- iommu: Remove device link to group on failure (bsc#1160755).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- kABI: protect struct sctp_ep_common (kabi).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ('rpm/kernel-subpackage-spec: Unify dependency handling.') Fixes: 3fd22e219f77 ('rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)')
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert 'mmc: sdhci-of-esdhc: add erratum A-009204 support' (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: pn533: fix bulk-message timeout (bsc#1051510).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301).
- r8152: add missing endpoint sanity check (bsc#1051510).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- Revert 'Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers' (bsc#1051510).
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- Revert 'mmc: sdhci: Fix incorrect switch to HS mode' (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- smb3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: remove confusing dmesg when mounting with encryption ('seal') (bsc#1144333).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- USB: Allow USB device to be warm reset in suspended state (bsc#1051510).
- USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- USB: core: urb: fix URB structure initialization function (bsc#1051510).
- USB: documentation: flags on usb-storage versus UAS (bsc#1051510).
- USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
- USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
- USB: dwc3: ep0: Clear started flag on completion (bsc#1051510).
- USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
- USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- USB: gadget: pch_udc: fix use after free (bsc#1051510).
- USB: gadget: u_serial: add missing port entry locking (bsc#1051510).
- USB: gadget: Zero ffs_io_data (bsc#1051510).
- USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
- USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
- USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
- USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
- USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
- USB: serial: ir-usb: fix IrLAP framing (bsc#1051510).
- USB: serial: ir-usb: fix link-speed handling (bsc#1051510).
- USB: serial: keyspan: handle unbound ports (bsc#1051510).
- USB: serial: opticon: fix control-message timeouts (bsc#1051510).
- USB: serial: option: Add support for Quectel RM500Q (bsc#1051510).
- USB: serial: quatech2: handle unbound ports (bsc#1051510).
- USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
- USB: serial: suppress driver bind attributes (bsc#1051510).
- USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).
- USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510).
- USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510).
- USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115).
- x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115).
- x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115).
- x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115).
- x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617).
- x86/Hyper-V: report value of misc_features (git-fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115).
- x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115).
- x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115).
- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115).
- x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115).
- x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115).
- x86/xen: fix booting 32-bit pv guest (bsc#1071995).
- x86/xen: Make the boot CPU idle task reliable (bsc#1071995).
- x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released: Thu Jun 18 18:16:39 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: important
References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr was updated to version 4.25
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1679-1
Released: Thu Jun 18 20:07:06 2020
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1170154,1171546,1171995
This update for cloud-init contains the following fixes:
- rsyslog warning, '~' is deprecated (bsc#1170154)
+ Replace the deprecated syntax '& ~' with '& stop'; for more information
see https://www.rsyslog.com/rsyslog-error-2307/.
+ Explicitly test for netconfig version 1 as well as 2.
+ Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in the regular expression compiler which could have
allowed overwriting of allocated memory with attacker-controlled data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of a Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an issue where an attacker could corrupt the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released: Thu Jun 25 18:46:13 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1157315,1162698,1164538,1169488,1171145,1172072
This update for systemd fixes the following issues:
- Merge branch 'SUSE/v234' into SLE15
+ units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
+ core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
+ mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
+ mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
+ udev: rename the persistent link for ATA devices (bsc#1164538)
+ shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
+ tmpfiles: remove unnecessary assert (bsc#1171145)
+ test-engine: manager_free() was called too early
+ pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released: Fri Jun 26 08:05:59 2020
Summary: Security update for curl
Type: security
Severity: important
References: 1173027,CVE-2020-8177
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious
server to overwrite a local file when using the -J option (bsc#1173027).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1820-1
Released: Thu Jul 2 08:38:44 2020
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1161573
This update for dracut fixes the following issue:
- Fix dracut timeout on missing root device (bsc#1161573)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1822-1
Released: Thu Jul 2 11:30:42 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1173274,CVE-2020-14422
This update for python3 fixes the following issues:
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released: Fri Jul 3 12:33:05 2020
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1082318,1133297
This update for zstd fixes the following issues:
- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1850-1
Released: Mon Jul 6 14:44:39 2020
Summary: Security update for mozilla-nss
Type: security
Severity: moderate
References: 1168669,1173032,CVE-2020-12402
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1852-1
Released: Mon Jul 6 16:50:23 2020
Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts
Type: recommended
Severity: moderate
References: 1169444
This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:
- Support transforming bitmap glyphs from python. (bsc#1169444)
- Allow python-Sphinx >= 3
Changes in ttf-converter:
- Update from version 1.0 to version 1.0.6:
* ftdump is now shipped additionally as new dependency for ttf-converter
* Standardize output when converting vector and bitmap fonts
* Add more subfamilies fixes (bsc#1169444)
* Add --family and --subfamily arguments to force values on those fields
* Add parameters to fix glyph unicode values
--fix-glyph-unicode : Try to fix unicode points and glyph names
based on glyph names containing hexadecimal codes (like
'$0C00', 'char12345' or 'uni004F')
--replace-unicode-values: When passed 2 comma separated numbers
a,b the glyph with a unicode value of a is replaced with the
unicode value b. Can be used more than once.
--shift-unicode-values: When passed 3 comma separated numbers
a,b,c this shifts the unicode values of glyphs between a and b
(both included) by adding c. Can be used more than once.
* Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444)
When used, all glyphs are modified with the transformation function and
values passed as parameters. The parameter has three values separated by
commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff
* Add support to convert bitmap fonts (bsc#1169444)
* Rename MediumItalic subfamily to Medium Italic
* Show some more information when removing duplicated glyphs
* Add a --force-monospaced argument instead of hardcoding font names
* Convert `BoldCond` subfamily to `Bold Condensed`
* Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41)
* Add a --version argument
* Fix subfamily names so the converted font's subfamily matches the original one. (bsc#1169444 #c41)
Changes in xorg-x11-fonts:
- Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
- Include the subfamily in the filename of converted fonts
- Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
- Replace some unicode values in cu-pua12.pcf.gz to fix them
- Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs
don't pretend to be latin characters when they're not.
- Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444)
Bitstream-Charter-*.otb, Cursor.ttf, Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular,
MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular
Changes in ghostscript-fonts:
- Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41)
Use the --force-monospaced argument of ttf-converter 1.0.3
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released: Mon Jul 6 17:05:51 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1858-1
Released: Mon Jul 6 17:08:06 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883
This update for permissions fixes the following issues:
- Removed conflicting entries which might expose pcp to security issues (bsc#1171883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released: Tue Jul 7 15:08:12 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.14:
- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule()
(bnc#1172135)
- Support rules with multiple negative literals in choice rule
generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin
libzypp was updated to 17.23.7:
- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
(fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
zypp instance.
- Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
wants to be able to get rid of the nginx/FastCGI-devel build
requirement. Use 'rpmbuild --without mediabackend_tests' or
'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libsolv
supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
packages are available. Avoid using retracted items as candidate
(jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path.
It's actually not needed, and for this to work libsolv would also need
to support it. You can still use a librpmDb::db_const_iterator to
access a database at a custom location (read-only).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)
zypper was updated to 1.14.37:
- Reformat manpages to workaround asciidoctor shortcomings
(bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
(jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tables status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
legacy distributions (bsc#1164543)
- Correctly detect ambiguous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
Supplementing zypper means zypper-aptitude gets installed by
default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1888-1
Released: Fri Jul 10 15:51:12 2020
Summary: Security update for xen
Type: security
Severity: important
References: 1173376,1173377,1173378,1173380,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
This update for xen fixes the following issues:
- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15566: Fixed incorrect error handling in event channel port allocation (bsc#1173376).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1953-1
Released: Sat Jul 18 03:06:11 2020
Summary: Recommended update for parted
Type: recommended
Severity: important
References: 1164260
This update for parted fixes the following issue:
- fix support of NVDIMM (pmemXs) devices (bsc#1164260)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1986-1
Released: Tue Jul 21 16:06:29 2020
Summary: Recommended update for openvswitch
Type: recommended
Severity: moderate
References: 1172861,1172929
This update for openvswitch fixes the following issues:
- Preserve the old default OVS_USER_ID for users that removed the override at /etc/sysconfig/openvswitch. (bsc#1172861)
- Fix possible changes of openvswitch configuration during upgrades. (bsc#1172929)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1999-1
Released: Wed Jul 22 09:04:32 2020
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1172807
This update for dracut fixes the following issues:
- PXE boot process times out (bsc#1172807)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2073-1
Released: Wed Jul 29 18:59:25 2020
Summary: Security update for grub2
Type: security
Severity: important
References: 1168994,1173812,1174463,1174570,CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
This update for grub2 fixes the following issues:
- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released: Thu Jul 30 10:27:59 2020
Summary: Recommended update for diffutils
Type: recommended
Severity: moderate
References: 1156913
This update for diffutils fixes the following issue:
- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released: Fri Jul 31 08:06:40 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1173227,1173229,1173422
This update for systemd fixes the following issues:
- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)
The marker is used to make sure the script is run only once. Instead
of storing it in /usr, use /var which is more appropriate for such
file.
Also make it owned by systemd package.
- Fix inconsistent file modes for some ghost files (bsc#1173227)
Ghost files are assumed by rpm to have mode 000 by default which is
not consistent with file permissions set at runtime.
Also /var/lib/systemd/random-seed was tracked wrongly as a
directory.
Also don't track (ghost) /etc/systemd/system/runlevel*.target
aliases since we're not supposed to track units or aliases user
might define/override.
- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2106-1
Released: Mon Aug 3 16:43:48 2020
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1051510,1065729,1071995,1104967,1152107,1158755,1162002,1170011,1171078,1171673,1171732,1171868,1172257,1172775,1172781,1172782,1172783,1172999,1173265,1173280,1173514,1173567,1173573,1173659,1173999,1174000,1174115,1174462,1174543,CVE-2019-16746,CVE-2019-20908,CVE-2020-0305,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768,CVE-2020-10769,CVE-2020-10773,CVE-2020-12771,CVE-2020-12888,CVE-2020-13974,CVE-2020-14416,CVE-2020-15393,CVE-2020-15780
The SUSE Linux Enterprise 15 GA LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c where incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032 (bnc#1173567).
- CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573).
- CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c had a memory leak, aka CID-28ebeb8db770 (bnc#1173514).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c which did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107 1173659).
- CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).
- CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload is longer than 4 bytes and does not follow the 4-byte alignment boundary guidelines, it causes a buffer over-read, leading to a system crash. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-10768: Indirect branch speculation could have been enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command. (bnc#1172783).
- CVE-2020-10766: Fixed Rogue cross-process SSBD shutdown, where a Linux scheduler logical bug allows an attacker to turn off the SSBD protection. (bnc#1172781).
- CVE-2020-10767: Indirect Branch Prediction Barrier was force-disabled when STIBP is unavailable or enhanced IBRS is available. (bnc#1172782).
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059 (bnc#1172775).
The following non-security bugs were fixed:
- Merge ibmvnic reset fixes (bsc#1158755 ltc#182094).
- block, bfq: add requeue-request hook (bsc#1104967 bsc#1171673).
- block, bfq: postpone rq preparation to insert or merge (bsc#1104967 bsc#1171673).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995).
- livepatch: Disallow vmlinux.ko (bsc#1071995).
- livepatch: Make klp_apply_object_relocs static (bsc#1071995).
- livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995).
- livepatch: Remove .klp.arch (bsc#1071995).
- vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1051510).
- vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1174000).
- vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1051510).
- vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1173999).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1172257).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2159-1
Released: Thu Aug 6 20:05:30 2020
Summary: Security update for xen
Type: security
Severity: important
References: 1172356,1174543
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1172356 - Not able to hot-plug NIC via virt-manager, asks to attach on next
reboot while it should be live attached
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2208-1
Released: Tue Aug 11 17:25:45 2020
Summary: Recommended update for rsyslog
Type: recommended
Severity: important
References: 1173338
This update for rsyslog fixes the following issues:
- Fix for logrotate to avoid unexpected exit with coredump after logrotate. (bsc#1173338)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2219-1
Released: Wed Aug 12 15:47:42 2020
Summary: Recommended update for supportutils-plugin-suse-public-cloud and python3-azuremetadata
Type: recommended
Severity: moderate
References: 1170475,1170476,1173238,1173240,1173357,1174618,1174847
This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues:
supportutils-plugin-suse-public-cloud:
- Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt
are installed at the same time (bsc#1174618)
- Sensitive information such as credentials (for example access keys) is removed when the
metadata is collected (bsc#1170475, bsc#1170476)
python3-azuremetadata:
- Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240)
- Detects when the VM is running in ASM (Azure Classic) and now handles that case,
generating the data without requiring access to the full IMDS, which is only available
in ARM instances (bsc#1173357, bsc#1174847)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2221-1
Released: Thu Aug 13 09:06:20 2020
Summary: Recommended update for SUSEConnect
Type: recommended
Severity: moderate
References: 1130864,1155911,1160007
This update for SUSEConnect fixes the following issues:
Update from version 0.3.22 to version 0.3.25
- Don't fail de-activation when '-release' package already got removed.
- Fix cloud_provider detection on AWS large instances. (bsc#1160007)
- Forbid de-registration for on-demand Public Cloud instances. (bsc#1155911)
- Setup customer_center on read-only boot system. (bsc#1130864)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2223-1
Released: Thu Aug 13 09:12:03 2020
Summary: Recommended update for zypper-migration-plugin
Type: recommended
Severity: moderate
References: 1100137,1107238,1171652
This update for zypper-migration-plugin fixes the following issues:
- Fix for an issue when not all release packages are installed after migration. (bsc#1171652)
- Fix for snapper configuration to avoid migration failures. (jira#SLE-7752)
- Fix for the issue where the zypper migration tool does not return a proper exit code if the product is not mirrored on the registration server. (bsc#1107238)
- Fix for failing salt migration by checking for a closed standard input. (bsc#1100137)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2224-1
Released: Thu Aug 13 09:15:47 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1171878,1172085
This update for glibc fixes the following issues:
- Fix concurrent changes to nscd-aware files, as observed via 'getent', when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
- Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2243-1
Released: Fri Aug 14 15:27:12 2020
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1174782,1175036,1175060
This update for grub2 fixes the following issues:
- A potential regression has been fixed that would cause systems with an
updated 'grub2' to no longer boot due to a missing 'grub-calloc' linker
symbol. (bsc#1174782)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2256-1
Released: Mon Aug 17 15:08:46 2020
Summary: Recommended update for sysfsutils
Type: recommended
Severity: moderate
References: 1155305
This update for sysfsutils fixes the following issue:
- Fix cdev name comparison. (bsc#1155305)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2277-1
Released: Wed Aug 19 13:24:03 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1174091,CVE-2019-20907
This update for python3 fixes the following issues:
- bsc#1174091, CVE-2019-20907: Avoid a possible infinite loop in a specifically crafted tarball.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2279-1
Released: Wed Aug 19 21:26:55 2020
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1173106,1174011
This update for libzypp fixes the following issues:
- Proactively send credentials if the URL specifies '?auth=basic' and a username.
(bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)
- Completely rework the purge-kernels algorithm. The new code is closer to the original
perl script, grouping the packages by name before applying the keep spec. (bsc#1173106)
- Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2284-1
Released: Thu Aug 20 16:04:17 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1010996,1071152,1071390,1154871,1174673,973042
This update for ca-certificates-mozilla fixes the following issues:
update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
* AddTrust External CA Root
* AddTrust Class 1 CA Root
* LuxTrust Global Root 2
* Staat der Nederlanden Root CA - G2
* Symantec Class 1 Public Primary Certification Authority - G4
* Symantec Class 2 Public Primary Certification Authority - G4
* VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
* certSIGN Root CA G2
* e-Szigno Root CA 2017
* Microsoft ECC Root Certificate Authority 2017
* Microsoft RSA Root Certificate Authority 2017
- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2296-1
Released: Mon Aug 24 10:34:37 2020
Summary: Security update for gettext-runtime
Type: security
Severity: moderate
References: 1106843,1113719,941629,CVE-2018-18751
This update for gettext-runtime fixes the following issues:
- Fix boo941629-unnessary-rpath-on-standard-path.patch (bsc#941629)
- Added msgfmt-double-free.patch to fix a double free error
(CVE-2018-18751 bsc#1113719)
- Add patch msgfmt-reset-msg-length-after-remove.patch
which resets the length of the message string after a line
has been removed (bsc#1106843)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2303-1
Released: Tue Aug 25 14:46:36 2020
Summary: Security update for grub2
Type: security
Severity: important
References: 1172745,1174421,CVE-2020-15705
This update for grub2 fixes the following issues:
- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2337-1
Released: Wed Aug 26 13:00:47 2020
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1172807
This update for dracut fixes the following issue:
- Fix typo in did setup conditional. (bsc#1172807)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2380-1
Released: Fri Aug 28 14:54:08 2020
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Type: recommended
Severity: moderate
References: 1175250,1175251
This update for supportutils-plugin-suse-public-cloud contains the following fix:
- Update to version 1.0.5: (bsc#1175250, bsc#1175251)
+ Query for new GCE initialization code packages
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released: Sat Aug 29 00:57:13 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: low
References: 1170964
This update for e2fsprogs fixes the following issues:
- Fix for an issue where system messages with placeholders were not properly replaced. (bsc#1170964)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released: Tue Sep 1 13:28:47 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:
- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
'Exec*='. (bsc#1172824, bsc#1142733)
pid1: improve message when setting up namespace fails.
execute: let's close glibc syslog channels too.
execute: normalize logging in *execute.c*.
execute: fix typo in error message.
execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
execute: make use of the new logging mode in *execute.c*
log: add a mode where we open the log fds for every single log message.
log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
execute: rework logging in *setup_keyring()* to include unit info.
execute: improve and augment execution log messages.
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released: Tue Sep 1 13:48:35 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1174551,1174736
This update for zlib provides the following fixes:
- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released: Wed Sep 2 09:33:22 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1175109,CVE-2020-8231
This update for curl fixes the following issues:
- An application that performs multiple requests with libcurl's
multi API and sets the 'CURLOPT_CONNECT_ONLY' option might, in
rare circumstances, find that when it subsequently uses the
connect-only transfer it set up, libcurl picks and uses the wrong
connection, choosing another one the application has
created since then. [bsc#1175109, CVE-2020-8231]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2458-1
Released: Wed Sep 2 15:44:30 2020
Summary: Recommended update for iputils
Type: recommended
Severity: moderate
References: 927831
This update for iputils fixes the following issue:
- ping: Remove workaround for bug in IP_RECVERR on raw sockets. (bsc#927831)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released: Wed Sep 9 13:07:07 2020
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:
- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
SANs falling back to CN validation in violation of RFC 6125.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2610-1
Released: Fri Sep 11 11:11:50 2020
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1058115,1071995,1154366,1165629,1165631,1171988,1172428,1173798,1174205,1174757,1175112,1175122,1175128,1175204,1175213,1175515,1175518,1175691,1175992,1176069,CVE-2020-10135,CVE-2020-14314,CVE-2020-14331,CVE-2020-14356,CVE-2020-14386,CVE-2020-16166,CVE-2020-1749,CVE-2020-24394
The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165629).
- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
- CVE-2020-14356: Fixed a null pointer dereference in cgroupv2 subsystem which could have led to privilege escalation (bsc#1175213).
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2020-24394: Fixed an issue which could set incorrect permissions on new filesystem objects when the filesystem lacks ACL support (bsc#1175518).
- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth might have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access (bsc#1171988).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).
The following non-security bugs were fixed:
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1175122).
- cifs: allow unlock flock and OFD lock across fork (bsc#1175122).
- cifs_atomic_open(): fix double-put on late allocation failure (bsc#1175122).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1175122).
- cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1175122).
- cifs: Clean up DFS referral cache (bsc#1175122).
- cifs: document and cleanup dfs mount (bsc#1172428 bsc#1175122).
- cifs: do not ignore the SYNC flags in getattr (bsc#1175122).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1175122).
- cifs: do not share tcons with DFS (bsc#1175122).
- cifs: ensure correct super block for DFS reconnect (bsc#1175122).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1175122).
- cifs: fiemap: do not return EINVAL if get nothing (bsc#1175122).
- cifs: Fix an error pointer dereference in cifs_mount() (bsc#1172428 bsc#1175122).
- cifs: fix double free error on share and prefix (bsc#1172428 bsc#1175122).
- cifs: fix leaked reference on requeued write (bsc#1175122).
- cifs: fix NULL dereference in match_prepath (bsc#1175122).
- cifs: Fix null pointer check in cifs_read (bsc#1175122).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1175122).
- cifs: fix potential mismatch of UNC paths (bsc#1175122).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1175122).
- cifs: Fix return value in __update_cache_entry (bsc#1175122).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1175122).
- cifs: Fix task struct use-after-free on reconnect (bsc#1175122).
- cifs: fix uninitialised lease_key in open_shroot() (bsc#1175122).
- cifs: fix uninitialized variable potential problem with network I/O cache lock patch (bsc#1175122).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1175122).
- cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1175122).
- cifs: handle empty list of targets in cifs_reconnect() (bsc#1172428 bsc#1175122).
- cifs: handle hostnames that resolve to same ip in failover (bsc#1175122).
- cifs: handle prefix paths in reconnect (bsc#1175122).
- cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect (bsc#1172428 bsc#1175122).
- cifs: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1175122).
- cifs: Introduce helpers for finding TCP connection (bsc#1175122).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1175122).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1175122).
- cifs: merge __{cifs,smb2}_reconnect[_tcon]() into cifs_tree_connect() (bsc#1172428 bsc#1175122).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1175122).
- cifs: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1175122).
- cifs: only update prefix path of DFS links in cifs_tree_connect() (bsc#1172428 bsc#1175122).
- cifs: Optimize readdir on reparse points (bsc#1175122).
- cifs: potential uninitialized error code in cifs_getattr() (bsc#1175122).
- cifs: protect updating server->dstaddr with a spinlock (bsc#1175122).
- cifs: reduce number of referral requests in DFS link lookups (bsc#1172428 bsc#1175122).
- cifs: rename reconn_inval_dfs_target() (bsc#1172428 bsc#1175122).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1175122).
- cifs: set up next DFS target before generic_ip_connect() (bsc#1175122).
- cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1175122).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1175122).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175128).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL (bsc#1175515).
- ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL (bsc#1175515).
- kabi: hide new parameter of ip6_dst_lookup_flow() (bsc#1165629).
- kabi: mask changes to struct ipv6_stub (bsc#1165629).
- mm: Avoid calling build_all_zonelists_init under hotplug context (bsc#1154366).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- scripts/git_sort/git_sort.py: add bluetooth/bluetooth-next.git repository
- selftests/livepatch: fix mem leaks in test-klp-shadow-vars (bsc#1071995).
- selftests/livepatch: more verification in test-klp-shadow-vars (bsc#1071995).
- selftests/livepatch: rework test-klp-shadow-vars (bsc#1071995).
- selftests/livepatch: simplify test-klp-callbacks busy target tests (bsc#1071995).
- smb3: fix performance regression with setting mtime (bsc#1175122).
- smb3: query attributes on file close (bsc#1175122).
- smb3: remove unused flag passed into close functions (bsc#1175122).
- Update patch reference for a tipc fix patch (bsc#1175515)
- x86/unwind/orc: Fix ORC for newly forked tasks (bsc#1058115).
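Every block on this page shares one layout: a dashed separator, then 'Advisory ID', 'Released', 'Summary', 'Type', 'Severity' and 'References' header lines (bsc numbers and CVE ids, comma separated), then the body. The following is an added example, not part of the original advisory, that reads that layout and lists the security advisories at or above a given severity together with their CVE ids. The severity ordering in SEVERITY_RANK is an assumption (the page does not define one), and the sample text is a constructed, trimmed copy of the layout of three of the entries above:

```python
import re
from dataclasses import dataclass, field

# Assumed ordering of SUSE severity labels, lowest to highest (not defined on this page).
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}

# Header lines every advisory block carries, as seen on this page.
HEADER_RE = re.compile(r"^(Advisory ID|Released|Summary|Type|Severity|References):\s*(.*)$")
SEPARATOR_RE = re.compile(r"^-{10,}$", re.M)


@dataclass
class Advisory:
    advisory_id: str
    summary: str
    kind: str          # "security" or "recommended"
    severity: str
    bugs: list = field(default_factory=list)   # bsc numbers from the References line
    cves: list = field(default_factory=list)   # CVE ids from the References line


def parse_advisories(text):
    """Split the text at the dashed separator lines and read each block's header fields."""
    advisories = []
    for block in SEPARATOR_RE.split(text):
        fields = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "Advisory ID" not in fields:
            continue  # leading text or an empty chunk between separators
        refs = [r for r in re.split(r"[,\s]+", fields.get("References", "")) if r]
        advisories.append(Advisory(
            advisory_id=fields["Advisory ID"],
            summary=fields.get("Summary", ""),
            kind=fields.get("Type", "").lower(),
            severity=fields.get("Severity", "").lower(),
            bugs=[r for r in refs if r.isdigit()],
            cves=sorted({r for r in refs if r.startswith("CVE-")}),
        ))
    return advisories


def triage(text, min_severity="important"):
    """Security advisories at or above min_severity, as (advisory_id, severity, cves)."""
    floor = SEVERITY_RANK[min_severity]
    return [(a.advisory_id, a.severity, a.cves)
            for a in parse_advisories(text)
            if a.kind == "security" and SEVERITY_RANK.get(a.severity, -1) >= floor]


# Constructed sample: three blocks in the layout of the advisories on this page
# (bodies shortened, the kernel References line trimmed to a few entries).
SAMPLE = """\
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released: Wed Sep 2 09:33:22 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1175109,CVE-2020-8231
This update for curl fixes the following issues:
- libcurl may pick the wrong connection for a CONNECT_ONLY transfer. [bsc#1175109, CVE-2020-8231]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2458-1
Released: Wed Sep 2 15:44:30 2020
Summary: Recommended update for iputils
Type: recommended
Severity: moderate
References: 927831
This update for iputils fixes the following issue:
- ping: Remove workaround for bug in IP_RECVERR on raw sockets. (bsc#927831)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2610-1
Released: Fri Sep 11 11:11:50 2020
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1165629,1176069,CVE-2020-14386,CVE-2020-1749
The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).
"""

if __name__ == "__main__":
    for advisory_id, severity, cves in triage(SAMPLE):
        print(f"{advisory_id} [{severity}] {' '.join(cves) or '(no CVE)'}")
```

Run against the full advisory text, this separates the handful of 'important' security advisories (kernel, xen, libproxy, freetype2) from the recommended updates, which is the first question a patch review of an image tag has to answer.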
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released: Fri Sep 11 11:18:01 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2617-1
Released: Mon Sep 14 10:40:04 2020
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1174443,1174444
This update for cloud-init contains the following fixes:
- Update to version 20.2 (bsc#1174443, bsc#1174444)
+ Remove patches included upstream:
- 0001-Make-tests-work-with-Python-3.8-139.patch
- cloud-init-ostack-metadat-dencode.patch
- cloud-init-use-different-random-src.diff
- cloud-init-long-pass.patch
- cloud-init-mix-static-dhcp.patch
+ Remove patches build switched to Python 3 for all distributions
- cloud-init-python2-sigpipe.patch
- cloud-init-template-py2.patch
+ Add
- cloud-init-after-kvp.diff
- cloud-init-recognize-hpc.patch
+ doc/format: reference make-mime.py instead of an inline script (#334)
+ Add docs about creating parent folders (#330) [Adrian Wilkins]
+ DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470)
+ schema: ignore spurious pylint error (#332)
+ schema: add json schema for write_files module (#152)
+ BSD: find_devs_with_ refactoring (#298) [Goneri Le Bouder]
+ nocloud: drop work around for Linux 2.6 (#324) [Goneri Le Bouder]
+ cloudinit: drop dependencies on unittest2 and contextlib2 (#322)
+ distros: handle a potential mirror filtering error case (#328)
+ log: remove unnecessary import fallback logic (#327)
+ .travis.yml: don't run integration test on ubuntu/* branches (#321)
+ More unit test documentation (#314)
+ conftest: introduce disable_subp_usage autouse fixture (#304)
+ YAML align indent sizes for docs readability (#323) [Tak Nishigori]
+ network_state: add missing space to log message (#325)
+ tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910)
+ test_mounts: expand happy path test for both happy paths (#319)
+ cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836)
+ swap file 'size' being used before checked if str (#315) [Eduardo Otubo]
+ HACKING.rst: add pytest version gotchas section (#311)
+ docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers]
+ readme: OpenBSD is now supported (#309) [Goneri Le Bouder]
+ net: ignore 'renderer' key in netplan config (#306) (LP: #1870421)
+ Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370)
+ openbsd: set_passwd should not unlock user (#289) [Goneri Le Bouder]
+ tools/.github-cla-signers: add beezly as CLA signer (#301)
+ util: remove unnecessary lru_cache import fallback (#299)
+ HACKING.rst: reorganise/update CLA signature info (#297)
+ distros: drop leading/trailing hyphens from mirror URL labels (#296)
+ HACKING.rst: add note about variable annotations (#295)
+ CiTestCase: stop using and remove sys_exit helper (#283)
+ distros: replace invalid characters in mirror URLs with hyphens (#291)
(LP: #1868232)
+ rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy]
+ Fix cloud-init ignoring some misdeclared mimetypes in user-data.
[Kurt Garloff]
+ net: ubuntu focal prioritize netplan over eni even if both present
(#267) (LP: #1867029)
+ cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292)
+ net/cmdline: replace type comments with annotations (#294)
+ HACKING.rst: add Type Annotations design section (#293)
+ net: introduce is_ip_address function (#288)
+ CiTestCase: remove now-unneeded parse_and_read helper method (#286)
+ .travis.yml: allow 30 minutes of inactivity in cloud tests (#287)
+ sources/tests/test_init: drop use of deprecated inspect.getargspec (#285)
+ setup.py: drop NIH check_output implementation (#282)
+ Identify SAP Converged Cloud as OpenStack [Silvio Knizek]
+ add Openbsd support (#147) [Goneri Le Bouder]
+ HACKING.rst: add examples of the two test class types (#278)
+ VMware: support to update guest info gc status if enabled (#261)
[xiaofengw-vmware]
+ Add lp-to-git mapping for kgarloff (#279)
+ set_passwords: avoid chpasswd on BSD (#268) [Goneri Le Bouder]
+ HACKING.rst: add Unit Testing design section (#277)
+ util: read_cc_from_cmdline handle urlencoded yaml content (#275)
+ distros/tests/test_init: add tests for _get_package_mirror_info (#272)
+ HACKING.rst: add links to new Code Review Process doc (#276)
+ freebsd: ensure package update works (#273) [Goneri Le Bouder]
+ doc: introduce Code Review Process documentation (#160)
+ tools: use python3 (#274)
+ cc_disk_setup: fix RuntimeError (#270) (LP: #1868327)
+ cc_apt_configure/util: combine search_for_mirror implementations (#271)
+ bsd: boottime does not depend on the libc soname (#269)
[Goneri Le Bouder]
+ test_oracle,DataSourceOracle: sort imports (#266)
+ DataSourceOracle: update .network_config docstring (#257)
+ cloudinit/tests: remove unneeded with_logs configuration (#263)
+ .travis.yml: drop stale comment (#255)
+ .gitignore: add more common directories (#258)
+ ec2: render network on all NICs and add secondary IPs as static (#114)
(LP: #1866930)
+ ec2 json validation: fix the reference to the 'merged_cfg' key (#256)
[Paride Legovini]
+ releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini]
+ cloudinit: remove six from packaging/tooling (#253)
+ util/netbsd: drop six usage (#252)
+ workflows: introduce stale pull request workflow (#125)
+ cc_resolv_conf: introduce tests and stabilise output across Python
versions (#251)
+ fix minor issue with resolv_conf template (#144) [andreaf74]
+ doc: CloudInit also support NetBSD (#250) [Goneri Le Bouder]
+ Add Netbsd support (#62) [Goneri Le Bouder]
+ tox.ini: avoid substitution syntax that causes a traceback on xenial (#245)
+ Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby]
+ Introduce and use of a list of GitHub usernames that have signed CLA
(#244)
+ workflows/cla.yml: use correct username for CLA check (#243)
+ tox.ini: use xenial version of jsonpatch in CI (#242)
+ workflows: CLA validation altered to fail status on pull_request (#164)
+ tox.ini: bump pyflakes version to 2.1.1 (#239)
+ cloudinit: move to pytest for running tests (#211)
+ instance-data: add cloud-init merged_cfg and sys_info keys to json
(#214) (LP: #1865969)
+ ec2: Do not fallback to IMDSv1 on EC2 (#216)
+ instance-data: write redacted cfg to instance-data.json (#233)
(LP: #1865947)
+ net: support network-config:disabled on the kernel commandline (#232)
(LP: #1862702)
+ ec2: only redact token request headers in logs, avoid altering request
(#230) (LP: #1865882)
+ docs: typo fixed: dta → data [Alexey Vazhnov]
+ Fixes typo on Amazon Web Services (#217) [Nick Wales]
+ Fix docs for OpenStack DMI Asset Tag (#228)
[Mark T. Voelker] (LP: #1669875)
+ Add physical network type: cascading to openstack helpers (#200)
[sab-systems]
+ tests: add focal integration tests for ubuntu (#225)
- From 20.1 (first version after 19.4)
+ ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)
(LP: #1863943)
+ utils: use SystemRandom when generating random password. (#204)
[Dimitri John Ledkov]
+ docs: mount_default_files is a list of 6 items, not 7 (#212)
+ azurecloud: fix issues with instances not starting (#205) (LP: #1861921)
+ unittest: fix stderr leak in cc_set_password random unittest
output. (#208)
+ cc_disk_setup: add swap filesystem force flag (#207)
+ import sysvinit patches from freebsd-ports tree (#161) [Igor Galić]
+ docs: fix typo (#195) [Edwin Kofler]
+ sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
[Robert Schweikert] (LP: #1800854)
+ cloudinit: replace 'from six import X' imports (except in util.py) (#183)
+ run-container: use 'test -n' instead of 'test ! -z' (#202)
[Paride Legovini]
+ net/cmdline: correctly handle static ip= config (#201)
[Dimitri John Ledkov] (LP: #1861412)
+ Replace mock library with unittest.mock (#186)
+ HACKING.rst: update CLA link (#199)
+ Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
[Louis Bouchard]
+ cloudinit/cmd/devel/net_convert.py: add missing space (#191)
+ tools/run-container: drop support for python2 (#192) [Paride Legovini]
+ Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
+ Make the RPM build use Python 3 (#190) [Paride Legovini]
+ cc_set_password: increase random pwlength from 9 to 20 (#189)
(LP: #1860795)
+ .travis.yml: use correct Python version for xenial tests (#185)
+ cloudinit: remove ImportError handling for mock imports (#182)
+ Do not use fallocate in swap file creation on xfs. (#70)
[Eduardo Otubo] (LP: #1781781)
+ .readthedocs.yaml: install cloud-init when building docs (#181)
(LP: #1860450)
+ Introduce an RTD config file, and pin the Sphinx version to the RTD
default (#180)
+ Drop most of the remaining use of six (#179)
+ Start removing dependency on six (#178)
+ Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
+ docs: add proposed SRU testing procedure (#167)
+ util: rename get_architecture to get_dpkg_architecture (#173)
+ Ensure util.get_architecture() runs only once (#172)
+ Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann]
+ freebsd: remove superfluous exception mapping (#166) [Goneri Le Bouder]
+ ssh_auth_key_fingerprints_disable test: fix capitalization (#165)
[Paride Legovini]
+ util: move uptime's else branch into its own boottime function (#53)
[Igor Galić] (LP: #1853160)
+ workflows: add contributor license agreement checker (#155)
+ net: fix rendering of 'static6' in network config (#77) (LP: #1850988)
+ Make tests work with Python 3.8 (#139) [Conrad Hoffmann]
+ fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74]
+ freebsd: fix create_group() cmd (#146) [Goneri Le Bouder]
+ doc: make apt_update example consistent (#154)
+ doc: add modules page toc with links (#153) (LP: #1852456)
+ Add support for the amazon variant in cloud.cfg.tmpl (#119)
[Frederick Lefebvre]
+ ci: remove Python 2.7 from CI runs (#137)
+ modules: drop cc_snap_config config module (#134)
+ migrate-lp-user-to-github: ensure Launchpad repo exists (#136)
+ docs: add initial troubleshooting to FAQ (#104) [Joshua Powers]
+ doc: update cc_set_hostname frequency and description (#109)
[Joshua Powers] (LP: #1827021)
+ freebsd: introduce the freebsd renderer (#61) [Goneri Le Bouder]
+ cc_snappy: remove deprecated module (#127)
+ HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130)
+ freebsd: cloudinit service requires devd (#132) [Goneri Le Bouder]
+ cloud-init: fix capitalisation of SSH (#126)
+ doc: update cc_ssh clarify host and auth keys
[Joshua Powers] (LP: #1827021)
+ ci: emit names of tests run in Travis (#120)
- Disable testing to aid elimination of unittest2 in Factory
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released: Wed Sep 16 14:42:55 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1175811,1175830,1175831
This update for zlib fixes the following issues:
- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released: Tue Sep 22 17:08:03 2020
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:
- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2780-1
Released: Tue Sep 29 11:27:51 2020
Summary: Recommended update for rsyslog
Type: recommended
Severity: moderate
References: 1173433
This update for rsyslog fixes the following issues:
- Fix the URL for bug reporting. (bsc#1173433)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2789-1
Released: Tue Sep 29 14:13:14 2020
Summary: Security update for xen
Type: security
Severity: important
References: 1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
This update for xen fixes the following issues:
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPUs (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where event channels that were once valid could turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2814-1
Released: Thu Oct 1 09:55:30 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1161335,1176625
This update for permissions fixes the following issues:
- whitelist WMP (bsc#1161335, bsc#1176625)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2817-1
Released: Thu Oct 1 10:38:37 2020
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:
Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.
Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
(bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2825-1
Released: Fri Oct 2 08:44:28 2020
Summary: Recommended update for suse-build-key
Type: recommended
Severity: moderate
References: 1170347,1176759
This update for suse-build-key fixes the following issues:
- The SUSE Notary Container key is different from the build signing
key, include this key instead as suse-container-key. (PM-1845 bsc#1170347)
- The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released: Tue Oct 6 16:13:20 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:
- DIR_COLORS (bug#1006973):
- add screen.xterm-256color
- add TERM rxvt-unicode-256color
- sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released: Tue Oct 13 14:22:43 2020
Summary: Security update for libproxy
Type: security
Severity: important
References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released: Tue Oct 13 17:25:20 2020
Summary: Security update for bind
Type: security
Severity: moderate
References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now stricter with regard to DNSSEC. If queries stop working,
check for DNSSEC issues. For instance, if bind is used in a nameserver
forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from
a request. Root and TLD servers are no longer exempt from
max-recursion-queries. Fetches for missing name server address records
are limited to 4 for any domain. (bsc#1171740)
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone content
and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
incorrectly treated as 'zonesub' rules, which allowed
keys used in 'subdomain' rules to update names outside
of the specified subdomains. The problem was fixed by
making sure 'subdomain' rules are again processed as
described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request (bsc#1175443).
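The rule-type distinction behind CVE-2020-8624, shown as an added named.conf fragment (not taken from this advisory or from the BIND sources); the zone, key name and secret are placeholders:

```conf
key "dyn-key" {
    algorithm hmac-sha256;
    secret "<base64-encoded shared secret>";   // placeholder, generate with tsig-keygen
};

zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        // 'subdomain': dyn-key may change A/AAAA records at or below
        // dyn.example.com only. Affected versions processed this rule as if
        // it were 'zonesub', i.e. any name inside example.com.
        grant dyn-key subdomain dyn.example.com. A AAAA;

        // 'zonesub' is the deliberately broad form (no name field); use it
        // only where the key really should be able to update every name in
        // the zone.
        // grant dyn-key zonesub A AAAA;
    };
};
```

The fragment needs no change across the update; `named-checkconf` accepts it before and after. What changes is enforcement: with the fixed package an nsupdate signed with dyn-key for host1.dyn.example.com is applied, while one for www.example.com is answered REFUSED. Any zone that relied on the broken behaviour for updates outside the named subdomain will start refusing them, so such keys need an explicit `zonesub` or a wider `subdomain` rule.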
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created
chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is discontinued; GeoIP2 is used instead (bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added a service dependency on NTP to make sure the clock is accurate when bind starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
so that named, being normally the only member of the 'named' group,
has full r/w access yet cannot change directories owned by root
in the case of a compromised named.
[bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
(init/named system/lwresd.init system/named.init in vendor-files)
as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
of /usr/sbin/dnssec-keygen as BIND now uses the random number
functions provided by the crypto library (i.e., OpenSSL or a
PKCS#11 provider) as a source of randomness rather than /dev/random.
Therefore the -r command line option no longer has any effect on
dnssec-keygen. Leaving the option in genDDNSkey as to not break
compatibility. Patch provided by Stefan Eisenwiener.
[bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
systemd context as well as legacy sysv, make use of start_daemon.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released: Fri Oct 16 15:23:07 2020
Summary: Security update for gcc10, nvptx-tools
Type: security
Severity: moderate
References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with a '-10' suffix; select them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:
- Enable build on aarch64
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2953-1
Released: Mon Oct 19 06:25:15 2020
Summary: Recommended update for gettext-runtime
Type: recommended
Severity: moderate
References: 1176142
This update for gettext-runtime fixes the following issues:
- Fixed a crash of 'xgettext' while creating a 'POT' file. (bsc#1176142)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released: Tue Oct 20 12:24:55 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:
- Fixed 'ps -C' rejecting command-name arguments longer than 15 characters. (bsc#1158830)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2978-1
Released: Wed Oct 21 11:36:05 2020
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1175847,1177479
This update for openssl-1_1 fixes the following issues:
FIPS:
* Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1175847, bsc#1177479).
* Add shared secret KAT to FIPS DH selftest (bsc#1175847).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2979-1
Released: Wed Oct 21 11:37:14 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1176173
This update for mozilla-nss fixes the following issue:
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
NIST SP800-56Arev3 compliant (bsc#1176173).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released: Wed Oct 21 15:03:03 2020
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1176123
This update for file fixes the following issues:
- Fixed 'file' displaying a broken 'ELF' interpreter. (bsc#1176123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released: Wed Oct 21 17:35:34 2020
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:
- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2989-1
Released: Thu Oct 22 08:53:10 2020
Summary: Recommended update for chrony
Type: recommended
Severity: moderate
References: 1171806
This update for chrony fixes the following issues:
- Integrate three upstream patches to fix an infinite loop in chronyc. (bsc#1171806)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2995-1
Released: Thu Oct 22 10:03:09 2020
Summary: Security update for freetype2
Type: security
Severity: important
References: 1177914,CVE-2020-15999
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released: Tue Oct 27 16:05:17 2020
Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:
- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}=<version> to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- Link against libzstd to close libsolvs open references
(as we link statically)
yaml-cpp:
- The libyaml-cpp0_6 library package is added to the Basesystem module, LTSS and ESPOS
channels, and the INSTALLER channels, as a new libzypp dependency.
No source changes were done to yaml-cpp.
zypper was updated to 1.14.40:
- info: Assume descriptions starting with '<p>' are richtext
(bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
searches case-insensitive (jsc#SLE-16271)
libsolv was updated to 0.7.15 to fix:
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3052-1
Released: Tue Oct 27 16:09:00 2020
Summary: Security update for xen
Type: security
Severity: important
References: 1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
This update for xen fixes the following issues:
- bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3058-1
Released: Wed Oct 28 06:11:14 2020
Summary: Recommended update for catatonit
Type: recommended
Severity: moderate
References: 1176155
This update for catatonit fixes the following issues:
- Fixes an issue where catatonit hung when a process died in a very specific way. (bsc#1176155)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3099-1
Released: Thu Oct 29 19:33:41 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460
This update for timezone fixes the following issues:
- timezone update 2020b (bsc#1177460)
* Revised predictions for Morocco's changes starting in 2023.
* Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
* Macquarie Island has stayed in sync with Tasmania since 2011.
* Casey, Antarctica is at +08 in winter and +11 in summer.
* zic no longer supports -y, nor the TYPE field of Rules.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3119-1
Released: Mon Nov 2 15:15:16 2020
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1177526
This update for cloud-init fixes the following issues:
- Update cloud-init-write-routes.patch (bsc#1177526)
+ Avoid exception if no gateway information is present and warning
is triggered for existing routing.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3123-1
Released: Tue Nov 3 09:48:13 2020
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1177460,1178346,1178350,1178353
This update for timezone fixes the following issues:
- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released: Tue Nov 3 12:14:03 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:
- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accept MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3195-1
Released: Fri Nov 6 09:42:32 2020
Summary: Recommended update for SUSEConnect
Type: recommended
Severity: moderate
References: 1155027
This update for SUSEConnect fixes the following issues:
- Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027)
- Add 'rpmlintrc' to filter false-positive warning about patch not applied
- Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3234-1
Released: Fri Nov 6 16:01:36 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1177864
This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
- Removed CAs:
- EE Certification Centre Root CA
- Taiwan GRCA
- Added CAs:
- Trustwave Global Certification Authority
- Trustwave Global ECC P256 Certification Authority
- Trustwave Global ECC P384 Certification Authority
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3253-1
Released: Mon Nov 9 07:45:04 2020
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1174697,1176173
This update for mozilla-nss fixes the following issues:
- Fixes an issue where Mozilla Firefox failed in FIPS mode (bsc#1174697)
- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be
NIST SP800-56Arev3 compliant (bsc#1176173).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3270-1
Released: Tue Nov 10 17:53:08 2020
Summary: Recommended update for bind
Type: recommended
Severity: moderate
References: 1175894,1177603,1177790,1177913,1177915,1178078
This update for bind fixes the following issues:
- Add '/usr/lib64/named' to the files and directories in bind config to include external plugins for chroot. (bsc#1178078)
- Replaced named's dependency on time-sync with a dependency on time-set in 'named.service' to avoid a dependency-loop. (bsc#1177790)
- Removed 'dnssec-enable' from named.conf as it has been obsoleted and may break. (bsc#1177915)
- Added a comment for reference which should be removed in the future. (bsc#1177603)
- Added a comment to the 'dnssec-validation' in named.conf with a reference to forwarders which do not return signed responses. (bsc#1175894)
- Replaced an INSIST macro which calls abort with a test and a diagnostic output. (bsc#1177913)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released: Wed Nov 11 12:25:32 2020
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1174232
This update for findutils fixes the following issues:
- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
NFS st_nlink values are not accurate on all implementations, leading to abort() if that assumption is made.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3298-1
Released: Wed Nov 11 15:30:46 2020
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1177939
This update for openssh fixes the following issues:
- Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released: Thu Nov 12 16:07:37 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3341-1
Released: Mon Nov 16 13:59:51 2020
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, zypper fixes the following issues:
libzypp was updated to 17.25.1:
- Fix bsc#1176902: When kernel-rt has been installed, the
purge-kernels service fails during boot.
- Use package name provides as group key in purge-kernel
(bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}=<version> to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namespace matching.
- New solver testcase format.
- Link against libzstd to close libsolvs open references
(as we link statically)
zypper was updated to 1.14.40:
- info: Assume descriptions starting with '<p>' are richtext
(bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
searches case-insensitive (jsc#SLE-16271)
libsolv was updated to 0.7.16:
- do not ask the namespace callback for splitprovides when writing
a testcase
- fix add_complex_recommends() selecting conflicted packages in
rare cases leading to crashes
- improve choicerule generation so that package updates are
preferred in more cases
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3358-1
Released: Tue Nov 17 13:17:10 2020
Summary: Security update for tcpdump
Type: security
Severity: moderate
References: 1178466,CVE-2020-8037
This update for tcpdump fixes the following issues:
- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3375-1
Released: Thu Nov 19 09:28:25 2020
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released: Thu Nov 19 10:53:38 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1177458,1177490,1177510
This update for systemd fixes the following issues:
- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
This allows dropping the workaround that consisted of cleaning journal-upload files and
{sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3416-1
Released: Thu Nov 19 12:46:15 2020
Summary: Security update for xen
Type: security
Severity: important
References: 1177950,1178591,CVE-2020-28368
This update for xen fixes the following issues:
Security issue fixed:
- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591).
Non-security issue fixed:
- Adjusted help for --max_iters, default is 5 (bsc#1177950).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3461-1
Released: Fri Nov 20 13:09:07 2020
Summary: Recommended update for bind
Type: recommended
Severity: low
References: 1177983
This update for bind fixes the following issue:
- Build the 'Administrator Reference Manual' which is built using python3-Sphinx (bsc#1177983)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727
This update for pam and sudo fixes the following issues:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3469-1
Released: Fri Nov 20 17:42:13 2020
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References: 1172952,1176062,1177957,1178278
This update for grub2 fixes the following issues:
- Fixed an issue, where the https boot was interrupted by an unrecognized network address
error message (bsc#1172952)
- Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062)
- Fixed an error in grub2-install where it exited with 'failed to get canonical path
of `/boot/grub2/i386-pc'.' (bsc#1177957)
- Fixed a boot failure issue on blocklist installations (bsc#1178278)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3478-1
Released: Mon Nov 23 09:33:17 2020
Summary: Security update for c-ares
Type: security
Severity: moderate
References: 1178882,CVE-2020-8277
This update for c-ares fixes the following issues:
- Version update to 1.17.0
* CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882)
* For further details see https://c-ares.haxx.se/changelog.html
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3481-1
Released: Mon Nov 23 11:17:09 2020
Summary: Optional update for vim
Type: optional
Severity: low
References: 1166602,1173256,1174564,1176549
This update for vim doesn't fix any user-visible issues and is optional to install.
- Introduce vim-small package with reduced requirements for small installations (bsc#1166602).
- Stop owning /etc/vimrc so the old, distro provided config actually gets removed.
- Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256)
- Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3532-1
Released: Thu Nov 26 12:49:05 2020
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1051510,1058115,1065600,1131277,1160947,1161360,1163524,1166965,1170232,1170415,1171417,1172073,1172366,1173115,1173233,1175306,1175721,1175749,1175882,1176011,1176235,1176278,1176381,1176423,1176482,1176485,1176698,1176721,1176722,1176723,1176725,1176732,1176877,1176907,1176922,1176990,1177027,1177086,1177121,1177165,1177206,1177226,1177410,1177411,1177470,1177511,1177513,1177724,1177725,1177766,1178003,1178123,1178330,1178393,1178622,1178765,1178782,1178838,CVE-2020-0404,CVE-2020-0427,CVE-2020-0430,CVE-2020-0431,CVE-2020-0432,CVE-2020-12351,CVE-2020-12352,CVE-2020-14351,CVE-2020-14381,CVE-2020-14390,CVE-2020-16120,CVE-2020-25212,CVE-2020-25284,CVE-2020-25285,CVE-2020-25641,CVE-2020-25643,CVE-2020-25645,CVE-2020-25656,CVE-2020-25668,CVE-2020-25704,CVE-2020-25705,CVE-2020-26088,CVE-2020-27673,CVE-2020-27675,CVE-2020-8694
The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-25705: A flaw in the way reply ICMP packets are limited was found that allowed open UDP ports to be scanned quickly. This flaw allowed an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file (bsc#1177470).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).
- CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-25645: Fixed an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have led to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have been caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed an issue where a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation that could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411)
- CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410).
The following non-security bugs were fixed:
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1131277).
- btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
- btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- livepatch: Add -fdump-ipa-clones to build (). Add support for -fdump-ipa-clones GCC option. Update config files accordingly.
- livepatch: Test if -fdump-ipa-clones is really available. As of now we add -fdump-ipa-clones unconditionally. It does not cause trouble if the kernel is built with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability.
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- scsi: qla2xxx: Do not consume srb greedily (bsc#1173233).
- scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/hyperv: Create and use Hyper-V page definitions (bsc#1176877).
- x86/kexec: Use up-to-date screen_info copy to fill boot params (bsc#1175306).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3546-1
Released: Fri Nov 27 11:21:09 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695
This update for gnutls fixes the following issue:
- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3579-1
Released: Tue Dec 1 14:24:31 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346
This update for glib2 fixes the following issues:
- Add support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released: Tue Dec 1 14:40:22 2020
Summary: Recommended update for libusb-1_0
Type: recommended
Severity: moderate
References: 1178376
This update for libusb-1_0 fixes the following issues:
- Fixes a build failure for libusb caused by the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3593-1
Released: Wed Dec 2 10:33:49 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1176262,1179193,CVE-2019-20916
This update for python3 fixes the following issues:
Update to 3.6.12 (bsc#1179193), including:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3609-1
Released: Wed Dec 2 18:16:45 2020
Summary: Recommended update for cloud-init
Type: recommended
Severity: important
References: 1177526,1178029,1179150,1179151
This update for cloud-init includes the following fixes:
- Add wget as a requirement (bsc#1178029)
+ wget is used in the CloudStack data source
- Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151)
+ Properly set the password for the default user in all circumstances
- Patch the full package version into the cloud-init version file
- Update cloud-init default route patch. (bsc#1177526)
+ Fix missing default route when a dual stack network setup is used. Once
a default route was configured for IPv6 or IPv4, the default route
configuration for the other protocol was skipped.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3616-1
Released: Thu Dec 3 10:56:12 2020
Summary: Recommended update for c-ares
Type: recommended
Severity: moderate
References: 1178882
- Fixed incomplete c-ares-devel dependencies introduced by the previous update (bsc#1178882).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released: Thu Dec 3 17:03:55 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of the user's name of at least `<N>` characters length in
some form. This is enabled by the new parameter `usersubstr=<N>`
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3627-1
Released: Fri Dec 4 16:59:53 2020
Summary: Security update for xen
Type: security
Severity: important
References: 1177409,1177412,1177413,1177414,1178591,1178963,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
This update for xen fixes the following issues:
- bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released: Mon Dec 7 20:17:32 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1179431
This update for aaa_base fixes the following issue:
- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3722-1
Released: Wed Dec 9 13:37:08 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3733-1
Released: Wed Dec 9 18:18:35 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OCSP verification on the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard matching (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).